Skip to content
  • Tom Lendacky's avatar
    x86/boot: Add early boot support when running with SEV active · 1958b5fc
    Tom Lendacky authored
    Early in the boot process, add checks to determine if the kernel is
    running with Secure Encrypted Virtualization (SEV) active.
    Checking for SEV requires checking that the kernel is running under a
    hypervisor (CPUID 0x00000001, bit 31), that the SEV feature is available
    (CPUID 0x8000001f, bit 1) and then checking a non-interceptable SEV MSR
    (0xc0010131, bit 0).
    This check is required so that during early compressed kernel booting the
    pagetables (both the boot pagetables and KASLR pagetables (if enabled) are
    updated to include the encryption mask so that when the kernel is
    decompressed into encrypted memory, it can boot properly.
    After the kernel is decompressed and continues booting the same logic is
    used to check if SEV is active and set a flag indicating so.  This allows
    to distinguish between SME and SEV, each of which have unique differences
    in how certain things are handled: e.g. DMA (always bounce buffered with
    SEV) or EFI tables (always access decrypted with SME).
    Signed-off-by: default avatarTom Lendacky <>
    Signed-off-by: default avatarBrijesh Singh <>
    Signed-off-by: default avatarThomas Gleixner <>
    Reviewed-by: default avatarBorislav Petkov <>
    Tested-by: default avatarBorislav Petkov <>
    Cc: Laura Abbott <>
    Cc: Kees Cook <>
    Cc: Konrad Rzeszutek Wilk <>
    Cc: Radim Krčmář <>
    Cc: Borislav Petkov <>
    Cc: Andy Lutomirski <>
    Cc: Paolo Bonzini <>
    Cc: "Kirill A. Shutemov" <>