| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <dc69a9bb-a4a0-d82b-2e9c-cf6336ab8252@amd.com>
Date: Tue, 1 Jun 2021 13:30:44 -0500
From: Tom Lendacky <thomas.lendacky@....com>
To: Pu Wen <puwen@...on.cn>, x86@...nel.org
Cc: joro@...tes.org, dave.hansen@...ux.intel.com, peterz@...radead.org,
tglx@...utronix.de, mingo@...hat.com, bp@...e.de, hpa@...or.com,
jroedel@...e.de, sashal@...nel.org, gregkh@...uxfoundation.org,
linux-kernel@...r.kernel.org, kvm@...r.kernel.org,
stable@...r.kernel.org
Subject: Re: [PATCH] x86/sev: Check whether SEV or SME is supported first
On 5/26/21 2:24 AM, Pu Wen wrote:
> The first two bits of the CPUID leaf 0x8000001F EAX indicate whether
> SEV or SME is supported respectively. It's better to check whether
> SEV or SME is supported before checking the SEV MSR(0xc0010131) to
> see whether SEV or SME is enabled.
>
> This also avoid the MSR reading failure on the first generation Hygon
> Dhyana CPU which does not support SEV or SME.
>
> Fixes: eab696d8e8b9 ("x86/sev: Do not require Hypervisor CPUID bit for SEV guests")
> Cc: <stable@...r.kernel.org> # v5.10+
> Signed-off-by: Pu Wen <puwen@...on.cn>
I think the commit message needs to be expanded to clarify the situations
and provide more detail.
This is both a bare-metal issue and a guest/VM issue. Since Hygon doesn't
support the MSR_AMD64_SEV MSR, reading that MSR results in a #GP - either
directly from hardware in the bare-metal case or via the hypervisor
(because the RDMSR is actually intercepted) in the guest/VM case,
resulting in a failed boot. And since this is very early in the boot
phase, rdmsrl_safe()/native_read_msr_safe() can't be used.
So by checking the CPUID information before attempting the RDMSR, this
goes back to the behavior before the patch identified in the Fixes: tag.
With an improved commit message:
Acked-by: Tom Lendacky <thomas.lendacky@....com>
> ---
> arch/x86/mm/mem_encrypt_identity.c | 11 ++++++-----
> 1 file changed, 6 insertions(+), 5 deletions(-)
>
> diff --git a/arch/x86/mm/mem_encrypt_identity.c b/arch/x86/mm/mem_encrypt_identity.c
> index a9639f663d25..470b20208430 100644
> --- a/arch/x86/mm/mem_encrypt_identity.c
> +++ b/arch/x86/mm/mem_encrypt_identity.c
> @@ -504,10 +504,6 @@ void __init sme_enable(struct boot_params *bp)
> #define AMD_SME_BIT BIT(0)
> #define AMD_SEV_BIT BIT(1)
>
> - /* Check the SEV MSR whether SEV or SME is enabled */
> - sev_status = __rdmsr(MSR_AMD64_SEV);
> - feature_mask = (sev_status & MSR_AMD64_SEV_ENABLED) ? AMD_SEV_BIT : AMD_SME_BIT;
> -
> /*
> * Check for the SME/SEV feature:
> * CPUID Fn8000_001F[EAX]
> @@ -519,11 +515,16 @@ void __init sme_enable(struct boot_params *bp)
> eax = 0x8000001f;
> ecx = 0;
> native_cpuid(&eax, &ebx, &ecx, &edx);
> - if (!(eax & feature_mask))
> + /* Check whether SEV or SME is supported */
> + if (!(eax & (AMD_SEV_BIT | AMD_SME_BIT)))
> return;
>
> me_mask = 1UL << (ebx & 0x3f);
>
> + /* Check the SEV MSR whether SEV or SME is enabled */
> + sev_status = __rdmsr(MSR_AMD64_SEV);
> + feature_mask = (sev_status & MSR_AMD64_SEV_ENABLED) ? AMD_SEV_BIT : AMD_SME_BIT;
> +
> /* Check if memory encryption is enabled */
> if (feature_mask == AMD_SME_BIT) {
> /*
>
Powered by blists - more mailing lists