From nobody Thu Oct 2 23:57:56 2025
Date: Tue, 9 Sep 2025 10:06:33 +0200
In-Reply-To: <20250909080631.2867579-5-ardb+git@google.com>
References: <20250909080631.2867579-5-ardb+git@google.com>
Message-ID: <20250909080631.2867579-6-ardb+git@google.com>
Subject: [PATCH v4 1/3] x86/boot: Drop unused sev_enable() fallback
From: Ard Biesheuvel
To: linux-efi@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, x86@kernel.org, Ard Biesheuvel, Tom Lendacky, Borislav Petkov

From: Ard Biesheuvel

The misc.h header is not included by the EFI stub, which is the only C caller of sev_enable(). This means the fallback for cases where CONFIG_AMD_MEM_ENCRYPT is not set is never used, so it can be dropped.

Signed-off-by: Ard Biesheuvel
Reviewed-by: Tom Lendacky
---
 arch/x86/boot/compressed/misc.h | 11 -----------
 1 file changed, 11 deletions(-)

diff --git a/arch/x86/boot/compressed/misc.h b/arch/x86/boot/compressed/mis= c.h index db1048621ea2..fd855e32c9b9 100644 --- a/arch/x86/boot/compressed/misc.h +++ b/arch/x86/boot/compressed/misc.h
@@ -152,17 +152,6 @@ bool insn_has_rep_prefix(struct insn *insn); void sev_insn_decode_init(void); bool early_setup_ghcb(void); #else -static inline void sev_enable(struct boot_params *bp) -{ - /* - * bp->cc_blob_address should only be set by boot/compressed kernel. - * Initialize it to 0 unconditionally (thus here in this stub too) to - * ensure that uninitialized values from buggy bootloaders aren't - * propagated. - */ - if (bp) - bp->cc_blob_address =3D 0; -} static inline void snp_check_features(void) { } static inline void sev_es_shutdown_ghcb(void) { } static inline bool sev_es_check_ghcb_fault(unsigned long address) --=20 2.51.0.384.g4c02a37b29-goog

From nobody Thu Oct 2 23:57:56 2025
Date: Tue, 9 Sep 2025 10:06:34 +0200
In-Reply-To: <20250909080631.2867579-5-ardb+git@google.com>
References: <20250909080631.2867579-5-ardb+git@google.com>
Message-ID: <20250909080631.2867579-7-ardb+git@google.com>
Subject: [PATCH v4 2/3] x86/efistub: Obtain SEV CC blob address from the stub
From: Ard Biesheuvel
To: linux-efi@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, x86@kernel.org, Ard Biesheuvel, Tom Lendacky, Borislav Petkov

From: Ard Biesheuvel The x86 EFI stub no longer boots the core kernel via the traditional decompressor but jumps straight to it, avoiding all the page fault handling and other complexity that is entirely unnecessary when booting via EFI, which guarantees that all system memory is mapped 1:1. The SEV startup code in the core kernel expects the address of the CC blob configuration table in boot_params, so store it there when booting from EFI with SEV-SNP enabled. This removes the need to call sev_enable() from the EFI stub. Signed-off-by: Ard Biesheuvel --- drivers/firmware/efi/libstub/x86-stub.c | 21 +++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) diff --git a/drivers/firmware/efi/libstub/x86-stub.c b/drivers/firmware/efi= /libstub/x86-stub.c index 0d05eac7c72b..c4ef645762ec 100644 --- a/drivers/firmware/efi/libstub/x86-stub.c +++ b/drivers/firmware/efi/libstub/x86-stub.c @@ -681,17 +681,28 @@ static efi_status_t exit_boot(struct boot_params *boo= t_params, void *handle) return EFI_SUCCESS; } =20 -static bool have_unsupported_snp_features(void) +static bool check_snp_features(struct boot_params *bp) { + u64 status =3D sev_get_status(); u64 unsupported; =20 - unsupported =3D snp_get_unsupported_features(sev_get_status()); + unsupported =3D snp_get_unsupported_features(status); if (unsupported) { efi_err("Unsupported SEV-SNP features detected: 0x%llx\n", unsupported); - return true; + return false; } - return false; + + if (status & MSR_AMD64_SEV_SNP_ENABLED) { + void *tbl =3D get_efi_config_table(EFI_CC_BLOB_GUID); + + if (!tbl) { + efi_err("SEV-SNP is enabled but CC blob not found\n"); + return false; + } + bp->cc_blob_address =3D (u32)(unsigned long)tbl; + } + return true; } =20 static void efi_get_seed(void *seed, int size) 
@@ -831,7 +842,7 @@ void __noreturn efi_stub_entry(efi_handle_t handle, =20 hdr =3D &boot_params->hdr; =20 - if (have_unsupported_snp_features()) + if (!check_snp_features(boot_params)) efi_exit(handle, EFI_UNSUPPORTED); =20 if (IS_ENABLED(CONFIG_EFI_DXE_MEM_ATTRIBUTES)) { --=20 2.51.0.384.g4c02a37b29-goog

From nobody Thu Oct 2 23:57:56 2025
Date: Tue, 9 Sep 2025 10:06:35 +0200
In-Reply-To: <20250909080631.2867579-5-ardb+git@google.com>
References: <20250909080631.2867579-5-ardb+git@google.com>
Message-ID: <20250909080631.2867579-8-ardb+git@google.com>
Subject: [PATCH v4 3/3] x86/efistub: Don't bother enabling SEV in the EFI stub
From: Ard Biesheuvel
To: linux-efi@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, x86@kernel.org, Ard Biesheuvel, Tom Lendacky, Borislav Petkov

From: Ard Biesheuvel

One of the last things the EFI stub does before handing over to the core kernel when booting as a SEV guest is enabling SEV, even though this is mostly redundant: one of the first things the core kernel does is calling sme_enable(), after setting up the early GDT and IDT but before even setting up the kernel page tables. sme_enable() performs the same SEV-SNP initialization that the decompressor performs in sev_enable().

So let's just drop this call to sev_enable(), and rely on the core kernel to initialize SEV correctly.

Signed-off-by: Ard Biesheuvel
---
 arch/x86/include/asm/sev.h | 2 --
 drivers/firmware/efi/libstub/x86-stub.c | 6 ------
 2 files changed, 8 deletions(-)

diff --git a/arch/x86/include/asm/sev.h b/arch/x86/include/asm/sev.h index d7be1ff3f7e0..b017e1dab705 100644 --- a/arch/x86/include/asm/sev.h +++ b/arch/x86/include/asm/sev.h @@ -462,7 +462,6 @@ static __always_inline void sev_es_nmi_complete(void) __sev_es_nmi_complete(); } extern int __init sev_es_efi_map_ghcbs_cas(pgd_t *pgd); -extern void sev_enable(struct boot_params *bp); =20 /* * RMPADJUST modifies the RMP permissions of a page of a lesser- @@ -588,7 +587,6 @@ static inline void sev_es_ist_exit(void) { } static inline int sev_es_setup_ap_jump_table(struct real_mode_header *rmh)= { return 0; } static inline void sev_es_nmi_complete(void) { } static inline int sev_es_efi_map_ghcbs_cas(pgd_t *pgd) { return 0; } -static inline void sev_enable(struct boot_params *bp) { } static inline int pvalidate(unsigned long vaddr, bool rmp_psize, bool vali= date) { return 0; } static inline int rmpadjust(unsigned long vaddr, bool rmp_psize, unsigned = long attrs) { return 0; } static inline void setup_ghcb(void) { } diff --git a/drivers/firmware/efi/libstub/x86-stub.c b/drivers/firmware/efi= /libstub/x86-stub.c index c4ef645762ec..354bc3901193 100644 --- a/drivers/firmware/efi/libstub/x86-stub.c +++ b/drivers/firmware/efi/libstub/x86-stub.c @@ -938,12 +938,6 @@ void __noreturn efi_stub_entry(efi_handle_t handle, goto fail; } =20 - /* - * Call the SEV init code while still running with the firmware's - * GDT/IDT, so #VC exceptions will be handled by EFI. - */ - sev_enable(boot_params); - efi_5level_switch(); =20 enter_kernel(kernel_entry, boot_params); --=20 2.51.0.384.g4c02a37b29-goog
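
Review bot: In [PATCH v4 1/3], the misc.h hunk at -152,17 deletes, along with the unused stub, the comment that recorded why bp->cc_blob_address is initialized to 0 ("to ensure that uninitialized values from buggy bootloaders aren't propagated"). The stub being dead code is a sound reason to drop it, but the rationale is worth preserving: suggest moving that sentence into the commit message or next to a remaining writer of the field, so the hardening intent stays documented.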
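
Review bot: In [PATCH v4 2/3], the new assignment "bp->cc_blob_address = (u32)(unsigned long)tbl;" in check_snp_features() narrows the configuration table pointer to 32 bits with no range check. If get_efi_config_table(EFI_CC_BLOB_GUID) ever returns an address above 4 GiB, the truncated value is stored without any error and the core kernel's SEV startup code consumes a wrong address. Suggest comparing the pointer against U32_MAX before the cast and taking the same efi_err() plus "return false" path used for the missing-table case, or adding a comment that states why the table is guaranteed to sit below 4 GiB.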
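
Review bot: In [PATCH v4 3/3], the x86-stub.c hunk at -938,12 removes the last sev_enable(boot_params) call, and the commit message calls that call "mostly redundant" without saying what the non-redundant part is. One candidate is visible in this series: the stub deleted in 1/3 says cc_blob_address is initialized to 0 unconditionally, while check_snp_features() from 2/3 writes the field only when MSR_AMD64_SEV_SNP_ENABLED is set, so on a non-SNP boot the stub now passes on whatever value the bootloader left there. Suggest either clearing bp->cc_blob_address in check_snp_features() before the SNP test, or naming in the commit message where the core kernel resets it.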