Commit 22916417 authored Mar 04, 2021 by Tom Lendacky Committed by Borislav Petkov Mar 08, 2021

x86/virtio: Have SEV guests enforce restricted virtio memory access



An SEV guest requires that virtio devices use the DMA API to allow the
hypervisor to successfully access guest memory as needed.

The VIRTIO_F_VERSION_1 and VIRTIO_F_ACCESS_PLATFORM features tell virtio
to use the DMA API. Add arch_has_restricted_virtio_memory_access() for
x86, to fail the device probe if these features have not been set for the
device when running as an SEV guest.

 [ bp: Fix -Wmissing-prototypes warning
   Reported-by: kernel test robot <lkp@intel.com> ]

Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Link: https://lkml.kernel.org/r/b46e0211f77ca1831f11132f969d470a6ffc9267.1614897610.git.thomas.lendacky@amd.com

parent f3db3365

arch/x86/Kconfig

+1 −0

Original line number	Diff line number	Diff line
		@@ -1518,6 +1518,7 @@ config AMD_MEM_ENCRYPT
		select ARCH_USE_MEMREMAP_PROT
		select ARCH_HAS_FORCE_DMA_UNENCRYPTED
		select INSTRUCTION_DECODER
		select ARCH_HAS_RESTRICTED_VIRTIO_MEMORY_ACCESS
		help
		Say yes to enable support for the encryption of system memory.
		This requires an AMD processor that supports Secure Memory

arch/x86/mm/mem_encrypt.c

+6 −0

Original line number	Diff line number	Diff line
		@@ -19,6 +19,7 @@
		#include <linux/kernel.h>
		#include <linux/bitops.h>
		#include <linux/dma-mapping.h>
		#include <linux/virtio_config.h>

		#include <asm/tlbflush.h>
		#include <asm/fixmap.h>
		@@ -484,3 +485,8 @@ void __init mem_encrypt_init(void)
		print_mem_encrypt_feature_info();
		}

		int arch_has_restricted_virtio_memory_access(void)
		{
		return sev_active();
		}
		EXPORT_SYMBOL_GPL(arch_has_restricted_virtio_memory_access);