Commit 2e5fc478 authored by Ingo Molnar's avatar Ingo Molnar
Browse files

Merge branch 'x86/sev' into x86/boot, to resolve conflicts and to pick up dependent tree 



We are going to queue up a number of patches that depend
on fresh changes in x86/sev - merge in that branch to
reduce the number of conflicts going forward.

Also resolve a current conflict with x86/sev.

Conflicts:
	arch/x86/include/asm/coco.h

Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
parents 29cd8555 ee8ff876

Documentation/admin-guide/kernel-parameters.txt

+1 −3
Original line number Diff line number Diff line
@@ -3320,9 +3320,7 @@ 


	mem_encrypt=	[X86-64] AMD Secure Memory Encryption (SME) control

			Valid arguments: on, off

			Default (depends on kernel configuration option):

			  on  (CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT=y)

			  off (CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT=n)

			Default: off

			mem_encrypt=on:		Activate SME

			mem_encrypt=off:	Do not activate SME

Documentation/arch/x86/amd-memory-encryption.rst

+8 −8
Original line number Diff line number Diff line
@@ -87,14 +87,14 @@ The state of SME in the Linux kernel can be documented as follows: 
	  kernel is non-zero).



SME can also be enabled and activated in the BIOS. If SME is enabled and

activated in the BIOS, then all memory accesses will be encrypted and it will

not be necessary to activate the Linux memory encryption support.  If the BIOS

merely enables SME (sets bit 23 of the MSR_AMD64_SYSCFG), then Linux can activate

memory encryption by default (CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT=y) or

by supplying mem_encrypt=on on the kernel command line.  However, if BIOS does

not enable SME, then Linux will not be able to activate memory encryption, even

if configured to do so by default or the mem_encrypt=on command line parameter

is specified.

activated in the BIOS, then all memory accesses will be encrypted and it

will not be necessary to activate the Linux memory encryption support.



If the BIOS merely enables SME (sets bit 23 of the MSR_AMD64_SYSCFG),

then memory encryption can be enabled by supplying mem_encrypt=on on the

kernel command line.  However, if BIOS does not enable SME, then Linux

will not be able to activate memory encryption, even if configured to do

so by default or the mem_encrypt=on command line parameter is specified.



Secure Nested Paging (SNP)

==========================

Documentation/virt/coco/sev-guest.rst

+52 −0
Original line number Diff line number Diff line
@@ -67,6 +67,23 @@ counter (e.g. counter overflow), then -EIO will be returned. 
                };

        };



The host ioctls are issued to a file descriptor of the /dev/sev device.

The ioctl accepts the command ID/input structure documented below.



::



        struct sev_issue_cmd {

                /* Command ID */

                __u32 cmd;



                /* Command request structure */

                __u64 data;



                /* Firmware error code on failure (see psp-sev.h) */

                __u32 error;

        };





2.1 SNP_GET_REPORT

------------------
@@ -124,6 +141,41 @@ be updated with the expected value. 


See GHCB specification for further detail on how to parse the certificate blob.



2.4 SNP_PLATFORM_STATUS

-----------------------

:Technology: sev-snp

:Type: hypervisor ioctl cmd

:Parameters (out): struct sev_user_data_snp_status

:Returns (out): 0 on success, -negative on error



The SNP_PLATFORM_STATUS command is used to query the SNP platform status. The

status includes API major, minor version and more. See the SEV-SNP

specification for further details.



2.5 SNP_COMMIT

--------------

:Technology: sev-snp

:Type: hypervisor ioctl cmd

:Returns (out): 0 on success, -negative on error



SNP_COMMIT is used to commit the currently installed firmware using the

SEV-SNP firmware SNP_COMMIT command. This prevents roll-back to a previously

committed firmware version. This will also update the reported TCB to match

that of the currently installed firmware.



2.6 SNP_SET_CONFIG

------------------

:Technology: sev-snp

:Type: hypervisor ioctl cmd

:Parameters (in): struct sev_user_data_snp_config

:Returns (out): 0 on success, -negative on error



SNP_SET_CONFIG is used to set the system-wide configuration such as

reported TCB version in the attestation report. The command is similar

to SNP_CONFIG command defined in the SEV-SNP spec. The current values of

the firmware parameters affected by this command can be queried via

SNP_PLATFORM_STATUS.



3. SEV-SNP CPUID Enforcement

============================

arch/x86/Kbuild

+2 −0
Original line number Diff line number Diff line
@@ -28,5 +28,7 @@ obj-y += net/ 


obj-$(CONFIG_KEXEC_FILE) += purgatory/



obj-y += virt/svm/



# for cleaning

subdir- += boot tools

arch/x86/Kconfig

+0 −13
Original line number Diff line number Diff line
@@ -1539,19 +1539,6 @@ config AMD_MEM_ENCRYPT 
	  This requires an AMD processor that supports Secure Memory

	  Encryption (SME).



config AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT

	bool "Activate AMD Secure Memory Encryption (SME) by default"

	depends on AMD_MEM_ENCRYPT

	help

	  Say yes to have system memory encrypted by default if running on

	  an AMD processor that supports Secure Memory Encryption (SME).



	  If set to Y, then the encryption of system memory can be

	  deactivated with the mem_encrypt=off command line option.



	  If set to N, then the encryption of system memory can be

	  activated with the mem_encrypt=on command line option.



# Common NUMA Features

config NUMA

	bool "NUMA Memory Allocation and Scheduler Support"