Re: [PATCH v11 06/20] x86/sev: Handle failures from snp_init()
From: Borislav Petkov
Date: Wed Aug 28 2024 - 05:50:11 EST
On Wed, Aug 28, 2024 at 10:17:57AM +0530, Nikunj A. Dadhania wrote:
> + if ((snp && !snp_enabled) ||
> + (!snp && snp_enabled))
> snp_abort();
And which boolean function is that?
diff --git a/arch/x86/mm/mem_encrypt_identity.c b/arch/x86/mm/mem_encrypt_identity.c
index e83b363c5e68..706cb59851b0 100644
--- a/arch/x86/mm/mem_encrypt_identity.c
+++ b/arch/x86/mm/mem_encrypt_identity.c
@@ -495,10 +495,10 @@ void __head sme_enable(struct boot_params *bp)
unsigned int eax, ebx, ecx, edx;
unsigned long feature_mask;
unsigned long me_mask;
- bool snp;
+ bool snp_en;
u64 msr;
- snp = snp_init(bp);
+ snp_en = snp_init(bp);
/* Check for the SME/SEV support leaf */
eax = 0x80000000;
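Review bot: the new name `snp_en` in the declaration and in `snp_en = snp_init(bp);` reads as "SNP enabled", but the comments in the following hunk treat this value as whether a CC blob is present, while enablement comes from the MSR. A name tied to the blob, or to snp_init() succeeding, would keep the two from being confused in the comparison that follows.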
@@ -531,15 +531,11 @@ void __head sme_enable(struct boot_params *bp)
RIP_REL_REF(sev_status) = msr = __rdmsr(MSR_AMD64_SEV);
feature_mask = (msr & MSR_AMD64_SEV_ENABLED) ? AMD_SEV_BIT : AMD_SME_BIT;
- /* The SEV-SNP CC blob should never be present unless SEV-SNP is enabled. */
- if (snp && !(msr & MSR_AMD64_SEV_SNP_ENABLED))
- snp_abort();
-
/*
- * The SEV-SNP CC blob should be present and parsing CC blob should
- * succeed when SEV-SNP is enabled.
+ * Any discrepancies between the presence of a CC blob and SNP
+ * enablement abort the guest.
*/
- if (!snp && (msr & MSR_AMD64_SEV_SNP_ENABLED))
+ if (snp_en ^ (msr & MSR_AMD64_SEV_SNP_ENABLED))
snp_abort();
/* Check if memory encryption is enabled */
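Review bot: in `if (snp_en ^ (msr & MSR_AMD64_SEV_SNP_ENABLED))` the left operand is a bool (0 or 1) while the right operand is the masked u64, which is either 0 or the mask value. Unless that mask is bit 0, the XOR is nonzero whenever the MSR bit is set, so the consistent case (snp_init() returned true and SNP is enabled) would also reach snp_abort(). Normalize the right side before the XOR, for example `snp_en ^ !!(msr & MSR_AMD64_SEV_SNP_ENABLED)`, so the abort fires only on a mismatch.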
--
Regards/Gruss,
Boris.
https://people.kernel.org/tglx/notes-about-netiquette