On Fri, Apr 21, 2017 at 01:56:13PM -0500, Tom Lendacky wrote: > On 4/18/2017 4:22 PM, Tom Lendacky wrote: > > Add support to check if SME has been enabled and if memory encryption > > should be activated (checking of command line option based on the > > configuration of the default state). If memory encryption is to be > > activated, then the encryption mask is set and the kernel is encrypted > > "in place." > > > > Signed-off-by: Tom Lendacky <thomas.lendacky@xxxxxxx> > > --- > > arch/x86/kernel/head_64.S | 1 + > > arch/x86/mm/mem_encrypt.c | 83 +++++++++++++++++++++++++++++++++++++++++++-- > > 2 files changed, 80 insertions(+), 4 deletions(-) > > > > ... > > > > > -unsigned long __init sme_enable(void) > > +unsigned long __init sme_enable(struct boot_params *bp) > > { > > + const char *cmdline_ptr, *cmdline_arg, *cmdline_on, *cmdline_off; > > + unsigned int eax, ebx, ecx, edx; > > + unsigned long me_mask; > > + bool active_by_default; > > + char buffer[16]; > > So it turns out that when KASLR is enabled (CONFIG_RAMDOMIZE_BASE=y) > the stack-protector support causes issues with this function because What issues? > it is called so early. I can get past it by adding: > > CFLAGS_mem_encrypt.o := $(nostackp) > > in the arch/x86/mm/Makefile, but that obviously eliminates the support > for the whole file. Would it be better to split out the sme_enable() > and other boot routines into a separate file or just apply the > $(nostackp) to the whole file? Josh might have a better idea here... CCed. -- Regards/Gruss, Boris. Good mailing practices for 400: avoid top-posting and trim the reply. -- To unsubscribe from this list: send the line "unsubscribe linux-efi" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html