Re: [PATCH] x86/Kconfig: Remove CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT
From: Ard Biesheuvel
Date: Fri Feb 02 2024 - 11:48:27 EST
On Fri, 2 Feb 2024 at 17:35, Borislav Petkov <bp@xxxxxxxxx> wrote:
>
> On Thu, Feb 01, 2024 at 05:15:51PM +0100, Ard Biesheuvel wrote:
> > OK, I'll remove it in the next rev.
>
> Considering how it simplifies sme_enable() even more, I'd like to
> expedite this one.
>
> Thx.
>
> ---
> From: "Borislav Petkov (AMD)" <bp@xxxxxxxxx>
> Date: Fri, 2 Feb 2024 17:29:32 +0100
> Subject: [PATCH] x86/Kconfig: Remove CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT
>
> It was meant well at the time but nothing's using it so get rid of it.
>
> Signed-off-by: Borislav Petkov (AMD) <bp@xxxxxxxxx>
> ---
> Documentation/admin-guide/kernel-parameters.txt | 4 +---
> Documentation/arch/x86/amd-memory-encryption.rst | 16 ++++++++--------
> arch/x86/Kconfig | 13 -------------
> arch/x86/mm/mem_encrypt_identity.c | 11 +----------
> 4 files changed, 10 insertions(+), 34 deletions(-)
>
Works for me.
Acked-by: Ard Biesheuvel <ardb@xxxxxxxxxx>
> diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
> index 31b3a25680d0..2cb70a384af8 100644
> --- a/Documentation/admin-guide/kernel-parameters.txt
> +++ b/Documentation/admin-guide/kernel-parameters.txt
> @@ -3320,9 +3320,7 @@
>
> mem_encrypt= [X86-64] AMD Secure Memory Encryption (SME) control
> Valid arguments: on, off
> - Default (depends on kernel configuration option):
> - on (CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT=y)
> - off (CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT=n)
> + Default: off
> mem_encrypt=on: Activate SME
> mem_encrypt=off: Do not activate SME
>
> diff --git a/Documentation/arch/x86/amd-memory-encryption.rst b/Documentation/arch/x86/amd-memory-encryption.rst
> index 07caa8fff852..414bc7402ae7 100644
> --- a/Documentation/arch/x86/amd-memory-encryption.rst
> +++ b/Documentation/arch/x86/amd-memory-encryption.rst
> @@ -87,14 +87,14 @@ The state of SME in the Linux kernel can be documented as follows:
> kernel is non-zero).
>
> SME can also be enabled and activated in the BIOS. If SME is enabled and
> -activated in the BIOS, then all memory accesses will be encrypted and it will
> -not be necessary to activate the Linux memory encryption support. If the BIOS
> -merely enables SME (sets bit 23 of the MSR_AMD64_SYSCFG), then Linux can activate
> -memory encryption by default (CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT=y) or
> -by supplying mem_encrypt=on on the kernel command line. However, if BIOS does
> -not enable SME, then Linux will not be able to activate memory encryption, even
> -if configured to do so by default or the mem_encrypt=on command line parameter
> -is specified.
> +activated in the BIOS, then all memory accesses will be encrypted and it
> +will not be necessary to activate the Linux memory encryption support.
> +
> +If the BIOS merely enables SME (sets bit 23 of the MSR_AMD64_SYSCFG),
> +then memory encryption can be enabled by supplying mem_encrypt=on on the
> +kernel command line. However, if BIOS does not enable SME, then Linux
> +will not be able to activate memory encryption, even if configured to do
> +so by default or the mem_encrypt=on command line parameter is specified.
>
> Secure Nested Paging (SNP)
> ==========================
> diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
> index 5edec175b9bf..58d3593bc4f2 100644
> --- a/arch/x86/Kconfig
> +++ b/arch/x86/Kconfig
> @@ -1539,19 +1539,6 @@ config AMD_MEM_ENCRYPT
> This requires an AMD processor that supports Secure Memory
> Encryption (SME).
>
> -config AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT
> - bool "Activate AMD Secure Memory Encryption (SME) by default"
> - depends on AMD_MEM_ENCRYPT
> - help
> - Say yes to have system memory encrypted by default if running on
> - an AMD processor that supports Secure Memory Encryption (SME).
> -
> - If set to Y, then the encryption of system memory can be
> - deactivated with the mem_encrypt=off command line option.
> -
> - If set to N, then the encryption of system memory can be
> - activated with the mem_encrypt=on command line option.
> -
> # Common NUMA Features
> config NUMA
> bool "NUMA Memory Allocation and Scheduler Support"
> diff --git a/arch/x86/mm/mem_encrypt_identity.c b/arch/x86/mm/mem_encrypt_identity.c
> index 7f72472a34d6..efe9f217fcf9 100644
> --- a/arch/x86/mm/mem_encrypt_identity.c
> +++ b/arch/x86/mm/mem_encrypt_identity.c
> @@ -97,7 +97,6 @@ static char sme_workarea[2 * PMD_SIZE] __section(".init.scratch");
>
> static char sme_cmdline_arg[] __initdata = "mem_encrypt";
> static char sme_cmdline_on[] __initdata = "on";
> -static char sme_cmdline_off[] __initdata = "off";
>
> static void __init sme_clear_pgd(struct sme_populate_pgd_data *ppd)
> {
> @@ -504,7 +503,7 @@ void __init sme_encrypt_kernel(struct boot_params *bp)
>
> void __init sme_enable(struct boot_params *bp)
> {
> - const char *cmdline_ptr, *cmdline_arg, *cmdline_on, *cmdline_off;
> + const char *cmdline_ptr, *cmdline_arg, *cmdline_on;
> unsigned int eax, ebx, ecx, edx;
> unsigned long feature_mask;
> unsigned long me_mask;
> @@ -587,12 +586,6 @@ void __init sme_enable(struct boot_params *bp)
> asm ("lea sme_cmdline_on(%%rip), %0"
> : "=r" (cmdline_on)
> : "p" (sme_cmdline_on));
> - asm ("lea sme_cmdline_off(%%rip), %0"
> - : "=r" (cmdline_off)
> - : "p" (sme_cmdline_off));
> -
> - if (IS_ENABLED(CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT))
> - sme_me_mask = me_mask;
>
> cmdline_ptr = (const char *)((u64)bp->hdr.cmd_line_ptr |
> ((u64)bp->ext_cmd_line_ptr << 32));
> @@ -602,8 +595,6 @@ void __init sme_enable(struct boot_params *bp)
>
> if (!strncmp(buffer, cmdline_on, sizeof(buffer)))
> sme_me_mask = me_mask;
> - else if (!strncmp(buffer, cmdline_off, sizeof(buffer)))
> - sme_me_mask = 0;
>
> out:
> if (sme_me_mask) {
> --
> 2.43.0
>
>
> --
> Regards/Gruss,
> Boris.
>
> https://people.kernel.org/tglx/notes-about-netiquette