Merge tag 'x86_urgent_for_v6.8_rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull x86 fixes from Borislav Petkov:

- Do not reserve SETUP_RNG_SEED setup data in the e820 map as it should
be used by kexec only

- Make sure MKTME feature detection happens at an earlier time in the
boot process so that the physical address size supported by the CPU
is properly corrected and MTRR masks are programmed properly, leading
to TDX systems booting without disable_mtrr_cleanup on the cmdline

- Make sure the different address sizes supported by the CPU are read
out as early as possible

* tag 'x86_urgent_for_v6.8_rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
x86/e820: Don't reserve SETUP_RNG_SEED in e820
x86/cpu/intel: Detect TME keyid bits before setting MTRR mask registers
x86/cpu: Allow reducing x86_phys_bits during early_identify_cpu()

Changed files
+98 -92
+2 -2
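--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -1589,6 +1589,7 @@
 get_cpu_vendor(c);
 get_cpu_cap(c);
 setup_force_cpu_cap(X86_FEATURE_CPUID);
+get_cpu_address_sizes(c);
 cpu_parse_early_param();
 
 if (this_cpu->c_early_init)
@@ -1601,9 +1602,8 @@
 this_cpu->c_bsp_init(c);
 } else {
 setup_clear_cpu_cap(X86_FEATURE_CPUID);
+get_cpu_address_sizes(c);
 }
-
-get_cpu_address_sizes(c);
 
 setup_force_cpu_cap(X86_FEATURE_ALWAYS);
 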
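Review bot: The new `get_cpu_address_sizes(c);` call in the CPUID branch carries no comment saying why it has to sit before `this_cpu->c_early_init`, so a later cleanup could hoist it back below the if/else as it was before. Going by the merge description, vendor early-init code is expected to lower x86_phys_bits, which only works if the address sizes have already been read at that point. A comment above the call such as `/* Must run before c_early_init(): vendor code may reduce x86_phys_bits. */` would pin the ordering. The enclosing function starts and ends outside both hunks.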
+91 -87
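--- a/arch/x86/kernel/cpu/intel.c
+++ b/arch/x86/kernel/cpu/intel.c
@@ -184,6 +184,90 @@
 return false;
 }
 
+#define MSR_IA32_TME_ACTIVATE 0x982
+
+/* Helpers to access TME_ACTIVATE MSR */
+#define TME_ACTIVATE_LOCKED(x) (x & 0x1)
+#define TME_ACTIVATE_ENABLED(x) (x & 0x2)
+
+#define TME_ACTIVATE_POLICY(x) ((x >> 4) & 0xf) /* Bits 7:4 */
+#define TME_ACTIVATE_POLICY_AES_XTS_128 0
+
+#define TME_ACTIVATE_KEYID_BITS(x) ((x >> 32) & 0xf) /* Bits 35:32 */
+
+#define TME_ACTIVATE_CRYPTO_ALGS(x) ((x >> 48) & 0xffff) /* Bits 63:48 */
+#define TME_ACTIVATE_CRYPTO_AES_XTS_128 1
+
+/* Values for mktme_status (SW only construct) */
+#define MKTME_ENABLED 0
+#define MKTME_DISABLED 1
+#define MKTME_UNINITIALIZED 2
+static int mktme_status = MKTME_UNINITIALIZED;
+
+static void detect_tme_early(struct cpuinfo_x86 *c)
+{
+u64 tme_activate, tme_policy, tme_crypto_algs;
+int keyid_bits = 0, nr_keyids = 0;
+static u64 tme_activate_cpu0 = 0;
+
+rdmsrl(MSR_IA32_TME_ACTIVATE, tme_activate);
+
+if (mktme_status != MKTME_UNINITIALIZED) {
+if (tme_activate != tme_activate_cpu0) {
+/* Broken BIOS? */
+pr_err_once("x86/tme: configuration is inconsistent between CPUs\n");
+pr_err_once("x86/tme: MKTME is not usable\n");
+mktme_status = MKTME_DISABLED;
+
+/* Proceed. We may need to exclude bits from x86_phys_bits. */
+}
+} else {
+tme_activate_cpu0 = tme_activate;
+}
+
+if (!TME_ACTIVATE_LOCKED(tme_activate) || !TME_ACTIVATE_ENABLED(tme_activate)) {
+pr_info_once("x86/tme: not enabled by BIOS\n");
+mktme_status = MKTME_DISABLED;
+return;
+}
+
+if (mktme_status != MKTME_UNINITIALIZED)
+goto detect_keyid_bits;
+
+pr_info("x86/tme: enabled by BIOS\n");
+
+tme_policy = TME_ACTIVATE_POLICY(tme_activate);
+if (tme_policy != TME_ACTIVATE_POLICY_AES_XTS_128)
+pr_warn("x86/tme: Unknown policy is active: %#llx\n", tme_policy);
+
+tme_crypto_algs = TME_ACTIVATE_CRYPTO_ALGS(tme_activate);
+if (!(tme_crypto_algs & TME_ACTIVATE_CRYPTO_AES_XTS_128)) {
+pr_err("x86/mktme: No known encryption algorithm is supported: %#llx\n",
+tme_crypto_algs);
+mktme_status = MKTME_DISABLED;
+}
+detect_keyid_bits:
+keyid_bits = TME_ACTIVATE_KEYID_BITS(tme_activate);
+nr_keyids = (1UL << keyid_bits) - 1;
+if (nr_keyids) {
+pr_info_once("x86/mktme: enabled by BIOS\n");
+pr_info_once("x86/mktme: %d KeyIDs available\n", nr_keyids);
+} else {
+pr_info_once("x86/mktme: disabled by BIOS\n");
+}
+
+if (mktme_status == MKTME_UNINITIALIZED) {
+/* MKTME is usable */
+mktme_status = MKTME_ENABLED;
+}
+
+/*
+* KeyID bits effectively lower the number of physical address
+* bits. Update cpuinfo_x86::x86_phys_bits accordingly.
+*/
+c->x86_phys_bits -= keyid_bits;
+}
+
 static void early_init_intel(struct cpuinfo_x86 *c)
 {
 u64 misc_enable;
@@ -322,6 +406,13 @@
 */
 if (detect_extended_topology_early(c) < 0)
 detect_ht_early(c);
+
+/*
+* Adjust the number of physical bits early because it affects the
+* valid bits of the MTRR mask registers.
+*/
+if (cpu_has(c, X86_FEATURE_TME))
+detect_tme_early(c);
 }
 
 static void bsp_init_intel(struct cpuinfo_x86 *c)
@@ -482,90 +573,6 @@
 #endif
 }
 
-#define MSR_IA32_TME_ACTIVATE 0x982
-
-/* Helpers to access TME_ACTIVATE MSR */
-#define TME_ACTIVATE_LOCKED(x) (x & 0x1)
-#define TME_ACTIVATE_ENABLED(x) (x & 0x2)
-
-#define TME_ACTIVATE_POLICY(x) ((x >> 4) & 0xf) /* Bits 7:4 */
-#define TME_ACTIVATE_POLICY_AES_XTS_128 0
-
-#define TME_ACTIVATE_KEYID_BITS(x) ((x >> 32) & 0xf) /* Bits 35:32 */
-
-#define TME_ACTIVATE_CRYPTO_ALGS(x) ((x >> 48) & 0xffff) /* Bits 63:48 */
-#define TME_ACTIVATE_CRYPTO_AES_XTS_128 1
-
-/* Values for mktme_status (SW only construct) */
-#define MKTME_ENABLED 0
-#define MKTME_DISABLED 1
-#define MKTME_UNINITIALIZED 2
-static int mktme_status = MKTME_UNINITIALIZED;
-
-static void detect_tme(struct cpuinfo_x86 *c)
-{
-u64 tme_activate, tme_policy, tme_crypto_algs;
-int keyid_bits = 0, nr_keyids = 0;
-static u64 tme_activate_cpu0 = 0;
-
-rdmsrl(MSR_IA32_TME_ACTIVATE, tme_activate);
-
-if (mktme_status != MKTME_UNINITIALIZED) {
-if (tme_activate != tme_activate_cpu0) {
-/* Broken BIOS? */
-pr_err_once("x86/tme: configuration is inconsistent between CPUs\n");
-pr_err_once("x86/tme: MKTME is not usable\n");
-mktme_status = MKTME_DISABLED;
-
-/* Proceed. We may need to exclude bits from x86_phys_bits. */
-}
-} else {
-tme_activate_cpu0 = tme_activate;
-}
-
-if (!TME_ACTIVATE_LOCKED(tme_activate) || !TME_ACTIVATE_ENABLED(tme_activate)) {
-pr_info_once("x86/tme: not enabled by BIOS\n");
-mktme_status = MKTME_DISABLED;
-return;
-}
-
-if (mktme_status != MKTME_UNINITIALIZED)
-goto detect_keyid_bits;
-
-pr_info("x86/tme: enabled by BIOS\n");
-
-tme_policy = TME_ACTIVATE_POLICY(tme_activate);
-if (tme_policy != TME_ACTIVATE_POLICY_AES_XTS_128)
-pr_warn("x86/tme: Unknown policy is active: %#llx\n", tme_policy);
-
-tme_crypto_algs = TME_ACTIVATE_CRYPTO_ALGS(tme_activate);
-if (!(tme_crypto_algs & TME_ACTIVATE_CRYPTO_AES_XTS_128)) {
-pr_err("x86/mktme: No known encryption algorithm is supported: %#llx\n",
-tme_crypto_algs);
-mktme_status = MKTME_DISABLED;
-}
-detect_keyid_bits:
-keyid_bits = TME_ACTIVATE_KEYID_BITS(tme_activate);
-nr_keyids = (1UL << keyid_bits) - 1;
-if (nr_keyids) {
-pr_info_once("x86/mktme: enabled by BIOS\n");
-pr_info_once("x86/mktme: %d KeyIDs available\n", nr_keyids);
-} else {
-pr_info_once("x86/mktme: disabled by BIOS\n");
-}
-
-if (mktme_status == MKTME_UNINITIALIZED) {
-/* MKTME is usable */
-mktme_status = MKTME_ENABLED;
-}
-
-/*
-* KeyID bits effectively lower the number of physical address
-* bits. Update cpuinfo_x86::x86_phys_bits accordingly.
-*/
-c->x86_phys_bits -= keyid_bits;
-}
-
 static void init_cpuid_fault(struct cpuinfo_x86 *c)
 {
 u64 msr;
@@ -701,9 +708,6 @@
 srat_detect_node(c);
 
 init_ia32_feat_ctl(c);
-
-if (cpu_has(c, X86_FEATURE_TME))
-detect_tme(c);
 
 init_intel_misc_features(c);
 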
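Review bot: `c->x86_phys_bits -= keyid_bits;` at the end of detect_tme_early() is not idempotent, and the function is now reached through early_init_intel() instead of the single late call that the last hunk removes. If early_init_intel() can run more than once on the same cpuinfo_x86 without x86_phys_bits being re-read in between (its callers are outside this section, so this needs checking), the KeyID bits would be subtracted twice and anything derived from x86_phys_bits, such as the MTRR masks the new comment mentions, would presumably be computed from too small a value. A comment above the subtraction, for example `/* Not idempotent: x86_phys_bits must be freshly set by get_cpu_address_sizes() before each call. */`, would record that dependency for whoever next reorders the early CPU setup.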
+5 -3
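--- a/arch/x86/kernel/e820.c
+++ b/arch/x86/kernel/e820.c
@@ -1017,10 +1017,12 @@
 e820__range_update(pa_data, sizeof(*data)+data->len, E820_TYPE_RAM, E820_TYPE_RESERVED_KERN);
 
 /*
-* SETUP_EFI and SETUP_IMA are supplied by kexec and do not need
-* to be reserved.
+* SETUP_EFI, SETUP_IMA and SETUP_RNG_SEED are supplied by
+* kexec and do not need to be reserved.
 */
-if (data->type != SETUP_EFI && data->type != SETUP_IMA)
+if (data->type != SETUP_EFI &&
+data->type != SETUP_IMA &&
+data->type != SETUP_RNG_SEED)
 e820__range_update_kexec(pa_data,
 sizeof(*data) + data->len,
 E820_TYPE_RAM, E820_TYPE_RESERVED_KERN);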
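Review bot: The exclusion test before `e820__range_update_kexec()` is now a three-term `!=` chain that has to be extended by hand for each new type, which makes the list of kexec-supplied setup_data types harder to audit than it needs to be. A `switch (data->type)` that names the excluded types as cases and does the reservation under `default:` keeps the behaviour the same and puts each type on its own line. The enclosing loop and function start outside the hunk.

```c
/* … unchanged: e820__range_update() call and the comment block … */
switch (data->type) {
case SETUP_EFI:
case SETUP_IMA:
case SETUP_RNG_SEED:
	/* Supplied by kexec, not reserved in the kexec map. */
	break;
default:
	e820__range_update_kexec(pa_data,
				 sizeof(*data) + data->len,
				 E820_TYPE_RAM, E820_TYPE_RESERVED_KERN);
	break;
}
```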