Re: [PATCH v2] x86/kexec: Add EFI config table identity mapping for kexec kernel

From: Tao Liu
Date: Wed Aug 02 2023 - 04:24:25 EST


Hi Borislav,

On Sat, Jul 29, 2023 at 12:56 AM Borislav Petkov <bp@xxxxxxxxx> wrote:
>
> On Thu, Jul 27, 2023 at 07:03:26PM +0800, Tao Liu wrote:
> > Hi Borislav,
> >
> > Sorry for the late response. I spent some time retesting your patch
> > against 6.5.0-rc1 and 6.5.0-rc3, and it is OK. So
> >
> > Reported-and-tested-by: Tao Liu <ltao@xxxxxxxxxx>
> >
> > And will we use this patch as a workaround or will we wait for a
> > better solution as proposed by Michael?
>
> First of all, please do not top-post.
>

OK, thanks for the reminder.

> And yes, here's a better one. I'd appreciate you testing it.
>

Thanks for the patch! I have tested it on the Lenovo machine in the
past few days; no issue found, so the patch tests OK.

Thanks,
Tao Liu

> Thx.
>
> ---
> arch/x86/boot/compressed/idt_64.c | 5 ++++-
> arch/x86/boot/compressed/sev.c | 37 +++++++++++++++++++++++++++++--
> 2 files changed, 39 insertions(+), 3 deletions(-)
>
> diff --git a/arch/x86/boot/compressed/idt_64.c b/arch/x86/boot/compressed/idt_64.c
> index 6debb816e83d..0f03ac12e2a6 100644
> --- a/arch/x86/boot/compressed/idt_64.c
> +++ b/arch/x86/boot/compressed/idt_64.c
> @@ -63,7 +63,10 @@ void load_stage2_idt(void)
> set_idt_entry(X86_TRAP_PF, boot_page_fault);
>
> #ifdef CONFIG_AMD_MEM_ENCRYPT
> - set_idt_entry(X86_TRAP_VC, boot_stage2_vc);
> + if (sev_status & BIT(1))
> + set_idt_entry(X86_TRAP_VC, boot_stage2_vc);
> + else
> + set_idt_entry(X86_TRAP_VC, NULL);
> #endif
>
> load_boot_idt(&boot_idt_desc);
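
Review bot: the new condition `sev_status & BIT(1)` tests an unnamed raw bit; the SEV MSR bit definitions in asm/msr-index.h already name it (`MSR_AMD64_SEV_ES_ENABLED`), and using that name would make it clear at a glance that boot_stage2_vc is only installed when SEV-ES is active. The else branch `set_idt_entry(X86_TRAP_VC, NULL)` is only a real "no handler" if set_idt_entry() turns a NULL handler into a non-present gate rather than a present gate with a zero target, so please confirm that and add a one-line comment stating the intent (drop the stage-1 #VC entry for guests without SEV-ES). The patch also ships with only a diffstat and no commit message explaining why the stage-2 IDT needs this change.
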
> diff --git a/arch/x86/boot/compressed/sev.c b/arch/x86/boot/compressed/sev.c
> index 09dc8c187b3c..c3e343bd4760 100644
> --- a/arch/x86/boot/compressed/sev.c
> +++ b/arch/x86/boot/compressed/sev.c
> @@ -404,13 +404,46 @@ void sev_enable(struct boot_params *bp)
> if (bp)
> bp->cc_blob_address = 0;
>
> + /*
> + * Do an initial SEV capability check before snp_init() which
> + * loads the CPUID page and the same checks afterwards are done
> + * without the hypervisor and are trustworthy.
> + *
> + * If the HV fakes SEV support, the guest will crash'n'burn
> + * which is good enough.
> + */
> +
> + /* Check for the SME/SEV support leaf */
> + eax = 0x80000000;
> + ecx = 0;
> + native_cpuid(&eax, &ebx, &ecx, &edx);
> + if (eax < 0x8000001f)
> + return;
> +
> + /*
> + * Check for the SME/SEV feature:
> + * CPUID Fn8000_001F[EAX]
> + * - Bit 0 - Secure Memory Encryption support
> + * - Bit 1 - Secure Encrypted Virtualization support
> + * CPUID Fn8000_001F[EBX]
> + * - Bits 5:0 - Pagetable bit position used to indicate encryption
> + */
> + eax = 0x8000001f;
> + ecx = 0;
> + native_cpuid(&eax, &ebx, &ecx, &edx);
> + /* Check whether SEV is supported */
> + if (!(eax & BIT(1)))
> + return;
> +
> /*
> * Setup/preliminary detection of SNP. This will be sanity-checked
> * against CPUID/MSR values later.
> */
> snp = snp_init(bp);
>
> - /* Check for the SME/SEV support leaf */
> + /* Now repeat the checks with the SNP CPUID table. */
> +
> + /* Recheck the SME/SEV support leaf */
> eax = 0x80000000;
> ecx = 0;
> native_cpuid(&eax, &ebx, &ecx, &edx);
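
Review bot: the probe added before snp_init() (eax = 0x80000000, check `eax < 0x8000001f`, then eax = 0x8000001f and test `eax & BIT(1)`) is a verbatim copy of the recheck that follows snp_init(), so the two copies will drift apart on the next edit; a small static helper that returns whether Fn8000_001F[EAX] bit 1 is set, called once before and once after snp_init(), would keep a single copy of the logic. The new explanatory comment is also split from `/* Check for the SME/SEV support leaf */` by a bare blank line, and "the same checks afterwards are done without the hypervisor and are trustworthy" reads awkwardly; suggest: "The same checks are repeated after snp_init() against the SNP CPUID table, which does not depend on the hypervisor and is therefore trustworthy."
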
> @@ -418,7 +451,7 @@ void sev_enable(struct boot_params *bp)
> return;
>
> /*
> - * Check for the SME/SEV feature:
> + * Recheck for the SME/SEV feature:
> * CPUID Fn8000_001F[EAX]
> * - Bit 0 - Secure Memory Encryption support
> * - Bit 1 - Secure Encrypted Virtualization support
> --
> 2.41.0
>
> --
> Regards/Gruss,
> Boris.
>
> https://people.kernel.org/tglx/notes-about-netiquette
>