Bug 212651
| Summary: | Module signing & AMD Secure Processor => panic | | |
|---|---|---|---|
| Product: | Other | Reporter: | Roman Žilka (roman.zilka) |
| Component: | Modules | Assignee: | other_modules |
| Status: | NEW --- | | |
| Severity: | normal | CC: | john.allen, thomas.lendacky |
| Priority: | P1 | | |
| Hardware: | x86-64 | | |
| OS: | Linux | | |
| Kernel Version: | | Subsystem: | |
| Regression: | No | Bisected commit-id: | |
Attachments:
Complete 5.10.27 config w/o CRYPTO_DEV_CCP
Complete 5.4.97 config, CRYPTO_DEV_CCP=y, MODULE_SIG=n
dmesg, 5.10.27, CRYPTO_DEV_CCP=n, MODULE_SIG=y
Crash screen 1
Crash screen 2
Crash screen 3
cpuid
Crash screen with CONFIG_CRYPTO_DEV_CCP_CRYPTO=m
Description
Roman Žilka
2021-04-12 16:20:50 UTC
Created attachment 296339 [details]
Complete 5.4.97 config, CRYPTO_DEV_CCP=y, MODULE_SIG=n
Created attachment 296341 [details]
dmesg, 5.10.27, CRYPTO_DEV_CCP=n, MODULE_SIG=y
Created attachment 296347 [details]
Crash screen 1
Created attachment 296349 [details]
Crash screen 2
Created attachment 296353 [details]
Crash screen 3
Forgot about this one time I got all the way to an emergency shell. Panic moments later.
Hi Roman,

What is the specific processor you are using? A similar problem was reported a while ago, but I could never reproduce it on the hardware I have available (Naples server CPUs).

Thanks,
John

Created attachment 296389 [details]
cpuid
Hi John,
it's a Ryzen 3 1200, the original 14nm model, running ucode 0x8001138. Building the file "amd/amd_sev_fam17h_model0xh.sbin" (MD5 64c8b9ac6b5e2ba5649b5e26f7bb7232) from linux-firmware into the kernel has no effect. Cpuid goes on to say (full output attached):
AMD Secure Encryption (0x8000001f):
SME: secure memory encryption support = true
SEV: secure encrypted virtualize support = true
VM page flush MSR support = true
SEV-ES: SEV encrypted state support = false
SEV-SNP: SEV secure nested paging = false
VMPL: VM permission levels = false
hardware cache coher across enc domains = false
SEV guest exec only from 64-bit host = false
restricted injection = false
alternate injection = false
full debug state swap for SEV-ES guests = false
disallowing IBS use by host = false
encryption bit position in PTE = 0x2f (47)
physical address space width reduction = 0x5 (5)
number of VM permission levels = 0x0 (0)
number of SEV-enabled guests supported = 0xf (15)
minimum SEV guest ASID = 0x0 (0)
Thank you for your effort.
This issue has nothing to do with the AMD memory encryption feature, it is an issue with the CCP driver. If you change your kernel config to CONFIG_CRYPTO_DEV_CCP_CRYPTO=m or CONFIG_CRYPTO_DEV_CCP_CRYPTO=n the problem will go away (but will still need to be fixed).

The CONFIG_CRYPTO_DEV_CCP_CRYPTO option builds the ccp-crypto module, which participates in the kernel crypto API, and so is used to validate the module signatures. If you set that particular config to "m", the module will not autoload so the boot will be successful.

Created attachment 296393 [details]
Crash screen with CONFIG_CRYPTO_DEV_CCP_CRYPTO=m
That worked. I'm now running this (kernel 5.10.27, signed modules) and all is fine:
CONFIG_CRYPTO_HW=y
CONFIG_CRYPTO_DEV_CCP=y
CONFIG_CRYPTO_DEV_CCP_DD=y
CONFIG_CRYPTO_DEV_SP_CCP=y
# CONFIG_CRYPTO_DEV_CCP_CRYPTO is not set
# CONFIG_CRYPTO_DEV_SP_PSP is not set
# CONFIG_CRYPTO_DEV_CCP_DEBUGFS is not set
I first tried the above, except CONFIG_CRYPTO_DEV_CCP_CRYPTO=m. The system booted completely and ran fine. The usual modules had gotten auto-loaded, ccp-crypto hadn't. Just to test, I loaded it by hand and then loaded a bunch of random modules - all ok. Then I started an unrelated application and the kernel crashed (screenshot).
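The explanation above (ccp-crypto registers with the kernel crypto API and the crash goes away once it is not built in) and the working config that followed suggest two checks worth scripting. The script below is an added example written for this thread; it is not code from the reporter, the CCP maintainers or the kernel. It classifies a .config as "risky", "workaround" or "unaffected" (labels chosen here, not terms from the thread) from CONFIG_MODULE_SIG and CONFIG_CRYPTO_DEV_CCP_CRYPTO, and it parses /proc/crypto-formatted text to show which registered implementation of a hash has the highest priority, which is what the crypto API hands out for a plain name; the optional type filter reflects my reading that a caller asking for a synchronous (shash) hash cannot be given an asynchronous (ahash) provider. All sample inputs are constructed, and the driver names and priority values in the /proc/crypto excerpt are assumptions, not data from the bug's attachments.

```shell
#!/bin/sh
# Added example for bug 212651 (not the reporter's, AMD's or the kernel's code).
# Two checks: is this build in the configuration the thread found crashing
# (MODULE_SIG=y with ccp-crypto built in), and which /proc/crypto entry would
# serve a given hash. All sample data below is constructed.

# Value of one Kconfig option from .config text on stdin: "y", "m", a quoted
# string for string options, or "n" when "# ... is not set" or absent.
config_value() {
    awk -v opt="$1" '
        $0 == ("# " opt " is not set") { print "n"; found = 1; exit }
        index($0, opt "=") == 1        { sub(/^[^=]*=/, ""); print; found = 1; exit }
        END { if (!found) print "n" }
    '
}

# Classify .config text (passed as $1) with respect to this bug:
#   risky      - MODULE_SIG=y and CRYPTO_DEV_CCP_CRYPTO=y: ccp-crypto is built
#                in, so it is registered before any signed module is verified
#   workaround - MODULE_SIG=y and CRYPTO_DEV_CCP_CRYPTO=m or n: boot succeeds
#                because ccp-crypto is not loaded; per the thread, loading it
#                by hand with =m still crashed the machine
#   unaffected - MODULE_SIG not set
ccp_sig_status() {
    sig=$(printf '%s\n' "$1" | config_value CONFIG_MODULE_SIG)
    ccp=$(printf '%s\n' "$1" | config_value CONFIG_CRYPTO_DEV_CCP_CRYPTO)
    if [ "$sig" != "y" ]; then
        echo unaffected
    elif [ "$ccp" = "y" ]; then
        echo risky
    else
        echo workaround
    fi
}

# From /proc/crypto-formatted text on stdin, print the driver with the highest
# priority for algorithm $1, optionally restricted to one type ($2, e.g. shash
# or ahash). Entries are blank-line separated "field : value" blocks.
select_driver() {
    awk -v want="$1" -v wtype="$2" '
        function consider() {
            if (n == want && (wtype == "" || t == wtype) && p > best) {
                best = p; bd = d
            }
            n = d = t = ""; p = -1
        }
        BEGIN { best = -1 }
        $1 == "name"     && $2 == ":" { n = $3 }
        $1 == "driver"   && $2 == ":" { d = $3 }
        $1 == "priority" && $2 == ":" { p = $3 + 0 }
        $1 == "type"     && $2 == ":" { t = $3 }
        NF == 0 { consider() }
        END     { consider(); if (bd != "") print bd }
    '
}

# Constructed .config fragments mirroring the two configurations discussed.
RISKY_CONFIG='CONFIG_MODULE_SIG=y
CONFIG_CRYPTO_DEV_CCP=y
CONFIG_CRYPTO_DEV_CCP_DD=y
CONFIG_CRYPTO_DEV_CCP_CRYPTO=y'

WORKAROUND_CONFIG='CONFIG_MODULE_SIG=y
CONFIG_CRYPTO_DEV_CCP=y
CONFIG_CRYPTO_DEV_CCP_DD=y
# CONFIG_CRYPTO_DEV_CCP_CRYPTO is not set'

# Constructed /proc/crypto excerpt: a CCP-backed asynchronous sha256 registered
# above the generic synchronous one (driver names and priorities assumed).
PROC_CRYPTO_SAMPLE='name         : sha256
driver       : sha256-ccp
module       : ccp_crypto
priority     : 300
selftest     : passed
type         : ahash
async        : yes
digestsize   : 32

name         : sha256
driver       : sha256-generic
module       : kernel
priority     : 100
selftest     : passed
type         : shash
digestsize   : 32'

demo() {
    echo "risky sample      : $(ccp_sig_status "$RISKY_CONFIG")"
    echo "workaround sample : $(ccp_sig_status "$WORKAROUND_CONFIG")"
    echo "sha256 (any type) : $(printf '%s\n' "$PROC_CRYPTO_SAMPLE" | select_driver sha256)"
    echo "sha256 (shash)    : $(printf '%s\n' "$PROC_CRYPTO_SAMPLE" | select_driver sha256 shash)"
}
demo
```

On a live machine the same functions take real input: `ccp_sig_status "$(cat /boot/config-$(uname -r))"` and `select_driver sha256 < /proc/crypto`, with `lsmod | grep ccp` confirming whether ccp_crypto is actually loaded when the result names it.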