| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <BYAPR21MB1688094AE8B2D0EA02A17335D7D29@BYAPR21MB1688.namprd21.prod.outlook.com>
Date: Sun, 29 Jan 2023 04:44:05 +0000
From: "Michael Kelley (LINUX)" <mikelley@...rosoft.com>
To: Jeremi Piotrowski <jpiotrowski@...ux.microsoft.com>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
CC: Jeremi Piotrowski <jpiotrowski@...rosoft.com>,
Wei Liu <wei.liu@...nel.org>, Dexuan Cui <decui@...rosoft.com>,
Tianyu Lan <Tianyu.Lan@...rosoft.com>,
Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
Dave Hansen <dave.hansen@...ux.intel.com>,
"x86@...nel.org" <x86@...nel.org>,
"linux-hyperv@...r.kernel.org" <linux-hyperv@...r.kernel.org>,
Brijesh Singh <brijesh.singh@....com>,
Michael Roth <michael.roth@....com>,
Ashish Kalra <ashish.kalra@....com>,
Tom Lendacky <thomas.lendacky@....com>
Subject: RE: [RFC PATCH v1 4/6] x86/amd: Configure necessary MSRs for SNP
during CPU init when running as a guest
From: Jeremi Piotrowski <jpiotrowski@...ux.microsoft.com> Sent: Monday, January 23, 2023 8:51 AM
>
> Hyper-V may expose the SEV/SEV-SNP CPU features to the guest, but it is
> up to the guest to use them. early_detect_mem_encrypt() checks
> SYSCFG[MEM_ENCRYPT] and HWCR[SMMLOCK] and if these are not set the
> SEV-SNP features are cleared. Check if we are running under a
> hypervisor and if so - update SYSCFG and skip the HWCR check.
>
> It would be great to make this check more specific (checking for
> Hyper-V) but this code runs before hypervisor detection on the boot cpu.
Could you elaborate on why we would want this check to be Hyper-V
specific? Per my comments on Patch 3 of this series, I would think the
opposite. If possible, we want code like this to work on any hypervisor,
and not have Hyper-V specific behavior in code outside of the Hyper-V
modules. But I don't know this code well at all, so maybe there's an
aspect I'm missing.
Michael
>
> Signed-off-by: Jeremi Piotrowski <jpiotrowski@...ux.microsoft.com>
> ---
> arch/x86/kernel/cpu/amd.c | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
> index c7884198ad5b..17d91ac62937 100644
> --- a/arch/x86/kernel/cpu/amd.c
> +++ b/arch/x86/kernel/cpu/amd.c
> @@ -565,6 +565,12 @@ static void early_detect_mem_encrypt(struct cpuinfo_x86 *c)
> * don't advertise the feature under CONFIG_X86_32.
> */
> if (cpu_has(c, X86_FEATURE_SME) || cpu_has(c, X86_FEATURE_SEV)) {
> + if (cpu_has(c, X86_FEATURE_HYPERVISOR)) {
> + rdmsrl(MSR_AMD64_SYSCFG, msr);
> + msr |= MSR_AMD64_SYSCFG_MEM_ENCRYPT;
> + wrmsrl(MSR_AMD64_SYSCFG, msr);
> + }
> +
> /* Check if memory encryption is enabled */
> rdmsrl(MSR_AMD64_SYSCFG, msr);
> if (!(msr & MSR_AMD64_SYSCFG_MEM_ENCRYPT))
> @@ -584,7 +590,7 @@ static void early_detect_mem_encrypt(struct cpuinfo_x86 *c)
> setup_clear_cpu_cap(X86_FEATURE_SME);
>
> rdmsrl(MSR_K7_HWCR, msr);
> - if (!(msr & MSR_K7_HWCR_SMMLOCK))
> + if (!(msr & MSR_K7_HWCR_SMMLOCK) && !cpu_has(c, X86_FEATURE_HYPERVISOR))
> goto clear_sev;
>
> return;
> --
> 2.25.1
Powered by blists - more mailing lists