When Secure Memory Encryption is enabled, the trampoline area must not be encrypted. A CPU running in real mode will not be able to decrypt memory that has been encrypted because it will not be able to use addresses with the memory encryption mask. A recent change that added a new system_state value exposed a warning issued by early_ioreamp() when the system_state was not SYSTEM_BOOTING. At the stage where the trampoline area is decrypted, the system_state is now SYSTEM_SCHEDULING. The check was changed to issue a warning if the system_state is greater than or equal to SYSTEM_RUNNING. Signed-off-by: Tom Lendacky <thomas.lendacky@xxxxxxx> --- arch/x86/realmode/init.c | 11 +++++++++++ mm/early_ioremap.c | 2 +- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/arch/x86/realmode/init.c b/arch/x86/realmode/init.c index a163a90..195ba29 100644 --- a/arch/x86/realmode/init.c +++ b/arch/x86/realmode/init.c @@ -6,6 +6,7 @@ #include <asm/pgtable.h> #include <asm/realmode.h> #include <asm/tlbflush.h> +#include <asm/mem_encrypt.h> struct real_mode_header *real_mode_header; u32 *trampoline_cr4_features; @@ -130,6 +131,16 @@ static void __init set_real_mode_permissions(void) unsigned long text_start = (unsigned long) __va(real_mode_header->text_start); + /* + * If SME is active, the trampoline area will need to be in + * decrypted memory in order to bring up other processors + * successfully. + */ + if (sme_active()) { + sme_early_decrypt(__pa(base), size); + set_memory_decrypted((unsigned long)base, size >> PAGE_SHIFT); + } + set_memory_nx((unsigned long) base, size >> PAGE_SHIFT); set_memory_ro((unsigned long) base, ro_size >> PAGE_SHIFT); set_memory_x((unsigned long) text_start, text_size >> PAGE_SHIFT); diff --git a/mm/early_ioremap.c b/mm/early_ioremap.c index b1dd4a9..01d13ae 100644 --- a/mm/early_ioremap.c +++ b/mm/early_ioremap.c @@ -110,7 +110,7 @@ static int __init check_early_ioremap_leak(void) enum fixed_addresses idx; int i, slot; - WARN_ON(system_state != SYSTEM_BOOTING); + WARN_ON(system_state >= SYSTEM_RUNNING); slot = -1; for (i = 0; i < FIX_BTMAPS_SLOTS; i++) { -- To unsubscribe from this list: send the line "unsubscribe linux-efi" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html