[PATCH 1/3] kexec: Do not map the kexec area as decrypted when SEV is active
From: Lianbo Jiang
Date: Fri Mar 15 2019 - 06:32:45 EST
Currently, the arch_kexec_post_{alloc,free}_pages unconditionally
maps the kexec area as decrypted. This works fine when SME is active.
Because in SME, the first kernel is loaded in decrypted area by the
BIOS, so the second kernel must be also loaded into the decrypted
memory.
When SEV is active, the first kernel is loaded into the encrypted
area, so the second kernel must be also loaded into the encrypted
memory. Lets make sure that arch_kexec_post_{alloc,free}_pages does
not clear the memory encryption mask from the kexec area when SEV
is active.
Co-developed-by: Brijesh Singh <brijesh.singh@xxxxxxx>
Signed-off-by: Brijesh Singh <brijesh.singh@xxxxxxx>
Signed-off-by: Lianbo Jiang <lijiang@xxxxxxxxxx>
---
arch/x86/kernel/machine_kexec_64.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/arch/x86/kernel/machine_kexec_64.c b/arch/x86/kernel/machine_kexec_64.c
index ceba408ea982..bcebf4993da4 100644
--- a/arch/x86/kernel/machine_kexec_64.c
+++ b/arch/x86/kernel/machine_kexec_64.c
@@ -566,7 +566,10 @@ int arch_kexec_post_alloc_pages(void *vaddr, unsigned int pages, gfp_t gfp)
* not encrypted because when we boot to the new kernel the
* pages won't be accessed encrypted (initially).
*/
- return set_memory_decrypted((unsigned long)vaddr, pages);
+ if (sme_active())
+ return set_memory_decrypted((unsigned long)vaddr, pages);
+
+ return 0;
}
void arch_kexec_pre_free_pages(void *vaddr, unsigned int pages)
@@ -575,5 +578,6 @@ void arch_kexec_pre_free_pages(void *vaddr, unsigned int pages)
* If SME is active we need to reset the pages back to being
* an encrypted mapping before freeing them.
*/
- set_memory_encrypted((unsigned long)vaddr, pages);
+ if (sme_active())
+ set_memory_encrypted((unsigned long)vaddr, pages);
}
--
2.17.1