CVE-2021-47228: Vulnerability in the Linux kernel
Description
In the Linux kernel, the following vulnerability has been resolved:

x86/ioremap: Map EFI-reserved memory as encrypted for SEV

Some drivers require memory that is marked as EFI boot services data. In order for this memory to not be re-used by the kernel after ExitBootServices(), efi_mem_reserve() is used to preserve it by inserting a new EFI memory descriptor and marking it with the EFI_MEMORY_RUNTIME attribute.

Under SEV, memory marked with the EFI_MEMORY_RUNTIME attribute needs to be mapped encrypted by Linux, otherwise the kernel might crash at boot like below:

  EFI Variables Facility v0.08 2004-May-17
  general protection fault, probably for non-canonical address 0x3597688770a868b2: 0000 [#1] SMP NOPTI
  CPU: 13 PID: 1 Comm: swapper/0 Not tainted 5.12.4-2-default #1 openSUSE Tumbleweed
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
  RIP: 0010:efi_mokvar_entry_next
  [...]
  Call Trace:
   efi_mokvar_sysfs_init
   ? efi_mokvar_table_init
   do_one_initcall
   ? __kmalloc
   kernel_init_freeable
   ? rest_init
   kernel_init
   ret_from_fork

Expand the __ioremap_check_other() function to additionally check for this other type of boot data reserved at runtime and indicate that it should be mapped encrypted for an SEV guest.

[ bp: Massage commit message. ]
AI Analysis
Technical Summary
CVE-2021-47228 is a Linux kernel bug in how x86 ioremap() decides whether a physical range must be mapped encrypted inside an AMD SEV (Secure Encrypted Virtualization) guest. Some drivers need memory that the firmware marked as EFI boot services data to survive ExitBootServices(). The kernel preserves such a range with efi_mem_reserve(), which inserts a new EFI memory descriptor for it and sets the EFI_MEMORY_RUNTIME attribute so the pages are not handed back to the page allocator. In an SEV guest, private memory is only readable through page-table entries that carry the encryption bit (C-bit); a range reserved this way holds guest-private data and therefore must be mapped encrypted. The helper __ioremap_check_other() in arch/x86/mm/ioremap.c only requested an encrypted mapping for EFI runtime services data and did not recognise boot services data carrying EFI_MEMORY_RUNTIME, so ioremap() produced an unencrypted (shared) mapping of encrypted memory. A read through such a mapping returns ciphertext rather than the stored data, which is what the oops in the description shows: efi_mokvar_entry_next() walks the EFI MOK variable configuration table during efi_mokvar_sysfs_init() and dereferences the garbage it reads, faulting on a non-canonical address while PID 1 is still running initcalls. The fix extends __ioremap_check_other() to also flag EFI_BOOT_SERVICES_DATA regions that carry EFI_MEMORY_RUNTIME as needing an encrypted mapping when SEV is active. The consequence is a guest kernel crash at boot; no data is exposed and no memory is corrupted, so the impact is to availability only. The assigned CVSS 3.1 score is 6.2 (medium): local attack vector, low attack complexity, no privileges required, no user interaction, high availability impact and no confidentiality or integrity impact. No exploitation in the wild has been reported, and the condition is triggered by the guest's own boot path rather than by attacker-controlled input. Only the kernel running inside the SEV guest is affected; hypervisor hosts and non-SEV guests are not.
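To make the decision concrete, the following stand-alone C program models the mechanism described above. It is an added example, not code from the Linux kernel or from this advisory: the descriptor layout and the two decision functions are modelled on the commit message and on the pre- and post-fix shape of __ioremap_check_other(); the memory map, the MOK table address and all function names are constructed for the demonstration. It reserves a range of boot services data the way efi_mem_reserve() does and then shows that the pre-fix check leaves that range unencrypted while the post-fix check maps it encrypted.

```c
/* Model of the x86 ioremap() encryption decision in an AMD SEV guest, before
 * and after the fix for CVE-2021-47228. Added example, NOT kernel code: the
 * memory map, addresses and names below are constructed for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* UEFI memory types and attribute bit (values from the UEFI specification). */
#define EFI_BOOT_SERVICES_DATA    4u
#define EFI_RUNTIME_SERVICES_DATA 6u
#define EFI_CONVENTIONAL_MEMORY   7u
#define EFI_MEMORY_RUNTIME        0x8000000000000000ULL
#define EFI_PAGE_SIZE             4096ULL

struct efi_desc { uint32_t type; uint64_t phys_addr; uint64_t num_pages; uint64_t attribute; };

#define MAX_DESCS 16
struct efi_memmap { struct efi_desc d[MAX_DESCS]; size_t n; };

/* Constructed map: 1 MiB of boot-services data, then 256 MiB of ordinary RAM. */
static void memmap_init(struct efi_memmap *m)
{
    memset(m, 0, sizeof(*m));
    m->d[m->n++] = (struct efi_desc){ EFI_BOOT_SERVICES_DATA,  0x10000000ULL, 256,   0 };
    m->d[m->n++] = (struct efi_desc){ EFI_CONVENTIONAL_MEMORY, 0x10100000ULL, 65536, 0 };
}

/* Descriptor covering addr, or NULL; stands in for the kernel's efi_mem_type()
 * and efi_mem_attributes() lookups. Empty (zero-page) descriptors never match. */
static const struct efi_desc *find_desc(const struct efi_memmap *m, uint64_t addr)
{
    for (size_t i = 0; i < m->n; i++) {
        uint64_t start = m->d[i].phys_addr;
        uint64_t end = start + m->d[i].num_pages * EFI_PAGE_SIZE;
        if (addr >= start && addr < end)
            return &m->d[i];
    }
    return NULL;
}

/* Model of efi_mem_reserve(): split the descriptor containing [addr, addr+size)
 * into head / reserved / tail and give the reserved piece EFI_MEMORY_RUNTIME so
 * the kernel keeps it instead of freeing it after ExitBootServices(). */
static bool memmap_reserve(struct efi_memmap *m, uint64_t addr, uint64_t size)
{
    uint64_t r_start = addr & ~(EFI_PAGE_SIZE - 1);
    uint64_t r_end = (addr + size + EFI_PAGE_SIZE - 1) & ~(EFI_PAGE_SIZE - 1);

    for (size_t i = 0; i < m->n; i++) {
        struct efi_desc old = m->d[i];
        uint64_t start = old.phys_addr;
        uint64_t end = start + old.num_pages * EFI_PAGE_SIZE;
        if (r_start < start || r_end > end)
            continue;                       /* range is not inside this descriptor */
        if (m->n + 2 > MAX_DESCS)
            return false;                   /* no room for the two extra entries */
        memmove(&m->d[i + 3], &m->d[i + 1], (m->n - i - 1) * sizeof(m->d[0]));
        m->d[i]     = (struct efi_desc){ old.type, start,   (r_start - start) / EFI_PAGE_SIZE, old.attribute };
        m->d[i + 1] = (struct efi_desc){ old.type, r_start, (r_end - r_start) / EFI_PAGE_SIZE, old.attribute | EFI_MEMORY_RUNTIME };
        m->d[i + 2] = (struct efi_desc){ old.type, r_end,   (end - r_end) / EFI_PAGE_SIZE,     old.attribute };
        m->n += 2;
        return true;
    }
    return false;
}

/* Pre-fix decision: in an SEV guest, only EFI runtime-services data is forced
 * to an encrypted mapping; the reserved boot-services data is missed. */
static bool should_map_encrypted_before_fix(const struct efi_memmap *m, uint64_t addr, bool sev_active)
{
    const struct efi_desc *d = sev_active ? find_desc(m, addr) : NULL;
    return d && d->type == EFI_RUNTIME_SERVICES_DATA;
}

/* Post-fix decision: boot-services data that efi_mem_reserve() tagged with
 * EFI_MEMORY_RUNTIME is treated like runtime-services data. */
static bool should_map_encrypted_after_fix(const struct efi_memmap *m, uint64_t addr, bool sev_active)
{
    const struct efi_desc *d = sev_active ? find_desc(m, addr) : NULL;
    if (!d)
        return false;
    if (d->type == EFI_RUNTIME_SERVICES_DATA)
        return true;
    return d->type == EFI_BOOT_SERVICES_DATA && (d->attribute & EFI_MEMORY_RUNTIME) != 0;
}

int main(void)
{
    struct efi_memmap m;
    const uint64_t mok_table = 0x10080000ULL;   /* constructed: where firmware left the MOK table */
    memmap_init(&m);
    memmap_reserve(&m, mok_table, 0x2000);
    printf("before fix: %s\n", should_map_encrypted_before_fix(&m, mok_table, true)
                               ? "encrypted" : "PLAINTEXT mapping -> reads ciphertext, oops");
    printf("after fix:  %s\n", should_map_encrypted_after_fix(&m, mok_table, true)
                               ? "encrypted" : "PLAINTEXT");
    return 0;
}
```

The sev_active parameter mirrors the kernel's early return when SEV is not active: on a host or a non-SEV guest neither version of the check changes the mapping, which is why only SEV guest kernels need the fix.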
Potential Impact
For European organizations, the impact of CVE-2021-47228 is confined to the availability of Linux guests running under AMD SEV, whether in public cloud confidential-computing offerings or on on-premises virtualization hosts. An unpatched guest kernel can panic while PID 1 is still running initcalls, so the symptom is a virtual machine that never completes boot rather than one that degrades at runtime; this typically surfaces after a guest kernel update, on guests whose firmware and boot chain publish the EFI MOK variable configuration table, as in the crash reported in the description. The result is downtime of whatever the guest hosts, disrupted VM lifecycle operations, and time spent diagnosing a crash that leaves nothing in on-disk logs. Confidentiality and integrity are not affected: the faulty mapping causes the kernel to read ciphertext, not to expose plaintext, and the memory encryption SEV provides is not weakened. European enterprises in finance, telecommunications and government, where hardware-based memory encryption for virtual machines is increasingly adopted, are the most likely to run affected guests. With no known exploits and no attacker-controlled trigger, the immediate risk is operational rather than adversarial, but unpatched SEV guests remain exposed to boot failures.
Mitigation Recommendations
To mitigate CVE-2021-47228, European organizations should: 1) Update the guest kernel to a version that contains the upstream fix "x86/ioremap: Map EFI-reserved memory as encrypted for SEV" (in which __ioremap_check_other() also flags EFI boot services data marked EFI_MEMORY_RUNTIME for an encrypted mapping), via the distribution's kernel package and advisory. 2) Remember that the kernel that matters is the one booted inside the SEV guest; host kernels, hypervisors and platform firmware do not need this particular fix, although they should be kept current for the SEV stack generally. 3) Boot-test patched SEV guests with a serial console or pstore attached before rolling the kernel out broadly, because a crash in PID 1 before the root filesystem is mounted is only visible there. 4) For detection, collect guest serial console output and look for a general protection fault during early boot with efi_mokvar_entry_next or efi_mokvar_sysfs_init in the call trace; this identifies guests still on an affected kernel. 5) Where the fixed kernel cannot be deployed immediately, pin the guest to the previous known-good kernel; disabling SEV would avoid the crash but removes the memory encryption the guest was deployed for, trading confidentiality for availability, and should only be a deliberate, temporary decision. 6) Maintain an inventory of SEV guests (from the hypervisor's VM configuration, or from the guest's dmesg line reporting AMD memory encryption features active; the exact wording varies by kernel version) and prioritize patching by criticality. 7) Coordinate with hardware, firmware and virtualization vendors so that guest firmware and hypervisor versions remain compatible with the patched kernels. The common thread is the interaction between EFI memory attributes and SEV's encrypted-mapping requirement, which is what distinguishes this issue from a generic kernel update.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Ireland, Belgium, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-04-10T18:59:19.530Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d9835c4522896dcbea103
Added to database: 5/21/2025, 9:09:09 AM
Last enriched: 6/26/2025, 2:51:36 PM
Last updated: 8/14/2025, 3:29:46 PM