Commit 29956748 authored by Borislav Petkov (AMD)'s avatar Borislav Petkov (AMD)

x86/Kconfig: Remove CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT

It was meant well at the time but nothing's using it so get rid of it.
Signed-off-by: default avatarBorislav Petkov (AMD) <bp@alien8.de>
Acked-by: default avatarArd Biesheuvel <ardb@kernel.org>
Link: https://lore.kernel.org/r/20240202163510.GDZb0Zvj8qOndvFOiZ@fat_crate.local
parent 1bfca8d2
...@@ -3320,9 +3320,7 @@ ...@@ -3320,9 +3320,7 @@
mem_encrypt= [X86-64] AMD Secure Memory Encryption (SME) control mem_encrypt= [X86-64] AMD Secure Memory Encryption (SME) control
Valid arguments: on, off Valid arguments: on, off
Default (depends on kernel configuration option): Default: off
on (CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT=y)
off (CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT=n)
mem_encrypt=on: Activate SME mem_encrypt=on: Activate SME
mem_encrypt=off: Do not activate SME mem_encrypt=off: Do not activate SME
......
...@@ -87,14 +87,14 @@ The state of SME in the Linux kernel can be documented as follows: ...@@ -87,14 +87,14 @@ The state of SME in the Linux kernel can be documented as follows:
kernel is non-zero). kernel is non-zero).
SME can also be enabled and activated in the BIOS. If SME is enabled and SME can also be enabled and activated in the BIOS. If SME is enabled and
activated in the BIOS, then all memory accesses will be encrypted and it will activated in the BIOS, then all memory accesses will be encrypted and it
not be necessary to activate the Linux memory encryption support. If the BIOS will not be necessary to activate the Linux memory encryption support.
merely enables SME (sets bit 23 of the MSR_AMD64_SYSCFG), then Linux can activate
memory encryption by default (CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT=y) or If the BIOS merely enables SME (sets bit 23 of the MSR_AMD64_SYSCFG),
by supplying mem_encrypt=on on the kernel command line. However, if BIOS does then memory encryption can be enabled by supplying mem_encrypt=on on the
not enable SME, then Linux will not be able to activate memory encryption, even kernel command line. However, if BIOS does not enable SME, then Linux
if configured to do so by default or the mem_encrypt=on command line parameter will not be able to activate memory encryption, even if configured to do
is specified. so by default or the mem_encrypt=on command line parameter is specified.
Secure Nested Paging (SNP) Secure Nested Paging (SNP)
========================== ==========================
......
...@@ -1539,19 +1539,6 @@ config AMD_MEM_ENCRYPT ...@@ -1539,19 +1539,6 @@ config AMD_MEM_ENCRYPT
This requires an AMD processor that supports Secure Memory This requires an AMD processor that supports Secure Memory
Encryption (SME). Encryption (SME).
config AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT
bool "Activate AMD Secure Memory Encryption (SME) by default"
depends on AMD_MEM_ENCRYPT
help
Say yes to have system memory encrypted by default if running on
an AMD processor that supports Secure Memory Encryption (SME).
If set to Y, then the encryption of system memory can be
deactivated with the mem_encrypt=off command line option.
If set to N, then the encryption of system memory can be
activated with the mem_encrypt=on command line option.
# Common NUMA Features # Common NUMA Features
config NUMA config NUMA
bool "NUMA Memory Allocation and Scheduler Support" bool "NUMA Memory Allocation and Scheduler Support"
......
...@@ -97,7 +97,6 @@ static char sme_workarea[2 * PMD_SIZE] __section(".init.scratch"); ...@@ -97,7 +97,6 @@ static char sme_workarea[2 * PMD_SIZE] __section(".init.scratch");
static char sme_cmdline_arg[] __initdata = "mem_encrypt"; static char sme_cmdline_arg[] __initdata = "mem_encrypt";
static char sme_cmdline_on[] __initdata = "on"; static char sme_cmdline_on[] __initdata = "on";
static char sme_cmdline_off[] __initdata = "off";
static void __init sme_clear_pgd(struct sme_populate_pgd_data *ppd) static void __init sme_clear_pgd(struct sme_populate_pgd_data *ppd)
{ {
...@@ -504,7 +503,7 @@ void __init sme_encrypt_kernel(struct boot_params *bp) ...@@ -504,7 +503,7 @@ void __init sme_encrypt_kernel(struct boot_params *bp)
void __init sme_enable(struct boot_params *bp) void __init sme_enable(struct boot_params *bp)
{ {
const char *cmdline_ptr, *cmdline_arg, *cmdline_on, *cmdline_off; const char *cmdline_ptr, *cmdline_arg, *cmdline_on;
unsigned int eax, ebx, ecx, edx; unsigned int eax, ebx, ecx, edx;
unsigned long feature_mask; unsigned long feature_mask;
unsigned long me_mask; unsigned long me_mask;
...@@ -587,12 +586,6 @@ void __init sme_enable(struct boot_params *bp) ...@@ -587,12 +586,6 @@ void __init sme_enable(struct boot_params *bp)
asm ("lea sme_cmdline_on(%%rip), %0" asm ("lea sme_cmdline_on(%%rip), %0"
: "=r" (cmdline_on) : "=r" (cmdline_on)
: "p" (sme_cmdline_on)); : "p" (sme_cmdline_on));
asm ("lea sme_cmdline_off(%%rip), %0"
: "=r" (cmdline_off)
: "p" (sme_cmdline_off));
if (IS_ENABLED(CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT))
sme_me_mask = me_mask;
cmdline_ptr = (const char *)((u64)bp->hdr.cmd_line_ptr | cmdline_ptr = (const char *)((u64)bp->hdr.cmd_line_ptr |
((u64)bp->ext_cmd_line_ptr << 32)); ((u64)bp->ext_cmd_line_ptr << 32));
...@@ -602,8 +595,6 @@ void __init sme_enable(struct boot_params *bp) ...@@ -602,8 +595,6 @@ void __init sme_enable(struct boot_params *bp)
if (!strncmp(buffer, cmdline_on, sizeof(buffer))) if (!strncmp(buffer, cmdline_on, sizeof(buffer)))
sme_me_mask = me_mask; sme_me_mask = me_mask;
else if (!strncmp(buffer, cmdline_off, sizeof(buffer)))
sme_me_mask = 0;
out: out:
if (sme_me_mask) { if (sme_me_mask) {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment