search for: sev_es_setup_ap_jump_table

...64 val, unsigned int bits) extern void vc_no_ghcb(void); extern bool vc_boot_ghcb(struct pt_regs *regs); +struct real_mode_header; enum stack_type; #ifdef CONFIG_AMD_MEM_ENCRYPT const char *vc_stack_name(enum stack_type type); void sev_es_nmi_enter(void); void sev_es_nmi_exit(void); +int sev_es_setup_ap_jump_table(struct real_mode_header *rmh); #else /* CONFIG_AMD_MEM_ENCRYPT */ static inline const char *vc_stack_name(enum stack_type type) { return NULL; } +static inline int sev_es_setup_ap_jump_table(struct real_mode_header *rmh) +{ + return 0; +} #endif /* CONFIG_AMD_MEM_ENCRYPT*/ #endif diff --g...

...e; + /* Early IDT entry points for #VC handler */ extern void vc_no_ghcb(void); extern bool handle_vc_boot_ghcb(struct pt_regs *regs); @@ -91,9 +94,11 @@ static __always_inline void sev_es_ist_exit(void) if (static_branch_unlikely(&sev_es_enable_key)) __sev_es_ist_exit(); } +extern int sev_es_setup_ap_jump_table(struct real_mode_header *rmh); #else static inline void sev_es_ist_enter(struct pt_regs *regs) { } static inline void sev_es_ist_exit(void) { } +static inline int sev_es_setup_ap_jump_table(struct real_mode_header *rmh) { return 0; } #endif #endif diff --git a/arch/x86/include/uapi/asm/svm.h...

...include <asm/msr-index.h> diff --git a/arch/x86/include/asm/sev-es.h b/arch/x86/include/asm/sev-es.h index a242d16727f1..ce9a197bf958 100644 --- a/arch/x86/include/asm/sev-es.h +++ b/arch/x86/include/asm/sev-es.h @@ -87,6 +87,7 @@ void sev_es_nmi_enter(void); void sev_es_nmi_exit(void); int sev_es_setup_ap_jump_table(struct real_mode_header *rmh); void sev_es_nmi_complete(void); +int __init sev_es_efi_map_ghcbs(pgd_t *pgd); #else /* CONFIG_AMD_MEM_ENCRYPT */ static inline const char *vc_stack_name(enum stack_type type) { @@ -97,6 +98,10 @@ static inline int sev_es_setup_ap_jump_table(struct real_mode_header...

...x86/include/asm/sev-es.h b/arch/x86/include/asm/sev-es.h index c89b6e2e6439..a242d16727f1 100644 --- a/arch/x86/include/asm/sev-es.h +++ b/arch/x86/include/asm/sev-es.h @@ -86,6 +86,7 @@ const char *vc_stack_name(enum stack_type type); void sev_es_nmi_enter(void); void sev_es_nmi_exit(void); int sev_es_setup_ap_jump_table(struct real_mode_header *rmh); +void sev_es_nmi_complete(void); #else /* CONFIG_AMD_MEM_ENCRYPT */ static inline const char *vc_stack_name(enum stack_type type) { @@ -95,6 +96,7 @@ static inline int sev_es_setup_ap_jump_table(struct real_mode_header *rmh) { return 0; } +static inline void se...

....h> > > struct real_mode_header *real_mode_header; > u32 *trampoline_cr4_features; > @@ -107,6 +108,11 @@ static void __init setup_real_mode(void) > if (sme_active()) > trampoline_header->flags |= TH_FLAGS_SME_ACTIVE; > > + if (sev_es_active()) { > + if (sev_es_setup_ap_jump_table(real_mode_header)) > + panic("Failed to update SEV-ES AP Jump Table"); > + } > + So this function gets slowly sprinkled with if (sev-something) bla Please wrap at least those last two into a sev_setup_real_mode() or so. -- Regards/Gruss, Boris. https://people.ke...

...sev_es_nmi_complete(void) if (static_branch_unlikely(&sev_es_enable_key)) __sev_es_nmi_complete(); } +extern int __init sev_es_efi_map_ghcbs(pgd_t *pgd); #else static inline void sev_es_ist_enter(struct pt_regs *regs) { } static inline void sev_es_ist_exit(void) { } static inline int sev_es_setup_ap_jump_table(struct real_mode_header *rmh) { return 0; } static inline void sev_es_nmi_complete(void) { } +static inline int sev_es_efi_map_ghcbs(pgd_t *pgd) { return 0; } #endif #endif diff --git a/arch/x86/kernel/sev-es.c b/arch/x86/kernel/sev-es.c index 9ab3a4dfecd8..4e2b7e4d9b87 100644 --- a/arch/x86/k...

.../sev-es.h +++ b/arch/x86/include/asm/sev-es.h @@ -8,6 +8,8 @@ #ifndef __ASM_ENCRYPTED_STATE_H #define __ASM_ENCRYPTED_STATE_H +#ifndef __ASSEMBLY__ + #include <linux/types.h> #include <asm/insn.h> @@ -82,11 +84,36 @@ struct real_mode_header; #ifdef CONFIG_AMD_MEM_ENCRYPT int sev_es_setup_ap_jump_table(struct real_mode_header *rmh); +void sev_es_nmi_enter(void); #else /* CONFIG_AMD_MEM_ENCRYPT */ static inline int sev_es_setup_ap_jump_table(struct real_mode_header *rmh) { return 0; } +static inline void sev_es_nmi_enter(void) { } +#endif /* CONFIG_AMD_MEM_ENCRYPT*/ + +#else /* !__ASSEMBLY__...

