Re: [PATCH v8 29/40] x86/compressed/64: add support for SEV-SNP CPUID table in #VC handlers

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Subject: Re: [PATCH v8 29/40] x86/compressed/64: add support for SEV-SNP CPUID table in #VC handlers
From: Borislav Petkov <bp@xxxxxxxxx>
Date: Fri, 28 Jan 2022 23:58:32 +0100
Cc: Brijesh Singh <brijesh.singh@xxxxxxx>, x86@xxxxxxxxxx, linux-kernel@xxxxxxxxxxxxxxx, kvm@xxxxxxxxxxxxxxx, linux-efi@xxxxxxxxxxxxxxx, platform-driver-x86@xxxxxxxxxxxxxxx, linux-coco@xxxxxxxxxxxxxxx, linux-mm@xxxxxxxxx, Thomas Gleixner <tglx@xxxxxxxxxxxxx>, Ingo Molnar <mingo@xxxxxxxxxx>, Joerg Roedel <jroedel@xxxxxxx>, Tom Lendacky <thomas.lendacky@xxxxxxx>, "H. Peter Anvin" <hpa@xxxxxxxxx>, Ard Biesheuvel <ardb@xxxxxxxxxx>, Paolo Bonzini <pbonzini@xxxxxxxxxx>, Sean Christopherson <seanjc@xxxxxxxxxx>, Vitaly Kuznetsov <vkuznets@xxxxxxxxxx>, Jim Mattson <jmattson@xxxxxxxxxx>, Andy Lutomirski <luto@xxxxxxxxxx>, Dave Hansen <dave.hansen@xxxxxxxxxxxxxxx>, Sergio Lopez <slp@xxxxxxxxxx>, Peter Gonda <pgonda@xxxxxxxxxx>, Peter Zijlstra <peterz@xxxxxxxxxxxxx>, Srinivas Pandruvada <srinivas.pandruvada@xxxxxxxxxxxxxxx>, David Rientjes <rientjes@xxxxxxxxxx>, Dov Murik <dovmurik@xxxxxxxxxxxxx>, Tobin Feldman-Fitzthum <tobin@xxxxxxx>, Vlastimil Babka <vbabka@xxxxxxx>, "Kirill A . Shutemov" <kirill@xxxxxxxxxxxxx>, Andi Kleen <ak@xxxxxxxxxxxxxxx>, "Dr . David Alan Gilbert" <dgilbert@xxxxxxxxxx>, tony.luck@xxxxxxxxx, marcorr@xxxxxxxxxx, sathyanarayanan.kuppuswamy@xxxxxxxxxxxxxxx
In-reply-to: <20220119162747.ewgxirwcnrcajazm@amd.com>
References: <20220118142345.65wuub2p3alavhpb@amd.com> <20220118143238.lu22npcktxuvadwk@amd.com> <20220118143730.wenhm2bbityq7wwy@amd.com> <YebsKcpnYzvjaEjs@zn.tnic> <20220118172043.djhy3dwg4fhhfqfs@amd.com> <Yeb7vOaqDtH6Fpsb@zn.tnic> <20220118184930.nnwbgrfr723qabnq@amd.com> <20220119011806.av5rtxfv4et2sfkl@amd.com> <YefzQuqrV8kdLr9z@zn.tnic> <20220119162747.ewgxirwcnrcajazm@amd.com>

On Wed, Jan 19, 2022 at 10:27:47AM -0600, Michael Roth wrote:
> At that point it's much easier for the guest owner to just check the
> CPUID values directly against known good values for a particular
> configuration as part of their attestation process and leave the
> untrusted cloud vendor out of it completely. So not measuring the
> CPUID page as part of SNP attestation allows for that flexibility.

Well, in that case, I guess you don't need the sanity-checking in the
guest either - you simply add it to the attestation TODO-list for the
guest owner to go through:

Upon booting, the guest owner should compare the CPUID leafs the guest
sees with the ones supplied during boot.

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette

References:
- Re: [PATCH v8 29/40] x86/compressed/64: add support for SEV-SNP CPUID table in #VC handlers
  - From: Michael Roth
- Re: [PATCH v8 29/40] x86/compressed/64: add support for SEV-SNP CPUID table in #VC handlers
  - From: Michael Roth
- Re: [PATCH v8 29/40] x86/compressed/64: add support for SEV-SNP CPUID table in #VC handlers
  - From: Michael Roth
- Re: [PATCH v8 29/40] x86/compressed/64: add support for SEV-SNP CPUID table in #VC handlers
  - From: Borislav Petkov
- Re: [PATCH v8 29/40] x86/compressed/64: add support for SEV-SNP CPUID table in #VC handlers
  - From: Michael Roth
- Re: [PATCH v8 29/40] x86/compressed/64: add support for SEV-SNP CPUID table in #VC handlers
  - From: Borislav Petkov
- Re: [PATCH v8 29/40] x86/compressed/64: add support for SEV-SNP CPUID table in #VC handlers
  - From: Michael Roth
- Re: [PATCH v8 29/40] x86/compressed/64: add support for SEV-SNP CPUID table in #VC handlers
  - From: Michael Roth
- Re: [PATCH v8 29/40] x86/compressed/64: add support for SEV-SNP CPUID table in #VC handlers
  - From: Borislav Petkov
- Re: [PATCH v8 29/40] x86/compressed/64: add support for SEV-SNP CPUID table in #VC handlers
  - From: Michael Roth

Prev by Date: Re: [PATCH v3 0/9] Parallel CPU bringup for x86_64
Next by Date: RE: [PATCH] kvm: Move KVM_GET_XSAVE2 IOCTL definition at the end of kvm.h
Previous by thread: Re: [PATCH v8 29/40] x86/compressed/64: add support for SEV-SNP CPUID table in #VC handlers
Next by thread: [PATCH v8 25/40] x86/compressed/acpi: move EFI config table lookup to helper
Index(es):
- Date
- Thread

[Index of Archives] [KVM ARM] [KVM ia64] [KVM ppc] [Virtualization Tools] [Spice Development] [Libvirt] [Libvirt Users] [Linux USB Devel] [Linux Audio Users] [Yosemite Questions] [Linux Kernel] [Linux SCSI] [XFree86]