]> git.proxmox.com Git - mirror_ubuntu-eoan-kernel.git/commit
projects / mirror_ubuntu-eoan-kernel.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: c603a30) | patch
x86/mm: Create a workarea in the kernel for SME early encryption
authorThomas Lendacky <Thomas.Lendacky@amd.com>
Wed, 19 Jun 2019 18:40:59 +0000 (18:40 +0000)
committerBorislav Petkov <bp@suse.de>
Thu, 20 Jun 2019 07:44:26 +0000 (09:44 +0200)
commite1bfa87399e372446454ecbaeba2800f0a385733
tree0a77c9eeb6febe2b386c8909a7c6200910e4160btree
parentc603a309cc75f3dd018ddb20ee44c05047918cbfcommit | diff
x86/mm: Create a workarea in the kernel for SME early encryption

In order for the kernel to be encrypted "in place" during boot, a workarea
outside of the kernel must be used. This SME workarea used during early
encryption of the kernel is situated on a 2MB boundary after the end of
the kernel text, data, etc. sections (_end).

This works well during initial boot of a compressed kernel because of
the relocation used for decompression of the kernel. But when performing
a kexec boot, there's a chance that the SME workarea may not be mapped
by the kexec pagetables or that some of the other data used by kexec
could exist in this range.

Create a section for SME in vmlinux.lds.S. Position it after "_end", which
is after "__end_of_kernel_reserve", so that the memory will be reclaimed
during boot and since this area is all zeroes, it compresses well. This
new section will be part of the kernel image, so kexec will account for it
in pagetable mappings and placement of data after the kernel.

Here's an example of a kernel size without and with the SME section:

without:
vmlinux: 36,501,616
bzImage:  6,497,344

100000000-47f37ffff : System RAM
  1e4000000-1e47677d4 : Kernel code (0x7677d4)
  1e47677d5-1e4e2e0bf : Kernel data (0x6c68ea)
  1e5074000-1e5372fff : Kernel bss (0x2fefff)

with:
vmlinux: 44,419,408
bzImage:  6,503,136

880000000-c7ff7ffff : System RAM
  8cf000000-8cf7677d4 : Kernel code (0x7677d4)
  8cf7677d5-8cfe2e0bf : Kernel data (0x6c68ea)
  8d0074000-8d0372fff : Kernel bss (0x2fefff)

Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Reviewed-by: Baoquan He <bhe@redhat.com>
Reviewed-by: Dave Hansen <dave.hansen@intel.com>
Tested-by: Lianbo Jiang <lijiang@redhat.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Brijesh Singh <brijesh.singh@amd.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Joerg Roedel <jroedel@suse.de>
Cc: Kees Cook <keescook@chromium.org>
Cc: Nick Desaulniers <ndesaulniers@google.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: "Rafael Ávila de Espíndola" <rafael@espindo.la>
Cc: Sami Tolvanen <samitolvanen@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: "x86@kernel.org" <x86@kernel.org>
Link: https://lkml.kernel.org/r/3c483262eb4077b1654b2052bd14a8d011bffde3.1560969363.git.thomas.lendacky@amd.com
arch/x86/kernel/vmlinux.lds.S diff | blob | blame | history
arch/x86/mm/mem_encrypt_identity.c diff | blob | blame | history
Ubuntu Eoan Linux kernel mirror