Re: [RFC PATCH v1 09/28] x86/efi: Access EFI data as encrypted when SEV is active
From: Tom Lendacky <thomas.lendacky@amd.com>
Date: 2016-09-22 17:47:32
Also in: kvm, linux-efi, linux-mm, lkml
On 09/22/2016 09:35 AM, Borislav Petkov wrote:
On Mon, Aug 22, 2016 at 07:25:25PM -0400, Brijesh Singh wrote:
> From: Tom Lendacky <thomas.lendacky@amd.com>
>
> EFI data is encrypted when the kernel is run under SEV. Update the page table references to be sure the EFI memory areas are accessed encrypted.
>
> Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
> ---
> arch/x86/platform/efi/efi_64.c | 14 ++++++++++++--
> 1 file changed, 12 insertions(+), 2 deletions(-)
>
> diff --git a/arch/x86/platform/efi/efi_64.c b/arch/x86/platform/efi/efi_64.c index 0871ea4..98363f3 100644 --- a/arch/x86/platform/efi/efi_64.c +++ b/arch/x86/platform/efi/efi_64.c
> @@ -213,7 +213,7 @@ void efi_sync_low_kernel_mappings(void) int __init efi_setup_page_tables(unsigned long pa_memmap, unsigned num_pages) { - unsigned long pfn, text; + unsigned long pfn, text, flags; efi_memory_desc_t *md; struct page *page; unsigned npages;
> @@ -230,6 +230,10 @@ int __init efi_setup_page_tables(unsigned long pa_memmap, unsigned num_pages) efi_scratch.efi_pgt = (pgd_t *)__sme_pa(efi_pgd); pgd = efi_pgd; + flags = _PAGE_NX | _PAGE_RW; + if (sev_active) + flags |= _PAGE_ENC;

So this is confusing me. There's this patch which says EFI data is accessed in the clear:

https://lkml.kernel.org/r/20160822223738.29880.6909.stgit@tlendack-t1.amdoffice.net

but now here it is encrypted when SEV is enabled. Do you mean, it is encrypted here because we're in the guest kernel?
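Review bot: the second hunk keys the _PAGE_ENC decision on the global `sev_active` flag, but neither the hunk nor the commit message says why the EFI regions are mapped encrypted only in that case; the unchanged context already uses `__sme_pa()` for the PGD, so a reader sees SME handling right next to a SEV-only `flags |= _PAGE_ENC` and cannot tell from efi_64.c alone why the two differ, which is exactly the confusion raised in the question just above. Suggest the commit message state the rationale (the guest, including its firmware, runs encrypted from the start, so all EFI memory is encrypted under SEV) rather than leaving it to the thread. Also, the diffstat reports 12 insertions but only four `+` lines are visible here, so the lines that consume `flags` for the individual EFI memory descriptors are outside the quoted context; if every descriptor type gets the same `flags` value under SEV regardless of its EFI memory type, that too should be stated explicitly in the commit message.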
Yes, the idea is that the SEV guest will be running encrypted from the start, including the BIOS/UEFI, and so all of the EFI related data will be encrypted.

Thanks,
Tom
Thanks.