Re: [Part1 PATCH v5 02/17] x86/mm: Add Secure Encrypted Virtualization (SEV) support


 



Hi Boris,

On 09/28/2017 04:02 AM, Borislav Petkov wrote:
...

+bool sev_active(void)
+{
+	return sme_me_mask && sev_enabled;
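
Review bot: sev_active() has no comment stating what it reports. At the return statement the result depends on both sme_me_mask being non-zero and sev_enabled being set, so a short comment above the function saying it is true only when the encryption mask is set and SEV is enabled would make the contract clear to callers.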

What I'm still missing is the chicken bit. I.e., to be able to boot with
"mem_encrypt=smeonly" or so, which disables the SEV side but can still
allow SME. For when SEV has issues and people want to disable it.



Let me understand the ask: are you saying that we need a method to disable the SEV
feature from the host OS so that the hypervisor will not be able to create a SEV guest?
Because once a guest is booted with the SEV feature, there is no way to disable the SEV
feature from the guest.

I.e., if "mem_encrypt=smeonly" is set then we clear the X86_FEATURE_SEV capability flag
defined in [1].

[1] https://marc.info/?l=linux-kernel&m=150585470323923&w=2


You can do the patch on top of those and send it as a reply to this
thread - no need to wait to resend the whole thing again.



