| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 9 Aug 2022 10:57:16 -0500
From: Tom Lendacky <thomas.lendacky@....com>
To: Jarkko Sakkinen <jarkko@...nel.org>,
Paolo Bonzini <pbonzini@...hat.com>
Cc: Jarkko Sakkinen <jarkko@...fian.com>,
Harald Hoyer <harald@...fian.com>,
Brijesh Singh <brijesh.singh@....com>,
John Allen <john.allen@....com>,
Herbert Xu <herbert@...dor.apana.org.au>,
"David S. Miller" <davem@...emloft.net>,
"open list:AMD CRYPTOGRAPHIC COPROCESSOR (CCP) DRIVER - SE..."
<linux-crypto@...r.kernel.org>,
open list <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] crypto: ccp: Add a quirk to firmware update
On 8/7/22 19:15, Jarkko Sakkinen wrote:
> From: Jarkko Sakkinen <jarkko@...fian.com>
Looks good, just some minor commit message and comment changes requested.
>
> A quirk for fixing the committed TCB version, when upgrading from earlier
> firmware version than 1.33.01. This is a known issue, and the documented
", when upgrading from earlier firmware version than 1.33.01" => "when
upgrading from a firmware version earlier than 1.50"
> workaround is to load the firmware twice.
>
> The issue realizes in a machine where the upgrade is done from firmware
> reporting having SEV API version 1.49, and requires the following
> workaround:
Replace the above paragraph with just: "Currently, this issue requires the
following workaround:"
>
> sudo modprobe -r kvm_amd
> sudo modprobe -r ccp
> sudo modprobe ccp
> sudo modprobe kvm_amd
>
> Implement this workaround inside kernel by checking whether the API
> version is less than 1.50, and if so, download the firmware twice.
> This addresses the TCB version issue.
>
> Link: https://lore.kernel.org/all/de02389f-249d-f565-1136-4af3655fab2a@profian.com/
> Reported-by: Harald Hoyer <harald@...fian.com>
> Signed-off-by: Jarkko Sakkinen <jarkko@...fian.com>
> ---
> drivers/crypto/ccp/sev-dev.c | 16 ++++++++++++++--
> 1 file changed, 14 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c
> index 799b476fc3e8..8ae26c5c64f6 100644
> --- a/drivers/crypto/ccp/sev-dev.c
> +++ b/drivers/crypto/ccp/sev-dev.c
> @@ -742,6 +742,11 @@ static int sev_update_firmware(struct device *dev)
> struct page *p;
> u64 data_size;
>
> + if (!sev_version_greater_or_equal(0, 15)) {
> + dev_dbg(dev, "DOWNLOAD_FIRMWARE not supported\n");
> + return -1;
> + }
> +
> if (sev_get_firmware(dev, &firmware) == -ENOENT) {
> dev_dbg(dev, "No SEV firmware file present\n");
> return -1;
> @@ -774,6 +779,14 @@ static int sev_update_firmware(struct device *dev)
> data->len = firmware->size;
>
> ret = sev_do_cmd(SEV_CMD_DOWNLOAD_FIRMWARE, data, &error);
> +
> + /*
> + * A quirk for fixing the committed TCB version, when upgrading from
> + * earlier firmware version than 1.33.01.
s/1.33.01/1.50/
Thanks,
Tom
> + */
> + if (!ret && !sev_version_greater_or_equal(1, 50))
> + ret = sev_do_cmd(SEV_CMD_DOWNLOAD_FIRMWARE, data, &error);
> +
> if (ret)
> dev_dbg(dev, "Failed to update SEV firmware: %#x\n", error);
> else
> @@ -1283,8 +1296,7 @@ void sev_pci_init(void)
> if (sev_get_api_version())
> goto err;
>
> - if (sev_version_greater_or_equal(0, 15) &&
> - sev_update_firmware(sev->dev) == 0)
> + if (sev_update_firmware(sev->dev) == 0)
> sev_get_api_version();
>
> /* If an init_ex_path is provided rely on INIT_EX for PSP initialization
Powered by blists - more mailing lists