On 09/29/2017 09:41 AM, Borislav Petkov wrote:
On Fri, Sep 29, 2017 at 07:28:47AM -0500, Brijesh Singh wrote:
if we are adding a chicken bits then I think we should do it for both
"smeonly" and "sevonly". We can boot host OS with SME disabled and SEV
enabled, and still be able to create the SEV guest from the hypervisor.
Sure, but is that a real use case? I mean, who would want to run
encrypted guests on an unencrypted hypervisor?
In production, you do not want to run encrypted guest on an unencrypted
hypervisor -- I was thinking about the debug environment. We can start
with mem_encrypt=sme and if we see the need for 'sev' arg then we can
extend it later.
I am working on the patch and will send for the review. thanks
-Brijesh