x86/sev: Handle failures from snp_init()
authorNikunj A Dadhania <nikunj@amd.com>
Wed, 9 Oct 2024 09:28:33 +0000 (14:58 +0530)
committerBorislav Petkov (AMD) <bp@alien8.de>
Wed, 16 Oct 2024 16:17:36 +0000 (18:17 +0200)
Address the ignored failures from snp_init() in sme_enable(). Add error
handling for scenarios where snp_init() fails to retrieve the SEV-SNP CC
blob or encounters issues while parsing the CC blob. Ensure that SNP guests
will error out early, preventing delayed error reporting or undefined
behavior.

Signed-off-by: Nikunj A Dadhania <nikunj@amd.com>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Link: https://lore.kernel.org/r/20241009092850.197575-3-nikunj@amd.com
arch/x86/mm/mem_encrypt_identity.c

index ac33b2263a434db626bb8d791fedeb4301c3b9e1..e6c7686f443a060cc62fdb6a82d549a1a0c9e9df 100644 (file)
@@ -495,10 +495,10 @@ void __head sme_enable(struct boot_params *bp)
        unsigned int eax, ebx, ecx, edx;
        unsigned long feature_mask;
        unsigned long me_mask;
-       bool snp;
+       bool snp_en;
        u64 msr;
 
-       snp = snp_init(bp);
+       snp_en = snp_init(bp);
 
        /* Check for the SME/SEV support leaf */
        eax = 0x80000000;
@@ -531,8 +531,11 @@ void __head sme_enable(struct boot_params *bp)
        RIP_REL_REF(sev_status) = msr = __rdmsr(MSR_AMD64_SEV);
        feature_mask = (msr & MSR_AMD64_SEV_ENABLED) ? AMD_SEV_BIT : AMD_SME_BIT;
 
-       /* The SEV-SNP CC blob should never be present unless SEV-SNP is enabled. */
-       if (snp && !(msr & MSR_AMD64_SEV_SNP_ENABLED))
+       /*
+        * Any discrepancies between the presence of a CC blob and SNP
+        * enablement abort the guest.
+        */
+       if (snp_en ^ !!(msr & MSR_AMD64_SEV_SNP_ENABLED))
                snp_abort();
 
        /* Check if memory encryption is enabled */
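Review bot: The mismatch test on the new `if` line reads more naturally as an inequality than as an XOR of a bool with an int, e.g. `if (snp_en != !!(msr & MSR_AMD64_SEV_SNP_ENABLED))`; the `^` form is only correct because `!!` normalises the right operand to 0/1, and that dependency is easy to lose in a later edit. The new name `snp_en` also suggests "SNP enabled", while what snp_init() appears to report (per the commit description) is whether the SEV-SNP CC blob was retrieved and parsed, which is exactly what the MSR bit is being cross-checked against; a one-line comment at the assignment in the first hunk, such as `/* true only if the SEV-SNP CC blob was found and parsed */`, would make the abort condition self-explanatory. sme_enable() begins before the first hunk and continues after the second, so the early-return path between the two hunks that decides whether the MSR is read at all is not visible here.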