x86/Kconfig: Remove CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT

commit 2995674833 upstream.

It was meant well at the time but nothing's using it so get rid of it.

Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Acked-by: Ard Biesheuvel <ardb@kernel.org>
Link: https://lore.kernel.org/r/20240202163510.GDZb0Zvj8qOndvFOiZ@fat_crate.local
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Borislav Petkov (AMD) 2024-02-02 17:29:32 +01:00 committed by Greg Kroah-Hartman
parent 89bca7fe63
commit f459760513
4 changed files with 10 additions and 34 deletions


@ -3327,9 +3327,7 @@
mem_encrypt= [X86-64] AMD Secure Memory Encryption (SME) control mem_encrypt= [X86-64] AMD Secure Memory Encryption (SME) control
Valid arguments: on, off Valid arguments: on, off
Default (depends on kernel configuration option): Default: off
on (CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT=y)
off (CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT=n)
mem_encrypt=on: Activate SME mem_encrypt=on: Activate SME
mem_encrypt=off: Do not activate SME mem_encrypt=off: Do not activate SME


@ -87,14 +87,14 @@ The state of SME in the Linux kernel can be documented as follows:
kernel is non-zero). kernel is non-zero).
SME can also be enabled and activated in the BIOS. If SME is enabled and SME can also be enabled and activated in the BIOS. If SME is enabled and
activated in the BIOS, then all memory accesses will be encrypted and it will activated in the BIOS, then all memory accesses will be encrypted and it
not be necessary to activate the Linux memory encryption support. If the BIOS will not be necessary to activate the Linux memory encryption support.
merely enables SME (sets bit 23 of the MSR_AMD64_SYSCFG), then Linux can activate
memory encryption by default (CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT=y) or If the BIOS merely enables SME (sets bit 23 of the MSR_AMD64_SYSCFG),
by supplying mem_encrypt=on on the kernel command line. However, if BIOS does then memory encryption can be enabled by supplying mem_encrypt=on on the
not enable SME, then Linux will not be able to activate memory encryption, even kernel command line. However, if BIOS does not enable SME, then Linux
if configured to do so by default or the mem_encrypt=on command line parameter will not be able to activate memory encryption, even if configured to do
is specified. so by default or the mem_encrypt=on command line parameter is specified.
Secure Nested Paging (SNP) Secure Nested Paging (SNP)
========================== ==========================


@ -1539,19 +1539,6 @@ config AMD_MEM_ENCRYPT
This requires an AMD processor that supports Secure Memory This requires an AMD processor that supports Secure Memory
Encryption (SME). Encryption (SME).
config AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT
bool "Activate AMD Secure Memory Encryption (SME) by default"
depends on AMD_MEM_ENCRYPT
help
Say yes to have system memory encrypted by default if running on
an AMD processor that supports Secure Memory Encryption (SME).
If set to Y, then the encryption of system memory can be
deactivated with the mem_encrypt=off command line option.
If set to N, then the encryption of system memory can be
activated with the mem_encrypt=on command line option.
# Common NUMA Features # Common NUMA Features
config NUMA config NUMA
bool "NUMA Memory Allocation and Scheduler Support" bool "NUMA Memory Allocation and Scheduler Support"


@ -97,7 +97,6 @@ static char sme_workarea[2 * PMD_SIZE] __section(".init.scratch");
static char sme_cmdline_arg[] __initdata = "mem_encrypt"; static char sme_cmdline_arg[] __initdata = "mem_encrypt";
static char sme_cmdline_on[] __initdata = "on"; static char sme_cmdline_on[] __initdata = "on";
static char sme_cmdline_off[] __initdata = "off";
static void __init sme_clear_pgd(struct sme_populate_pgd_data *ppd) static void __init sme_clear_pgd(struct sme_populate_pgd_data *ppd)
{ {
@ -504,7 +503,7 @@ void __init sme_encrypt_kernel(struct boot_params *bp)
void __init sme_enable(struct boot_params *bp) void __init sme_enable(struct boot_params *bp)
{ {
const char *cmdline_ptr, *cmdline_arg, *cmdline_on, *cmdline_off; const char *cmdline_ptr, *cmdline_arg, *cmdline_on;
unsigned int eax, ebx, ecx, edx; unsigned int eax, ebx, ecx, edx;
unsigned long feature_mask; unsigned long feature_mask;
unsigned long me_mask; unsigned long me_mask;
@ -587,12 +586,6 @@ void __init sme_enable(struct boot_params *bp)
asm ("lea sme_cmdline_on(%%rip), %0" asm ("lea sme_cmdline_on(%%rip), %0"
: "=r" (cmdline_on) : "=r" (cmdline_on)
: "p" (sme_cmdline_on)); : "p" (sme_cmdline_on));
asm ("lea sme_cmdline_off(%%rip), %0"
: "=r" (cmdline_off)
: "p" (sme_cmdline_off));
if (IS_ENABLED(CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT))
sme_me_mask = me_mask;
cmdline_ptr = (const char *)((u64)bp->hdr.cmd_line_ptr | cmdline_ptr = (const char *)((u64)bp->hdr.cmd_line_ptr |
((u64)bp->ext_cmd_line_ptr << 32)); ((u64)bp->ext_cmd_line_ptr << 32));
@ -602,8 +595,6 @@ void __init sme_enable(struct boot_params *bp)
if (!strncmp(buffer, cmdline_on, sizeof(buffer))) if (!strncmp(buffer, cmdline_on, sizeof(buffer)))
sme_me_mask = me_mask; sme_me_mask = me_mask;
else if (!strncmp(buffer, cmdline_off, sizeof(buffer)))
sme_me_mask = 0;
out: out:
if (sme_me_mask) { if (sme_me_mask) {
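Review bot: In the last hunk of sme_enable(), dropping the `else if (!strncmp(buffer, cmdline_off, sizeof(buffer)))` branch means `mem_encrypt=off` and any unrecognised value are now handled only implicitly, by `sme_me_mask` keeping whatever it held before the `strncmp()` — presumably zero, since the `IS_ENABLED(CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT)` assignment is removed in the same section, though the variable's initial value is not visible here. A comment above the remaining test would make that explicit, e.g. `/* Only "on" activates SME; "off" or any other value leaves it inactive. */`. Separately, a configuration that previously built with the option set to y will, after this change, boot with SME inactive unless `mem_encrypt=on` is passed, so the commit message could say so for anyone relying on the old default. sme_enable() begins and ends outside the visible hunks.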