| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <fefc1f1f-fc06-a69b-3820-0180a1e597ce@amd.com>
Date: Fri, 7 Mar 2025 14:57:46 -0600
From: Tom Lendacky <thomas.lendacky@....com>
To: Ashish Kalra <Ashish.Kalra@....com>, seanjc@...gle.com,
pbonzini@...hat.com, tglx@...utronix.de, mingo@...hat.com, bp@...en8.de,
dave.hansen@...ux.intel.com, x86@...nel.org, hpa@...or.com,
john.allen@....com, herbert@...dor.apana.org.au
Cc: michael.roth@....com, dionnaglaze@...gle.com, nikunj@....com,
ardb@...nel.org, kevinloughlin@...gle.com, Neeraj.Upadhyay@....com,
aik@....com, kvm@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-crypto@...r.kernel.org, linux-coco@...ts.linux.dev
Subject: Re: [PATCH v6 1/8] crypto: ccp: Abort doing SEV INIT if SNP INIT
fails
On 3/7/25 14:54, Tom Lendacky wrote:
> On 3/6/25 17:09, Ashish Kalra wrote:
>> From: Ashish Kalra <ashish.kalra@....com>
>>
>> If SNP host support (SYSCFG.SNPEn) is set, then RMP table must be
>
> s/RMP/the RMP/
>
>> initialized up before calling SEV INIT.
>
> s/up//
>
>>
>> In other words, if SNP_INIT(_EX) is not issued or fails then
>> SEV INIT will fail once SNP host support (SYSCFG.SNPEn) is enabled.
>
> s/once/if/
>
>>
>> Fixes: 1ca5614b84eed ("crypto: ccp: Add support to initialize the AMD-SP for SEV-SNP")
>> Signed-off-by: Ashish Kalra <ashish.kalra@....com>
>> ---
>> drivers/crypto/ccp/sev-dev.c | 7 ++-----
>> 1 file changed, 2 insertions(+), 5 deletions(-)
>>
>> diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c
>> index 2e87ca0e292a..a0e3de94704e 100644
>> --- a/drivers/crypto/ccp/sev-dev.c
>> +++ b/drivers/crypto/ccp/sev-dev.c
>> @@ -1112,7 +1112,7 @@ static int __sev_snp_init_locked(int *error)
>> if (!sev_version_greater_or_equal(SNP_MIN_API_MAJOR, SNP_MIN_API_MINOR)) {
>> dev_dbg(sev->dev, "SEV-SNP support requires firmware version >= %d:%d\n",
>> SNP_MIN_API_MAJOR, SNP_MIN_API_MINOR);
>> - return 0;
>> + return -EOPNOTSUPP;
>> }
>>
>> /* SNP_INIT requires MSR_VM_HSAVE_PA to be cleared on all CPUs. */
>> @@ -1325,12 +1325,9 @@ static int _sev_platform_init_locked(struct sev_platform_init_args *args)
>> */
>> rc = __sev_snp_init_locked(&args->error);
>> if (rc && rc != -ENODEV) {
>
> Can we get ride of this extra -ENODEV check? It can only be returned
> because of the same check that is made earlier in this function so it
> doesn't really serve any purpose from what I can tell.
>
> Just make this "if (rc) {"
My bad... -ENODEV is returned if cc_platform_has(CC_ATTR_HOST_SEV_SNP) is
false, never mind.
Thanks,
Tom
>
> Thanks,
> Tom
>
>> - /*
>> - * Don't abort the probe if SNP INIT failed,
>> - * continue to initialize the legacy SEV firmware.
>> - */
>> dev_err(sev->dev, "SEV-SNP: failed to INIT rc %d, error %#x\n",
>> rc, args->error);
>> + return rc;
>> }
>>
>> /* Defer legacy SEV/SEV-ES support if allowed by caller/module. */
Powered by blists - more mailing lists