x86/sev: Move common memory encryption code to mem_encrypt.c

	  helps to determine the effectiveness of preserving large and huge

	  page mappings when mapping protections are changed.

config X86_MEM_ENCRYPT

	select ARCH_HAS_FORCE_DMA_UNENCRYPTED

	select DYNAMIC_PHYSICAL_MASK

	select ARCH_HAS_RESTRICTED_VIRTIO_MEMORY_ACCESS

	def_bool n

config AMD_MEM_ENCRYPT

	bool "AMD Secure Memory Encryption (SME) support"

	depends on X86_64 && CPU_SUP_AMD

	select DMA_COHERENT_POOL

	select DYNAMIC_PHYSICAL_MASK

	select ARCH_USE_MEMREMAP_PROT

	select ARCH_HAS_FORCE_DMA_UNENCRYPTED

	select INSTRUCTION_DECODER

	select ARCH_HAS_RESTRICTED_VIRTIO_MEMORY_ACCESS

	select ARCH_HAS_CC_PLATFORM

	select X86_MEM_ENCRYPT

	help

	  Say yes to enable support for the encryption of system memory.

	  This requires an AMD processor that supports Secure Memory

# SPDX-License-Identifier: GPL-2.0

# Kernel does not boot with instrumentation of tlb.c and mem_encrypt*.c

KCOV_INSTRUMENT_tlb.o			:= n

KCOV_INSTRUMENT_mem_encrypt.o		:= n

KCOV_INSTRUMENT_mem_encrypt_amd.o	:= n

KCOV_INSTRUMENT_mem_encrypt_identity.o	:= n

KASAN_SANITIZE_mem_encrypt.o		:= n

KASAN_SANITIZE_mem_encrypt_amd.o	:= n

KASAN_SANITIZE_mem_encrypt_identity.o	:= n

KCSAN_SANITIZE := n

ifdef CONFIG_FUNCTION_TRACER

CFLAGS_REMOVE_mem_encrypt.o		= -pg

CFLAGS_REMOVE_mem_encrypt_amd.o		= -pg

CFLAGS_REMOVE_mem_encrypt_identity.o	= -pg

endif

obj-$(CONFIG_RANDOMIZE_MEMORY)			+= kaslr.o

obj-$(CONFIG_PAGE_TABLE_ISOLATION)		+= pti.o

obj-$(CONFIG_X86_MEM_ENCRYPT)	+= mem_encrypt.o

obj-$(CONFIG_AMD_MEM_ENCRYPT)	+= mem_encrypt_amd.o

obj-$(CONFIG_AMD_MEM_ENCRYPT)	+= mem_encrypt_identity.o

obj-$(CONFIG_AMD_MEM_ENCRYPT)	+= mem_encrypt_boot.o

// SPDX-License-Identifier: GPL-2.0-only

/*

 * Memory Encryption Support Common Code

 *

 * Copyright (C) 2016 Advanced Micro Devices, Inc.

 *

 * Author: Tom Lendacky <thomas.lendacky@amd.com>

 */

#include <linux/dma-direct.h>

#include <linux/dma-mapping.h>

#include <linux/swiotlb.h>

#include <linux/cc_platform.h>

#include <linux/mem_encrypt.h>

#include <linux/virtio_config.h>

/* Override for DMA direct allocation check - ARCH_HAS_FORCE_DMA_UNENCRYPTED */

bool force_dma_unencrypted(struct device *dev)

{

	/*

	 * For SEV, all DMA must be to unencrypted addresses.

	 */

	if (cc_platform_has(CC_ATTR_GUEST_MEM_ENCRYPT))

		return true;

	/*

	 * For SME, all DMA must be to unencrypted addresses if the

	 * device does not support DMA to addresses that include the

	 * encryption mask.

