| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <fe39a04d-2b3a-476f-9505-b874e3ad93b4@amd.com> Date: Fri, 30 Aug 2024 15:47:50 -0500 From: "Kalra, Ashish" <ashish.kalra@....com> To: "Kirill A. Shutemov" <kirill.shutemov@...ux.intel.com> Cc: Tom Lendacky <thomas.lendacky@....com>, "Maciej W. Rozycki" <macro@...am.me.uk>, Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>, Dave Hansen <dave.hansen@...ux.intel.com>, x86@...nel.org, "H. Peter Anvin" <hpa@...or.com>, Kevin Loughlin <kevinloughlin@...gle.com>, linux-kernel@...r.kernel.org, Rick Edgecombe <rick.p.edgecombe@...el.com>, Isaku Yamahata <isaku.yamahata@...el.com> Subject: Re: [PATCH] x86/tdx: Fix crash on kexec with CONFIG_EISA Hello Kirill, On 8/29/2024 7:53 AM, Kirill A. Shutemov wrote: > On Wed, Aug 28, 2024 at 02:43:23PM -0500, Kalra, Ashish wrote: >> Hello Kirill, >> >> On 8/28/2024 1:21 AM, Kirill A. Shutemov wrote: >>>>>> memremap() >>>>>> arch_memremap_wb() >>>>>> ioremap_cache() >>>>>> __ioremap_caller(.encrytped = false) >>>>>> >>>>>> I think arch_memremap_wb() should be mapped ioremap_encrypted() in x86 >>>>>> case. See the patch below. >>>>>> >>>>>> It seems to be working fine on TDX, but I am not sure about SEV. >>>>>> >>>>>> Tom, any comments? >>>>> I haven't dug through the code that thoroughly, but I don't think making >>>>> arch_memremap_wb() be ioremap_encrypted() will work for SME, where some >>>>> data, e.g. setup data, is unencrypted and needs to be mapped shared. >>>>> >>>>> Let me add @Ashish to the thread and have him investigate this since he >>>>> has been working on the kexec support under SNP. Can someone provide the >>>>> specific kernel options that need to be in place? >>>> As Tom asked for, please provide the specific kernel options to test >>>> with this configuration. >>> It is not about testing a specific configuration. The question is if it >>> safe for memremap() to map all WB memory as encrypted by default. >>> >>> Looks like it is safe for TDX, but I am not sure about SME/SEV. >> For SEV it may make sense, but for SME we don't want memremap() to map >> all WB memory as encrypted by default. > Could you elaborate why? > > I mean if it is specific memory ranges that can be identified as such we > could make exception for them. Looks like that the exception is already made for some of these memory ranges with MEMREMAP_DEC flag set along with MEMREMAP_WB. >>> Maybe we want a specific flag to make memremap() map WB memory as >>> decrypted/shared. Make everything encrypted by default seems like a sane >>> default. >> What are MEMREMAP_ENC, MEMREMAP_DEC flags being used for currently ? > Good question. > > I see zero use of MEMREMAP_ENC in the kernel. And MEMREMAP_DEC only used > for setup data which I believe AMD thing. > > If it is the only memory that must be decrypted, I guess we can make it > work with encrypted by default. Yes, and this looks pretty much covered with: arch_memremap_can_ram_remap(..) -> if (CC_ATTR_HOST_MEM_REMAP) --> memremap_is_setup_data() ---> memremap(.., MEMREMAP_WB | MEMREMAP_DEC); It does look like that it can work with encrypted by default and any memory ranges which need special handling and need to be setup as decrypted can use MEMREMAP_WB | MEMREMAP_DEC flag. Thanks, Ashish
Powered by blists - more mailing lists