On 9/28/17 2:23 PM, Borislav Petkov wrote: ... > So actually we need chicken bits to be able to *enable* both when > CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT is not set. > > I.e., > > * mem_encrypt=on - both SME and SEV enabled > > * mem_encrypt=smeonly - only SME, no SEV on the host. This option will > basically prevent from using any SEV guests and make the SEV part of the > code inactive. I.e., sev_active() and sev_enabled should be false. As > you say above, we should clear X86_FEATURE_SEV, yes. > > * mem_encrypt=off - neither SME/SEV are enabled. > > And =on and =off we already have. > > How does that sound? if we are adding a chicken bits then I think we should do it for both "smeonly" and "sevonly". We can boot host OS with SME disabled and SEV enabled, and still be able to create the SEV guest from the hypervisor. How about this ? mem_encrypt=on both SME and SEV enabled mem_encrypt=sev only SEV enabled mem_encrypt=sme only SME enabled mem_encrypt=off neither SME/SEV are enabled -Brijesh