mirror of https://gitee.com/openkylin/linux.git
x86/mm: Add Secure Encrypted Virtualization (SEV) support
Provide support for Secure Encrypted Virtualization (SEV). This initial support defines a flag that is used by the kernel to determine if it is running with SEV active. Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com> Signed-off-by: Brijesh Singh <brijesh.singh@amd.com> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Reviewed-by: Borislav Petkov <bp@suse.de> Tested-by: Borislav Petkov <bp@suse.de> Cc: kvm@vger.kernel.org Cc: Borislav Petkov <bp@alien8.de> Cc: Andy Lutomirski <luto@kernel.org> Link: https://lkml.kernel.org/r/20171020143059.3291-3-brijesh.singh@amd.com
This commit is contained in:
parent
33e63acc11
commit
d8aa7eea78
|
@ -47,6 +47,9 @@ void __init mem_encrypt_init(void);
|
|||
|
||||
void swiotlb_set_mem_attributes(void *vaddr, unsigned long size);
|
||||
|
||||
bool sme_active(void);
|
||||
bool sev_active(void);
|
||||
|
||||
#else /* !CONFIG_AMD_MEM_ENCRYPT */
|
||||
|
||||
#define sme_me_mask 0ULL
|
||||
|
@ -64,6 +67,9 @@ static inline void __init sme_early_init(void) { }
|
|||
static inline void __init sme_encrypt_kernel(void) { }
|
||||
static inline void __init sme_enable(struct boot_params *bp) { }
|
||||
|
||||
static inline bool sme_active(void) { return false; }
|
||||
static inline bool sev_active(void) { return false; }
|
||||
|
||||
#endif /* CONFIG_AMD_MEM_ENCRYPT */
|
||||
|
||||
/*
|
||||
|
|
|
@ -42,6 +42,8 @@ static char sme_cmdline_off[] __initdata = "off";
|
|||
u64 sme_me_mask __section(.data) = 0;
|
||||
EXPORT_SYMBOL_GPL(sme_me_mask);
|
||||
|
||||
static bool sev_enabled __section(.data);
|
||||
|
||||
/* Buffer used for early in-place encryption by BSP, no locking needed */
|
||||
static char sme_early_buffer[PAGE_SIZE] __aligned(PAGE_SIZE);
|
||||
|
||||
|
@ -192,6 +194,30 @@ void __init sme_early_init(void)
|
|||
protection_map[i] = pgprot_encrypted(protection_map[i]);
|
||||
}
|
||||
|
||||
/*
|
||||
* SME and SEV are very similar but they are not the same, so there are
|
||||
* times that the kernel will need to distinguish between SME and SEV. The
|
||||
* sme_active() and sev_active() functions are used for this. When a
|
||||
* distinction isn't needed, the mem_encrypt_active() function can be used.
|
||||
*
|
||||
* The trampoline code is a good example for this requirement. Before
|
||||
* paging is activated, SME will access all memory as decrypted, but SEV
|
||||
* will access all memory as encrypted. So, when APs are being brought
|
||||
* up under SME the trampoline area cannot be encrypted, whereas under SEV
|
||||
* the trampoline area must be encrypted.
|
||||
*/
|
||||
bool sme_active(void)
|
||||
{
|
||||
return sme_me_mask && !sev_enabled;
|
||||
}
|
||||
EXPORT_SYMBOL_GPL(sme_active);
|
||||
|
||||
bool sev_active(void)
|
||||
{
|
||||
return sme_me_mask && sev_enabled;
|
||||
}
|
||||
EXPORT_SYMBOL_GPL(sev_active);
|
||||
|
||||
/* Architecture __weak replacement functions */
|
||||
void __init mem_encrypt_init(void)
|
||||
{
|
||||
|
|
|
@ -23,11 +23,14 @@
|
|||
|
||||
#define sme_me_mask 0ULL
|
||||
|
||||
static inline bool sme_active(void) { return false; }
|
||||
static inline bool sev_active(void) { return false; }
|
||||
|
||||
#endif /* CONFIG_ARCH_HAS_MEM_ENCRYPT */
|
||||
|
||||
static inline bool sme_active(void)
|
||||
static inline bool mem_encrypt_active(void)
|
||||
{
|
||||
return !!sme_me_mask;
|
||||
return sme_me_mask;
|
||||
}
|
||||
|
||||
static inline u64 sme_get_me_mask(void)
|
||||
|
|
Loading…
Reference in New Issue