lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 6 Sep 2018 13:37:50 -0500 From: Brijesh Singh <brijesh.singh@....com> To: Sean Christopherson <sean.j.christopherson@...el.com>, Borislav Petkov <bp@...e.de> Cc: brijesh.singh@....com, x86@...nel.org, linux-kernel@...r.kernel.org, kvm@...r.kernel.org, Tom Lendacky <thomas.lendacky@....com>, Thomas Gleixner <tglx@...utronix.de>, "H. Peter Anvin" <hpa@...or.com>, Paolo Bonzini <pbonzini@...hat.com>, Radim Krčmář <rkrcmar@...hat.com> Subject: Re: [PATCH v5 5/5] x86/kvm: Avoid dynamic allocation of pvclock data when SEV is active On 09/06/2018 09:18 AM, Sean Christopherson wrote: .... >>> >>> So are we going to be defining a decrypted section for every piece of >>> machinery now? >>> >>> That's a bit too much in my book. >>> >>> Why can't you simply free everything in .data..decrypted on !SVE guests? >> >> That would prevent adding __decrypted to existing declarations, e.g. >> hv_clock_boot, which would be ugly in its own right. A more generic >> solution would be to add something like __decrypted_exclusive to mark >> data that is used if and only if SEV is active, and then free the >> SEV-only data when SEV is disabled. > > Oh, and we'd need to make sure __decrypted_exclusive is freed when > !CONFIG_AMD_MEM_ENCRYPT, and preferably !sev_active() since the big > array is used only if SEV is active. This patch unconditionally > defines hv_clock_dec but only frees it if CONFIG_AMD_MEM_ENCRYPT=y && > !mem_encrypt_active(). > Again we have to consider the bare metal scenario while doing this. The aux array you proposed will be added in decrypted section only when CONFIG_AMD_MEM_ENCRYPT=y. If CONFIG_AMD_MEM_ENCRYPT=n then nothng gets put in .data.decrypted section. At the runtime, if memory encryption is active then .data.decrypted_hvclock will contains useful data. The __decrypted attribute in "" when CONFIG_AMD_MEM_ENCRYPT=n. -Brijesh
Powered by blists - more mailing lists