	 */

	if (cc_platform_has(CC_ATTR_HOST_MEM_ENCRYPT)) {

		u64 dma_enc_mask = DMA_BIT_MASK(__ffs64(sme_me_mask));

		u64 dma_dev_mask = min_not_zero(dev->coherent_dma_mask,

						dev->bus_dma_limit);

		if (dma_dev_mask <= dma_enc_mask)

			return true;

	}

	return false;

}

static void print_mem_encrypt_feature_info(void)

{

	pr_info("AMD Memory Encryption Features active:");

	/* Secure Memory Encryption */

	if (cc_platform_has(CC_ATTR_HOST_MEM_ENCRYPT)) {

		/*

		 * SME is mutually exclusive with any of the SEV

		 * features below.

		 */

		pr_cont(" SME\n");

		return;

	}

	/* Secure Encrypted Virtualization */

	if (cc_platform_has(CC_ATTR_GUEST_MEM_ENCRYPT))

		pr_cont(" SEV");

	/* Encrypted Register State */

	if (cc_platform_has(CC_ATTR_GUEST_STATE_ENCRYPT))

		pr_cont(" SEV-ES");

	pr_cont("\n");

}

/* Architecture __weak replacement functions */

void __init mem_encrypt_init(void)

{

	if (!cc_platform_has(CC_ATTR_MEM_ENCRYPT))

		return;

	/* Call into SWIOTLB to update the SWIOTLB DMA buffers */

	swiotlb_update_mem_attributes();

	print_mem_encrypt_feature_info();

}

int arch_has_restricted_virtio_memory_access(void)

{

	return cc_platform_has(CC_ATTR_GUEST_MEM_ENCRYPT);

}

EXPORT_SYMBOL_GPL(arch_has_restricted_virtio_memory_access);

	notify_range_enc_status_changed(vaddr, npages, enc);

}

/* Override for DMA direct allocation check - ARCH_HAS_FORCE_DMA_UNENCRYPTED */

bool force_dma_unencrypted(struct device *dev)

{

	/*

	 * For SEV, all DMA must be to unencrypted addresses.

	 */

	if (cc_platform_has(CC_ATTR_GUEST_MEM_ENCRYPT))

		return true;

	/*

	 * For SME, all DMA must be to unencrypted addresses if the

	 * device does not support DMA to addresses that include the

	 * encryption mask.

	 */

	if (cc_platform_has(CC_ATTR_HOST_MEM_ENCRYPT)) {

		u64 dma_enc_mask = DMA_BIT_MASK(__ffs64(sme_me_mask));

		u64 dma_dev_mask = min_not_zero(dev->coherent_dma_mask,

						dev->bus_dma_limit);

		if (dma_dev_mask <= dma_enc_mask)

			return true;

	}

	return false;

}

void __init mem_encrypt_free_decrypted_mem(void)

{

	unsigned long vaddr, vaddr_end, npages;

	free_init_pages("unused decrypted", vaddr, vaddr_end);

}

static void print_mem_encrypt_feature_info(void)

{

	pr_info("AMD Memory Encryption Features active:");

	/* Secure Memory Encryption */

	if (cc_platform_has(CC_ATTR_HOST_MEM_ENCRYPT)) {

		/*

		 * SME is mutually exclusive with any of the SEV

		 * features below.

		 */

		pr_cont(" SME\n");

		return;

	}

	/* Secure Encrypted Virtualization */

	if (cc_platform_has(CC_ATTR_GUEST_MEM_ENCRYPT))

		pr_cont(" SEV");

	/* Encrypted Register State */

	if (cc_platform_has(CC_ATTR_GUEST_STATE_ENCRYPT))

		pr_cont(" SEV-ES");

	pr_cont("\n");

}

/* Architecture __weak replacement functions */

void __init mem_encrypt_init(void)

{

	if (!sme_me_mask)

		return;

	/* Call into SWIOTLB to update the SWIOTLB DMA buffers */

	swiotlb_update_mem_attributes();

	print_mem_encrypt_feature_info();

}

int arch_has_restricted_virtio_memory_access(void)

{

	return cc_platform_has(CC_ATTR_GUEST_MEM_ENCRYPT);

}

EXPORT_SYMBOL_GPL(arch_has_restricted_virtio_memory_access);