| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 23 May 2022 11:44:42 +0200
From: Borislav Petkov <bp@...e.de>
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: x86-ml <x86@...nel.org>, lkml <linux-kernel@...r.kernel.org>
Subject: [GIT PULL] x86/sev for 5.19
Hi Linus,
please pull the third AMD confidential computing feature called Secure
Nested Paging.
---
The following changes since commit 3123109284176b1532874591f7c81f3837bbdc17:
Linux 5.18-rc1 (2022-04-03 14:08:21 -0700)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git tags/x86_sev_for_v5.19_rc1
for you to fetch changes up to ce6565282b3b16fd850c6a676f78c6bc76d0c235:
x86/entry: Fixup objtool/ibt validation (2022-05-20 12:04:56 +0200)
----------------------------------------------------------------
AMD SEV-SNP support
Add to confidential guests the necessary memory integrity protection
against malicious hypervisor-based attacks like data replay, memory
remapping and others, thus achieving a stronger isolation from the
hypervisor.
At the core of the functionality is a new structure called a reverse
map table (RMP) with which the guest has a say in which pages get
assigned to it and gets notified when a page which it owns, gets
accessed/modified under the covers so that the guest can take an
appropriate action.
In addition, add support for the whole machinery needed to launch a SNP
guest, details of which is properly explained in each patch.
And last but not least, the series refactors and improves parts of the
previous SEV support so that the new code is accomodated properly and
not just bolted on.
----------------------------------------------------------------
Borislav Petkov (2):
x86/boot: Add an efi.h header for the decompressor
x86/sev: Fix address space sparse warning
Brijesh Singh (21):
KVM: SVM: Define sev_features and VMPL field in the VMSA
x86/mm: Extend cc_attr to include AMD SEV-SNP
x86/sev: Define the Linux-specific guest termination reasons
x86/sev: Save the negotiated GHCB version
x86/sev: Check SEV-SNP features support
x86/sev: Add a helper for the PVALIDATE instruction
x86/sev: Check the VMPL level
x86/compressed: Add helper for validating pages in the decompression stage
x86/compressed: Register GHCB memory when SEV-SNP is active
x86/sev: Register GHCB memory when SEV-SNP is active
x86/sev: Add helper for validating pages in early enc attribute changes
x86/kernel: Mark the .bss..decrypted section as shared in the RMP table
x86/kernel: Validate ROM memory before accessing when SEV-SNP is active
x86/mm: Validate memory when changing the C-bit
x86/boot: Add Confidential Computing type to setup_data
x86/sev: Provide support for SNP guest request NAEs
x86/sev: Register SEV-SNP guest request platform device
virt: Add SEV-SNP guest driver
virt: sevguest: Add support to derive key
virt: sevguest: Add support to get extended report
x86/sev: Get the AP jump table address from secrets page
Colin Ian King (1):
x86/sev: Remove duplicated assignment to variable info
Haowen Bai (1):
virt: sevguest: Fix bool function returning negative value
Lai Jiangshan (2):
x86/sev: Annotate stack change in the #VC handler
x86/sev: Mark the code returning to user space as syscall gap
Michael Roth (24):
x86/boot: Introduce helpers for MSR reads/writes
x86/boot: Use MSR read/write helpers instead of inline assembly
x86/compressed/64: Detect/setup SEV/SME features earlier during boot
x86/sev: Detect/setup SEV/SME features earlier in boot
x86/head/64: Re-enable stack protection
x86/compressed/acpi: Move EFI detection to helper
x86/compressed/acpi: Move EFI system table lookup to helper
x86/compressed/acpi: Move EFI config table lookup to helper
x86/compressed/acpi: Move EFI vendor table lookup to helper
x86/compressed/acpi: Move EFI kexec handling into common code
KVM: x86: Move lookup of indexed CPUID leafs to helper
x86/sev: Move MSR-based VMGEXITs for CPUID to helper
x86/compressed/64: Add support for SEV-SNP CPUID table in #VC handlers
x86/boot: Add a pointer to Confidential Computing blob in bootparams
x86/compressed: Add SEV-SNP feature detection/setup
x86/compressed: Use firmware-validated CPUID leaves for SEV-SNP guests
x86/compressed: Export and rename add_identity_map()
