On 17 July 2018 at 03:15, Brijesh Singh <brijesh.singh@xxxxxxx> wrote: > Hi Ard, > > > > On 07/11/2018 05:00 AM, Ard Biesheuvel wrote: >> >> On 3 July 2018 at 15:32, Brijesh Singh <brijesh.singh@xxxxxxx> wrote: >>> >>> SEV guest fails to update the UEFI runtime variables stored in the >>> flash. commit 1379edd59673 ("x86/efi: Access EFI data as encrypted >>> when SEV is active") unconditionally maps all the UEFI runtime data >>> as 'encrypted' (C=1). When SEV is active the UEFI runtime data marked >>> as EFI_MEMORY_MAPPED_IO should be mapped as 'unencrypted' so that both >>> guest and hypervisor can access the data. >>> >>> Fixes: 1379edd59673 (x86/efi: Access EFI data as encrypted ...) >>> Cc: Tom Lendacky <thomas.lendacky@xxxxxxx> >>> Cc: Thomas Gleixner <tglx@xxxxxxxxxxxxx> >>> Cc: Borislav Petkov <bp@xxxxxxx> >>> Cc: linux-efi@xxxxxxxxxxxxxxx >>> Cc: kvm@xxxxxxxxxxxxxxx >>> Cc: Ard Biesheuvel <ard.biesheuvel@xxxxxxxxxx> >>> Cc: Matt Fleming <matt@xxxxxxxxxxxxxxxxxxx> >>> Cc: Andy Lutomirski <luto@xxxxxxxxxx> >>> Cc: <stable@xxxxxxxxxxxxxxx> # 4.15.x >>> Signed-off-by: Brijesh Singh <brijesh.singh@xxxxxxx> >>> --- >>> arch/x86/platform/efi/efi_64.c | 2 +- >>> 1 file changed, 1 insertion(+), 1 deletion(-) >>> >>> diff --git a/arch/x86/platform/efi/efi_64.c >>> b/arch/x86/platform/efi/efi_64.c >>> index 77873ce..5f2eb32 100644 >>> --- a/arch/x86/platform/efi/efi_64.c >>> +++ b/arch/x86/platform/efi/efi_64.c >>> @@ -417,7 +417,7 @@ static void __init __map_region(efi_memory_desc_t >>> *md, u64 va) >>> if (!(md->attribute & EFI_MEMORY_WB)) >>> flags |= _PAGE_PCD; >>> >>> - if (sev_active()) >>> + if (sev_active() && md->type != EFI_MEMORY_MAPPED_IO) >>> flags |= _PAGE_ENC; >>> >>> pfn = md->phys_addr >> PAGE_SHIFT; >> >> >> Is it safe to only update this occurrence and not the one in >> efi_runtime_update_mappings() ? >> > > > It's safe to update this occurrence only. The SEV support is added > in recent EDK2 bios, and the version of bios provides the > EFI_MEMORY_ATTRIBUTE_TABLE. Hence the efi_enabled(EFI_MEM_ATTR) check in > efi_runtime_update_mappings() will always be true. When EFI_MEM_ATTR is > set the code updates the mapping and returns (see below) > > void __init efi_runtime_update_mappings(void) > { > ..... > ..... > > /* > * Use the EFI Memory Attribute Table for mapping permissions if it > * exists, since it is intended to supersede EFI_PROPERTIES_TABLE. > */ > if (efi_enabled(EFI_MEM_ATTR)) { > efi_memattr_apply_permissions(NULL, efi_update_mem_attr); > return; > } > > > ... > > } > > The EFI_MEMORY_ATTRIBUTE_TABLE table does not include MMIO regions, the > table describes the memory protections to EFI runtime code and data > regions only. Both EFI runtime code and data should be mapped as > encrypted. Hence I skipped updating the efi_runtime_update_mappings(). > Ok, thanks for clearing that up Queued in efi/urgent -- To unsubscribe from this list: send the line "unsubscribe linux-efi" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html