On 9/30/17 4:41 PM, Borislav Petkov wrote:
...
>> 3.2 If bit is set, it's SEV guest. We set sev_enabled to 'true' and also
>> set 'sme_me_mask'. Return from the function.
>> The SEV state *cannot* be controlled by a command line option.
> So how do you propose to disable SEV? Right now I do:
>
>         if (feature_mask == AMD_SEV_BIT)
>                 sev_enabled = true;

Host OS:
--------
We can control the SEV feature visibility to the hypervisor through the host OS command line.

mem_encrypt=on  - SEV feature is available
mem_encrypt=sme - SEV feature is disabled
mem_encrypt=off - SEV feature is disabled

When SEV feature is disabled, KVM will not be able to launch any SEV guests. When SEV support is available, KVM can enable it in a specific VM by setting SEV bit before executing the VMRUN instruction.

Guest OS:
--------
Checks the MSR_AMD64_SEV to determine if SEV feature is enabled. Please note that the MSR is read-only. IOW, MSR is not intercepted by the hypervisor. Currently, mem_encrypt=xxx and CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT are don't care. We cannot depend on the command line because when SEV is enabled in a VM then instruction fetch will be decrypted by the hardware. If we want then we can perform the comparison between the SEV state obtained through MSR with user supplied command line and trigger BUG() if they don't match.

> at the end, when mem_encrypt=sme wasn't supplied on the cmdline. IOW,
> SEV is enabled either when CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT or
> mem_encrypt=on.
>
> Hmmm?
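The two decision paths described in the reply (host: command line decides whether KVM may launch SEV guests; guest: only the read-only MSR_AMD64_SEV decides, with an optional cross-check against the command line that would BUG() on a mismatch), modelled as a user-space C program. This is an added example, not code from the thread or from the kernel patch series under discussion. It assumes the CPUID Fn8000_001F EAX bit layout (bit 0 SME, bit 1 SEV), that EBX[5:0] carries the C-bit position used to build sme_me_mask, and that bit 0 of MSR_AMD64_SEV (0xC0010131) reports SEV enabled; the `active_by_default` parameter stands in for CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT per Boris's summary. Register values and command lines are constructed samples.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* CPUID Fn8000_001F EAX feature bits (assumed layout, see lead-in). */
#define CPUID_AMD_SME_BIT      (1u << 0)
#define CPUID_AMD_SEV_BIT      (1u << 1)
/* Read-only, non-intercepted MSR a guest reads to learn whether it runs under SEV. */
#define MSR_AMD64_SEV          0xC0010131u
#define MSR_AMD64_SEV_ENABLED  (1ull << 0)

enum mem_encrypt_opt { ME_UNSET, ME_ON, ME_SME, ME_OFF };

struct me_state {
    bool     sev_enabled;  /* guest: running as an SEV guest */
    uint64_t sme_me_mask;  /* mask of the C-bit used to mark encrypted pages */
};

/* Parse mem_encrypt= from a (constructed) kernel command line. */
enum mem_encrypt_opt parse_mem_encrypt(const char *cmdline)
{
    static const struct { const char *name; enum mem_encrypt_opt opt; } tbl[] = {
        { "on", ME_ON }, { "sme", ME_SME }, { "off", ME_OFF },
    };
    const char *p = strstr(cmdline, "mem_encrypt=");
    if (!p)
        return ME_UNSET;
    p += strlen("mem_encrypt=");
    for (size_t i = 0; i < sizeof tbl / sizeof tbl[0]; i++) {
        size_t n = strlen(tbl[i].name);
        if (!strncmp(p, tbl[i].name, n) && (p[n] == '\0' || p[n] == ' '))
            return tbl[i].opt;
    }
    return ME_UNSET;   /* unknown value: treated like an absent option */
}

/*
 * Host side: SEV is exposed to KVM only when the CPU reports it and the
 * command line did not hide it (mem_encrypt=sme or =off).  An absent
 * option falls back to the ACTIVE_BY_DEFAULT config, per Boris's summary.
 */
bool host_sev_available(uint32_t cpuid_eax, enum mem_encrypt_opt opt,
                        bool active_by_default)
{
    if (!(cpuid_eax & CPUID_AMD_SEV_BIT))
        return false;
    if (opt == ME_UNSET)
        return active_by_default;
    return opt == ME_ON;
}

/*
 * Guest side: the command line is ignored; only MSR_AMD64_SEV decides,
 * because with SEV active the hardware already decrypts instruction
 * fetches and the guest cannot choose otherwise.
 */
void guest_me_identify(uint32_t cpuid_eax, uint32_t cpuid_ebx,
                       uint64_t msr_sev, struct me_state *st)
{
    st->sev_enabled = false;
    st->sme_me_mask = 0;
    if (!(cpuid_eax & (CPUID_AMD_SME_BIT | CPUID_AMD_SEV_BIT)))
        return;
    if (msr_sev & MSR_AMD64_SEV_ENABLED) {
        st->sev_enabled = true;
        st->sme_me_mask = 1ull << (cpuid_ebx & 0x3f);  /* EBX[5:0] = C-bit position */
    }
}

/* Optional cross-check from the reply: would BUG() fire for this combination? */
bool guest_cmdline_mismatch(const struct me_state *st, enum mem_encrypt_opt opt)
{
    /* Hardware says SEV is on but the user asked for it to be off. */
    return st->sev_enabled && (opt == ME_SME || opt == ME_OFF);
}

int main(void)
{
    /* Constructed sample: CPU reports SME+SEV, C-bit at position 47, MSR says SEV on. */
    struct me_state st;
    guest_me_identify(0x3u, 47u, MSR_AMD64_SEV_ENABLED, &st);
    enum mem_encrypt_opt opt = parse_mem_encrypt("root=/dev/vda1 mem_encrypt=off");
    printf("guest: sev_enabled=%d sme_me_mask=0x%llx mismatch=%d\n",
           st.sev_enabled, (unsigned long long)st.sme_me_mask,
           guest_cmdline_mismatch(&st, opt));
    printf("host: sev_available=%d\n", host_sev_available(0x3u, opt, true));
    return 0;
}
```

The point the model makes concrete: `host_sev_available()` consults the command line, `guest_me_identify()` never does, and the only role left for mem_encrypt= inside a guest is the mismatch check, which is why a real guest cannot be "switched off" by the option.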