Eric W. Biederman
2021-May-06 17:42 UTC
[PATCH 2/2] x86/kexec/64: Forbid kexec when running as an SEV-ES guest
Joerg Roedel <joro at 8bytes.org> writes:> From: Joerg Roedel <jroedel at suse.de> > > For now, kexec is not supported when running as an SEV-ES guest. Doing > so requires additional hypervisor support and special code to hand > over the CPUs to the new kernel in a safe way. > > Until this is implemented, do not support kexec in SEV-ES guests.I don't understand this. Fundamentally kexec is about doing things more or less inspite of what the firmware is doing. I don't have any idea what a SEV-ES is. But the normal x86 boot doesn't do anything special. Is cross cpu IPI emulation buggy? If this is a move in your face hypervisor like Xen is sometimes I can see perhaps needing a little bit of different work during bootup. Perhaps handing back a cpu on system shutdown and asking for more cpus on system boot up. What is the actual problem you are trying to avoid? And yes for a temporary hack the suggestion of putting code into machine_kexec_prepare seems much more reasonable so we don't have to carry special case infrastructure for the forseeable future. Eric> Cc: stable at vger.kernel.org # v5.10+ > Signed-off-by: Joerg Roedel <jroedel at suse.de> > --- > arch/x86/kernel/machine_kexec_64.c | 8 ++++++++ > 1 file changed, 8 insertions(+) > > diff --git a/arch/x86/kernel/machine_kexec_64.c b/arch/x86/kernel/machine_kexec_64.c > index c078b0d3ab0e..f902cc9cc634 100644 > --- a/arch/x86/kernel/machine_kexec_64.c > +++ b/arch/x86/kernel/machine_kexec_64.c > @@ -620,3 +620,11 @@ void arch_kexec_pre_free_pages(void *vaddr, unsigned int pages) > */ > set_memory_encrypted((unsigned long)vaddr, pages); > } > + > +/* > + * Kexec is not supported in SEV-ES guests yet > + */ > +bool arch_kexec_supported(void) > +{ > + return !sev_es_active(); > +}
Joerg Roedel
2021-May-06 18:41 UTC
[PATCH 2/2] x86/kexec/64: Forbid kexec when running as an SEV-ES guest
On Thu, May 06, 2021 at 12:42:03PM -0500, Eric W. Biederman wrote:> I don't understand this. > > Fundamentally kexec is about doing things more or less inspite of > what the firmware is doing. > > I don't have any idea what a SEV-ES is. But the normal x86 boot doesn't > do anything special. Is cross cpu IPI emulation buggy?Under SEV-ES the normal SIPI-based sequence to re-initialize a CPU does not work anymore. An SEV-ES guest is a special virtual machine where the hardware encrypts the guest memory and the guest register state. The hypervisor can't make any modifications to the guests registers at runtime. Therefore it also can't emulate a SIPI sequence and reset the vCPU. The guest kernel has to reset the vCPU itself and hand it over from the old kernel to the kexec'ed kernel. This isn't currently implemented and therefore kexec needs to be disabled when running as an SEV-ES guest. Implementing this also requires an extension to the guest-hypervisor protocol (the GHCB Spec[1]) which is only available in version 2. So a guest running on a hypervisor supporting only version 1 will never properly support kexec.> What is the actual problem you are trying to avoid?Currently, if someone tries kexec in an SEV-ES guest, the kexec'ed kernel will only be able to bring up the boot CPU, not the others. The others will wake up with the old kernels CPU state in the new kernels memory and do undefined things, most likely triple-fault because their page-table is not existent anymore. So since kexec currently does not work as expected under SEV-ES, it is better to hide it until everything is implemented so it can do what the user expects.> And yes for a temporary hack the suggestion of putting code into > machine_kexec_prepare seems much more reasonable so we don't have to > carry special case infrastructure for the forseeable future.As I said above, for protocol version 1 it will stay disabled, so it is not only a temporary hack. Regards, Joerg [1] https://developer.amd.com/wp-content/resources/56421.pdf