Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
tjh.dev
kernel
os
linux
x86/mm: Encrypt the initrd earlier for BSP microcode update
Currently the BSP microcode update code examines the initrd very early
in the boot process. If SME is active, the initrd is treated as being
encrypted but it has not been encrypted (in place) yet. Update the
early boot code that encrypts the kernel to also encrypt the initrd so
that early BSP microcode updates work.
Tested-by: Gabriel Craciunescu <nix.or.die@gmail.com>
Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
Reviewed-by: Borislav Petkov <bp@suse.de>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brijesh Singh <brijesh.singh@amd.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: http://lkml.kernel.org/r/20180110192634.6026.10452.stgit@tlendack-t1.amdoffice.net
Signed-off-by: Ingo Molnar <mingo@kernel.org>
authored by Tom Lendacky and committed by Ingo Molnar 107cd253 cc5f01e2
+2
-2
arch/x86/include/asm/mem_encrypt.h
+2
-2
arch/x86/include/asm/mem_encrypt.h
···
39
40
void __init sme_early_init(void);
41
42
-
void __init sme_encrypt_kernel(void);
43
void __init sme_enable(struct boot_params *bp);
44
45
int __init early_set_memory_decrypted(unsigned long vaddr, unsigned long size);
···
67
68
static inline void __init sme_early_init(void) { }
69
70
-
static inline void __init sme_encrypt_kernel(void) { }
71
static inline void __init sme_enable(struct boot_params *bp) { }
72
73
static inline bool sme_active(void) { return false; }
···
39
40
void __init sme_early_init(void);
41
42
+
void __init sme_encrypt_kernel(struct boot_params *bp);
43
void __init sme_enable(struct boot_params *bp);
44
45
int __init early_set_memory_decrypted(unsigned long vaddr, unsigned long size);
···
67
68
static inline void __init sme_early_init(void) { }
69
70
+
static inline void __init sme_encrypt_kernel(struct boot_params *bp) { }
71
static inline void __init sme_enable(struct boot_params *bp) { }
72
73
static inline bool sme_active(void) { return false; }
+2
-2
arch/x86/kernel/head64.c
+2
-2
arch/x86/kernel/head64.c
-10
arch/x86/kernel/setup.c
-10
arch/x86/kernel/setup.c
···
364
!ramdisk_image || !ramdisk_size)
365
return; /* No initrd provided by bootloader */
366
367
-
/*
368
-
* If SME is active, this memory will be marked encrypted by the
369
-
* kernel when it is accessed (including relocation). However, the
370
-
* ramdisk image was loaded decrypted by the bootloader, so make
371
-
* sure that it is encrypted before accessing it. For SEV the
372
-
* ramdisk will already be encrypted, so only do this for SME.
373
-
*/
374
-
if (sme_active())
375
-
sme_early_encrypt(ramdisk_image, ramdisk_end - ramdisk_image);
376
-
377
initrd_start = 0;
378
379
mapped_size = memblock_mem_size(max_pfn_mapped);
+58
-8
arch/x86/mm/mem_encrypt.c
+58
-8
arch/x86/mm/mem_encrypt.c
···
738
return total;
739
}
740
741
-
void __init sme_encrypt_kernel(void)
742
{
743
unsigned long workarea_start, workarea_end, workarea_len;
744
unsigned long execute_start, execute_end, execute_len;
745
unsigned long kernel_start, kernel_end, kernel_len;
746
struct sme_populate_pgd_data ppd;
747
unsigned long pgtable_area_len;
748
unsigned long decrypted_base;
···
752
return;
753
754
/*
755
-
* Prepare for encrypting the kernel by building new pagetables with
756
-
* the necessary attributes needed to encrypt the kernel in place.
757
*
758
* One range of virtual addresses will map the memory occupied
759
-
* by the kernel as encrypted.
760
*
761
* Another range of virtual addresses will map the memory occupied
762
-
* by the kernel as decrypted and write-protected.
763
*
764
* The use of write-protect attribute will prevent any of the
765
* memory from being cached.
···
770
kernel_start = __pa_symbol(_text);
771
kernel_end = ALIGN(__pa_symbol(_end), PMD_PAGE_SIZE);
772
kernel_len = kernel_end - kernel_start;
773
774
/* Set the encryption workarea to be immediately after the kernel */
775
workarea_start = kernel_end;
···
807
*/
808
pgtable_area_len = sizeof(pgd_t) * PTRS_PER_PGD;
809
pgtable_area_len += sme_pgtable_calc(execute_end - kernel_start) * 2;
810
811
/* PUDs and PMDs needed in the current pagetables for the workarea */
812
pgtable_area_len += sme_pgtable_calc(execute_len + pgtable_area_len);
···
847
848
/*
849
* A new pagetable structure is being built to allow for the kernel
850
-
* to be encrypted. It starts with an empty PGD that will then be
851
-
* populated with new PUDs and PMDs as the encrypted and decrypted
852
-
* kernel mappings are created.
