x86/sev: Run RMPADJUST on SVSM calling area page to test VMPL

Determining the VMPL at which the kernel runs involves performing a RMPADJUST
operation on an arbitrary page of memory, and observing whether it succeeds.

The use of boot_ghcb_page in the core kernel in this case is completely
arbitrary, but results in the need to provide a PIC alias for it. So use
boot_svsm_ca_page instead, which already needs this alias for other reasons.

Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Link: https://lore.kernel.org/20250828102202.1849035-28-ardb+git@google.com

diff --git a/arch/x86/boot/compressed/sev.c b/arch/x86/boot/compressed/sev.c
index b71c1ab6a2826ee095c9e01b9e6dd7a3075c6619..3628e9bddc6a13356fc8613fa1558d483ea9a1fd 100644 (file)
--- a/arch/x86/boot/compressed/sev.c
+++ b/arch/x86/boot/compressed/sev.c
@@ -327,7 +327,7 @@ static bool early_snp_init(struct boot_params *bp)
         * running at VMPL0. The CA will be used to communicate with the
         * SVSM and request its services.
         */
-       svsm_setup_ca(cc_info);
+       svsm_setup_ca(cc_info, rip_rel_ptr(&boot_ghcb_page));
 
        /*
         * Pass run-time kernel a pointer to CC info via boot_params so EFI

diff --git a/arch/x86/boot/startup/sev-shared.c b/arch/x86/boot/startup/sev-shared.c
index 7bd73462c11effa1acefeef0f4a0b06a5a51779c..83c222a4f1fa9e9266f4f6a17f6c5460bfc35186 100644 (file)
--- a/arch/x86/boot/startup/sev-shared.c
+++ b/arch/x86/boot/startup/sev-shared.c
@@ -801,7 +801,8 @@ static void __head pvalidate_4k_page(unsigned long vaddr, unsigned long paddr,
  * Maintain the GPA of the SVSM Calling Area (CA) in order to utilize the SVSM
  * services needed when not running in VMPL0.
  */
-static bool __head svsm_setup_ca(const struct cc_blob_sev_info *cc_info)
+static bool __head svsm_setup_ca(const struct cc_blob_sev_info *cc_info,
+                                void *page)
 {
        struct snp_secrets_page *secrets_page;
        struct snp_cpuid_table *cpuid_table;
@@ -824,7 +825,7 @@ static bool __head svsm_setup_ca(const struct cc_blob_sev_info *cc_info)
         * routine is running identity mapped when called, both by the decompressor
         * code and the early kernel code.
         */
-       if (!rmpadjust((unsigned long)rip_rel_ptr(&boot_ghcb_page), RMP_PG_SIZE_4K, 1))
+       if (!rmpadjust((unsigned long)page, RMP_PG_SIZE_4K, 1))
                return false;
 
        /*

diff --git a/arch/x86/boot/startup/sev-startup.c b/arch/x86/boot/startup/sev-startup.c
index 8412807a865c872547ff6dd9c8a837e1d929d0da..3da04a715831b44b6d86fa9dd9020c25ce349d80 100644 (file)
--- a/arch/x86/boot/startup/sev-startup.c
+++ b/arch/x86/boot/startup/sev-startup.c
@@ -302,7 +302,7 @@ static __head void svsm_setup(struct cc_blob_sev_info *cc_info)
         * running at VMPL0. The CA will be used to communicate with the
         * SVSM to perform the SVSM services.
         */
-       if (!svsm_setup_ca(cc_info))
+       if (!svsm_setup_ca(cc_info, rip_rel_ptr(&boot_svsm_ca_page)))
                return;
 
        /*