On 09/12/2016 07:17 AM, Borislav Petkov wrote:
> On Mon, Aug 22, 2016 at 05:38:29PM -0500, Tom Lendacky wrote:
>> Add support to check if memory encryption is active in the kernel and that
>> it has been enabled on the AP. If memory encryption is active in the kernel
>> but has not been enabled on the AP then do not allow the AP to continue
>> start up.
>>
>> Signed-off-by: Tom Lendacky <thomas.lendacky@xxxxxxx>
>> ---
>> arch/x86/include/asm/msr-index.h | 2 ++
>> arch/x86/include/asm/realmode.h | 12 ++++++++++++
>> arch/x86/realmode/init.c | 4 ++++
>> arch/x86/realmode/rm/trampoline_64.S | 19 +++++++++++++++++++
>> 4 files changed, 37 insertions(+)
>
> ...
>
>> diff --git a/arch/x86/realmode/rm/trampoline_64.S b/arch/x86/realmode/rm/trampoline_64.S >> index dac7b20..94e29f4 100644 >> --- a/arch/x86/realmode/rm/trampoline_64.S >> +++ b/arch/x86/realmode/rm/trampoline_64.S >> @@ -30,6 +30,7 @@ >> #include <asm/msr.h> >> #include <asm/segment.h> >> #include <asm/processor-flags.h> >> +#include <asm/realmode.h> >> #include "realmode.h" >> >> .text
>> @@ -92,6 +93,23 @@ ENTRY(startup_32) >> movl %edx, %fs >> movl %edx, %gs >> >> + /* Check for memory encryption support */ >> + bt $TH_FLAGS_SME_ENABLE_BIT, pa_tr_flags >> + jnc .Ldone >> + movl $MSR_K8_SYSCFG, %ecx >> + rdmsr >> + bt $MSR_K8_SYSCFG_MEM_ENCRYPT_BIT, %eax >> + jc .Ldone >> + >> + /* >> + * Memory encryption is enabled but the MSR has not been set on this >> + * CPU so we can't continue
>
> Hmm, let me try to parse this correctly: BSP has SME enabled but the
> BIOS might not've set this on the AP? Really? Is that even possible?

Anything is possible, although it's highly unlikely.

>
> Because if SME is enabled, that means that MSR_K8_SYSCFG[23] on the BSP
> is set, right?

Correct.

>
> Also, I want to rule out here simple BIOS idiocy: if the only problem
> with the bit not being set in the AP is because some BIOS monkey forgot
> to do so, then we should try to set it ourselves and not die for no real
> reason.

Yes, we can do that. I was debating on which way to go with this. Most
likely this would never happen, but if it did... I can change this to
set the MSR bit and continue.

Thanks,
Tom

>
> Or is there another issue?
>
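Review bot: the rdmsr added in the startup_32 hunk of trampoline_64.S overwrites %eax and %edx, and %ecx is loaded with MSR_K8_SYSCFG just before it, while the context lines directly above still use %edx to load %fs and %gs. Please confirm that nothing after .Ldone expects any of those three registers to hold its earlier value, and note the clobber in the "Check for memory encryption support" comment so a later change to this path does not start relying on them. If the check is reworked to set the bit on the AP, the same registers carry the value to write back, so the comment should cover that path as well.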