853
*/
854
ppd.pgd = ppd.pgtable_area;
855
memset(ppd.pgd, 0, sizeof(pgd_t) * PTRS_PER_PGD);
···
862
* the base of the mapping.
863
*/
864
decrypted_base = (pgd_index(workarea_end) + 1) & (PTRS_PER_PGD - 1);
865
decrypted_base <<= PGDIR_SHIFT;
866
867
/* Add encrypted kernel (identity) mappings */
···
881
ppd.vaddr = kernel_start + decrypted_base;
882
ppd.vaddr_end = kernel_end + decrypted_base;
883
sme_map_range_decrypted_wp(&ppd);
884
885
/* Add decrypted workarea mappings to both kernel mappings */
886
ppd.paddr = workarea_start;
···
912
sme_encrypt_execute(kernel_start, kernel_start + decrypted_base,
913
kernel_len, workarea_start, (unsigned long)ppd.pgd);
914
915
/*
916
* At this point we are running encrypted. Remove the mappings for
917
* the decrypted areas - all that is needed for this is to remove
···
925
ppd.vaddr = kernel_start + decrypted_base;
926
ppd.vaddr_end = kernel_end + decrypted_base;
927
sme_clear_pgd(&ppd);
928
929
ppd.vaddr = workarea_start + decrypted_base;
930
ppd.vaddr_end = workarea_end + decrypted_base;
···
738
return total;
739
}
740
741
+
void __init sme_encrypt_kernel(struct boot_params *bp)
742
{
743
unsigned long workarea_start, workarea_end, workarea_len;
744
unsigned long execute_start, execute_end, execute_len;
745
unsigned long kernel_start, kernel_end, kernel_len;
746
+
unsigned long initrd_start, initrd_end, initrd_len;
747
struct sme_populate_pgd_data ppd;
748
unsigned long pgtable_area_len;
749
unsigned long decrypted_base;
···
751
return;
752
753
/*
754
+
* Prepare for encrypting the kernel and initrd by building new
755
+
* pagetables with the necessary attributes needed to encrypt the
756
+
* kernel in place.
757
*
758
* One range of virtual addresses will map the memory occupied
759
+
* by the kernel and initrd as encrypted.
760
*
761
* Another range of virtual addresses will map the memory occupied
762
+
* by the kernel and initrd as decrypted and write-protected.
763
*
764
* The use of write-protect attribute will prevent any of the
765
* memory from being cached.
···
768
kernel_start = __pa_symbol(_text);
769
kernel_end = ALIGN(__pa_symbol(_end), PMD_PAGE_SIZE);
770
kernel_len = kernel_end - kernel_start;
771
+
772
+
initrd_start = 0;
773
+
initrd_end = 0;
774
+
initrd_len = 0;
775
+
#ifdef CONFIG_BLK_DEV_INITRD
776
+
initrd_len = (unsigned long)bp->hdr.ramdisk_size |
777
+
((unsigned long)bp->ext_ramdisk_size << 32);
778
+
if (initrd_len) {
779
+
initrd_start = (unsigned long)bp->hdr.ramdisk_image |
780
+
((unsigned long)bp->ext_ramdisk_image << 32);
781
+
initrd_end = PAGE_ALIGN(initrd_start + initrd_len);
782
+
initrd_len = initrd_end - initrd_start;
783
+
}
784
+
#endif
785
786
/* Set the encryption workarea to be immediately after the kernel */
787
workarea_start = kernel_end;
···
791
*/
792
pgtable_area_len = sizeof(pgd_t) * PTRS_PER_PGD;
793
pgtable_area_len += sme_pgtable_calc(execute_end - kernel_start) * 2;
794
+
if (initrd_len)
795
+
pgtable_area_len += sme_pgtable_calc(initrd_len) * 2;
796
797
/* PUDs and PMDs needed in the current pagetables for the workarea */
798
pgtable_area_len += sme_pgtable_calc(execute_len + pgtable_area_len);
···
829
830
/*
831
* A new pagetable structure is being built to allow for the kernel
832
+
* and initrd to be encrypted. It starts with an empty PGD that will
833
+
* then be populated with new PUDs and PMDs as the encrypted and
834
+
* decrypted kernel mappings are created.