...oline_header *th) th->flags |= TH_FLAGS_SME_ACTIVE; if (sev_es_active()) { + /* + * Skip the call to verify_cpu() in secondary_startup_64 as it + * will cause #VC exceptions when the AP can't handle them yet. + */ + th->start = (u64) secondary_startup_64_no_verify; + if (sev_es_setup_ap_jump_table(real_mode_header)) panic("Failed to update SEV-ES AP Jump Table"); } -- 2.27.0

...oline_header *th) th->flags |= TH_FLAGS_SME_ACTIVE; if (sev_es_active()) { + /* + * Skip the call to verify_cpu() in secondary_startup_64 as it + * will cause #VC exceptions when the AP can't handle them yet. + */ + th->start = (u64) secondary_startup_64_no_verify; + if (sev_es_setup_ap_jump_table(real_mode_header)) panic("Failed to update SEV-ES AP Jump Table"); } -- 2.27.0

...> + if (!ghcb_sw_exit_info_1_is_valid(ghcb) || > + !ghcb_sw_exit_info_2_is_valid(ghcb)) > + ret = 0; > + > + ret = ghcb->save.sw_exit_info_2; > + > + sev_es_put_ghcb(&state); > + > + local_irq_restore(flags); > + > + return ret; > +} > + > +int sev_es_setup_ap_jump_table(struct real_mode_header *rmh) > +{ > + u16 startup_cs, startup_ip; > + phys_addr_t jump_table_pa; > + u64 jump_table_addr; > + u16 __iomem *jump_table; > + > + jump_table_addr = sev_es_get_jump_table_addr(); > + > + /* Check if AP Jump Table is non-zero and page-aligned *...

...__sev_es_nmi_complete(); >>> } >>> +extern int __init sev_es_efi_map_ghcbs(pgd_t *pgd); >>> #else >>> static inline void sev_es_ist_enter(struct pt_regs *regs) { } >>> static inline void sev_es_ist_exit(void) { } >>> static inline int sev_es_setup_ap_jump_table(struct real_mode_header *rmh) { return 0; } >>> static inline void sev_es_nmi_complete(void) { } >>> +static inline int sev_es_efi_map_ghcbs(pgd_t *pgd) { return 0; } >>> #endif >>> >>> #endif >>> diff --git a/arch/x86/kernel/sev-es.c b/arch/...

..._SME_ACTIVE; > > if (sev_es_active()) { > + /* > + * Skip the call to verify_cpu() in secondary_startup_64 as it > + * will cause #VC exceptions when the AP can't handle them yet. > + */ > + th->start = (u64) secondary_startup_64_no_verify; > + > if (sev_es_setup_ap_jump_table(real_mode_header)) > panic("Failed to update SEV-ES AP Jump Table"); > } > -- > 2.27.0 > -- Kees Cook

..._SME_ACTIVE; > > if (sev_es_active()) { > + /* > + * Skip the call to verify_cpu() in secondary_startup_64 as it > + * will cause #VC exceptions when the AP can't handle them yet. > + */ > + th->start = (u64) secondary_startup_64_no_verify; > + > if (sev_es_setup_ap_jump_table(real_mode_header)) > panic("Failed to update SEV-ES AP Jump Table"); > } > -- > 2.27.0 > -- Kees Cook

From: Joerg Roedel <jroedel at suse.de> Hi, here is a new version of the SEV-ES Guest Support patches for x86. The previous versions can be found as a linked list starting here: https://lore.kernel.org/lkml/20200824085511.7553-1-joro at 8bytes.org/ I updated the patch-set based on ther review comments I got and the discussions around it. Another important change is that the early IDT

From: Joerg Roedel <jroedel at suse.de> Hi, here is a new version of the SEV-ES Guest Support patches for x86. The previous versions can be found as a linked list starting here: https://lore.kernel.org/lkml/20200824085511.7553-1-joro at 8bytes.org/ I updated the patch-set based on ther review comments I got and the discussions around it. Another important change is that the early IDT

From: Joerg Roedel <jroedel at suse.de> Hi, here is the fourth version of the SEV-ES Guest Support patches. I addressed the review comments sent to me for the previous version and rebased the code v5.8-rc5. The biggest change in this version is the IST handling code for the #VC handler. I adapted the entry code for the #VC handler to the big pile of entry code changes merged into

From: Joerg Roedel <jroedel at suse.de> Hi, here is the fourth version of the SEV-ES Guest Support patches. I addressed the review comments sent to me for the previous version and rebased the code v5.8-rc5. The biggest change in this version is the IST handling code for the #VC handler. I adapted the entry code for the #VC handler to the big pile of entry code changes merged into

From: Joerg Roedel <jroedel at suse.de> Hi, here is a rebased version of the latest SEV-ES patches. They are now based on latest tip/master instead of upstream Linux and include the necessary changes. Changes to v4 are in particular: - Moved early IDT setup code to idt.c, because the idt_descr and the idt_table are now static - This required to make stack protector work early (or

From: Joerg Roedel <jroedel at suse.de> Hi, here is the new version of the SEV-ES client enabling patch-set. It is based on the latest tip/master branch and contains the necessary changes. In particular those ar: - Enabling CR4.FSGSBASE early on supported processors so that early #VC exceptions on APs can be handled. - Add another patch (patch 1) to fix a KVM frame-size build

Hi, here is the first public post of the patch-set to enable Linux to run under SEV-ES enabled hypervisors. The code is mostly feature-complete, but there are still a couple of bugs to fix. Nevertheless, given the size of the patch-set, I think it is about time to ask for initial feedback of the changes that come with it. To better understand the code here is a quick explanation of SEV-ES first.