| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <151f5519-c827-4c55-b0e0-9fb3101f35d4@amd.com>
Date: Fri, 7 Mar 2025 15:06:07 -0600
From: "Kalra, Ashish" <ashish.kalra@....com>
To: Tom Lendacky <thomas.lendacky@....com>, seanjc@...gle.com,
pbonzini@...hat.com, tglx@...utronix.de, mingo@...hat.com, bp@...en8.de,
dave.hansen@...ux.intel.com, x86@...nel.org, hpa@...or.com,
john.allen@....com, herbert@...dor.apana.org.au
Cc: michael.roth@....com, dionnaglaze@...gle.com, nikunj@....com,
ardb@...nel.org, kevinloughlin@...gle.com, Neeraj.Upadhyay@....com,
aik@....com, kvm@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-crypto@...r.kernel.org, linux-coco@...ts.linux.dev
Subject: Re: [PATCH v6 1/8] crypto: ccp: Abort doing SEV INIT if SNP INIT
fails
On 3/7/2025 2:57 PM, Tom Lendacky wrote:
> On 3/7/25 14:54, Tom Lendacky wrote:
>> On 3/6/25 17:09, Ashish Kalra wrote:
>>> From: Ashish Kalra <ashish.kalra@....com>
>>>
>>> If SNP host support (SYSCFG.SNPEn) is set, then RMP table must be
>>
>> s/RMP/the RMP/
>>
>>> initialized up before calling SEV INIT.
>>
>> s/up//
>>
>>>
>>> In other words, if SNP_INIT(_EX) is not issued or fails then
>>> SEV INIT will fail once SNP host support (SYSCFG.SNPEn) is enabled.
>>
>> s/once/if/
>>
>>>
>>> Fixes: 1ca5614b84eed ("crypto: ccp: Add support to initialize the AMD-SP for SEV-SNP")
>>> Signed-off-by: Ashish Kalra <ashish.kalra@....com>
>>> ---
>>> drivers/crypto/ccp/sev-dev.c | 7 ++-----
>>> 1 file changed, 2 insertions(+), 5 deletions(-)
>>>
>>> diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c
>>> index 2e87ca0e292a..a0e3de94704e 100644
>>> --- a/drivers/crypto/ccp/sev-dev.c
>>> +++ b/drivers/crypto/ccp/sev-dev.c
>>> @@ -1112,7 +1112,7 @@ static int __sev_snp_init_locked(int *error)
>>> if (!sev_version_greater_or_equal(SNP_MIN_API_MAJOR, SNP_MIN_API_MINOR)) {
>>> dev_dbg(sev->dev, "SEV-SNP support requires firmware version >= %d:%d\n",
>>> SNP_MIN_API_MAJOR, SNP_MIN_API_MINOR);
>>> - return 0;
>>> + return -EOPNOTSUPP;
>>> }
>>>
>>> /* SNP_INIT requires MSR_VM_HSAVE_PA to be cleared on all CPUs. */
>>> @@ -1325,12 +1325,9 @@ static int _sev_platform_init_locked(struct sev_platform_init_args *args)
>>> */
>>> rc = __sev_snp_init_locked(&args->error);
>>> if (rc && rc != -ENODEV) {
>>
>> Can we get ride of this extra -ENODEV check? It can only be returned
>> because of the same check that is made earlier in this function so it
>> doesn't really serve any purpose from what I can tell.
>>
>> Just make this "if (rc) {"
>
> My bad... -ENODEV is returned if cc_platform_has(CC_ATTR_HOST_SEV_SNP) is
> false, never mind.
Yes, that's what i was going to reply with ... we want to continue with
SEV INIT if SNP host support is not enabled.
Thanks,
Ashish
>
> Thanks,
> Tom
>
>>
>> Thanks,
>> Tom
>>
>>> - /*
>>> - * Don't abort the probe if SNP INIT failed,
>>> - * continue to initialize the legacy SEV firmware.
>>> - */
>>> dev_err(sev->dev, "SEV-SNP: failed to INIT rc %d, error %#x\n",
>>> rc, args->error);
>>> + return rc;
>>> }
>>>
>>> /* Defer legacy SEV/SEV-ES support if allowed by caller/module. */
Powered by blists - more mailing lists