| From 711885906b5c2df90746a51f4cd674f1ab9fbb1d Mon Sep 17 00:00:00 2001 |
| From: Borislav Petkov <bp@suse.de> |
| Date: Wed, 6 Oct 2021 19:34:55 +0200 |
| Subject: x86/Kconfig: Do not enable AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT automatically |
| |
| From: Borislav Petkov <bp@suse.de> |
| |
| commit 711885906b5c2df90746a51f4cd674f1ab9fbb1d upstream. |
| |
| This Kconfig option was added initially so that memory encryption is |
| enabled by default on machines which support it. |
| |
| However, devices which have DMA masks that are less than the bit |
| position of the encryption bit, aka C-bit, require the use of an IOMMU |
| or the use of SWIOTLB. |
| |
| If the IOMMU is disabled or in passthrough mode, the kernel would switch |
| to SWIOTLB bounce-buffering for those transfers. |
| |
| In order to avoid that, |
| |
| 2cc13bb4f59f ("iommu: Disable passthrough mode when SME is active") |
| |
| disables the default IOMMU passthrough mode so that devices for which the |
| default 256K DMA is insufficient, can use the IOMMU instead. |
| |
| However 2, there are cases where the IOMMU is disabled in the BIOS, etc. |
| (think the usual hardware folk "oops, I dropped the ball there" cases) or a |
| driver doesn't properly use the DMA APIs or a device has a firmware or |
| hardware bug, e.g.: |
| |
| ea68573d408f ("drm/amdgpu: Fail to load on RAVEN if SME is active") |
| |
| However 3, in the above GPU use case, there are APIs like Vulkan and |
| some OpenGL/OpenCL extensions which are under the assumption that |
| user-allocated memory can be passed in to the kernel driver and both the |
| GPU and CPU can do coherent and concurrent access to the same memory. |
| That cannot work with SWIOTLB bounce buffers, of course. |
| |
| So, in order for those devices to function, drop the "default y" for the |
| SME by default active option so that users who want to have SME enabled, |
| will need to either enable it in their config or use "mem_encrypt=on" on |
| the kernel command line. |
| |
| [ tlendacky: Generalize commit message. ] |
| |
| Fixes: 7744ccdbc16f ("x86/mm: Add Secure Memory Encryption (SME) support") |
| Reported-by: Paul Menzel <pmenzel@molgen.mpg.de> |
| Signed-off-by: Borislav Petkov <bp@suse.de> |
| Acked-by: Alex Deucher <alexander.deucher@amd.com> |
| Acked-by: Tom Lendacky <thomas.lendacky@amd.com> |
| Cc: <stable@vger.kernel.org> |
| Link: https://lkml.kernel.org/r/8bbacd0e-4580-3194-19d2-a0ecad7df09c@molgen.mpg.de |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| arch/x86/Kconfig | 1 - |
| 1 file changed, 1 deletion(-) |
| |
| --- a/arch/x86/Kconfig |
| +++ b/arch/x86/Kconfig |
| @@ -1534,7 +1534,6 @@ config AMD_MEM_ENCRYPT |
| |
| config AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT |
| bool "Activate AMD Secure Memory Encryption (SME) by default" |
| - default y |
| depends on AMD_MEM_ENCRYPT |
| help |
| Say yes to have system memory encrypted by default if running on |
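Review bot: dropping `default y` from AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT leaves the prompt and the help text, as far as it is shown in this context ("Say yes to have system memory encrypted by default if running on"), with no indication of why the option now defaults to off or how to turn SME on at boot. A config generated from defaults will build a kernel that leaves memory unencrypted on SME-capable hardware, so the help text should carry the reasoning from the commit message: devices whose DMA mask is below the C-bit fall back to SWIOTLB bounce buffering when the IOMMU is disabled or in passthrough mode, and users who want SME must either select this option or pass "mem_encrypt=on" on the kernel command line. Since this is tagged for stable, the same note would help anyone regenerating a config after the update notice that the encryption default has changed.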