| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <8d1884d7-f0a4-07b0-c674-584f9c724f89@amd.com>
Date: Fri, 7 Mar 2025 15:29:45 -0600
From: Tom Lendacky <thomas.lendacky@....com>
To: "Kalra, Ashish" <ashish.kalra@....com>, seanjc@...gle.com,
pbonzini@...hat.com, tglx@...utronix.de, mingo@...hat.com, bp@...en8.de,
dave.hansen@...ux.intel.com, x86@...nel.org, hpa@...or.com,
john.allen@....com, herbert@...dor.apana.org.au
Cc: michael.roth@....com, dionnaglaze@...gle.com, nikunj@....com,
ardb@...nel.org, kevinloughlin@...gle.com, Neeraj.Upadhyay@....com,
aik@....com, kvm@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-crypto@...r.kernel.org, linux-coco@...ts.linux.dev
Subject: Re: [PATCH v6 1/8] crypto: ccp: Abort doing SEV INIT if SNP INIT
fails
On 3/7/25 15:06, Kalra, Ashish wrote:
> On 3/7/2025 2:57 PM, Tom Lendacky wrote:
>> On 3/7/25 14:54, Tom Lendacky wrote:
>>> On 3/6/25 17:09, Ashish Kalra wrote:
>>>> From: Ashish Kalra <ashish.kalra@....com>
>>>>
>>>> If SNP host support (SYSCFG.SNPEn) is set, then RMP table must be
>>>
>>> s/RMP/the RMP/
>>>
>>>> initialized up before calling SEV INIT.
>>>
>>> s/up//
>>>
>>>>
>>>> In other words, if SNP_INIT(_EX) is not issued or fails then
>>>> SEV INIT will fail once SNP host support (SYSCFG.SNPEn) is enabled.
>>>
>>> s/once/if/
>>>
>>>>
>>>> Fixes: 1ca5614b84eed ("crypto: ccp: Add support to initialize the AMD-SP for SEV-SNP")
>>>> Signed-off-by: Ashish Kalra <ashish.kalra@....com>
>>>> ---
>>>> drivers/crypto/ccp/sev-dev.c | 7 ++-----
>>>> 1 file changed, 2 insertions(+), 5 deletions(-)
>>>>
>>>> diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c
>>>> index 2e87ca0e292a..a0e3de94704e 100644
>>>> --- a/drivers/crypto/ccp/sev-dev.c
>>>> +++ b/drivers/crypto/ccp/sev-dev.c
>>>> @@ -1112,7 +1112,7 @@ static int __sev_snp_init_locked(int *error)
>>>> if (!sev_version_greater_or_equal(SNP_MIN_API_MAJOR, SNP_MIN_API_MINOR)) {
>>>> dev_dbg(sev->dev, "SEV-SNP support requires firmware version >= %d:%d\n",
>>>> SNP_MIN_API_MAJOR, SNP_MIN_API_MINOR);
>>>> - return 0;
>>>> + return -EOPNOTSUPP;
>>>> }
>>>>
>>>> /* SNP_INIT requires MSR_VM_HSAVE_PA to be cleared on all CPUs. */
>>>> @@ -1325,12 +1325,9 @@ static int _sev_platform_init_locked(struct sev_platform_init_args *args)
>>>> */
>>>> rc = __sev_snp_init_locked(&args->error);
>>>> if (rc && rc != -ENODEV) {
>>>
>>> Can we get ride of this extra -ENODEV check? It can only be returned
>>> because of the same check that is made earlier in this function so it
>>> doesn't really serve any purpose from what I can tell.
>>>
>>> Just make this "if (rc) {"
>>
>> My bad... -ENODEV is returned if cc_platform_has(CC_ATTR_HOST_SEV_SNP) is
>> false, never mind.
>
> Yes, that's what i was going to reply with ... we want to continue with
> SEV INIT if SNP host support is not enabled.
Although we could get rid of that awkward if statement by doing...
if (cc_platform_has(CC_ATTR_HOST_SEV_SNP)) {
rc = __sev_snp_init_locked(&args->error);
if (rc) {
dev_err(sev->dev, ...
return rc;
}
}
And deleting the cc_platform_has() check from __sev_snp_init_locked().
Thanks,
Tom
>
> Thanks,
> Ashish
>
>>
>> Thanks,
>> Tom
>>
>>>
>>> Thanks,
>>> Tom
>>>
>>>> - /*
>>>> - * Don't abort the probe if SNP INIT failed,
>>>> - * continue to initialize the legacy SEV firmware.
>>>> - */
>>>> dev_err(sev->dev, "SEV-SNP: failed to INIT rc %d, error %#x\n",
>>>> rc, args->error);
>>>> + return rc;
>>>> }
>>>>
>>>> /* Defer legacy SEV/SEV-ES support if allowed by caller/module. */
>
Powered by blists - more mailing lists