Re: [Part1 PATCH v5 02/17] x86/mm: Add Secure Encrypted Virtualization (SEV) support

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




On 9/28/17 2:23 PM, Borislav Petkov wrote:
...
> So actually we need chicken bits to be able to *enable* both when
> CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT is not set.
>
> I.e.,
>
> * mem_encrypt=on - both SME and SEV enabled
>
> * mem_encrypt=smeonly - only SME, no SEV on the host. This option will
> basically prevent from using any SEV guests and make the SEV part of the
> code inactive. I.e., sev_active() and sev_enabled should be false. As
> you say above, we should clear X86_FEATURE_SEV, yes.
>
> * mem_encrypt=off - neither SME/SEV are enabled.
>
> And =on and =off we already have.
>
> How does that sound?

if we are adding a chicken bits then I think we should do it for both
"smeonly" and "sevonly". We can boot host OS with SME disabled and SEV
enabled, and still be able to create the SEV guest from the hypervisor.

How about this ?

mem_encrypt=on     both SME and SEV enabled
mem_encrypt=sev    only SEV enabled
mem_encrypt=sme   only SME enabled
mem_encrypt=off     neither SME/SEV are enabled

-Brijesh




[Index of Archives]     [KVM ARM]     [KVM ia64]     [KVM ppc]     [Virtualization Tools]     [Spice Development]     [Libvirt]     [Libvirt Users]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite Questions]     [Linux Kernel]     [Linux SCSI]     [XFree86]

  Powered by Linux