On 11/11/2016 10:17 AM, Kani, Toshimitsu wrote:
> On Wed, 2016-11-09 at 18:36 -0600, Tom Lendacky wrote:
>> Boot data (such as EFI related data) is not encrypted when the system
>> is booted and needs to be accessed unencrypted. Add support to apply
>> the proper attributes to the EFI page tables and to the
>> early_memremap and memremap APIs to identify the type of data being
>> accessed so that the proper encryption attribute can be applied.
> :
>> +static bool memremap_apply_encryption(resource_size_t phys_addr,
>> + unsigned long size)
>> +{
>> + /* SME is not active, just return true */
>> + if (!sme_me_mask)
>> + return true;
>> +
>> + /* Check if the address is part of the setup data */
>> + if (memremap_setup_data(phys_addr, size))
>> + return false;
>> +
>> + /* Check if the address is part of EFI boot/runtime data */
>> + switch (efi_mem_type(phys_addr)) {
>> + case EFI_BOOT_SERVICES_DATA:
>> + case EFI_RUNTIME_SERVICES_DATA:
>> + return false;
>> + }
>> +
>> + /* Check if the address is outside kernel usable area */
>> + switch (e820_get_entry_type(phys_addr, phys_addr + size -
>> 1)) {
>> + case E820_RESERVED:
>> + case E820_ACPI:
>> + case E820_NVS:
>> + case E820_UNUSABLE:
>> + return false;
>> + }
>> +
>> + return true;
>> +}
>
> Are you supporting encryption for E820_PMEM ranges? If so, this
> encryption will persist across a reboot and does not need to be
> encrypted again, right? Also, how do you keep a same key across a
> reboot?

The key will change across a reboot... so I need to look into this
more for memory that isn't used as traditional system ram.

Thanks,
Tom

>
> Thanks,
> -Toshi
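
Review bot: the e820 switch at the end of memremap_apply_encryption() lists only E820_RESERVED, E820_ACPI, E820_NVS and E820_UNUSABLE, so any other entry type, E820_PMEM included, falls through to the final "return true". Given the statement in this thread that the key will change across a reboot, that default should be an explicit decision: either add a case for memory that is not used as traditional system RAM, or add a comment explaining why such ranges are meant to take the "return true" path. Two smaller points in the same function: efi_mem_type(phys_addr) looks only at the start address while the e820 lookup covers phys_addr through phys_addr + size - 1, so a comment stating the assumption about ranges that cross an EFI region boundary (or a check of the end address) would help; and the early "return true" when sme_me_mask is zero reads oddly for a function named memremap_apply_encryption(), so the comment could say that the result has no effect when SME is not active.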