| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 2 Jun 2021 06:55:05 +0000
From: Wen Pu <puwen@...on.cn>
To: Tom Lendacky <thomas.lendacky@....com>,
"x86@...nel.org" <x86@...nel.org>
CC: "joro@...tes.org" <joro@...tes.org>,
"dave.hansen@...ux.intel.com" <dave.hansen@...ux.intel.com>,
"peterz@...radead.org" <peterz@...radead.org>,
"tglx@...utronix.de" <tglx@...utronix.de>,
"mingo@...hat.com" <mingo@...hat.com>, "bp@...e.de" <bp@...e.de>,
"hpa@...or.com" <hpa@...or.com>,
"jroedel@...e.de" <jroedel@...e.de>,
"sashal@...nel.org" <sashal@...nel.org>,
"gregkh@...uxfoundation.org" <gregkh@...uxfoundation.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"kvm@...r.kernel.org" <kvm@...r.kernel.org>,
"stable@...r.kernel.org" <stable@...r.kernel.org>
Subject: Re: [PATCH] x86/sev: Check whether SEV or SME is supported first
On 2021/6/2 2:30, Tom Lendacky wrote:
> On 5/26/21 2:24 AM, Pu Wen wrote:
>> The first two bits of the CPUID leaf 0x8000001F EAX indicate whether
>> SEV or SME is supported respectively. It's better to check whether
>> SEV or SME is supported before checking the SEV MSR(0xc0010131) to
>> see whether SEV or SME is enabled.
>>
>> This also avoid the MSR reading failure on the first generation Hygon
>> Dhyana CPU which does not support SEV or SME.
>>
>> Fixes: eab696d8e8b9 ("x86/sev: Do not require Hypervisor CPUID bit for SEV guests")
>> Cc: <stable@...r.kernel.org> # v5.10+
>> Signed-off-by: Pu Wen <puwen@...on.cn>
>
> I think the commit message needs to be expanded to clarify the situations
> and provide more detail.
Okay.
> This is both a bare-metal issue and a guest/VM issue. Since Hygon doesn't
> support the MSR_AMD64_SEV MSR, reading that MSR results in a #GP - either
> directly from hardware in the bare-metal case or via the hypervisor
> (because the RDMSR is actually intercepted) in the guest/VM case,
> resulting in a failed boot. And since this is very early in the boot
> phase, rdmsrl_safe()/native_read_msr_safe() can't be used.
The description is good, will add this.
> So by checking the CPUID information before attempting the RDMSR, this
> goes back to the behavior before the patch identified in the Fixes: tag.
>
> With an improved commit message:
>
> Acked-by: Tom Lendacky <thomas.lendacky@....com>
Thanks, will send patch v2 with improved commit messages.
--
Regards,
Pu Wen
>> ---
>> arch/x86/mm/mem_encrypt_identity.c | 11 ++++++-----
>> 1 file changed, 6 insertions(+), 5 deletions(-)
>>
>> diff --git a/arch/x86/mm/mem_encrypt_identity.c b/arch/x86/mm/mem_encrypt_identity.c
>> index a9639f663d25..470b20208430 100644
>> --- a/arch/x86/mm/mem_encrypt_identity.c
>> +++ b/arch/x86/mm/mem_encrypt_identity.c
>> @@ -504,10 +504,6 @@ void __init sme_enable(struct boot_params *bp)
>> #define AMD_SME_BIT BIT(0)
>> #define AMD_SEV_BIT BIT(1)
>>
>> - /* Check the SEV MSR whether SEV or SME is enabled */
>> - sev_status = __rdmsr(MSR_AMD64_SEV);
>> - feature_mask = (sev_status & MSR_AMD64_SEV_ENABLED) ? AMD_SEV_BIT : AMD_SME_BIT;
>> -
>> /*
>> * Check for the SME/SEV feature:
>> * CPUID Fn8000_001F[EAX]
>> @@ -519,11 +515,16 @@ void __init sme_enable(struct boot_params *bp)
>> eax = 0x8000001f;
>> ecx = 0;
>> native_cpuid(&eax, &ebx, &ecx, &edx);
>> - if (!(eax & feature_mask))
>> + /* Check whether SEV or SME is supported */
>> + if (!(eax & (AMD_SEV_BIT | AMD_SME_BIT)))
>> return;
>>
>> me_mask = 1UL << (ebx & 0x3f);
>>
>> + /* Check the SEV MSR whether SEV or SME is enabled */
>> + sev_status = __rdmsr(MSR_AMD64_SEV);
>> + feature_mask = (sev_status & MSR_AMD64_SEV_ENABLED) ? AMD_SEV_BIT : AMD_SME_BIT;
>> +
>> /* Check if memory encryption is enabled */
>> if (feature_mask == AMD_SME_BIT) {
>> /*
>>
Powered by blists - more mailing lists