On Wed, Jan 31, 2024 at 9:35 AM Borislav Petkov <bp@xxxxxxxxx> wrote: > > On Mon, Jan 29, 2024 at 07:05:05PM +0100, Ard Biesheuvel wrote: > > +/* > > + * Set the memory encryption xloadflag based on the mem_encrypt= command line > > + * parameter, if provided. If not, the consumer of the flag decides what the > > + * default behavior should be. > > + */ > > +static void set_mem_encrypt_flag(struct setup_header *hdr) > > parse_mem_encrypt > OK > > +{ > > + hdr->xloadflags &= ~(XLF_MEM_ENCRYPTION | XLF_MEM_ENCRYPTION_ENABLED); > > + > > + if (IS_ENABLED(CONFIG_ARCH_HAS_MEM_ENCRYPT)) { > > That's unconditionally enabled on x86: > > select ARCH_HAS_MEM_ENCRYPT > > in x86/Kconfig. > > Which sounds like you need a single XLF_MEM_ENCRYPT and simplify this > more. > OK, but that only means I can drop the if(). The reason we need two flags is because there is no default value to use when the command line param is absent. There is CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT but that one is AMD specific. There is CONFIG_X86_MEM_ENCRYPT which is shared between SME/SEV and TDX, which has no default setting. > > + int on = cmdline_find_option_bool("mem_encrypt=on"); > > + int off = cmdline_find_option_bool("mem_encrypt=off"); > > + > > + if (on || off) > > + hdr->xloadflags |= XLF_MEM_ENCRYPTION; > > + if (on > off) > > + hdr->xloadflags |= XLF_MEM_ENCRYPTION_ENABLED; > > + } > > +} > > Otherwise, I like the simplification. > Cheers.
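Review bot: in the inner block of set_mem_encrypt_flag(), `if (on > off)` leaves the case where both mem_encrypt=on and mem_encrypt=off are present undocumented, and its outcome depends on what cmdline_find_option_bool() returns beyond zero/non-zero. If the helper yields a plain 0/1, `on > off` is false when both are given, so XLF_MEM_ENCRYPTION is set with XLF_MEM_ENCRYPTION_ENABLED clear and "off" wins silently; if it yields a position, whichever option has the larger value wins. Because this flag tells the consumer whether memory encryption was requested, the function comment (which currently covers only the "not provided" case) should state the intended precedence for conflicting options, and the comparison should be written so it reads as that rule rather than as an ordered compare of two variables named like booleans.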