Message ID | 20210708055757.2090-1-khalid.elmously@canonical.com |
---|---|
State | New |
Series | [SRU,Hirsute,1/1] x86/ioremap: Map EFI-reserved memory as encrypted for SEV |
On 08.07.21 07:57, Khalid Elmously wrote:
> From: Tom Lendacky <thomas.lendacky@amd.com>
>
> BugLink: https://bugs.launchpad.com/bugs/1931254
                                  ^ bugs.launchpad.net
>
> Some drivers require memory that is marked as EFI boot services
> data. In order for this memory to not be re-used by the kernel
> after ExitBootServices(), efi_mem_reserve() is used to preserve it
> by inserting a new EFI memory descriptor and marking it with the
> EFI_MEMORY_RUNTIME attribute.
>
> Under SEV, memory marked with the EFI_MEMORY_RUNTIME attribute needs to
> be mapped encrypted by Linux, otherwise the kernel might crash at boot
> like below:
>
> EFI Variables Facility v0.08 2004-May-17
> general protection fault, probably for non-canonical address 0x3597688770a868b2: 0000 [#1] SMP NOPTI
> CPU: 13 PID: 1 Comm: swapper/0 Not tainted 5.12.4-2-default #1 openSUSE Tumbleweed
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
> RIP: 0010:efi_mokvar_entry_next
> [...]
> Call Trace:
> efi_mokvar_sysfs_init
> ? efi_mokvar_table_init
> do_one_initcall
> ? __kmalloc
> kernel_init_freeable
> ? rest_init
> kernel_init
> ret_from_fork
>
> Expand the __ioremap_check_other() function to additionally check for
> this other type of boot data reserved at runtime and indicate that it
> should be mapped encrypted for an SEV guest.
>
> [ bp: Massage commit message. ]
>
> Fixes: 58c909022a5a ("efi: Support for MOK variable config table")
> Reported-by: Joerg Roedel <jroedel@suse.de>
> Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
> Signed-off-by: Joerg Roedel <jroedel@suse.de>
> Signed-off-by: Borislav Petkov <bp@suse.de>
> Tested-by: Joerg Roedel <jroedel@suse.de>
> Cc: <stable@vger.kernel.org> # 5.10+
> Link: https://lkml.kernel.org/r/20210608095439.12668-2-joro@8bytes.org
> (cherry picked from commit 8d651ee9c71bb12fc0c8eb2786b66cbe5aa3e43b)
> Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> > --- > arch/x86/mm/ioremap.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/arch/x86/mm/ioremap.c b/arch/x86/mm/ioremap.c > index 9e5ccc56f8e0..356b746dfbe7 100644 > --- a/arch/x86/mm/ioremap.c > +++ b/arch/x86/mm/ioremap.c > @@ -118,7 +118,9 @@ static void __ioremap_check_other(resource_size_t addr, struct ioremap_desc *des > if (!IS_ENABLED(CONFIG_EFI)) > return; > > - if (efi_mem_type(addr) == EFI_RUNTIME_SERVICES_DATA) > + if (efi_mem_type(addr) == EFI_RUNTIME_SERVICES_DATA || > + (efi_mem_type(addr) == EFI_BOOT_SERVICES_DATA && > + efi_mem_attributes(addr) & EFI_MEMORY_RUNTIME)) > desc->flags |= IORES_MAP_ENCRYPTED; > } > >
Acked-by: Tim Gardner <tim.gardner@canonical.com>

On 7/7/21 11:57 PM, Khalid Elmously wrote:
> From: Tom Lendacky <thomas.lendacky@amd.com>
>
> BugLink: https://bugs.launchpad.com/bugs/1931254
>
> Some drivers require memory that is marked as EFI boot services
> data. In order for this memory to not be re-used by the kernel
> after ExitBootServices(), efi_mem_reserve() is used to preserve it
> by inserting a new EFI memory descriptor and marking it with the
> EFI_MEMORY_RUNTIME attribute.
>
> Under SEV, memory marked with the EFI_MEMORY_RUNTIME attribute needs to
> be mapped encrypted by Linux, otherwise the kernel might crash at boot
> like below:
>
> EFI Variables Facility v0.08 2004-May-17
> general protection fault, probably for non-canonical address 0x3597688770a868b2: 0000 [#1] SMP NOPTI
> CPU: 13 PID: 1 Comm: swapper/0 Not tainted 5.12.4-2-default #1 openSUSE Tumbleweed
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
> RIP: 0010:efi_mokvar_entry_next
> [...]
> Call Trace:
> efi_mokvar_sysfs_init
> ? efi_mokvar_table_init
> do_one_initcall
> ? __kmalloc
> kernel_init_freeable
> ? rest_init
> kernel_init
> ret_from_fork
>
> Expand the __ioremap_check_other() function to additionally check for
> this other type of boot data reserved at runtime and indicate that it
> should be mapped encrypted for an SEV guest.
>
> [ bp: Massage commit message. ]
>
> Fixes: 58c909022a5a ("efi: Support for MOK variable config table")
> Reported-by: Joerg Roedel <jroedel@suse.de>
> Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
> Signed-off-by: Joerg Roedel <jroedel@suse.de>
> Signed-off-by: Borislav Petkov <bp@suse.de>
> Tested-by: Joerg Roedel <jroedel@suse.de>
> Cc: <stable@vger.kernel.org> # 5.10+
> Link: https://lkml.kernel.org/r/20210608095439.12668-2-joro@8bytes.org
> (cherry picked from commit 8d651ee9c71bb12fc0c8eb2786b66cbe5aa3e43b)
> Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com> > --- > arch/x86/mm/ioremap.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/arch/x86/mm/ioremap.c b/arch/x86/mm/ioremap.c > index 9e5ccc56f8e0..356b746dfbe7 100644 > --- a/arch/x86/mm/ioremap.c > +++ b/arch/x86/mm/ioremap.c > @@ -118,7 +118,9 @@ static void __ioremap_check_other(resource_size_t addr, struct ioremap_desc *des > if (!IS_ENABLED(CONFIG_EFI)) > return; > > - if (efi_mem_type(addr) == EFI_RUNTIME_SERVICES_DATA) > + if (efi_mem_type(addr) == EFI_RUNTIME_SERVICES_DATA || > + (efi_mem_type(addr) == EFI_BOOT_SERVICES_DATA && > + efi_mem_attributes(addr) & EFI_MEMORY_RUNTIME)) > desc->flags |= IORES_MAP_ENCRYPTED; > } > >
On Thu, Jul 8, 2021 at 2:58 AM Khalid Elmously <khalid.elmously@canonical.com> wrote:
>
> From: Tom Lendacky <thomas.lendacky@amd.com>
>
> BugLink: https://bugs.launchpad.com/bugs/1931254
>

Hey Khalid, thanks for the patch! I tried to access this link and it wasn't reachable. Then I noticed... it seems it should be ".launchpad.net", right? With that, the link worked.

I guess this can be fixed when applying the patch!
Cheers,

Guilherme
This was applied through a stable patch set. Thank you!

-Kelsey

On 2021-07-08 01:57:57 , Khalid Elmously wrote:
> From: Tom Lendacky <thomas.lendacky@amd.com>
>
> BugLink: https://bugs.launchpad.com/bugs/1931254
>
> Some drivers require memory that is marked as EFI boot services
> data. In order for this memory to not be re-used by the kernel
> after ExitBootServices(), efi_mem_reserve() is used to preserve it
> by inserting a new EFI memory descriptor and marking it with the
> EFI_MEMORY_RUNTIME attribute.
>
> Under SEV, memory marked with the EFI_MEMORY_RUNTIME attribute needs to
> be mapped encrypted by Linux, otherwise the kernel might crash at boot
> like below:
>
> EFI Variables Facility v0.08 2004-May-17
> general protection fault, probably for non-canonical address 0x3597688770a868b2: 0000 [#1] SMP NOPTI
> CPU: 13 PID: 1 Comm: swapper/0 Not tainted 5.12.4-2-default #1 openSUSE Tumbleweed
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
> RIP: 0010:efi_mokvar_entry_next
> [...]
> Call Trace:
> efi_mokvar_sysfs_init
> ? efi_mokvar_table_init
> do_one_initcall
> ? __kmalloc
> kernel_init_freeable
> ? rest_init
> kernel_init
> ret_from_fork
>
> Expand the __ioremap_check_other() function to additionally check for
> this other type of boot data reserved at runtime and indicate that it
> should be mapped encrypted for an SEV guest.
>
> [ bp: Massage commit message. ]
>
> Fixes: 58c909022a5a ("efi: Support for MOK variable config table")
> Reported-by: Joerg Roedel <jroedel@suse.de>
> Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
> Signed-off-by: Joerg Roedel <jroedel@suse.de>
> Signed-off-by: Borislav Petkov <bp@suse.de>
> Tested-by: Joerg Roedel <jroedel@suse.de>
> Cc: <stable@vger.kernel.org> # 5.10+
> Link: https://lkml.kernel.org/r/20210608095439.12668-2-joro@8bytes.org
> (cherry picked from commit 8d651ee9c71bb12fc0c8eb2786b66cbe5aa3e43b)
> Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com> > --- > arch/x86/mm/ioremap.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/arch/x86/mm/ioremap.c b/arch/x86/mm/ioremap.c > index 9e5ccc56f8e0..356b746dfbe7 100644 > --- a/arch/x86/mm/ioremap.c > +++ b/arch/x86/mm/ioremap.c > @@ -118,7 +118,9 @@ static void __ioremap_check_other(resource_size_t addr, struct ioremap_desc *des > if (!IS_ENABLED(CONFIG_EFI)) > return; > > - if (efi_mem_type(addr) == EFI_RUNTIME_SERVICES_DATA) > + if (efi_mem_type(addr) == EFI_RUNTIME_SERVICES_DATA || > + (efi_mem_type(addr) == EFI_BOOT_SERVICES_DATA && > + efi_mem_attributes(addr) & EFI_MEMORY_RUNTIME)) > desc->flags |= IORES_MAP_ENCRYPTED; > } > > -- > 2.17.1 > > > -- > kernel-team mailing list > kernel-team@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/kernel-team
diff --git a/arch/x86/mm/ioremap.c b/arch/x86/mm/ioremap.c index 9e5ccc56f8e0..356b746dfbe7 100644 --- a/arch/x86/mm/ioremap.c +++ b/arch/x86/mm/ioremap.c @@ -118,7 +118,9 @@ static void __ioremap_check_other(resource_size_t addr, struct ioremap_desc *des if (!IS_ENABLED(CONFIG_EFI)) return; - if (efi_mem_type(addr) == EFI_RUNTIME_SERVICES_DATA) + if (efi_mem_type(addr) == EFI_RUNTIME_SERVICES_DATA || + (efi_mem_type(addr) == EFI_BOOT_SERVICES_DATA && + efi_mem_attributes(addr) & EFI_MEMORY_RUNTIME)) desc->flags |= IORES_MAP_ENCRYPTED; }
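Review bot: the new condition in __ioremap_check_other() calls efi_mem_type(addr) twice for the same address and places a bare `&` test inside the `&&` chain. Reading the type once into a local and parenthesising the attribute test, as in `(efi_mem_attributes(addr) & EFI_MEMORY_RUNTIME)`, would make the precedence explicit and the check easier to audit. A short comment above the check noting that EFI_BOOT_SERVICES_DATA carrying EFI_MEMORY_RUNTIME is what efi_mem_reserve() produces would also keep the reason for the second clause next to the code, since it is currently stated only in the commit message.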