Early in the boot process, add checks to determine if the kernel is running with Secure Encrypted Virtualization (SEV) active. Checking for SEV requires checking that the kernel is running under a hypervisor (CPUID 0x00000001, bit 31), that the SEV feature is available (CPUID 0x8000001f, bit 1) and then checking a non-interceptable SEV MSR (0xc0010131, bit 0). This check is required so that during early compressed kernel booting the pagetables (both the boot pagetables and KASLR pagetables (if enabled) are updated to include the encryption mask so that when the kernel is decompressed into encrypted memory, it can boot properly. After the kernel is decompressed and continues booting the same logic is used to check if SEV is active and set a flag indicating so. This allows to distinguish between SME and SEV, each of which have unique differences in how certain things are handled: e.g. DMA (always bounce buffered with SEV) or EFI tables (always access decrypted with SME). Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com> Signed-off-by: Brijesh Singh <brijesh.singh@amd.com> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Reviewed-by: Borislav Petkov <bp@suse.de> Tested-by: Borislav Petkov <bp@suse.de> Cc: Laura Abbott <labbott@redhat.com> Cc: Kees Cook <keescook@chromium.org> Cc: kvm@vger.kernel.org Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Cc: Radim Krčmář <rkrcmar@redhat.com> Cc: Borislav Petkov <bp@alien8.de> Cc: Andy Lutomirski <luto@kernel.org> Cc: Paolo Bonzini <pbonzini@redhat.com> Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com> Link: https://lkml.kernel.org/r/20171020143059.3291-13-brijesh.singh@amd.com
152 lines
5.1 KiB
Makefile
152 lines
5.1 KiB
Makefile
# SPDX-License-Identifier: GPL-2.0
|
|
#
|
|
# linux/arch/x86/boot/compressed/Makefile
|
|
#
|
|
# create a compressed vmlinux image from the original vmlinux
|
|
#
|
|
# vmlinuz is:
|
|
# decompression code (*.o)
|
|
# asm globals (piggy.S), including:
|
|
# vmlinux.bin.(gz|bz2|lzma|...)
|
|
#
|
|
# vmlinux.bin is:
|
|
# vmlinux stripped of debugging and comments
|
|
# vmlinux.bin.all is:
|
|
# vmlinux.bin + vmlinux.relocs
|
|
# vmlinux.bin.(gz|bz2|lzma|...) is:
|
|
# (see scripts/Makefile.lib size_append)
|
|
# compressed vmlinux.bin.all + u32 size of vmlinux.bin.all
|
|
|
|
KASAN_SANITIZE := n
|
|
OBJECT_FILES_NON_STANDARD := y
|
|
|
|
# Prevents link failures: __sanitizer_cov_trace_pc() is not linked in.
|
|
KCOV_INSTRUMENT := n
|
|
|
|
targets := vmlinux vmlinux.bin vmlinux.bin.gz vmlinux.bin.bz2 vmlinux.bin.lzma \
|
|
vmlinux.bin.xz vmlinux.bin.lzo vmlinux.bin.lz4
|
|
|
|
KBUILD_CFLAGS := -m$(BITS) -D__KERNEL__ -O2
|
|
KBUILD_CFLAGS += -fno-strict-aliasing $(call cc-option, -fPIE, -fPIC)
|
|
KBUILD_CFLAGS += -DDISABLE_BRANCH_PROFILING
|
|
cflags-$(CONFIG_X86_32) := -march=i386
|
|
cflags-$(CONFIG_X86_64) := -mcmodel=small
|
|
KBUILD_CFLAGS += $(cflags-y)
|
|
KBUILD_CFLAGS += -mno-mmx -mno-sse
|
|
KBUILD_CFLAGS += $(call cc-option,-ffreestanding)
|
|
KBUILD_CFLAGS += $(call cc-option,-fno-stack-protector)
|
|
KBUILD_CFLAGS += $(call cc-disable-warning, address-of-packed-member)
|
|
|
|
KBUILD_AFLAGS := $(KBUILD_CFLAGS) -D__ASSEMBLY__
|
|
GCOV_PROFILE := n
|
|
UBSAN_SANITIZE :=n
|
|
|
|
LDFLAGS := -m elf_$(UTS_MACHINE)
|
|
# Compressed kernel should be built as PIE since it may be loaded at any
|
|
# address by the bootloader.
|
|
ifeq ($(CONFIG_X86_32),y)
|
|
LDFLAGS += $(call ld-option, -pie) $(call ld-option, --no-dynamic-linker)
