| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <68daec1d-63b3-ecc5-f8c3-9df8a905ec88@amd.com>
Date: Thu, 20 Feb 2025 14:03:44 -0600
From: Tom Lendacky <thomas.lendacky@....com>
To: Ashish Kalra <Ashish.Kalra@....com>, seanjc@...gle.com,
pbonzini@...hat.com, tglx@...utronix.de, mingo@...hat.com, bp@...en8.de,
dave.hansen@...ux.intel.com, x86@...nel.org, hpa@...or.com,
john.allen@....com, herbert@...dor.apana.org.au
Cc: michael.roth@....com, dionnaglaze@...gle.com, nikunj@....com,
ardb@...nel.org, kevinloughlin@...gle.com, Neeraj.Upadhyay@....com,
aik@....com, kvm@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-crypto@...r.kernel.org, linux-coco@...ts.linux.dev
Subject: Re: [PATCH v4 7/7] crypto: ccp: Move SEV/SNP Platform initialization
to KVM
On 2/19/25 14:55, Ashish Kalra wrote:
> From: Ashish Kalra <ashish.kalra@....com>
>
> SNP initialization is forced during PSP driver probe purely because SNP
> can't be initialized if VMs are running. But the only in-tree user of
> SEV/SNP functionality is KVM, and KVM depends on PSP driver for the same.
> Forcing SEV/SNP initialization because a hypervisor could be running
> legacy non-confidential VMs make no sense.
>
> This patch removes SEV/SNP initialization from the PSP driver probe
> time and moves the requirement to initialize SEV/SNP functionality
> to KVM if it wants to use SEV/SNP.
>
> Suggested-by: Sean Christopherson <seanjc@...gle.com>
> Reviewed-by: Alexey Kardashevskiy <aik@....com>
> Signed-off-by: Ashish Kalra <ashish.kalra@....com>
> ---
> drivers/crypto/ccp/sev-dev.c | 25 +------------------------
> 1 file changed, 1 insertion(+), 24 deletions(-)
>
> diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c
> index f0f3e6d29200..99a663dbc2b6 100644
> --- a/drivers/crypto/ccp/sev-dev.c
> +++ b/drivers/crypto/ccp/sev-dev.c
> @@ -1346,18 +1346,13 @@ static int _sev_platform_init_locked(struct sev_platform_init_args *args)
> if (sev->state == SEV_STATE_INIT)
> return 0;
>
> - /*
> - * Legacy guests cannot be running while SNP_INIT(_EX) is executing,
> - * so perform SEV-SNP initialization at probe time.
> - */
> rc = __sev_snp_init_locked(&args->error);
> if (rc && rc != -ENODEV) {
> /*
> * Don't abort the probe if SNP INIT failed,
> * continue to initialize the legacy SEV firmware.
> */
> - dev_err(sev->dev, "SEV-SNP: failed to INIT rc %d, error %#x\n",
> - rc, args->error);
> + dev_err(sev->dev, "SEV-SNP: failed to INIT, continue SEV INIT\n");
Please don't remove the error information.
> }
>
> /* Defer legacy SEV/SEV-ES support if allowed by caller/module. */
> @@ -2505,9 +2500,7 @@ EXPORT_SYMBOL_GPL(sev_issue_cmd_external_user);
> void sev_pci_init(void)
> {
> struct sev_device *sev = psp_master->sev_data;
> - struct sev_platform_init_args args = {0};
> u8 api_major, api_minor, build;
> - int rc;
>
> if (!sev)
> return;
> @@ -2530,16 +2523,6 @@ void sev_pci_init(void)
> api_major, api_minor, build,
> sev->api_major, sev->api_minor, sev->build);
>
> - /* Initialize the platform */
> - args.probe = true;
> - rc = sev_platform_init(&args);
> - if (rc)
> - dev_err(sev->dev, "SEV: failed to INIT error %#x, rc %d\n",
> - args.error, rc);
> -
> - dev_info(sev->dev, "SEV%s API:%d.%d build:%d\n", sev->snp_initialized ?
> - "-SNP" : "", sev->api_major, sev->api_minor, sev->build);
> -
> return;
>
> err:
> @@ -2550,10 +2533,4 @@ void sev_pci_init(void)
>
> void sev_pci_exit(void)
> {
> - struct sev_device *sev = psp_master->sev_data;
> -
> - if (!sev)
> - return;
> -
> - sev_firmware_shutdown(sev);
Should this remain? If there's a bug in KVM that somehow skips the
shutdown call, then SEV will remain initialized. I think the path is
safe to call a second time.
Thanks,
Tom
> }
Powered by blists - more mailing lists