| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <58e8f9dc-a8d3-a2a5-2dd7-0783355e2567@amd.com>
Date: Thu, 4 Aug 2022 08:13:35 -0500
From: Tom Lendacky <thomas.lendacky@....com>
To: Jarkko Sakkinen <jarkko@...nel.org>,
Paolo Bonzini <pbonzini@...hat.com>
Cc: Jarkko Sakkinen <jarkko@...fian.com>,
Harald Hoyer <harald@...fian.com>,
Brijesh Singh <brijesh.singh@....com>,
John Allen <john.allen@....com>,
Herbert Xu <herbert@...dor.apana.org.au>,
"David S. Miller" <davem@...emloft.net>,
"open list:AMD CRYPTOGRAPHIC COPROCESSOR (CCP) DRIVER - SE..."
<linux-crypto@...r.kernel.org>,
open list <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] crypto: ccp: Load the firmware twice when SEV API version
< 1.43
On 8/3/22 20:02, Jarkko Sakkinen wrote:
> From: Jarkko Sakkinen <jarkko@...fian.com>
>
> SEV-SNP does not initialize to a legit state, unless the firmware is
> loaded twice, when SEP API version < 1.43, and the firmware is updated
> to a later version. Because of this user space needs to work around
> this with "rmmod && modprobe" combo. Fix this by implementing the
> workaround to the driver.
The SNP hypervisor patches are placing a minimum supported version
requirement for the SEV firmware that exceeds the specified version
above [1] (for the reason above, as well as some others), so this patch
is not needed, NAK.
[1] https://lore.kernel.org/lkml/87a0481526e66ddd5f6192cbb43a50708aee2883.1655761627.git.ashish.kalra@amd.com/
Thanks,
Tom
>
> Reported-by: Harald Hoyer <harald@...fian.com>
> Signed-off-by: Jarkko Sakkinen <jarkko@...fian.com>
> ---
> drivers/crypto/ccp/sev-dev.c | 22 +++++++++++++++++++---
> 1 file changed, 19 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c
> index 799b476fc3e8..f2abb7439dde 100644
> --- a/drivers/crypto/ccp/sev-dev.c
> +++ b/drivers/crypto/ccp/sev-dev.c
> @@ -76,6 +76,9 @@ static void *sev_es_tmr;
> #define NV_LENGTH (32 * 1024)
> static void *sev_init_ex_buffer;
>
> +/*
> + * SEV API version >= maj.min?
> + */
> static inline bool sev_version_greater_or_equal(u8 maj, u8 min)
> {
> struct sev_device *sev = psp_master->sev_data;
> @@ -89,6 +92,14 @@ static inline bool sev_version_greater_or_equal(u8 maj, u8 min)
> return false;
> }
>
> +/*
> + * SEV API version < maj.min?
> + */
> +static inline bool sev_version_less(u8 maj, u8 min)
> +{
> + return !sev_version_greater_or_equal(maj, min);
> +}
> +
> static void sev_irq_handler(int irq, void *data, unsigned int status)
> {
> struct sev_device *sev = data;
> @@ -1274,6 +1285,7 @@ void sev_pci_init(void)
> {
> struct sev_device *sev = psp_master->sev_data;
> int error, rc;
> + int i;
>
> if (!sev)
> return;
> @@ -1283,9 +1295,13 @@ void sev_pci_init(void)
> if (sev_get_api_version())
> goto err;
>
> - if (sev_version_greater_or_equal(0, 15) &&
> - sev_update_firmware(sev->dev) == 0)
> - sev_get_api_version();
> + /*
> + * SEV-SNP does not work properly before loading the FW twice in the API
> + * versions older than SEV 1.43.
> + */
> + for (i = 0; i < sev_version_greater_or_equal(0, 15) + sev_version_less(1, 43); i++)
> + if (sev_update_firmware(sev->dev) == 0)
> + sev_get_api_version();
>
> /* If an init_ex_path is provided rely on INIT_EX for PSP initialization
> * instead of INIT.
Powered by blists - more mailing lists