lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 1 Dec 2020 00:48:23 +0000 From: Ashish Kalra <Ashish.Kalra@....com> To: pbonzini@...hat.com Cc: tglx@...utronix.de, mingo@...hat.com, hpa@...or.com, joro@...tes.org, bp@...e.de, thomas.lendacky@....com, x86@...nel.org, kvm@...r.kernel.org, linux-kernel@...r.kernel.org, srutherford@...gle.com, brijesh.singh@....com, dovmurik@...ux.vnet.ibm.com, tobin@....com, jejb@...ux.ibm.com, frankeh@...ibm.com, dgilbert@...hat.com Subject: [PATCH v2 8/9] KVM: x86: Add kexec support for SEV page encryption bitmap. From: Ashish Kalra <ashish.kalra@....com> Reset the host's page encryption bitmap related to kernel specific page encryption status settings before we load a new kernel by kexec. We cannot reset the complete page encryption bitmap here as we need to retain the UEFI/OVMF firmware specific settings. The host's page encryption bitmap is maintained for the guest to keep the encrypted/decrypted state of the guest pages, therefore we need to explicitly mark all shared pages as encrypted again before rebooting into the new guest kernel. Signed-off-by: Ashish Kalra <ashish.kalra@....com> --- arch/x86/kernel/kvm.c | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/arch/x86/kernel/kvm.c b/arch/x86/kernel/kvm.c index 7f57ede3cb8e..55d845e025b2 100644 --- a/arch/x86/kernel/kvm.c +++ b/arch/x86/kernel/kvm.c @@ -38,6 +38,7 @@ #include <asm/cpuidle_haltpoll.h> #include <asm/ptrace.h> #include <asm/svm.h> +#include <asm/e820/api.h> DEFINE_STATIC_KEY_FALSE(kvm_async_pf_enabled); @@ -383,6 +384,33 @@ static void kvm_pv_guest_cpu_reboot(void *unused) */ if (kvm_para_has_feature(KVM_FEATURE_PV_EOI)) wrmsrl(MSR_KVM_PV_EOI_EN, 0); + /* + * Reset the host's page encryption bitmap related to kernel + * specific page encryption status settings before we load a + * new kernel by kexec. NOTE: We cannot reset the complete + * page encryption bitmap here as we need to retain the + * UEFI/OVMF firmware specific settings. + */ + if (sev_active() & (smp_processor_id() == 0)) { + int i; + unsigned long nr_pages; + + for (i = 0; i < e820_table->nr_entries; i++) { + struct e820_entry *entry = &e820_table->entries[i]; + unsigned long start_pfn; + unsigned long end_pfn; + + if (entry->type != E820_TYPE_RAM) + continue; + + start_pfn = entry->addr >> PAGE_SHIFT; + end_pfn = (entry->addr + entry->size) >> PAGE_SHIFT; + nr_pages = DIV_ROUND_UP(entry->size, PAGE_SIZE); + + kvm_sev_hypercall3(KVM_HC_PAGE_ENC_STATUS, + entry->addr, nr_pages, 1); + } + } kvm_pv_disable_apf(); kvm_disable_steal_time(); } -- 2.17.1
Powered by blists - more mailing lists