On Tue, Apr 18, 2017 at 04:18:22PM -0500, Tom Lendacky wrote: > The boot data and command line data are present in memory in a decrypted > state and are copied early in the boot process. The early page fault > support will map these areas as encrypted, so before attempting to copy > them, add decrypted mappings so the data is accessed properly when copied. > > For the initrd, encrypt this data in place. Since the future mapping of the > initrd area will be mapped as encrypted the data will be accessed properly. > > Signed-off-by: Tom Lendacky <thomas.lendacky@xxxxxxx> > --- > arch/x86/include/asm/mem_encrypt.h | 11 +++++ > arch/x86/include/asm/pgtable.h | 3 + > arch/x86/kernel/head64.c | 30 ++++++++++++-- > arch/x86/kernel/setup.c | 10 +++++ > arch/x86/mm/mem_encrypt.c | 77 ++++++++++++++++++++++++++++++++++++ > 5 files changed, 127 insertions(+), 4 deletions(-) ... > diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c > index 603a166..a95800b 100644 > --- a/arch/x86/kernel/setup.c > +++ b/arch/x86/kernel/setup.c > @@ -115,6 +115,7 @@ > #include <asm/microcode.h> > #include <asm/mmu_context.h> > #include <asm/kaslr.h> > +#include <asm/mem_encrypt.h> > > /* > * max_low_pfn_mapped: highest direct mapped pfn under 4GB 
> @@ -374,6 +375,15 @@ static void __init reserve_initrd(void) > !ramdisk_image || !ramdisk_size) > return; /* No initrd provided by bootloader */ > > + /* > + * If SME is active, this memory will be marked encrypted by the > + * kernel when it is accessed (including relocation). However, the > + * ramdisk image was loaded decrypted by the bootloader, so make > + * sure that it is encrypted before accessing it. > + */ > + if (sme_active()) That test is not needed here because __sme_early_enc_dec() already tests sme_me_mask. There you should change that test to sme_active() instead. > + sme_early_encrypt(ramdisk_image, ramdisk_end - ramdisk_image); > + > initrd_start = 0; > > mapped_size = memblock_mem_size(max_pfn_mapped); -- Regards/Gruss, Boris. Good mailing practices for 400: avoid top-posting and trim the reply.
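Review bot: in the reserve_initrd() hunk, the length handed to sme_early_encrypt() is `ramdisk_end - ramdisk_image`, while the guard just above it tests `ramdisk_size`, and the new comment does not say which range is meant. ramdisk_end is defined outside the visible context; if it is rounded past ramdisk_image + ramdisk_size, the in-place encryption also rewrites bytes that are not part of the image the bootloader loaded. Either pass ramdisk_size, or extend the comment to state that everything up to ramdisk_end is encrypted on purpose because that is the range that will later be mapped as encrypted.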