diff options
author | 2023-06-26 15:32:39 -0700 | |
---|---|---|
committer | 2023-06-26 15:32:39 -0700 | |
commit | 2c96136a3f8dad6bfe35b003fb8b312f13a107e8 (patch) | |
tree | dcc5713059bf56cf70dfc4ec0d53ef7cbc88bcd1 /arch/x86/Kconfig | |
parent | Merge tag 'x86_cache_for_v6.5' of git://git.kernel.org/pub/scm/linux/kernel/g... (diff) | |
parent | virt: sevguest: Add CONFIG_CRYPTO dependency (diff) | |
download | linux-2c96136a3f8dad6bfe35b003fb8b312f13a107e8.tar.gz linux-2c96136a3f8dad6bfe35b003fb8b312f13a107e8.tar.bz2 linux-2c96136a3f8dad6bfe35b003fb8b312f13a107e8.zip |
Merge tag 'x86_cc_for_v6.5' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull x86 confidential computing update from Borislav Petkov:
- Add support for unaccepted memory as specified in the UEFI spec v2.9.
The gist of it all is that Intel TDX and AMD SEV-SNP confidential
computing guests define the notion of accepting memory before using
it and thus preventing a whole set of attacks against such guests
like memory replay and the like.
There are a couple of strategies of how memory should be accepted -
the current implementation does an on-demand way of accepting.
* tag 'x86_cc_for_v6.5' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
virt: sevguest: Add CONFIG_CRYPTO dependency
x86/efi: Safely enable unaccepted memory in UEFI
x86/sev: Add SNP-specific unaccepted memory support
x86/sev: Use large PSC requests if applicable
x86/sev: Allow for use of the early boot GHCB for PSC requests
x86/sev: Put PSC struct on the stack in prep for unaccepted memory support
x86/sev: Fix calculation of end address based on number of pages
x86/tdx: Add unaccepted memory support
x86/tdx: Refactor try_accept_one()
x86/tdx: Make _tdx_hypercall() and __tdx_module_call() available in boot stub
efi/unaccepted: Avoid load_unaligned_zeropad() stepping into unaccepted memory
efi: Add unaccepted memory support
x86/boot/compressed: Handle unaccepted memory
efi/libstub: Implement support for unaccepted memory
efi/x86: Get full memory map in allocate_e820()
mm: Add support for unaccepted memory
Diffstat (limited to 'arch/x86/Kconfig')
-rw-r--r-- | arch/x86/Kconfig | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index ee272423ec20..f9ae63863f94 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -887,9 +887,11 @@ config INTEL_TDX_GUEST bool "Intel TDX (Trust Domain Extensions) - Guest Support" depends on X86_64 && CPU_SUP_INTEL depends on X86_X2APIC + depends on EFI_STUB select ARCH_HAS_CC_PLATFORM select X86_MEM_ENCRYPT select X86_MCE + select UNACCEPTED_MEMORY help Support running as a guest under Intel TDX. Without this support, the guest kernel can not boot or run under TDX. @@ -1544,11 +1546,13 @@ config X86_MEM_ENCRYPT config AMD_MEM_ENCRYPT bool "AMD Secure Memory Encryption (SME) support" depends on X86_64 && CPU_SUP_AMD + depends on EFI_STUB select DMA_COHERENT_POOL select ARCH_USE_MEMREMAP_PROT select INSTRUCTION_DECODER select ARCH_HAS_CC_PLATFORM select X86_MEM_ENCRYPT + select UNACCEPTED_MEMORY help Say yes to enable support for the encryption of system memory. This requires an AMD processor that supports Secure Memory |