x86/compressed/64: Add identity mapping for Confidential Computing blob
x86/sev: Add SEV-SNP feature detection/setup
x86/sev: Use firmware-validated CPUID for SEV-SNP guests
x86/sev: Add a sev= cmdline option
virt: sevguest: Add documentation for SEV-SNP CPUID Enforcement
x86/boot: Put globals that are accessed early into the .data section
x86/sev: Add missing __init annotations to SEV init routines
Peter Gonda (1):
x86/sev-es: Replace open-coded hlt-loop with sev_es_terminate()
Peter Zijlstra (1):
x86/entry: Fixup objtool/ibt validation
Tom Lendacky (6):
KVM: SVM: Create a separate mapping for the SEV-ES save area
KVM: SVM: Create a separate mapping for the GHCB save area
KVM: SVM: Update the SEV-ES save area mapping
x86/sev: Use SEV-SNP AP creation to start secondary CPUs
virt: sevguest: Change driver name to reflect generic SEV support
virt: sevguest: Rename the sevguest dir and files to sev-guest
Yang Yingliang (1):
virt: sevguest: Fix return value check in alloc_shared_pages()
Documentation/admin-guide/kernel-parameters.txt | 2 +
Documentation/virt/coco/sev-guest.rst | 155 +++++
Documentation/virt/index.rst | 1 +
Documentation/x86/x86_64/boot-options.rst | 14 +
Documentation/x86/zero-page.rst | 2 +
arch/x86/boot/compressed/Makefile | 1 +
arch/x86/boot/compressed/acpi.c | 176 +----
arch/x86/boot/compressed/early_serial_console.c | 3 +-
arch/x86/boot/compressed/efi.c | 234 +++++++
arch/x86/boot/compressed/efi.h | 126 ++++
arch/x86/boot/compressed/head_64.S | 37 +-
arch/x86/boot/compressed/ident_map_64.c | 39 +-
arch/x86/boot/compressed/idt_64.c | 18 +-
arch/x86/boot/compressed/kaslr.c | 3 +-
arch/x86/boot/compressed/mem_encrypt.S | 36 -
arch/x86/boot/compressed/misc.c | 5 +-
arch/x86/boot/compressed/misc.h | 56 +-
arch/x86/boot/compressed/pgtable_64.c | 3 +-
arch/x86/boot/compressed/sev.c | 263 +++++++-
arch/x86/boot/cpucheck.c | 30 +-
arch/x86/boot/msr.h | 26 +
arch/x86/coco/core.c | 3 +
arch/x86/entry/entry_64.S | 6 +
arch/x86/entry/entry_64_compat.S | 5 +
arch/x86/include/asm/bootparam_utils.h | 1 +
arch/x86/include/asm/cpuid.h | 34 +
arch/x86/include/asm/msr-index.h | 2 +
arch/x86/include/asm/msr.h | 11 +-
arch/x86/include/asm/proto.h | 4 +
arch/x86/include/asm/ptrace.h | 4 +
arch/x86/include/asm/setup.h | 1 -
arch/x86/include/asm/sev-common.h | 82 +++
arch/x86/include/asm/sev.h | 137 +++-
arch/x86/include/asm/shared/msr.h | 15 +
arch/x86/include/asm/svm.h | 171 ++++-
arch/x86/include/uapi/asm/bootparam.h | 4 +-
arch/x86/include/uapi/asm/svm.h | 13 +
arch/x86/kernel/Makefile | 2 -
arch/x86/kernel/cpu/common.c | 4 +
arch/x86/kernel/head64.c | 29 +-
arch/x86/kernel/head_64.S | 37 +-
arch/x86/kernel/probe_roms.c | 13 +-
arch/x86/kernel/sev-shared.c | 534 ++++++++++++++-
arch/x86/kernel/sev.c | 855 +++++++++++++++++++++++-
arch/x86/kernel/smpboot.c | 3 +
arch/x86/kvm/cpuid.c | 19 +-
arch/x86/kvm/svm/sev.c | 22 +-
arch/x86/kvm/svm/svm.c | 8 +-
arch/x86/kvm/svm/svm.h | 4 +-
arch/x86/mm/mem_encrypt.c | 4 +
arch/x86/mm/mem_encrypt_amd.c | 71 +-
arch/x86/mm/mem_encrypt_identity.c | 8 +
arch/x86/realmode/init.c | 2 +-
drivers/virt/Kconfig | 3 +
drivers/virt/Makefile | 1 +
drivers/virt/coco/sev-guest/Kconfig | 14 +
drivers/virt/coco/sev-guest/Makefile | 2 +
drivers/virt/coco/sev-guest/sev-guest.c | 743 ++++++++++++++++++++
drivers/virt/coco/sev-guest/sev-guest.h | 63 ++
include/linux/cc_platform.h | 8 +
include/linux/efi.h | 1 +
include/uapi/linux/sev-guest.h | 80 +++
62 files changed, 3861 insertions(+), 392 deletions(-)
create mode 100644 Documentation/virt/coco/sev-guest.rst
create mode 100644 arch/x86/boot/compressed/efi.c
create mode 100644 arch/x86/boot/compressed/efi.h
create mode 100644 arch/x86/boot/msr.h
create mode 100644 arch/x86/include/asm/cpuid.h
create mode 100644 arch/x86/include/asm/shared/msr.h
create mode 100644 drivers/virt/coco/sev-guest/Kconfig
create mode 100644 drivers/virt/coco/sev-guest/Makefile
create mode 100644 drivers/virt/coco/sev-guest/sev-guest.c
create mode 100644 drivers/virt/coco/sev-guest/sev-guest.h
create mode 100644 include/uapi/linux/sev-guest.h
--
Regards/Gruss,
Boris.
SUSE Software Solutions Germany GmbH
GF: Ivo Totev, Andrew Myers, Andrew McDonald, Martje Boudien Moerman
(HRB 36809, AG Nürnberg)
Powered by blists - more mailing lists