From patchwork Tue Apr 22 10:07:30 2025
X-Patchwork-Submitter: Ard Biesheuvel
X-Patchwork-Id: 883279
Date: Tue, 22 Apr 2025 12:07:30 +0200
Message-ID: <20250422100728.208479-8-ardb+git@google.com>
In-Reply-To: <20250422100728.208479-7-ardb+git@google.com>
Subject: [PATCH v3 1/5] x86/boot: Drop unused sev_enable() fallback
From: Ard Biesheuvel
To: linux-efi@vger.kernel.org
Cc: x86@kernel.org, linux-kernel@vger.kernel.org, mingo@kernel.org, Ard Biesheuvel, Tom Lendacky, Borislav Petkov, Dionna Amalie Glaze, Kevin Loughlin

The misc.h header is not included by the EFI stub, which is the only C caller of sev_enable(). This means the fallback for cases where CONFIG_AMD_MEM_ENCRYPT is not set is never used, so it can be dropped.

Signed-off-by: Ard Biesheuvel
---
arch/x86/boot/compressed/misc.h | 11 -----------
1 file changed, 11 deletions(-)

diff --git a/arch/x86/boot/compressed/misc.h b/arch/x86/boot/compressed/misc.h index dd8d1a85f671..1e950bc5b085 100644 --- a/arch/x86/boot/compressed/misc.h +++ b/arch/x86/boot/compressed/misc.h
@@ -144,17 +144,6 @@ void snp_set_page_private(unsigned long paddr); void snp_set_page_shared(unsigned long paddr); void sev_prep_identity_maps(unsigned long top_level_pgt); #else -static inline void sev_enable(struct boot_params *bp) -{ - /* - * bp->cc_blob_address should only be set by boot/compressed kernel. - * Initialize it to 0 unconditionally (thus here in this stub too) to - * ensure that uninitialized values from buggy bootloaders aren't - * propagated. - */ - if (bp) - bp->cc_blob_address = 0; -} static inline void snp_check_features(void) { } static inline void sev_es_shutdown_ghcb(void) { } static inline bool sev_es_check_ghcb_fault(unsigned long address)
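Review bot: the removed `#else` stub was the only CONFIG_AMD_MEM_ENCRYPT=n code in this hunk that cleared `bp->cc_blob_address`, and its own comment records why that clearing existed (stale values from buggy bootloaders must not propagate). The commit message argues the stub is dead because the EFI stub does not include misc.h, and the hunk is consistent with that since no caller remains in the `#else` branch, but it should also say where `cc_blob_address` is sanitised when CONFIG_AMD_MEM_ENCRYPT is off now that this stub is gone, or state that the field is not consumed in that configuration, so reviewers do not have to trace it themselves.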
Date: Tue, 22 Apr 2025 12:07:31 +0200
Message-ID: <20250422100728.208479-9-ardb+git@google.com>
In-Reply-To: <20250422100728.208479-7-ardb+git@google.com>
Subject: [PATCH v3 2/5] x86/efistub: Obtain SEV CC blob address from the stub
From: Ard Biesheuvel
To: linux-efi@vger.kernel.org
Cc: x86@kernel.org, linux-kernel@vger.kernel.org, mingo@kernel.org, Ard Biesheuvel, Tom Lendacky, Borislav Petkov, Dionna Amalie Glaze, Kevin Loughlin
The x86 EFI stub no longer boots the core kernel via the traditional decompressor but jumps straight to it, avoiding all the page fault handling and other complexity that is entirely unnecessary when booting via EFI, which guarantees that all system memory is mapped 1:1.

The SEV startup code in the core kernel expects the address of the CC blob configuration table in boot_params, so store it there when booting from EFI with SEV-SNP enabled. This removes the need to call sev_enable() from the EFI stub.

Signed-off-by: Ard Biesheuvel
---
drivers/firmware/efi/libstub/x86-stub.c | 21 +++++++++++++++-----
1 file changed, 16 insertions(+), 5 deletions(-)

diff --git a/drivers/firmware/efi/libstub/x86-stub.c b/drivers/firmware/efi/libstub/x86-stub.c index cafc90d4caaf..d9ae1a230d39 100644 --- a/drivers/firmware/efi/libstub/x86-stub.c +++ b/drivers/firmware/efi/libstub/x86-stub.c @@ -681,17 +681,28 @@ static efi_status_t exit_boot(struct boot_params *boot_params, void *handle) return EFI_SUCCESS; } -static bool have_unsupported_snp_features(void) +static bool check_snp_features(struct boot_params *bp) { + u64 status = sev_get_status(); u64 unsupported; - unsupported = snp_get_unsupported_features(sev_get_status()); + unsupported = snp_get_unsupported_features(status); if (unsupported) { efi_err("Unsupported SEV-SNP features detected: 0x%llx\n", unsupported); - return true; + return false; } - return false; + + if (status & MSR_AMD64_SEV_SNP_ENABLED) { + void *tbl = get_efi_config_table(EFI_CC_BLOB_GUID); + + if (!tbl) { + efi_err("SEV-SNP is enabled but CC blob not found\n"); + return false; + } + bp->cc_blob_address = (u32)(unsigned long)tbl; + } + return true; } static void efi_get_seed(void *seed, int size)
@@ -829,7 +840,7 @@ void __noreturn efi_stub_entry(efi_handle_t handle, hdr = &boot_params->hdr; - if (have_unsupported_snp_features()) + if (!check_snp_features(boot_params)) efi_exit(handle, EFI_UNSUPPORTED); if (IS_ENABLED(CONFIG_EFI_DXE_MEM_ATTRIBUTES)) {
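Review bot: in the `@@ -681,17 +681,28 @@` hunk, `bp->cc_blob_address = (u32)(unsigned long)tbl;` silently truncates the table address to 32 bits; boot_params only has room for a 32-bit value here, so if firmware places the CC blob configuration table above 4 GiB the core kernel would be handed a wrong address with no diagnostic. Suggest rejecting that case explicitly before the store, in the same style as the existing `!tbl` check, e.g. `if ((unsigned long)tbl > U32_MAX) { efi_err("SEV-SNP CC blob table above 4 GiB\n"); return false; }`. Note also that the function now returns `true` on success, the opposite sense of the `have_unsupported_snp_features()` it replaces, so a one-line comment on the return convention would help readers of the call site.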
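Review bot: in the `@@ -829,7 +840,7 @@` hunk, `if (!check_snp_features(boot_params)) efi_exit(handle, EFI_UNSUPPORTED);` now also covers the new "SEV-SNP is enabled but CC blob not found" failure, which exits with the same EFI_UNSUPPORTED status as the unsupported-features case. That is workable because `check_snp_features()` prints a distinct efi_err() message for each, but the commit message should state that a missing CC blob table now aborts the EFI boot in the stub, since that is a behaviour change visible to firmware and VMM implementers and is not mentioned in the description.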
Date: Tue, 22 Apr 2025 12:07:32 +0200
Message-ID: <20250422100728.208479-10-ardb+git@google.com>
In-Reply-To: <20250422100728.208479-7-ardb+git@google.com>
Subject: [PATCH v3 3/5] x86/boot: Drop redundant RMPADJUST in SEV SVSM presence check
From: Ard Biesheuvel
To: linux-efi@vger.kernel.org
Cc: x86@kernel.org, linux-kernel@vger.kernel.org, mingo@kernel.org, Ard Biesheuvel, Tom Lendacky, Borislav Petkov, Dionna Amalie Glaze, Kevin Loughlin

snp_vmpl will be assigned a non-zero value when executing at a VMPL other than 0, and this is inferred from a call to RMPADJUST, which only works when running at VMPL0. This means that testing snp_vmpl is sufficient, and there is no need to perform the same check again.

Signed-off-by: Ard Biesheuvel
---
arch/x86/boot/compressed/sev.c | 20 +++-----------------
1 file changed, 3 insertions(+), 17 deletions(-)

diff --git a/arch/x86/boot/compressed/sev.c b/arch/x86/boot/compressed/sev.c index 478c65149cf0..91a2836b20a1 100644 --- a/arch/x86/boot/compressed/sev.c
+++ b/arch/x86/boot/compressed/sev.c 
@@ -582,30 +582,16 @@ void sev_enable(struct boot_params *bp) */ if (sev_status & MSR_AMD64_SEV_SNP_ENABLED) { u64 hv_features; - int ret; hv_features = get_hv_features(); if (!(hv_features & GHCB_HV_FT_SNP)) sev_es_terminate(SEV_TERM_SET_GEN, GHCB_SNP_UNSUPPORTED); /* - * Enforce running at VMPL0 or with an SVSM. - * - * Use RMPADJUST (see the rmpadjust() function for a description of - * what the instruction does) to update the VMPL1 permissions of a - * page. If the guest is running at VMPL0, this will succeed. If the - * guest is running at any other VMPL, this will fail. Linux SNP guests - * only ever run at a single VMPL level so permission mask changes of a - * lesser-privileged VMPL are a don't-care. + * Running at VMPL0 is required unless an SVSM is present and + * the hypervisor supports the required SVSM GHCB events. */ - ret = rmpadjust((unsigned long)&boot_ghcb_page, RMP_PG_SIZE_4K, 1); - - /* - * Running at VMPL0 is not required if an SVSM is present and the hypervisor - * supports the required SVSM GHCB events. 
- */ - if (ret && - !(snp_vmpl && (hv_features & GHCB_HV_FT_SNP_MULTI_VMPL))) + if (snp_vmpl > 0 && !(hv_features & GHCB_HV_FT_SNP_MULTI_VMPL)) sev_es_terminate(SEV_TERM_SET_LINUX, GHCB_TERM_NOT_VMPL0); }
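Review bot: the replaced condition `if (ret && !(snp_vmpl && (hv_features & GHCB_HV_FT_SNP_MULTI_VMPL)))` also terminated when RMPADJUST failed while `snp_vmpl` was still 0, whereas the new `if (snp_vmpl > 0 && !(hv_features & GHCB_HV_FT_SNP_MULTI_VMPL))` depends entirely on `snp_vmpl` having been assigned before sev_enable() reaches this point. The commit message says the value is inferred from an earlier RMPADJUST but does not name where that happens; please cite the function that sets `snp_vmpl` so the ordering guarantee is on record for this hunk. Dropping the `rmpadjust()` call also drops its side effect on the VMPL1 permissions of `boot_ghcb_page`, which the deleted comment describes as a don't-care, so no functional concern there.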
Date: Tue, 22 Apr 2025 12:07:33 +0200
Message-ID: <20250422100728.208479-11-ardb+git@google.com>
In-Reply-To: <20250422100728.208479-7-ardb+git@google.com>
Subject: [PATCH v3 4/5] x86/sev: Unify SEV-SNP hypervisor feature check
From: Ard Biesheuvel
To: linux-efi@vger.kernel.org
Cc: x86@kernel.org, linux-kernel@vger.kernel.org, mingo@kernel.org, Ard Biesheuvel, Tom Lendacky, Borislav Petkov, Dionna Amalie Glaze, Kevin Loughlin

The decompressor and the core kernel both check the hypervisor feature mask exposed by the hypervisor, but test it in slightly different ways. This disparity seems unintentional, and simply a result of the fact that the decompressor and the core kernel evolve differently over time when it comes to setting up the SEV-SNP execution context.

So move the HV feature check into a helper function and call that instead. For the core kernel, move the check to an earlier boot stage, right after the point where it is established that the guest is executing in SEV-SNP mode.
Signed-off-by: Ard Biesheuvel --- arch/x86/boot/compressed/sev.c | 19 +---------- arch/x86/boot/startup/sev-shared.c | 33 +++++++++++++++----- arch/x86/boot/startup/sme.c | 2 ++ arch/x86/coco/sev/core.c | 11 ------- arch/x86/include/asm/sev-internal.h | 3 +- arch/x86/include/asm/sev.h | 2 ++ 6 files changed, 32 insertions(+), 38 deletions(-) diff --git a/arch/x86/boot/compressed/sev.c b/arch/x86/boot/compressed/sev.c index 91a2836b20a1..5477f8bf9c96 100644 --- a/arch/x86/boot/compressed/sev.c +++ b/arch/x86/boot/compressed/sev.c @@ -576,24 +576,7 @@ void sev_enable(struct boot_params *bp) sev_es_terminate(SEV_TERM_SET_GEN, GHCB_SEV_ES_PROT_UNSUPPORTED); } - /* - * SNP is supported in v2 of the GHCB spec which mandates support for HV - * features. - */ - if (sev_status & MSR_AMD64_SEV_SNP_ENABLED) { - u64 hv_features; - - hv_features = get_hv_features(); - if (!(hv_features & GHCB_HV_FT_SNP)) - sev_es_terminate(SEV_TERM_SET_GEN, GHCB_SNP_UNSUPPORTED); - - /* - * Running at VMPL0 is required unless an SVSM is present and - * the hypervisor supports the required SVSM GHCB events. - */ - if (snp_vmpl > 0 && !(hv_features & GHCB_HV_FT_SNP_MULTI_VMPL)) - sev_es_terminate(SEV_TERM_SET_LINUX, GHCB_TERM_NOT_VMPL0); - } + snp_check_hv_features(); if (snp && !(sev_status & MSR_AMD64_SEV_SNP_ENABLED)) error("SEV-SNP supported indicated by CC blob, but not SEV status MSR."); diff --git a/arch/x86/boot/startup/sev-shared.c b/arch/x86/boot/startup/sev-shared.c index 173f3d1f777a..7151cdd37557 100644 --- a/arch/x86/boot/startup/sev-shared.c +++ b/arch/x86/boot/startup/sev-shared.c @@ -94,16 +94,10 @@ sev_es_terminate(unsigned int set, unsigned int reason) asm volatile("hlt\n" : : : "memory"); } -/* - * The hypervisor features are available from GHCB version 2 onward. - */ -u64 get_hv_features(void) +static u64 __head get_hv_features(void) { u64 val; - if (ghcb_version < 2) - return 0; - sev_es_wr_ghcb_msr(GHCB_MSR_HV_FT_REQ); VMGEXIT(); 
@@ -114,6 +108,31 @@ u64 get_hv_features(void) return GHCB_MSR_HV_FT_RESP_VAL(val); } +u64 __head snp_check_hv_features(void) +{ + /* + * SNP is supported in v2 of the GHCB spec which mandates support for HV + * features. + */ + if (sev_status & MSR_AMD64_SEV_SNP_ENABLED) { + u64 hv_features; + + hv_features = get_hv_features(); + if (!(hv_features & GHCB_HV_FT_SNP)) + sev_es_terminate(SEV_TERM_SET_GEN, GHCB_SNP_UNSUPPORTED); + + /* + * Running at VMPL0 is required unless an SVSM is present and + * the hypervisor supports the required SVSM GHCB events. + */ + if (snp_vmpl > 0 && !(hv_features & GHCB_HV_FT_SNP_MULTI_VMPL)) + sev_es_terminate(SEV_TERM_SET_LINUX, GHCB_TERM_NOT_VMPL0); + + return hv_features; + } + return 0; +} + void snp_register_ghcb_early(unsigned long paddr) { unsigned long pfn = paddr >> PAGE_SHIFT; diff --git a/arch/x86/boot/startup/sme.c b/arch/x86/boot/startup/sme.c index 5738b31c8e60..11caa343790d 100644 --- a/arch/x86/boot/startup/sme.c +++ b/arch/x86/boot/startup/sme.c @@ -533,6 +533,8 @@ void __head sme_enable(struct boot_params *bp) if (snp_en ^ !!(msr & MSR_AMD64_SEV_SNP_ENABLED)) snp_abort(); + sev_hv_features = snp_check_hv_features(); + /* Check if memory encryption is enabled */ if (feature_mask == AMD_SME_BIT) { if (!(bp->hdr.xloadflags & XLF_MEM_ENCRYPTION)) diff --git a/arch/x86/coco/sev/core.c b/arch/x86/coco/sev/core.c index 617988a5f3d7..20c37bff6259 100644 --- a/arch/x86/coco/sev/core.c +++ b/arch/x86/coco/sev/core.c 
@@ -1170,17 +1170,6 @@ void __init sev_es_init_vc_handling(void) if (!sev_es_check_cpu_features()) panic("SEV-ES CPU Features missing"); - /* - * SNP is supported in v2 of the GHCB spec which mandates support for HV - * features. - */ - if (cc_platform_has(CC_ATTR_GUEST_SEV_SNP)) { - sev_hv_features = get_hv_features(); - - if (!(sev_hv_features & GHCB_HV_FT_SNP)) - sev_es_terminate(SEV_TERM_SET_GEN, GHCB_SNP_UNSUPPORTED); - } - /* Initialize per-cpu GHCB pages */ for_each_possible_cpu(cpu) { alloc_runtime_data(cpu); diff --git a/arch/x86/include/asm/sev-internal.h b/arch/x86/include/asm/sev-internal.h index e54847a69107..3d3fbcae7ba7 100644 --- a/arch/x86/include/asm/sev-internal.h +++ b/arch/x86/include/asm/sev-internal.h @@ -4,7 +4,6 @@ extern struct ghcb boot_ghcb_page; extern struct ghcb *boot_ghcb; -extern u64 sev_hv_features; /* #VC handler runtime per-CPU data */ struct sev_es_runtime_data { @@ -107,6 +106,6 @@ enum es_result sev_es_ghcb_hv_call(struct ghcb *ghcb, void snp_register_ghcb_early(unsigned long paddr); bool sev_es_negotiate_protocol(void); bool sev_es_check_cpu_features(void); -u64 get_hv_features(void); +void check_hv_features(void); const struct snp_cpuid_table *snp_cpuid_get_table(void); diff --git a/arch/x86/include/asm/sev.h b/arch/x86/include/asm/sev.h index a8661dfc9a9a..8637a65973ef 100644 --- a/arch/x86/include/asm/sev.h +++ b/arch/x86/include/asm/sev.h @@ -418,6 +418,7 @@ struct svsm_call { #ifdef CONFIG_AMD_MEM_ENCRYPT extern u8 snp_vmpl; +extern u64 sev_hv_features; extern void __sev_es_ist_enter(struct pt_regs *regs); extern void __sev_es_ist_exit(void); 
@@ -494,6 +495,7 @@ void snp_set_memory_private(unsigned long vaddr, unsigned long npages); void snp_set_wakeup_secondary_cpu(void); bool snp_init(struct boot_params *bp); void __noreturn snp_abort(void); +u64 snp_check_hv_features(void); void snp_dmi_setup(void); int snp_issue_svsm_attest_req(u64 call_id, struct svsm_call *call, struct svsm_attest_call *input); void snp_accept_memory(phys_addr_t start, phys_addr_t end);
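Review bot: the prototype change `-u64 get_hv_features(void); +void check_hv_features(void);` in the sev-internal.h `@@ -107,6 +106,6 @@` hunk declares a function that nothing in this series defines: the helper actually added is `u64 __head snp_check_hv_features(void)` in sev-shared.c, and it is already declared with the right name and return type in the sev.h `@@ -494,6 +495,7 @@` hunk of this same patch. The `check_hv_features` line looks like a leftover from an earlier revision and should be dropped rather than left as a dangling declaration; since `get_hv_features()` is now `static` in sev-shared.c, no replacement prototype is needed in sev-internal.h at all.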
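Review bot: `sev_hv_features = snp_check_hv_features();` in the sme.c `@@ -533,6 +533,8 @@` hunk makes the core kernel run the VMPL test inside the new helper (`if (snp_vmpl > 0 && !(hv_features & GHCB_HV_FT_SNP_MULTI_VMPL))`), which the removed core.c block never performed; that block only tested GHCB_HV_FT_SNP. Whether this is a no-op depends on `snp_vmpl` already holding its final value when sme_enable() runs, and that ordering is not visible in this diff. The commit message says the check moves to an earlier boot stage but should also state that the core kernel now enforces the VMPL0/SVSM requirement, and say at which point `snp_vmpl` is initialised relative to sme_enable().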
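Review bot: removing `if (ghcb_version < 2) return 0;` from `get_hv_features()` in the sev-shared.c `@@ -94,16 +94,10 @@` hunk is only safe while every caller is gated on SNP being enabled, which the sole remaining caller `snp_check_hv_features()` is via `if (sev_status & MSR_AMD64_SEV_SNP_ENABLED)`; the comment carried into the new helper, "SNP is supported in v2 of the GHCB spec which mandates support for HV features", is what justifies that. Making the function `static` keeps that invariant local, but a short comment above `get_hv_features()` saying it must only be called for SNP guests would document why the version guard is no longer needed.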
Date: Tue, 22 Apr 2025 12:07:34 +0200
In-Reply-To: <20250422100728.208479-7-ardb+git@google.com>
X-Mailing-List: linux-efi@vger.kernel.org
References: <20250422100728.208479-7-ardb+git@google.com>
Message-ID: <20250422100728.208479-12-ardb+git@google.com>
Subject: [PATCH v3 5/5] x86/efistub: Don't bother enabling SEV in the EFI stub
From: Ard Biesheuvel
To: linux-efi@vger.kernel.org
Cc: x86@kernel.org, linux-kernel@vger.kernel.org, mingo@kernel.org, Ard Biesheuvel , Tom Lendacky , Borislav Petkov , Dionna Amalie Glaze , Kevin Loughlin
From: Ard Biesheuvel

One of the last things the EFI stub does before handing over to the core kernel when booting as a SEV guest is enabling SEV, even though this is mostly redundant: one of the first things the core kernel does is calling sme_enable(), after setting up the early GDT and IDT but before even setting up the kernel page tables. sme_enable() performs the same SEV-SNP initialization that the decompressor performs in sev_enable().

So let's just drop this call to sev_enable(), and rely on the core kernel to initialize SEV correctly.

Signed-off-by: Ard Biesheuvel
---
arch/x86/include/asm/sev.h | 2 --
drivers/firmware/efi/libstub/x86-stub.c | 6 ------
2 files changed, 8 deletions(-)

diff --git a/arch/x86/include/asm/sev.h b/arch/x86/include/asm/sev.h index 8637a65973ef..d762cc0fd47e 100644 --- a/arch/x86/include/asm/sev.h +++ b/arch/x86/include/asm/sev.h @@ -443,7 +443,6 @@ static __always_inline void sev_es_nmi_complete(void) __sev_es_nmi_complete(); } extern int __init sev_es_efi_map_ghcbs(pgd_t *pgd); -extern void sev_enable(struct boot_params *bp); /* * RMPADJUST modifies the RMP permissions of a page of a lesser- @@ -531,7 +530,6 @@ static inline void sev_es_ist_exit(void) { } static inline int sev_es_setup_ap_jump_table(struct real_mode_header *rmh) { return 0; } static inline void sev_es_nmi_complete(void) { } static inline int sev_es_efi_map_ghcbs(pgd_t *pgd) { return 0; } -static inline void sev_enable(struct boot_params *bp) { } static inline int pvalidate(unsigned long vaddr, bool rmp_psize, bool validate) { return 0; } static inline int rmpadjust(unsigned long vaddr, bool rmp_psize, unsigned long attrs) { return 0; } static inline void setup_ghcb(void) { } diff --git a/drivers/firmware/efi/libstub/x86-stub.c b/drivers/firmware/efi/libstub/x86-stub.c index d9ae1a230d39..6b4f5ac91e7f 100644 --- a/drivers/firmware/efi/libstub/x86-stub.c +++ b/drivers/firmware/efi/libstub/x86-stub.c 
@@ -936,12 +936,6 @@ void __noreturn efi_stub_entry(efi_handle_t handle, goto fail; } - /* - * Call the SEV init code while still running with the firmware's - * GDT/IDT, so #VC exceptions will be handled by EFI. - */ - sev_enable(boot_params); - efi_5level_switch(); enter_kernel(kernel_entry, boot_params);
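Review bot: the comment deleted from efi_stub_entry() records why sev_enable() was called at that point: the firmware's GDT/IDT were still live, so any #VC raised by the SEV init code was handled by EFI. The same initialization now happens in sme_enable(), which the commit message says runs after the kernel's early GDT and IDT are set up; the message should state explicitly that the early IDT already has a #VC handler installed by then (or that nothing on the path up to sme_enable() can raise #VC), since that is precisely the property the removed comment documented. A second line would also help: the diffstat touches only sev.h and x86-stub.c, so sev_enable() itself stays in place for the decompressor, and the header hunks only drop its two declarations (the real prototype and the !CONFIG_AMD_MEM_ENCRYPT stub); if the EFI stub was its only caller outside the decompressor, say so.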