x86/boot/compressed/64: Check SEV encryption in 64-bit boot-path

Check whether the hypervisor reported the correct C-bit when running as an SEV guest. Using a wrong C-bit position could be used to leak sensitive data from the guest to the hypervisor. The check function is in a separate file: arch/x86/kernel/sev_verify_cbit.S so that it can be re-used in the running kernel image. [ bp: Massage. ] Signed-off-by: Joerg Roedel <jroedel@suse.de> Signed-off-by: Borislav Petkov <bp@suse.de> Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com> Link: https://lkml.kernel.org/r/20201028164659.27002-4-joro@8bytes.org
author: Joerg Roedel <jroedel@suse.de> 2020-10-28 17:46:57 +0100
committer: Borislav Petkov <bp@suse.de> 2020-10-29 18:06:52 +0100
commit: 86ce43f7dde81562f58b24b426cef068bd9f7595 (patch)
tree: f3042a795cff8aa037faa8c7d77e61d003af12d7 /arch/x86/boot/compressed/ident_map_64.c
parent: ed7b895f3efb5df184722f5a30f8164fcaffceb1 (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/arch/x86/boot/compressed/ident_map_64.c b/arch/x86/boot/compressed/ident_map_64.c
index a5e5db6ada3c..39b2eded7bc2 100644
--- a/arch/x86/boot/compressed/ident_map_64.c
+++ b/arch/x86/boot/compressed/ident_map_64.c
@@ -164,6 +164,7 @@ void initialize_identity_maps(void *rmode)
 	add_identity_map(cmdline, cmdline + COMMAND_LINE_SIZE);
 
 	/* Load the new page-table. */
+	sev_verify_cbit(top_level_pgt);
 	write_cr3(top_level_pgt);
 }
author	Joerg Roedel <jroedel@suse.de>	2020-10-28 17:46:57 +0100
committer	Borislav Petkov <bp@suse.de>	2020-10-29 18:06:52 +0100
commit	86ce43f7dde81562f58b24b426cef068bd9f7595 (patch)
tree	f3042a795cff8aa037faa8c7d77e61d003af12d7 /arch/x86/boot/compressed/ident_map_64.c
parent	ed7b895f3efb5df184722f5a30f8164fcaffceb1 (diff)