|
|
else
|
|
# To build 64-bit compressed kernel as PIE, we disable relocation
|
|
# overflow check to avoid relocation overflow error with a new linker
|
|
# command-line option, -z noreloc-overflow.
|
|
LDFLAGS += $(shell $(LD) --help 2>&1 | grep -q "\-z noreloc-overflow" \
|
|
&& echo "-z noreloc-overflow -pie --no-dynamic-linker")
|
|
endif
|
|
LDFLAGS_vmlinux := -T
|
|
|
|
hostprogs-y := mkpiggy
|
|
HOST_EXTRACFLAGS += -I$(srctree)/tools/include
|
|
|
|
sed-voffset := -e 's/^\([0-9a-fA-F]*\) [ABCDGRSTVW] \(_text\|__bss_start\|_end\)$$/\#define VO_\2 _AC(0x\1,UL)/p'
|
|
|
|
quiet_cmd_voffset = VOFFSET $@
|
|
cmd_voffset = $(NM) $< | sed -n $(sed-voffset) > $@
|
|
|
|
targets += ../voffset.h
|
|
|
|
$(obj)/../voffset.h: vmlinux FORCE
|
|
$(call if_changed,voffset)
|
|
|
|
$(obj)/misc.o: $(obj)/../voffset.h
|
|
|
|
vmlinux-objs-y := $(obj)/vmlinux.lds $(obj)/head_$(BITS).o $(obj)/misc.o \
|
|
$(obj)/string.o $(obj)/cmdline.o $(obj)/error.o \
|
|
$(obj)/piggy.o $(obj)/cpuflags.o
|
|
|
|
vmlinux-objs-$(CONFIG_EARLY_PRINTK) += $(obj)/early_serial_console.o
|
|
vmlinux-objs-$(CONFIG_RANDOMIZE_BASE) += $(obj)/kaslr.o
|
|
ifdef CONFIG_X86_64
|
|
vmlinux-objs-$(CONFIG_RANDOMIZE_BASE) += $(obj)/pagetable.o
|
|
vmlinux-objs-y += $(obj)/mem_encrypt.o
|
|
endif
|
|
|
|
$(obj)/eboot.o: KBUILD_CFLAGS += -fshort-wchar -mno-red-zone
|
|
|
|
vmlinux-objs-$(CONFIG_EFI_STUB) += $(obj)/eboot.o $(obj)/efi_stub_$(BITS).o \
|
|
$(objtree)/drivers/firmware/efi/libstub/lib.a
|
|
vmlinux-objs-$(CONFIG_EFI_MIXED) += $(obj)/efi_thunk_$(BITS).o
|
|
|
|
# The compressed kernel is built with -fPIC/-fPIE so that a boot loader
|
|
# can place it anywhere in memory and it will still run. However, since
|
|
# it is executed as-is without any ELF relocation processing performed
|
|
# (and has already had all relocation sections stripped from the binary),
|
|
# none of the code can use data relocations (e.g. static assignments of
|
|
# pointer values), since they will be meaningless at runtime. This check
|
|
# will refuse to link the vmlinux if any of these relocations are found.
|
|
quiet_cmd_check_data_rel = DATAREL $@
|
|
define cmd_check_data_rel
|
|
for obj in $(filter %.o,$^); do \
|
|
${CROSS_COMPILE}readelf -S $$obj | grep -qF .rel.local && { \
|
|
echo "error: $$obj has data relocations!" >&2; \
|
|
exit 1; \
|
|
} || true; \
|
|
done
|
|
endef
|
|
|
|
$(obj)/vmlinux: $(vmlinux-objs-y) FORCE
|
|
$(call if_changed,check_data_rel)
|
|
$(call if_changed,ld)
|
|
|
|
OBJCOPYFLAGS_vmlinux.bin := -R .comment -S
|
|
$(obj)/vmlinux.bin: vmlinux FORCE
|
|
$(call if_changed,objcopy)
|
|
|
|
targets += $(patsubst $(obj)/%,%,$(vmlinux-objs-y)) vmlinux.bin.all vmlinux.relocs
|
|
|
|
CMD_RELOCS = arch/x86/tools/relocs
|
|
quiet_cmd_relocs = RELOCS $@
|
|
cmd_relocs = $(CMD_RELOCS) $< > $@;$(CMD_RELOCS) --abs-relocs $<
|
|
$(obj)/vmlinux.relocs: vmlinux FORCE
|
|
$(call if_changed,relocs)
|
|
|
|
vmlinux.bin.all-y := $(obj)/vmlinux.bin
|
|
vmlinux.bin.all-$(CONFIG_X86_NEED_RELOCS) += $(obj)/vmlinux.relocs
|
|
|
|
$(obj)/vmlinux.bin.gz: $(vmlinux.bin.all-y) FORCE
|
|
$(call if_changed,gzip)
|
|
$(obj)/vmlinux.bin.bz2: $(vmlinux.bin.all-y) FORCE
|
|
$(call if_changed,bzip2)
|
|
$(obj)/vmlinux.bin.lzma: $(vmlinux.bin.all-y) FORCE
|
|
$(call if_changed,lzma)
|
|
$(obj)/vmlinux.bin.xz: $(vmlinux.bin.all-y) FORCE
|
|
$(call if_changed,xzkern)
|
|
$(obj)/vmlinux.bin.lzo: $(vmlinux.bin.all-y) FORCE
|
|
$(call if_changed,lzo)
|
|
$(obj)/vmlinux.bin.lz4: $(vmlinux.bin.all-y) FORCE
|
|
$(call if_changed,lz4)
|
|
|
|
suffix-$(CONFIG_KERNEL_GZIP) := gz
|
|
suffix-$(CONFIG_KERNEL_BZIP2) := bz2
|
|
suffix-$(CONFIG_KERNEL_LZMA) := lzma
|
|
suffix-$(CONFIG_KERNEL_XZ) := xz
|
|
suffix-$(CONFIG_KERNEL_LZO) := lzo
|
|
suffix-$(CONFIG_KERNEL_LZ4) := lz4
|
|
|
|
quiet_cmd_mkpiggy = MKPIGGY $@
|
|
cmd_mkpiggy = $(obj)/mkpiggy $< > $@ || ( rm -f $@ ; false )
|
|
|
|
targets += piggy.S
|
|
$(obj)/piggy.S: $(obj)/vmlinux.bin.$(suffix-y) $(obj)/mkpiggy FORCE
|
|
$(call if_changed,mkpiggy)
|