Re: [PATCH 0/2] support kdump for AMD secure memory encryption(sme)

From: Tom Lendacky
Date: Tue May 15 2018 - 13:38:45 EST


On 5/14/2018 8:51 PM, Lianbo Jiang wrote:
> It is convenient to remap the old encrypted memory to the second kernel by
> calling ioremap_encrypted().
>
> When SME is enabled on an AMD server, we also need to support kdump. Because
> the memory is encrypted in the first kernel, we will remap the old encrypted
> memory to the second kernel (crash kernel), and SME is also enabled in
> the second kernel; otherwise the old encrypted memory cannot be decrypted.
> This is because simply changing the value of a C-bit on a page will not
> automatically encrypt the existing contents of a page, and any data in the
> page prior to the C-bit modification will become unintelligible. A page of
> memory that is marked encrypted will be automatically decrypted when read
> from DRAM and will be automatically encrypted when written to DRAM.
>
> For kdump, it is necessary to distinguish whether the memory is
> encrypted. Furthermore, we should also know which part of the memory is
> encrypted or decrypted. We will appropriately remap the memory according
> to the specific situation in order to tell the CPU how to deal with the
> data (encrypted or decrypted). For example, when SME is enabled, if the old
> memory is encrypted, we will remap the old memory in an encrypted way, which
> will automatically decrypt the old encrypted memory when we read the data
> from the remapped address.
>
> |--------------+---------------+---------------|
> | first-kernel | second-kernel | kdump support |
> |     (mem_encrypt=on|off)     |   (yes|no)    |
> |--------------+---------------+---------------|
> | on           | on            | yes           |
> | off          | off           | yes           |
> | on           | off           | no            |
> | off          | on            | no            |
> |______________|_______________|_______________|
>
> Test tools:
> makedumpfile[v1.6.3]: https://github.com/LianboJ/makedumpfile
> commit e1de103eca8f (A draft for kdump vmcore about AMD SME)
> Author: Lianbo Jiang <lijiang@xxxxxxxxxx>
> Date: Mon May 14 17:02:40 2018 +0800
> Note: This patch can only dump vmcore in the case of SME enabled.
>
> crash-7.2.1: https://github.com/crash-utility/crash.git
> commit 1e1bd9c4c1be (Fix for the "bpf" command display on Linux 4.17-rc1)
> Author: Dave Anderson <anderson@xxxxxxxxxx>
> Date: Fri May 11 15:54:32 2018 -0400
>
> Test environment:
> HP ProLiant DL385Gen10 AMD EPYC 7251
> 8-Core Processor
> 32768 MB memory
> 600 GB disk space
>
> Linux 4.17-rc4:
> git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
> commit 75bc37fefc44 ("Linux 4.17-rc4")
> Author: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
> Date: Sun May 6 16:57:38 2018 -1000
>
> Reference:
> AMD64 Architecture Programmer's Manual
> https://support.amd.com/TechDocs/24593.pdf
>

Have you also tested this with SEV? It would be nice if the kdump
changes you make work with both SME and SEV.

Thanks,
Tom

> Lianbo Jiang (2):
> add a function(ioremap_encrypted) for kdump when AMD sme enabled.
> support kdump when AMD secure memory encryption is active
>
> arch/x86/include/asm/dmi.h | 14 +++++++++++++-
> arch/x86/include/asm/io.h | 2 ++
> arch/x86/kernel/acpi/boot.c | 8 ++++++++
> arch/x86/kernel/crash_dump_64.c | 27 +++++++++++++++++++++++++++
> arch/x86/mm/ioremap.c | 25 +++++++++++++++++--------
> drivers/acpi/tables.c | 14 +++++++++++++-
> drivers/iommu/amd_iommu_init.c | 9 ++++++++-
> fs/proc/vmcore.c | 36 +++++++++++++++++++++++++++++++-----
> include/linux/crash_dump.h | 4 ++++
> kernel/kexec_core.c | 12 ++++++++++++
> 10 files changed, 135 insertions(+), 16 deletions(-)
>
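
Added example, not part of the original thread or of the patch series: a user-space C model of the C-bit behaviour described in the quoted cover letter, showing why the crash kernel must remap old memory with the same C-bit setting it was written with. The XOR keystream is a stand-in for the hardware AES engine, and every name here (`dram`, `mem_write`, `mem_read`, `roundtrip`, `SME_KEY`) is hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 64                 /* toy page size, constructed for the model */

/* Assumption: real SME uses AES in the memory controller. A keyed XOR is
 * enough here, because only "transform on the DRAM path" matters. */
static const uint8_t SME_KEY = 0xA5; /* hypothetical per-boot key */
static uint8_t dram[PAGE_SIZE];      /* one page of "physical" memory */

static uint8_t keystream(size_t pa)
{
    return (uint8_t)(SME_KEY ^ (pa * 31u));
}

/* A mapping is modelled only by its C-bit: 1 = encrypted, 0 = not.
 * Writes through an encrypted mapping are encrypted on the way to DRAM. */
static void mem_write(int c_bit, const uint8_t *src, size_t len)
{
    for (size_t pa = 0; pa < len; pa++)
        dram[pa] = c_bit ? (uint8_t)(src[pa] ^ keystream(pa)) : src[pa];
}

/* Reads through an encrypted mapping are decrypted on the way from DRAM. */
static void mem_read(int c_bit, uint8_t *dst, size_t len)
{
    for (size_t pa = 0; pa < len; pa++)
        dst[pa] = c_bit ? (uint8_t)(dram[pa] ^ keystream(pa)) : dram[pa];
}

/* Write a page through a mapping with write_c, then read it back through
 * a mapping with read_c. Returns 1 if the original bytes are recovered. */
static int roundtrip(int write_c, int read_c)
{
    static const uint8_t data[] = "first-kernel page contents"; /* constructed */
    uint8_t out[sizeof(data)];

    mem_write(write_c, data, sizeof(data));
    mem_read(read_c, out, sizeof(out));
    return memcmp(out, data, sizeof(data)) == 0;
}

int main(void)
{
    for (int w = 0; w <= 1; w++)
        for (int r = 0; r <= 1; r++)
            printf("written C=%d, remapped C=%d: %s\n", w, r,
                   roundtrip(w, r) ? "readable" : "unintelligible");
    return 0;
}
```

The model covers only the C-bit of the two mappings; it does not model the `mem_encrypt=` boot option or the key handling across kexec.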