Re: [RFC PATCH v2 05/32] x86: Use encrypted access of BOOT related data with SEV

From: Tom Lendacky
Date: Thu Mar 16 2017 - 15:21:00 EST


On 3/7/2017 5:09 AM, Borislav Petkov wrote:
On Thu, Mar 02, 2017 at 10:12:59AM -0500, Brijesh Singh wrote:
From: Tom Lendacky <thomas.lendacky@xxxxxxx>

When Secure Encrypted Virtualization (SEV) is active, BOOT data (such as
EFI related data, setup data) is encrypted and needs to be accessed as
such when mapped. Update the architecture override in early_memremap to
keep the encryption attribute when mapping this data.

This could also explain why persistent memory needs to be accessed
decrypted with SEV.

I'll add some comments about why persistent memory needs to be accessed
decrypted (because the encryption key changes across reboots) for both
SME and SEV.


In general, what the difference in that aspect is in respect to SME. And
I'd write that in the comment over the function. And not say "E820 areas
are checked in making this determination." because that is visible but
say *why* we need to check those ranges and determine access depending
on their type.

Will do.

Thanks,
Tom