x86/head/64: Don't call verify_cpu() on starting APs

The APs are not ready to handle exceptions when verify_cpu() is called in secondary_startup_64(). Signed-off-by: Joerg Roedel <jroedel@suse.de> Signed-off-by: Borislav Petkov <bp@suse.de> Reviewed-by: Kees Cook <keescook@chromium.org> Link: https://lkml.kernel.org/r/20200907131613.12703-69-joro@8bytes.org
author: Joerg Roedel <jroedel@suse.de> 2020-09-07 15:16:09 +0200
committer: Borislav Petkov <bp@suse.de> 2020-09-09 11:33:20 +0200
commit: 3ecacdbd23956a549d93023f86adc87b4a9d6520 (patch)
tree: b8b381ffd9cadf91cd0d4875cb53ec81c94a61ea /arch/x86/kernel/head_64.S
parent: 520d030852b4c9babfce9a79d8b5320b6b5545e6 (diff)
1 files changed, 12 insertions, 0 deletions
diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64.S
index 1a71d0d4d575..7eb2a1c87969 100644
--- a/arch/x86/kernel/head_64.S
+++ b/arch/x86/kernel/head_64.S
@@ -126,6 +126,18 @@ SYM_CODE_START(secondary_startup_64)
 	call verify_cpu
 
 	/*
+	 * The secondary_startup_64_no_verify entry point is only used by
+	 * SEV-ES guests. In those guests the call to verify_cpu() would cause
+	 * #VC exceptions which can not be handled at this stage of secondary
+	 * CPU bringup.
+	 *
+	 * All non SEV-ES systems, especially Intel systems, need to execute
+	 * verify_cpu() above to make sure NX is enabled.
+	 */
+SYM_INNER_LABEL(secondary_startup_64_no_verify, SYM_L_GLOBAL)
+	UNWIND_HINT_EMPTY
+
+	/*
 	 * Retrieve the modifier (SME encryption mask if SME is active) to be
 	 * added to the initial pgdir entry that will be programmed into CR3.
 	 */
author	Joerg Roedel <jroedel@suse.de>	2020-09-07 15:16:09 +0200
committer	Borislav Petkov <bp@suse.de>	2020-09-09 11:33:20 +0200
commit	3ecacdbd23956a549d93023f86adc87b4a9d6520 (patch)
tree	b8b381ffd9cadf91cd0d4875cb53ec81c94a61ea /arch/x86/kernel/head_64.S
parent	520d030852b4c9babfce9a79d8b5320b6b5545e6 (diff)