x86/sev-es: Check required CPU features for SEV-ES
Make sure the machine supports RDRAND; otherwise there is no trusted source of randomness in the system. To also check this in the pre-decompression stage, make has_cpuflag() no longer depend on CONFIG_RANDOMIZE_BASE. Signed-off-by: Martin Radev <martin.b.radev@gmail.com> Signed-off-by: Joerg Roedel <jroedel@suse.de> Signed-off-by: Borislav Petkov <bp@suse.de> Reviewed-by: Kees Cook <keescook@chromium.org> Link: https://lkml.kernel.org/r/20200907131613.12703-73-joro@8bytes.org
parent
39336f4ffb
commit
f5ed777586
|
@ -1,6 +1,4 @@
|
|||
// SPDX-License-Identifier: GPL-2.0
|
||||
#ifdef CONFIG_RANDOMIZE_BASE
|
||||
|
||||
#include "../cpuflags.c"
|
||||
|
||||
bool has_cpuflag(int flag)
|
||||
|
@ -9,5 +7,3 @@ bool has_cpuflag(int flag)
|
|||
|
||||
return test_bit(flag, cpu.flags);
|
||||
}
|
||||
|
||||
#endif
|
||||
|
|
|
@ -85,8 +85,6 @@ void choose_random_location(unsigned long input,
|
|||
unsigned long *output,
|
||||
unsigned long output_size,
|
||||
unsigned long *virt_addr);
|
||||
/* cpuflags.c */
|
||||
bool has_cpuflag(int flag);
|
||||
#else
|
||||
static inline void choose_random_location(unsigned long input,
|
||||
unsigned long input_size,
|
||||
|
@ -97,6 +95,9 @@ static inline void choose_random_location(unsigned long input,
|
|||
}
|
||||
#endif
|
||||
|
||||
/* cpuflags.c */
|
||||
bool has_cpuflag(int flag);
|
||||
|
||||
#ifdef CONFIG_X86_64
|
||||
extern int set_page_decrypted(unsigned long address);
|
||||
extern int set_page_encrypted(unsigned long address);
|
||||
|
|
|
@ -145,6 +145,9 @@ void sev_es_shutdown_ghcb(void)
|
|||
if (!boot_ghcb)
|
||||
return;
|
||||
|
||||
if (!sev_es_check_cpu_features())
|
||||
error("SEV-ES CPU Features missing.");
|
||||
|
||||
/*
|
||||
* GHCB Page must be flushed from the cache and mapped encrypted again.
|
||||
* Otherwise the running kernel will see strange cache effects when
|
||||
|
|
|
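Review bot: The new feature check in sev_es_shutdown_ghcb() sits below `if (!boot_ghcb) return;`, so at the decompression stage the RDRAND requirement is only enforced when a GHCB was actually set up; whether SEV-ES can be active here without boot_ghcb is not visible in the hunk, and if it can, the check is skipped at this stage and the failure first surfaces as the panic added in the sev_es_init_vc_handling() hunk. The two fatal messages also differ in spelling, `"SEV-ES CPU Features missing."` here and `"SEV-ES CPU Features missing"` in that later hunk, and one form should be used in both so the failure is searchable in logs. A short comment above the call, e.g. `/* Halt early if a CPU feature SEV-ES depends on is missing */`, would also record why a feature test lives in a shutdown routine. sev_es_shutdown_ghcb()'s body starts outside the hunk.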
@ -9,6 +9,21 @@
|
|||
* and is included directly into both code-bases.
|
||||
*/
|
||||
|
||||
#ifndef __BOOT_COMPRESSED
|
||||
#define error(v) pr_err(v)
|
||||
#define has_cpuflag(f) boot_cpu_has(f)
|
||||
#endif
|
||||
|
||||
static bool __init sev_es_check_cpu_features(void)
|
||||
{
|
||||
if (!has_cpuflag(X86_FEATURE_RDRAND)) {
|
||||
error("RDRAND instruction not supported - no trusted source of randomness available\n");
|
||||
return false;
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
static void sev_es_terminate(unsigned int reason)
|
||||
{
|
||||
u64 val = GHCB_SEV_TERMINATE;
|
||||
|
|
|
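Review bot: `#define error(v) pr_err(v)` passes its argument straight through as the printk format string, so the macro is only safe while every caller hands it a string literal, as sev_es_check_cpu_features() does today; `#define error(v) pr_err("%s", v)` would keep it safe if a computed message is ever routed through it and matches the plain-string interface the decompressor's error() appears to present. The message in sev_es_check_cpu_features() carries a trailing `\n`, which pr_err needs but the decompressor's error() presumably adds on its own, so the same string is likely rendered differently in the two builds; worth confirming against the decompressor output. The function both reports the missing feature and returns false, and each caller then prints a second, generic fatal message, so a header comment stating that contract, e.g. `/* Report any CPU feature SEV-ES depends on that is absent; returns false so the caller can halt. */`, would make the double message read as intentional.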
@ -665,6 +665,9 @@ void __init sev_es_init_vc_handling(void)
|
|||
if (!sev_es_active())
|
||||
return;
|
||||
|
||||
if (!sev_es_check_cpu_features())
|
||||
panic("SEV-ES CPU Features missing");
|
||||
|
||||
/* Enable SEV-ES special handling */
|
||||
static_branch_enable(&sev_es_enable_key);
|
||||
|
||||
|
|