Re: [PATCH v7 08/36] x86/mm: Add support to enable SME in early boot processing

From: Tom Lendacky
Date: Tue Jun 20 2017 - 11:53:13 EST


On 6/20/2017 2:38 AM, Borislav Petkov wrote:
On Fri, Jun 16, 2017 at 01:51:15PM -0500, Tom Lendacky wrote:
Add support to the early boot code to use Secure Memory Encryption (SME).
Since the kernel has been loaded into memory in a decrypted state, encrypt
the kernel in place and update the early pagetables with the memory
encryption mask so that new pagetable entries will use memory encryption.

The routines to set the encryption mask and perform the encryption are
stub routines for now with functionality to be added in a later patch.

Because of the need to have the routines available to head_64.S, the
mem_encrypt.c is always built and #ifdefs in mem_encrypt.c will provide
functionality or stub routines depending on CONFIG_AMD_MEM_ENCRYPT.

Signed-off-by: Tom Lendacky <thomas.lendacky@xxxxxxx>
---
arch/x86/include/asm/mem_encrypt.h | 8 +++++++
arch/x86/kernel/head64.c | 33 +++++++++++++++++++++---------
arch/x86/kernel/head_64.S | 39 ++++++++++++++++++++++++++++++++++--
arch/x86/mm/Makefile | 4 +---
arch/x86/mm/mem_encrypt.c | 24 ++++++++++++++++++++++
5 files changed, 93 insertions(+), 15 deletions(-)

...

diff --git a/arch/x86/mm/mem_encrypt.c b/arch/x86/mm/mem_encrypt.c
index b99d469..9a78277 100644
--- a/arch/x86/mm/mem_encrypt.c
+++ b/arch/x86/mm/mem_encrypt.c
@@ -11,6 +11,9 @@
*/
#include <linux/linkage.h>
+#include <linux/init.h>
+
+#ifdef CONFIG_AMD_MEM_ENCRYPT
/*
* Since SME related variables are set early in the boot process they must
@@ -19,3 +22,24 @@
*/
unsigned long sme_me_mask __section(.data) = 0;
EXPORT_SYMBOL_GPL(sme_me_mask);
+
+void __init sme_encrypt_kernel(void)
+{
+}

Just the minor:

void __init sme_encrypt_kernel(void) { }

in case you have to respin.

I have to re-spin for the kbuild test error. But given that this
function will be filled in later it's probably not worth doing the
space savings here.

Thanks,
Tom


Reviewed-by: Borislav Petkov <bp@xxxxxxx>