Re: [PATCH] x86/sev: Do the C-bit verification only on the BSP

From: Tom Lendacky
Date: Mon Dec 04 2023 - 11:06:52 EST

Next message: Vincent Guittot: "Re: [RFC PATCH 2/6] sched/uclamp: Simulate PELT decay in util_avg_uclamp"
Previous message: Javier Martinez Canillas: "Re: [RFC PATCH] of/platform: Disable sysfb if a simple-framebuffer node is found"
Next in thread: Borislav Petkov: "Re: [PATCH] x86/sev: Do the C-bit verification only on the BSP"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 11/30/23 07:26, Borislav Petkov wrote:

From: "Borislav Petkov (AMD)" <bp@xxxxxxxxx>

There's no need to do it on every AP.

The C-bit value read on the BSP and also verified there, is used
everywhere from now on.

There should be no functional changes resulting from this patch - just
a bit faster booting APs.

Signed-off-by: Borislav Petkov (AMD) <bp@xxxxxxxxx>

One minor question below, but otherwise

Acked-by: Tom Lendacky <thomas.lendacky@xxxxxxx>

---
arch/x86/kernel/head_64.S | 31 ++++++++++++++++++++++---------
1 file changed, 22 insertions(+), 9 deletions(-)

diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64.S
index 3dcabbc49149..af40d8eb4dca 100644
--- a/arch/x86/kernel/head_64.S
+++ b/arch/x86/kernel/head_64.S
@@ -114,6 +114,28 @@ SYM_CODE_START_NOALIGN(startup_64)
/* Form the CR3 value being sure to include the CR3 modifier */
addq $(early_top_pgt - __START_KERNEL_map), %rax
+
+#ifdef CONFIG_AMD_MEM_ENCRYPT
+ mov %rax, %rdi
+ mov %rax, %r14
+
+ addq phys_base(%rip), %rdi
+
+ /*
+ * For SEV guests: Verify that the C-bit is correct. A malicious
+ * hypervisor could lie about the C-bit position to perform a ROP
+ * attack on the guest by writing to the unencrypted stack and wait for
+ * the next RET instruction.
+ */
+ call sev_verify_cbit
+
+ /*
+ * Restore CR3 value without the phys_base which will be added
+ * below, before writing %cr3.
+ */
+ mov %r14, %rax

You're ignoring RAX now on return, so you can probably just make sev_verify_cbit() a void function now. You would still need to save RAX because of the calling convention, though, so it doesn't make this code any cleaner (other than the comment could then just say restore CR3 value). You're call, I'm good either way.

Thanks,
Tom

+#endif
+
jmp 1f
SYM_CODE_END(startup_64)
@@ -192,15 +214,6 @@ SYM_INNER_LABEL(secondary_startup_64_no_verify, SYM_L_GLOBAL)
/* Setup early boot stage 4-/5-level pagetables. */
addq phys_base(%rip), %rax
- /*
- * For SEV guests: Verify that the C-bit is correct. A malicious
- * hypervisor could lie about the C-bit position to perform a ROP
- * attack on the guest by writing to the unencrypted stack and wait for
- * the next RET instruction.
- */
- movq %rax, %rdi
- call sev_verify_cbit
-
/*
* Switch to new page-table
*

Next message: Vincent Guittot: "Re: [RFC PATCH 2/6] sched/uclamp: Simulate PELT decay in util_avg_uclamp"
Previous message: Javier Martinez Canillas: "Re: [RFC PATCH] of/platform: Disable sysfb if a simple-framebuffer node is found"
Next in thread: Borislav Petkov: "Re: [PATCH] x86/sev: Do the C-bit verification only on the BSP"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]