Re: [RFC PATCH v2 19/20] x86: Access the setup data through debugfs un-encrypted

From: Tom Lendacky
Date: Thu Sep 15 2016 - 13:08:34 EST


On 09/14/2016 09:51 AM, Borislav Petkov wrote:
> On Wed, Sep 14, 2016 at 09:29:41AM -0500, Tom Lendacky wrote:
>> This is still required because just using the __va() would still cause
>> the mapping created to have the encryption bit set. The ioremap call
>> will result in the mapping not having the encryption bit set.
>
> I meant this: https://lkml.kernel.org/r/20160902181447.GA25328@xxxxxxxxxxx
>
> Wouldn't simply clearing the SME mask work?
>
> #define __va(x) ((void *)(((unsigned long)(x)+PAGE_OFFSET) & ~sme_me_mask))
>
> Or are you saying, one needs the whole noodling through ioremap_cache()
> because the data is already encrypted and accessing it with sme_me_mask
> cleared would simply give you the encrypted garbage?

The problem is that this physical address does not contain the
encryption bit, and even if it did, it wouldn't matter. The __va()
define creates a virtual address that will be mapped as encrypted given
the current approach (which is how I found this). It's only ioremap()
that would create a mapping without the encryption attribute and since
this is unencrypted data it needs to be access accordingly.

Thanks,
Tom

>