| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20210225121308.GB380@zn.tnic>
Date: Thu, 25 Feb 2021 13:13:08 +0100
From: Borislav Petkov <bp@...en8.de>
To: Joerg Roedel <joro@...tes.org>
Cc: x86@...nel.org, Joerg Roedel <jroedel@...e.de>, hpa@...or.com,
Andy Lutomirski <luto@...nel.org>,
Dave Hansen <dave.hansen@...ux.intel.com>,
Peter Zijlstra <peterz@...radead.org>,
Jiri Slaby <jslaby@...e.cz>,
Dan Williams <dan.j.williams@...el.com>,
Tom Lendacky <thomas.lendacky@....com>,
Juergen Gross <jgross@...e.com>,
Kees Cook <keescook@...omium.org>,
David Rientjes <rientjes@...gle.com>,
Cfir Cohen <cfir@...gle.com>,
Erdem Aktas <erdemaktas@...gle.com>,
Masami Hiramatsu <mhiramat@...nel.org>,
Mike Stunes <mstunes@...are.com>,
Sean Christopherson <sean.j.christopherson@...el.com>,
Martin Radev <martin.b.radev@...il.com>,
Arvind Sankar <nivedita@...m.mit.edu>,
linux-kernel@...r.kernel.org, kvm@...r.kernel.org,
virtualization@...ts.linux-foundation.org
Subject: Re: [PATCH 4/7] x86/boot/compressed/64: Add 32-bit boot #VC handler
On Wed, Feb 10, 2021 at 11:21:32AM +0100, Joerg Roedel wrote:
> From: Joerg Roedel <jroedel@...e.de>
>
> Add a #VC exception handler which is used when the kernel still executes
> in protected mode. This boot-path already uses CPUID, which will cause #VC
> exceptions in an SEV-ES guest.
>
> Signed-off-by: Joerg Roedel <jroedel@...e.de>
> ---
> arch/x86/boot/compressed/head_64.S | 6 ++
> arch/x86/boot/compressed/mem_encrypt.S | 77 +++++++++++++++++++++++++-
> 2 files changed, 82 insertions(+), 1 deletion(-)
>
> diff --git a/arch/x86/boot/compressed/head_64.S b/arch/x86/boot/compressed/head_64.S
> index 8deeec78cdb4..eadaa0a082b8 100644
> --- a/arch/x86/boot/compressed/head_64.S
> +++ b/arch/x86/boot/compressed/head_64.S
> @@ -34,6 +34,7 @@
> #include <asm/asm-offsets.h>
> #include <asm/bootparam.h>
> #include <asm/desc_defs.h>
> +#include <asm/trapnr.h>
> #include "pgtable.h"
>
> /*
> @@ -856,6 +857,11 @@ SYM_FUNC_START(startup32_set_idt_entry)
> SYM_FUNC_END(startup32_set_idt_entry)
>
> SYM_FUNC_START(startup32_load_idt)
> + /* #VC handler */
> + leal rva(startup32_vc_handler)(%ebp), %eax
> + movl $X86_TRAP_VC, %edx
> + call startup32_set_idt_entry
> +
> /* Load IDT */
> leal rva(boot32_idt)(%ebp), %eax
> movl %eax, rva(boot32_idt_desc+2)(%ebp)
> diff --git a/arch/x86/boot/compressed/mem_encrypt.S b/arch/x86/boot/compressed/mem_encrypt.S
> index aa561795efd1..350ecb56c7e4 100644
> --- a/arch/x86/boot/compressed/mem_encrypt.S
> +++ b/arch/x86/boot/compressed/mem_encrypt.S
> @@ -67,10 +67,85 @@ SYM_FUNC_START(get_sev_encryption_bit)
> ret
> SYM_FUNC_END(get_sev_encryption_bit)
>
> +/*
> + * Emit code to request an CPUID register from the Hypervisor using
> + * the MSR-based protocol.
> + *
> + * fn: The register containing the CPUID function
> + * reg: Register requested
> + * 1 = EAX
> + * 2 = EBX
> + * 3 = ECX
> + * 4 = EDX
> + *
> + * Result is in EDX. Jumps to .Lfail on error
> + */
> +.macro SEV_ES_REQ_CPUID fn:req reg:req
I'm wondering - instead of replicating this 4 times, can this be a
function which you CALL? You do have a stack so you should be able to.
> + /* Request CPUID[%ebx].EAX */
> + movl $\reg, %eax
> + shll $30, %eax
> + orl $0x00000004, %eax
> + movl \fn, %edx
> + movl $MSR_AMD64_SEV_ES_GHCB, %ecx
> + wrmsr
> + rep; vmmcall
> + rdmsr
> + /* Check response code */
Before you do that, I guess you wanna check:
GHCBData[29:12] – Reserved, must be zero
in the HV response.
Thx.
--
Regards/Gruss,
Boris.
https://people.kernel.org/tglx/notes-about-netiquette
Powered by blists - more mailing lists