835
*/
836
ppd.pgd = ppd.pgtable_area;
837
memset(ppd.pgd, 0, sizeof(pgd_t) * PTRS_PER_PGD);
···
844
* the base of the mapping.
845
*/
846
decrypted_base = (pgd_index(workarea_end) + 1) & (PTRS_PER_PGD - 1);
847
+
if (initrd_len) {
848
+
unsigned long check_base;
849
+
850
+
check_base = (pgd_index(initrd_end) + 1) & (PTRS_PER_PGD - 1);
851
+
decrypted_base = max(decrypted_base, check_base);
852
+
}
853
decrypted_base <<= PGDIR_SHIFT;
854
855
/* Add encrypted kernel (identity) mappings */
···
857
ppd.vaddr = kernel_start + decrypted_base;
858
ppd.vaddr_end = kernel_end + decrypted_base;
859
sme_map_range_decrypted_wp(&ppd);
860
+
861
+
if (initrd_len) {
862
+
/* Add encrypted initrd (identity) mappings */
863
+
ppd.paddr = initrd_start;
864
+
ppd.vaddr = initrd_start;
865
+
ppd.vaddr_end = initrd_end;
866
+
sme_map_range_encrypted(&ppd);
867
+
/*
868
+
* Add decrypted, write-protected initrd (non-identity) mappings
869
+
*/
870
+
ppd.paddr = initrd_start;
871
+
ppd.vaddr = initrd_start + decrypted_base;
872
+
ppd.vaddr_end = initrd_end + decrypted_base;
873
+
sme_map_range_decrypted_wp(&ppd);
874
+
}
875
876
/* Add decrypted workarea mappings to both kernel mappings */
877
ppd.paddr = workarea_start;
···
873
sme_encrypt_execute(kernel_start, kernel_start + decrypted_base,
874
kernel_len, workarea_start, (unsigned long)ppd.pgd);
875
876
+
if (initrd_len)
877
+
sme_encrypt_execute(initrd_start, initrd_start + decrypted_base,
878
+
initrd_len, workarea_start,
879
+
(unsigned long)ppd.pgd);
880
+
881
/*
882
* At this point we are running encrypted. Remove the mappings for
883
* the decrypted areas - all that is needed for this is to remove
···
881
ppd.vaddr = kernel_start + decrypted_base;
882
ppd.vaddr_end = kernel_end + decrypted_base;
883
sme_clear_pgd(&ppd);
884
+
885
+
if (initrd_len) {
886
+
ppd.vaddr = initrd_start + decrypted_base;
887
+
ppd.vaddr_end = initrd_end + decrypted_base;
888
+
sme_clear_pgd(&ppd);
889
+
}
890
891
ppd.vaddr = workarea_start + decrypted_base;
892
ppd.vaddr_end = workarea_end + decrypted_base;
+23
-23
arch/x86/mm/mem_encrypt_boot.S
+23
-23
arch/x86/mm/mem_encrypt_boot.S
···
22
23
/*
24
* Entry parameters:
25
-
* RDI - virtual address for the encrypted kernel mapping
26
-
* RSI - virtual address for the decrypted kernel mapping
27
-
* RDX - length of kernel
28
* RCX - virtual address of the encryption workarea, including:
29
* - stack page (PAGE_SIZE)
30
* - encryption routine page (PAGE_SIZE)
···
41
addq $PAGE_SIZE, %rax /* Workarea encryption routine */
42
43
push %r12
44
-
movq %rdi, %r10 /* Encrypted kernel */
45
-
movq %rsi, %r11 /* Decrypted kernel */
46
-
movq %rdx, %r12 /* Kernel length */
47
48
/* Copy encryption routine into the workarea */
49
movq %rax, %rdi /* Workarea encryption routine */
···
52
rep movsb
53
54
/* Setup registers for call */
55
-
movq %r10, %rdi /* Encrypted kernel */
56
-
movq %r11, %rsi /* Decrypted kernel */
57
movq %r8, %rdx /* Pagetables used for encryption */
58
-
movq %r12, %rcx /* Kernel length */
59
movq %rax, %r8 /* Workarea encryption routine */
60
addq $PAGE_SIZE, %r8 /* Workarea intermediate copy buffer */
61
···
71
72
ENTRY(__enc_copy)
73
/*
74
-
* Routine used to encrypt kernel.
75
* This routine must be run outside of the kernel proper since
76
* the kernel will be encrypted during the process. So this
77
* routine is defined here and then copied to an area outside
···
79
* during execution.
