[RFC Part1 PATCH 10/13] X86: kernel: make the bss.decrypted section shared in RMP table

From: Brijesh Singh
Date: Wed Mar 24 2021 - 12:45:38 EST

Next message: Brijesh Singh: "[RFC Part1 PATCH 11/13] x86/kernel: validate rom memory before accessing when SEV-SNP is active"
Previous message: Brijesh Singh: "[RFC Part1 PATCH 00/13] Add AMD Secure Nested Paging (SEV-SNP) Guest Support"
In reply to: Borislav Petkov: "Re: [RFC Part1 PATCH 01/13] x86/cpufeatures: Add SEV-SNP CPU feature"
Next in thread: Brijesh Singh: "[RFC Part1 PATCH 11/13] x86/kernel: validate rom memory before accessing when SEV-SNP is active"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The encryption attribute for the bss.decrypted region is cleared in the
initial page table build. This is because the section contains the data
that need to be shared between the guest and the hypervisor.

When SEV-SNP is active, just clearing the encryption attribute in the
page table is not enough. We also need to make the page shared in the
RMP table.

Cc: Thomas Gleixner <tglx@xxxxxxxxxxxxx>
Cc: Ingo Molnar <mingo@xxxxxxxxxx>
Cc: Borislav Petkov <bp@xxxxxxxxx>
Cc: Joerg Roedel <jroedel@xxxxxxx>
Cc: "H. Peter Anvin" <hpa@xxxxxxxxx>
Cc: Tony Luck <tony.luck@xxxxxxxxx>
Cc: Dave Hansen <dave.hansen@xxxxxxxxx>
Cc: "Peter Zijlstra (Intel)" <peterz@xxxxxxxxxxxxx>
Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
Cc: Tom Lendacky <thomas.lendacky@xxxxxxx>
Cc: David Rientjes <rientjes@xxxxxxxxxx>
Cc: Sean Christopherson <seanjc@xxxxxxxxxx>
Cc: x86@xxxxxxxxxx
Cc: kvm@xxxxxxxxxxxxxxx
Signed-off-by: Brijesh Singh <brijesh.singh@xxxxxxx>
---
arch/x86/kernel/head64.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)

diff --git a/arch/x86/kernel/head64.c b/arch/x86/kernel/head64.c
index 5e9beb77cafd..1bf005d38ebc 100644
--- a/arch/x86/kernel/head64.c
+++ b/arch/x86/kernel/head64.c
@@ -40,6 +40,7 @@
#include <asm/extable.h>
#include <asm/trapnr.h>
#include <asm/sev-es.h>
+#include <asm/sev-snp.h>

/*
* Manage page tables very early on.
@@ -288,6 +289,19 @@ unsigned long __head __startup_64(unsigned long physaddr,
if (mem_encrypt_active()) {
vaddr = (unsigned long)__start_bss_decrypted;
vaddr_end = (unsigned long)__end_bss_decrypted;
+
+ /*
+ * The bss.decrypted region is mapped decrypted in the initial page table.
+ * If SEV-SNP is active then transition the page to shared in the RMP table
+ * so that it is consistent with the page table attribute change below.
+ */
+ if (sev_snp_active()) {
+ unsigned long npages;
+
+ npages = PAGE_ALIGN(vaddr_end - vaddr) >> PAGE_SHIFT;
+ early_snp_set_memory_shared(__pa(vaddr), __pa(vaddr), npages);
+ }
+
for (; vaddr < vaddr_end; vaddr += PMD_SIZE) {
i = pmd_index(vaddr);
pmd[i] -= sme_get_me_mask();
--
2.17.1

Next message: Brijesh Singh: "[RFC Part1 PATCH 11/13] x86/kernel: validate rom memory before accessing when SEV-SNP is active"
Previous message: Brijesh Singh: "[RFC Part1 PATCH 00/13] Add AMD Secure Nested Paging (SEV-SNP) Guest Support"
In reply to: Borislav Petkov: "Re: [RFC Part1 PATCH 01/13] x86/cpufeatures: Add SEV-SNP CPU feature"
Next in thread: Brijesh Singh: "[RFC Part1 PATCH 11/13] x86/kernel: validate rom memory before accessing when SEV-SNP is active"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]