On 02/10/2017 17:07, Brijesh Singh wrote: > > > Yep, that will work just fine. There are couple of ways we can limit > hypervisor from creating the SEV guest 1) clear the X86_FEATURE_SEV bit > when mem_encrypt=sme is passed or 2) parse the mem_encrypt=xxx in > kvm-amd.ko > and fail the KVM_SEV_INIT when mem_encrpt=sme or mem_encrypt=off. Stupid question ahead: if it's just about guests, why bother with mem_encrypt=xxx at all? kvm_amd should have a sev parameter anyway, you can just do kvm_amd.sev=0 to disable it. Paolo