
crypto/ccp: Implement SNP x86 shutdown

The SEV firmware has support to disable SNP during an SNP_SHUTDOWN_EX command.
Verify that this support is available and set the flag so that SNP is disabled
when it is not being used.

In cases where SNP is disabled, skip the call to amd_iommu_snp_disable(), as
all of the IOMMU pages have already been made shared. Also skip the panic
case, since snp_shutdown() does IPIs.

Signed-off-by: Tycho Andersen (AMD) <tycho@kernel.org>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Link: https://patch.msgid.link/20260324161301.1353976-7-tycho@kernel.org

authored by

Tycho Andersen (AMD) and committed by
Borislav Petkov (AMD)
f995fc37 7b2bc5f0

+28 -18
+24 -17
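--- a/drivers/crypto/ccp/sev-dev.c
+++ b/drivers/crypto/ccp/sev-dev.c
@@ -2039,6 +2039,8 @@
 	memset(&data, 0, sizeof(data));
 	data.len = sizeof(data);
 	data.iommu_snp_shutdown = 1;
+	if (sev->snp_feat_info_0.ecx & SNP_X86_SHUTDOWN_SUPPORTED)
+		data.x86_snp_shutdown = 1;
 
 	/*
 	 * If invoked during panic handling, local interrupts are disabled
@@ -2072,23 +2074,28 @@
 		return ret;
 	}
 
-	/*
-	 * SNP_SHUTDOWN_EX with IOMMU_SNP_SHUTDOWN set to 1 disables SNP
-	 * enforcement by the IOMMU and also transitions all pages
-	 * associated with the IOMMU to the Reclaim state.
-	 * Firmware was transitioning the IOMMU pages to Hypervisor state
-	 * before version 1.53. But, accounting for the number of assigned
-	 * 4kB pages in a 2M page was done incorrectly by not transitioning
-	 * to the Reclaim state. This resulted in RMP #PF when later accessing
-	 * the 2M page containing those pages during kexec boot. Hence, the
-	 * firmware now transitions these pages to Reclaim state and hypervisor
-	 * needs to transition these pages to shared state. SNP Firmware
-	 * version 1.53 and above are needed for kexec boot.
-	 */
-	ret = amd_iommu_snp_disable();
-	if (ret) {
-		dev_err(sev->dev, "SNP IOMMU shutdown failed\n");
-		return ret;
+	if (data.x86_snp_shutdown) {
+		if (!panic)
+			snp_shutdown();
+	} else {
+		/*
+		 * SNP_SHUTDOWN_EX with IOMMU_SNP_SHUTDOWN set to 1 disables SNP
+		 * enforcement by the IOMMU and also transitions all pages
+		 * associated with the IOMMU to the Reclaim state.
+		 * Firmware was transitioning the IOMMU pages to Hypervisor state
+		 * before version 1.53. But, accounting for the number of assigned
+		 * 4kB pages in a 2M page was done incorrectly by not transitioning
+		 * to the Reclaim state. This resulted in RMP #PF when later accessing
+		 * the 2M page containing those pages during kexec boot. Hence, the
+		 * firmware now transitions these pages to Reclaim state and hypervisor
+		 * needs to transition these pages to shared state. SNP Firmware
+		 * version 1.53 and above are needed for kexec boot.
+		 */
+		ret = amd_iommu_snp_disable();
+		if (ret) {
+			dev_err(sev->dev, "SNP IOMMU shutdown failed\n");
+			return ret;
+		}
 	}
 
 	snp_leak_hv_fixed_pages();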
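Review bot: The new `if (data.x86_snp_shutdown)` branch in the second hunk has no comment, so the reasoning from the commit message is missing from the code: when firmware performs the x86 shutdown the IOMMU pages are already shared, and snp_shutdown() is skipped under panic because it sends IPIs. As written, the panic case with the flag set does nothing between the firmware command and snp_leak_hv_fixed_pages(), which reads like an omission to anyone who has not seen the commit message. I would add above the branch: `/* Firmware disabled SNP and already made the IOMMU pages shared; snp_shutdown() does IPIs, so skip it on the panic path. */`. Whether later code still assumes the per-CPU SNP state was updated in that panic case cannot be judged from this hunk, since the function starts and ends outside it.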
+4 -1
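--- a/include/linux/psp-sev.h
+++ b/include/linux/psp-sev.h
@@ -829,12 +829,14 @@
  *
  * @len: length of the command buffer read by the PSP
  * @iommu_snp_shutdown: Disable enforcement of SNP in the IOMMU
+ * @x86_snp_shutdown: Disable SNP on all cores
  * @rsvd1: reserved
  */
 struct sev_data_snp_shutdown_ex {
 	u32 len;
 	u32 iommu_snp_shutdown:1;
-	u32 rsvd1:31;
+	u32 x86_snp_shutdown:1;
+	u32 rsvd1:30;
 } __packed;
 
 /**
@@ -891,6 +893,7 @@
 } __packed;
 
 /* Feature bits in ECX */
+#define SNP_X86_SHUTDOWN_SUPPORTED BIT(1)
 #define SNP_RAPL_DISABLE_SUPPORTED BIT(2)
 #define SNP_CIPHER_TEXT_HIDING_SUPPORTED BIT(3)
 #define SNP_AES_256_XTS_POLICY_SUPPORTED BIT(4)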
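Review bot: The kernel-doc line for `@x86_snp_shutdown` does not say that the bit is only meaningful when firmware reports SNP_X86_SHUTDOWN_SUPPORTED. The bit was carved out of `rsvd1`, so a caller that sets it without that check would presumably be writing a reserved bit on older firmware. I would word it as `@x86_snp_shutdown: Disable SNP on all cores; set only if SNP_X86_SHUTDOWN_SUPPORTED is reported in the feature info ECX`. A short comment on the new define pointing back to this field would keep the two in step.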