Hi Borislav, On Sat, Jul 29, 2023 at 12:56 AM Borislav Petkov <bp@xxxxxxxxx> wrote: > > On Thu, Jul 27, 2023 at 07:03:26PM +0800, Tao Liu wrote: > > Hi Borislav, > > > > Sorry for the late response. I spent some time retesting your patch > > against 6.5.0-rc1 and 6.5.0-rc3, and it is OK. So > > > > Reported-and-tested-by: Tao Liu <ltao@xxxxxxxxxx> > > > > And will we use this patch as a workaround or will we wait for a > > better solution as proposed by Michael? > > First of all, please do not top-post. > OK, thanks for the reminder. > And yes, here's a better one. I'd appreciate it you testing it. > Thanks for the patch! I have tested it on the lenovo machine in the past few days, no issue found, so the patch tests OK. Thanks, Tao Liu > Thx. > > --- > arch/x86/boot/compressed/idt_64.c | 5 ++++- > arch/x86/boot/compressed/sev.c | 37 +++++++++++++++++++++++++++++-- > 2 files changed, 39 insertions(+), 3 deletions(-) > > diff --git a/arch/x86/boot/compressed/idt_64.c b/arch/x86/boot/compressed/idt_64.c > index 6debb816e83d..0f03ac12e2a6 100644 > --- a/arch/x86/boot/compressed/idt_64.c > +++ b/arch/x86/boot/compressed/idt_64.c > @@ -63,7 +63,10 @@ void load_stage2_idt(void) > set_idt_entry(X86_TRAP_PF, boot_page_fault); > > #ifdef CONFIG_AMD_MEM_ENCRYPT > - set_idt_entry(X86_TRAP_VC, boot_stage2_vc); > + if (sev_status & BIT(1)) > + set_idt_entry(X86_TRAP_VC, boot_stage2_vc); > + else > + set_idt_entry(X86_TRAP_VC, NULL); > #endif > > load_boot_idt(&boot_idt_desc); > diff --git a/arch/x86/boot/compressed/sev.c b/arch/x86/boot/compressed/sev.c > index 09dc8c187b3c..c3e343bd4760 100644 > --- a/arch/x86/boot/compressed/sev.c > +++ b/arch/x86/boot/compressed/sev.c 
> @@ -404,13 +404,46 @@ void sev_enable(struct boot_params *bp) > if (bp) > bp->cc_blob_address = 0; > > + /* > + * Do an initial SEV capability check before snp_init() which > + * loads the CPUID page and the same checks afterwards are done > + * without the hypervisor and are trustworthy. > + * > + * If the HV fakes SEV support, the guest will crash'n'burn > + * which is good enough. > + */ > + > + /* Check for the SME/SEV support leaf */ > + eax = 0x80000000; > + ecx = 0; > + native_cpuid(&eax, &ebx, &ecx, &edx); > + if (eax < 0x8000001f) > + return; > + > + /* > + * Check for the SME/SEV feature: > + * CPUID Fn8000_001F[EAX] > + * - Bit 0 - Secure Memory Encryption support > + * - Bit 1 - Secure Encrypted Virtualization support > + * CPUID Fn8000_001F[EBX] > + * - Bits 5:0 - Pagetable bit position used to indicate encryption > + */ > + eax = 0x8000001f; > + ecx = 0; > + native_cpuid(&eax, &ebx, &ecx, &edx); > + /* Check whether SEV is supported */ > + if (!(eax & BIT(1))) > + return; > + > /* > * Setup/preliminary detection of SNP. This will be sanity-checked > * against CPUID/MSR values later. > */ > snp = snp_init(bp); > > - /* Check for the SME/SEV support leaf */ > + /* Now repeat the checks with the SNP CPUID table. */ > + > + /* Recheck the SME/SEV support leaf */ > eax = 0x80000000; > ecx = 0; > native_cpuid(&eax, &ebx, &ecx, &edx); > @@ -418,7 +451,7 @@ void sev_enable(struct boot_params *bp) > return; > > /* > - * Check for the SME/SEV feature: > + * Recheck for the SME/SEV feature: > * CPUID Fn8000_001F[EAX] > * - Bit 0 - Secure Memory Encryption support > * - Bit 1 - Secure Encrypted Virtualization support > -- > 2.41.0 > > -- > Regards/Gruss, > Boris. > > https://people.kernel.org/tglx/notes-about-netiquette >
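Review bot: in the idt_64.c hunk, `if (sev_status & BIT(1))` tests a raw bit number with no comment, while the sev.c hunks in the same patch test `eax & BIT(1)` with a different meaning (CPUID Fn8000_001F[EAX] bit 1 is SEV support; bit 1 of the sev_status MSR value is SEV-ES enabled), which invites confusion. Use the named MSR bit, MSR_AMD64_SEV_ES_ENABLED, and add a one-line comment stating that the stage-2 #VC handler is installed only when SEV-ES is enabled and cleared otherwise. It is also worth saying in the commit message what `set_idt_entry(X86_TRAP_VC, NULL)` actually produces: if it writes a present gate with a zero offset rather than a not-present descriptor, either clear the descriptor instead or document why a present gate to 0 is acceptable here (no #VC can be raised when SEV-ES is off).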
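Review bot: in the first sev.c hunk (@@ -404,13 +404,46 @@), the added early check (the 0x80000000 range probe followed by the Fn8000_001F[EAX] bit 1 test) duplicates line for line the block that already follows snp_init(), including the comment describing EBX bits 5:0 even though the early check never reads ebx. Factor the two CPUID calls into a small static helper returning bool and call it once before and once after snp_init(), keeping only the "Now repeat the checks with the SNP CPUID table" comment at the second site; that removes the duplicated lines and the misplaced EBX comment. The new block comment also reads awkwardly ("which loads the CPUID page and the same checks afterwards are done without the hypervisor and are trustworthy"); something like "Do an initial SEV capability check before snp_init() loads the CPUID page; the same checks are then repeated against that page, which does not depend on the hypervisor" is clearer. Finally, the comment covers only the hypervisor faking SEV support; since this early `return` is new, state what happens in the other direction (hypervisor hiding SEV from an SEV guest, so snp_init() is never reached) so a reader can see the early exit cannot silently downgrade a guest.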