On Thu, 18 May 2023 at 22:48, Tom Lendacky <thomas.lendacky@xxxxxxx> wrote:
>
> On 5/8/23 02:03, Ard Biesheuvel wrote:
> > The bare metal decompressor code was never really intended to run in a
> > hosted environment such as the EFI boot services, and does a few things
> > that are problematic in the context of EFI boot now that the logo
> > requirements are getting tighter.
> >
> > In particular, the decompressor moves its own executable image around in
> > memory, and relies on demand paging to populate the identity mappings,
> > and these things are difficult to support in a context where memory is
> > not permitted to be mapped writable and executable at the same time or,
> > at the very least, is mapped non-executable by default, and needs
> > special treatment for this restriction to be lifted.
> >
> > Since EFI already maps all of memory 1:1, we don't need to create new
> > page tables or handle page faults when decompressing the kernel. That
> > means there is also no need to replace the special exception handlers
> > for SEV. Generally, there is little need to do anything that the
> > decompressor does beyond
> >
> > - initialize SEV encryption, if needed,
> > - perform the 4/5 level paging switch, if needed,
> > - decompress the kernel
> > - relocate the kernel
> >
> > So let's do all of this from the EFI stub code, and avoid the bare metal
> > decompressor altogether.
>
> This patch crashes SEV guests, probably because the BSS is accessed
> encrypted and results in ciphertext for what would be a zero for a non-SEV
> guest. After pushing patch #19 everything started working again. From a
> bisectability perspective, you probably want patch #19 before this one.
>

Noted, thanks.