AMD memory encryption, enabled during boot, crashes when retpoline is not enabled in the kernel. Bisected: efac0eedfab515e523cde5cb7a62289eb2ee58f8 is the first bad commit commit efac0eedfab515e523cde5cb7a62289eb2ee58f8 Author: Brijesh Singh <brijesh.singh@amd.com> Date: Wed Feb 9 12:10:13 2022 -0600 x86/kernel: Mark the .bss..decrypted section as shared in the RMP table The encryption attribute for the .bss..decrypted section is cleared in the initial page table build. This is because the section contains the data that need to be shared between the guest and the hypervisor. When SEV-SNP is active, just clearing the encryption attribute in the page table is not enough. The page state needs to be updated in the RMP table. Signed-off-by: Brijesh Singh <brijesh.singh@amd.com> Signed-off-by: Borislav Petkov <bp@suse.de> Link: https://lore.kernel.org/r/20220307213356.2797205-20-brijesh.singh@amd.com arch/x86/kernel/head64.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) Relevant config: $ zcat /proc/config.gz | grep -E '(RETPOLINE|AMD_MEM_ENCRYPT)' # CONFIG_RETPOLINE is not set CONFIG_AMD_MEM_ENCRYPT=y CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT=y Adding mem_encrypt=off to /etc/default/grub GRUB_CMDLINE_LINUX avoids the crash. Reproducible: Always Steps to Reproduce: 1. emerge -pv =sys-kernel/gentoo-sources-5.19.2 2. cd $KERNELDIR ; make config 3. Disable CONFIG_RETPOLINE 4. Enable AMD Secure Memory Encryption (SME) support 5. make && make install && etc Actual Results: POST, Grub Menu, reset, POST, Grub Menu, reset, etc Expected Results: POST, Grub Menu, login prompt This is admittedly a niche configuration; most folks will either not enable SME, or won't enable it by default, or will enable retpolines. Also only impacts AMD processors, of course. There's a mailing list thread that also seems to implicate this commit: https://lore.kernel.org/all/YqfabnTRxFSM+LoX@google.com/ $ emerge --info Portage 3.0.34 (python 3.10.6-final-0, default/linux/amd64/17.1/no-multilib, gcc-12.1.1, glibc-2.35-r8, 5.19.2-gentoo-r1-shore x86_64) ================================================================= System uname: Linux-5.19.2-gentoo-r1-shore-x86_64-AMD_Ryzen_7_1700_Eight-Core_Processor-with-glibc2.35 KiB Mem: 32820100 total, 31701148 free KiB Swap: 0 total, 0 free Timestamp of repository gentoo: Fri, 19 Aug 2022 15:30:01 +0000 Head commit of repository gentoo: c40ddd461caa9af5588ae4b2773fc5ea6fd38ea1 Head commit of repository wsdd: 5ff23bd513f2074ada36cb0599f05e7375adcc8b sh bash 5.1_p16-r1 ld GNU ld (Gentoo 2.38 p4) 2.38 app-misc/pax-utils: 1.3.5::gentoo app-shells/bash: 5.1_p16-r1::gentoo dev-java/java-config: 2.3.1::gentoo dev-lang/perl: 5.36.0::gentoo dev-lang/python: 3.10.6_p2::gentoo, 3.11.0_rc1::gentoo dev-util/cmake: 3.24.1::gentoo dev-util/meson: 0.63.1::gentoo sys-apps/baselayout: 2.8-r2::gentoo sys-apps/openrc: 0.45.2::gentoo sys-apps/sandbox: 2.29::gentoo sys-devel/autoconf: 2.71-r1::gentoo sys-devel/automake: 1.16.5::gentoo sys-devel/binutils: 2.38-r2::gentoo sys-devel/binutils-config: 5.4.1::gentoo sys-devel/gcc: 12.1.1_p20220625::gentoo sys-devel/gcc-config: 2.5-r1::gentoo sys-devel/libtool: 2.4.7::gentoo sys-devel/make: 4.3::gentoo sys-kernel/linux-headers: 5.19::gentoo (virtual/os-headers) sys-libs/glibc: 2.35-r8::gentoo Repositories: gentoo location: /usr/portage sync-type: rsync sync-uri: rsync://rsync.gentoo.org/gentoo-portage priority: -1000 sync-rsync-extra-opts: sync-rsync-verify-max-age: 24 sync-rsync-verify-metamanifest: yes sync-rsync-verify-jobs: 1 wsdd location: /var/db/repos/wsdd-overlay sync-type: git sync-uri: https://github.com/christgau/wsdd-gentoo.git masters: gentoo ACCEPT_KEYWORDS="amd64 ~amd64" ACCEPT_LICENSE="@FREE" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-O2 -pipe -march=native" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt" CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo" CXXFLAGS="-O2 -pipe -march=native" DISTDIR="/usr/portage/distfiles" EMERGE_DEFAULT_OPTS="--jobs=3 --complete-graph --with-bdeps=y" ENV_UNSET="CARGO_HOME DBUS_SESSION_BUS_ADDRESS DISPLAY GOBIN GOPATH PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR" FCFLAGS="-O2 -pipe" FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs binpkg-multi-instance buildpkg buildpkg-live config-protect-if-modified distlocks downgrade-backup ebuild-locks fixlafiles ipc-sandbox merge-sync multilib-strict network-sandbox news parallel-fetch parallel-install pid-sandbox preserve-libs protect-owned qa-unresolved-soname-deps sandbox sfperms strict unknown-features-warn unmerge-backup unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync" FFLAGS="-O2 -pipe" GENTOO_MIRRORS="http://distfiles.gentoo.org" LANG="en_US.utf8" LDFLAGS="-Wl,-O1 -Wl,--as-needed" MAKEOPTS="-j20" PKGDIR="/usr/portage/packages" PORTAGE_CONFIGROOT="/" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git" PORTAGE_TMPDIR="/var/tmp" SHELL="/bin/bash" USE="acl amd64 bzip2 cli crypt dri dvd fdk fortran gdbm iconv ipv6 ithreads jpeg json libglvnd libtirpc lzo ncurses nfsv41 nptl openmp pam pcre pcre16 png python readline samba seccomp split-usr sqlite ssl syslog udev unicode uuid x264 xattr xml yaml zlib" ABI_X86="64" CPU_FLAGS_X86="aes avx avx2 f16c fma3 mmx mmxext pclmul popcnt rdrand sha sse sse2 sse3 sse4_1 sse4_2 sse4a ssse3" ELIBC="glibc" GRUB_PLATFORMS="efi-64 pc" INPUT_DEVICES="void" KERNEL="linux" L10N="en en-US" LUA_SINGLE_TARGET="lua5-1" LUA_TARGETS="lua5-1" POSTGRES_TARGETS="postgres12 postgres13" PYTHON_SINGLE_TARGET="python3_10" PYTHON_TARGETS="python3_10" USERLAND="GNU" VIDEO_CARDS="dummy" Unset: ADDR2LINE, AR, ARFLAGS, AS, ASFLAGS, CC, CCLD, CONFIG_SHELL, CPP, CPPFLAGS, CTARGET, CXX, CXXFILT, ELFEDIT, EXTRA_ECONF, F77FLAGS, FC, GCOV, GPROF, INSTALL_MASK, LC_ALL, LD, LEX, LFLAGS, LIBTOOL, LINGUAS, MAKE, MAKEFLAGS, NM, OBJCOPY, OBJDUMP, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, RANLIB, READELF, RUSTFLAGS, SIZE, STRINGS, STRIP, YACC, YFLAGS
Please file this upstream at: https://bugzilla.kernel.org/
Filed. https://bugzilla.kernel.org/show_bug.cgi?id=216385
https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?id=cdaa0a407f1acd3a44861e3aea6e3c7349e668f1
Didn't see any update on the upstream ticket but it looks like it's in 6.0-rc3: https://lwn.net/Articles/906314/
Queued for next release of gentoo-sources included with 5.19.6 commit 0a9d19d1cdac2b8749a0d11ee55554609df56cc8 (HEAD -> 5.19, origin/5.19) Author: Mike Pagano <mpagano@gentoo.org> Date: Wed Aug 31 08:10:53 2022 -0400 x86/sev: Don't use cc_platform_has() for early SEV-SNP calls Bug: https://bugs.gentoo.org/865831 Signed-off-by: Mike Pagano <mpagano@gentoo.org>
The bug has been closed via the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b6ac0a98df573e702d624119d0fb4680fffeca1a commit b6ac0a98df573e702d624119d0fb4680fffeca1a Author: Mike Pagano <mpagano@gentoo.org> AuthorDate: 2022-08-31 15:58:55 +0000 Commit: Mike Pagano <mpagano@gentoo.org> CommitDate: 2022-08-31 15:58:55 +0000 sys-kernel/gentoo-sources: add 5.19.6 and two fixes Revert fix from upstream for DRM/i915 thanks to Luigi 'Comio' Mantellini Closes: https://bugs.gentoo.org/866023 x86/sev: Don't use cc_platform_has() for early SEV-SNP calls Closes: https://bugs.gentoo.org/865831 Signed-off-by: Mike Pagano <mpagano@gentoo.org> sys-kernel/gentoo-sources/Manifest | 3 +++ .../gentoo-sources/gentoo-sources-5.19.6.ebuild | 29 ++++++++++++++++++++++ 2 files changed, 32 insertions(+)
