• L
    Merge tag 'x86_seves_for_v5.10' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · da9803df
    Linus Torvalds 提交于
    Pull x86 SEV-ES support from Borislav Petkov:
     "SEV-ES enhances the current guest memory encryption support called SEV
      by also encrypting the guest register state, making the registers
      inaccessible to the hypervisor by en-/decrypting them on world
      switches. Thus, it adds additional protection to Linux guests against
      exfiltration, control flow and rollback attacks.
    
      With SEV-ES, the guest is in full control of what registers the
      hypervisor can access. This is provided by a guest-host exchange
      mechanism based on a new exception vector called VMM Communication
      Exception (#VC), a new instruction called VMGEXIT and a shared
      Guest-Host Communication Block which is a decrypted page shared
      between the guest and the hypervisor.
    
      Intercepts to the hypervisor become #VC exceptions in an SEV-ES guest
      so in order for that exception mechanism to work, the early x86 init
      code needed to be made able to handle exceptions, which, in itself,
      brings a bunch of very nice cleanups and improvements to the early
      boot code like an early page fault handler, allowing for on-demand
      building of the identity mapping. With that, !KASLR configurations do
      not use the EFI page table anymore but switch to a kernel-controlled
      one.
    
      The main part of this series adds the support for that new exchange
      mechanism. The goal has been to keep this as much as possibly separate
      from the core x86 code by concentrating the machinery in two
      SEV-ES-specific files:
    
        arch/x86/kernel/sev-es-shared.c
        arch/x86/kernel/sev-es.c
    
      Other interaction with core x86 code has been kept at minimum and
      behind static keys to minimize the performance impact on !SEV-ES
      setups.
    
      Work by Joerg Roedel and Thomas Lendacky and others"
    
    * tag 'x86_seves_for_v5.10' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: (73 commits)
      x86/sev-es: Use GHCB accessor for setting the MMIO scratch buffer
      x86/sev-es: Check required CPU features for SEV-ES
      x86/efi: Add GHCB mappings when SEV-ES is active
      x86/sev-es: Handle NMI State
      x86/sev-es: Support CPU offline/online
      x86/head/64: Don't call verify_cpu() on starting APs
      x86/smpboot: Load TSS and getcpu GDT entry before loading IDT
      x86/realmode: Setup AP jump table
      x86/realmode: Add SEV-ES specific trampoline entry point
      x86/vmware: Add VMware-specific handling for VMMCALL under SEV-ES
      x86/kvm: Add KVM-specific VMMCALL handling under SEV-ES
      x86/paravirt: Allow hypervisor-specific VMMCALL handling under SEV-ES
      x86/sev-es: Handle #DB Events
      x86/sev-es: Handle #AC Events
      x86/sev-es: Handle VMMCALL Events
      x86/sev-es: Handle MWAIT/MWAITX Events
      x86/sev-es: Handle MONITOR/MONITORX Events
      x86/sev-es: Handle INVD Events
      x86/sev-es: Handle RDPMC Events
      x86/sev-es: Handle RDTSC(P) Events
      ...
    da9803df
Kconfig 93.9 KB