On Mon, Apr 08, 2024 at 08:49:21AM +0200, Ard Biesheuvel wrote: > From: Ard Biesheuvel <ardb@xxxxxxxxxx> > > [ Commit cd0d9d92c8bb46e77de62efd7df13069ddd61e7d upstream ] > > The early SME/SEV code parses the command line very early, in order to > decide whether or not memory encryption should be enabled, which needs > to occur even before the initial page tables are created. > > This is problematic for a number of reasons: > - this early code runs from the 1:1 mapping provided by the decompressor > or firmware, which uses a different translation than the one assumed by > the linker, and so the code needs to be built in a special way; > - parsing external input while the entire kernel image is still mapped > writable is a bad idea in general, and really does not belong in > security minded code; > - the current code ignores the built-in command line entirely (although > this appears to be the case for the entire decompressor) > > Given that the decompressor/EFI stub is an intrinsic part of the x86 > bootable kernel image, move the command line parsing there and out of > the core kernel. This removes the need to build lib/cmdline.o in a > special way, or to use RIP-relative LEA instructions in inline asm > blocks. > > This involves a new xloadflag in the setup header to indicate > that mem_encrypt=on appeared on the kernel command line. > > Signed-off-by: Ard Biesheuvel <ardb@xxxxxxxxxx> > Signed-off-by: Borislav Petkov (AMD) <bp@xxxxxxxxx> > Tested-by: Tom Lendacky <thomas.lendacky@xxxxxxx> > Link: https://lore.kernel.org/r/20240227151907.387873-17-ardb+git@xxxxxxxxxx > Signed-off-by: Ard Biesheuvel <ardb@xxxxxxxxxx> > --- > arch/x86/boot/compressed/misc.c | 15 +++++++++ > arch/x86/include/uapi/asm/bootparam.h | 1 + > arch/x86/lib/Makefile | 13 -------- > arch/x86/mm/mem_encrypt_identity.c | 32 ++------------------ > drivers/firmware/efi/libstub/x86-stub.c | 3 ++ > 5 files changed, 22 insertions(+), 42 deletions(-) > > diff --git a/arch/x86/boot/compressed/misc.c b/arch/x86/boot/compressed/misc.c > index f711f2a85862..c6136a1be283 100644 > --- a/arch/x86/boot/compressed/misc.c > +++ b/arch/x86/boot/compressed/misc.c > @@ -357,6 +357,19 @@ unsigned long decompress_kernel(unsigned char *outbuf, unsigned long virt_addr, > return entry; > } > > +/* > + * Set the memory encryption xloadflag based on the mem_encrypt= command line > + * parameter, if provided. > + */ > +static void parse_mem_encrypt(struct setup_header *hdr) > +{ > + int on = cmdline_find_option_bool("mem_encrypt=on"); > + int off = cmdline_find_option_bool("mem_encrypt=off"); > + > + if (on > off) > + hdr->xloadflags |= XLF_MEM_ENCRYPTION; > +} > + > /* > * The compressed kernel image (ZO), has been moved so that its position > * is against the end of the buffer used to hold the uncompressed kernel > @@ -387,6 +400,8 @@ asmlinkage __visible void *extract_kernel(void *rmode, unsigned char *output) > /* Clear flags intended for solely in-kernel use. */ > boot_params->hdr.loadflags &= ~KASLR_FLAG; > > + parse_mem_encrypt(&boot_params->hdr); > + > sanitize_boot_params(boot_params); > > if (boot_params->screen_info.orig_video_mode == 7) { This patch didn't apply on 6.6.y, so I applied it by hand, but it turns out there is no "boot_parms" on 6.6.y, so it breaks the build. So I've dropped this one from the 6.6.y tree now, if you can submit it in a form that at least compiles, I'll take it :) thanks, greg k-h