80
*
81
* On entry the registers must be:
82
-
* RDI - virtual address for the encrypted kernel mapping
83
-
* RSI - virtual address for the decrypted kernel mapping
84
* RDX - address of the pagetables to use for encryption
85
-
* RCX - length of kernel
86
* R8 - intermediate copy buffer
87
*
88
* RAX - points to this routine
89
*
90
-
* The kernel will be encrypted by copying from the non-encrypted
91
-
* kernel space to an intermediate buffer and then copying from the
92
-
* intermediate buffer back to the encrypted kernel space. The physical
93
-
* addresses of the two kernel space mappings are the same which
94
-
* results in the kernel being encrypted "in place".
95
*/
96
/* Enable the new page tables */
97
mov %rdx, %cr3
···
106
push %r15
107
push %r12
108
109
-
movq %rcx, %r9 /* Save kernel length */
110
-
movq %rdi, %r10 /* Save encrypted kernel address */
111
-
movq %rsi, %r11 /* Save decrypted kernel address */
112
113
/* Set the PAT register PA5 entry to write-protect */
114
movl $MSR_IA32_CR_PAT, %ecx
···
128
movq %r9, %r12
129
130
2:
131
-
movq %r11, %rsi /* Source - decrypted kernel */
132
movq %r8, %rdi /* Dest - intermediate copy buffer */
133
movq %r12, %rcx
134
rep movsb
135
136
movq %r8, %rsi /* Source - intermediate copy buffer */
137
-
movq %r10, %rdi /* Dest - encrypted kernel */
138
movq %r12, %rcx
139
rep movsb
140
···
22
23
/*
24
* Entry parameters:
25
+
* RDI - virtual address for the encrypted mapping
26
+
* RSI - virtual address for the decrypted mapping
27
+
* RDX - length to encrypt
28
* RCX - virtual address of the encryption workarea, including:
29
* - stack page (PAGE_SIZE)
30
* - encryption routine page (PAGE_SIZE)
···
41
addq $PAGE_SIZE, %rax /* Workarea encryption routine */
42
43
push %r12
44
+
movq %rdi, %r10 /* Encrypted area */
45
+
movq %rsi, %r11 /* Decrypted area */
46
+
movq %rdx, %r12 /* Area length */
47
48
/* Copy encryption routine into the workarea */
49
movq %rax, %rdi /* Workarea encryption routine */
···
52
rep movsb
53
54
/* Setup registers for call */
55
+
movq %r10, %rdi /* Encrypted area */
56
+
movq %r11, %rsi /* Decrypted area */
57
movq %r8, %rdx /* Pagetables used for encryption */
58
+
movq %r12, %rcx /* Area length */
59
movq %rax, %r8 /* Workarea encryption routine */
60
addq $PAGE_SIZE, %r8 /* Workarea intermediate copy buffer */
61
···
71
72
ENTRY(__enc_copy)
73
/*
74
+
* Routine used to encrypt memory in place.
75
* This routine must be run outside of the kernel proper since
76
* the kernel will be encrypted during the process. So this
77
* routine is defined here and then copied to an area outside
···
79
* during execution.
80
*
81
* On entry the registers must be:
82
+
* RDI - virtual address for the encrypted mapping
83
+
* RSI - virtual address for the decrypted mapping
84
* RDX - address of the pagetables to use for encryption
85
+
* RCX - length of area
86
* R8 - intermediate copy buffer
87
*
88
* RAX - points to this routine
89
*
90
+
* The area will be encrypted by copying from the non-encrypted
91
+
* memory space to an intermediate buffer and then copying from the
92
+
* intermediate buffer back to the encrypted memory space. The physical
93
+
* addresses of the two mappings are the same which results in the area
94
+
* being encrypted "in place".
95
*/
96
/* Enable the new page tables */
97
mov %rdx, %cr3
···
106
push %r15
107
push %r12
108
109
+
movq %rcx, %r9 /* Save area length */
110
+
movq %rdi, %r10 /* Save encrypted area address */
111
+
movq %rsi, %r11 /* Save decrypted area address */
112
113
/* Set the PAT register PA5 entry to write-protect */
114
movl $MSR_IA32_CR_PAT, %ecx
···
128
movq %r9, %r12
129
130
2:
131
+
movq %r11, %rsi /* Source - decrypted area */
132
movq %r8, %rdi /* Dest - intermediate copy buffer */
133
movq %r12, %rcx
134
rep movsb
135
136
movq %r8, %rsi /* Source - intermediate copy buffer */
137
+
movq %r10, %rdi /* Dest - encrypted area */
138
movq %r12, %rcx
139
rep movsb
140