Re: [PATCH v1 15/40] i386/tdx: Add property sept-ve-disable for tdx-guest object

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Subject: Re: [PATCH v1 15/40] i386/tdx: Add property sept-ve-disable for tdx-guest object
From: Gerd Hoffmann <kraxel@xxxxxxxxxx>
Date: Fri, 2 Sep 2022 18:52:51 +0200
Cc: Xiaoyao Li <xiaoyao.li@xxxxxxxxx>, Paolo Bonzini <pbonzini@xxxxxxxxxx>, Isaku Yamahata <isaku.yamahata@xxxxxxxxx>, Daniel P. Berrangé <berrange@xxxxxxxxxx>, Philippe Mathieu-Daudé <f4bug@xxxxxxxxx>, Richard Henderson <richard.henderson@xxxxxxxxxx>, "Michael S . Tsirkin" <mst@xxxxxxxxxx>, Marcel Apfelbaum <marcel.apfelbaum@xxxxxxxxx>, Cornelia Huck <cohuck@xxxxxxxxxx>, Marcelo Tosatti <mtosatti@xxxxxxxxxx>, Laszlo Ersek <lersek@xxxxxxxxxx>, Eric Blake <eblake@xxxxxxxxxx>, Connor Kuehl <ckuehl@xxxxxxxxxx>, erdemaktas@xxxxxxxxxx, kvm@xxxxxxxxxxxxxxx, qemu-devel@xxxxxxxxxx
In-reply-to: <YxIgq9flJehbEngQ@google.com>
References: <20220802074750.2581308-1-xiaoyao.li@intel.com> <20220802074750.2581308-16-xiaoyao.li@intel.com> <20220825113636.qlqmflxcxemh2lmf@sirius.home.kraxel.org> <389a2212-56b8-938b-22e5-24ae2bc73235@intel.com> <20220826055711.vbw2oovti2qevzzx@sirius.home.kraxel.org> <a700a0c6-7f25-dc45-4c49-f61709808f29@intel.com> <YxFv6RglTOY3Pevj@google.com> <20220902054621.yyffxn2vnm74r2b3@sirius.home.kraxel.org> <YxIgq9flJehbEngQ@google.com>

On Fri, Sep 02, 2022 at 03:26:35PM +0000, Sean Christopherson wrote:
> On Fri, Sep 02, 2022, Gerd Hoffmann wrote:
> > 
> > Hmm, ok, but shouldn't the SEPT_VE bit *really* controlled by the guest then?
> > 
> > Having a hypervisor-controlled config bit to protect against a malicious
> > hypervisor looks pointless to me ...
> 
> IIRC, all (most?) of the attributes are included in the attestation report, so a
> guest/customer can refuse to provision secrets to the guest if the hypervisor is
> misbehaving.

Good.  I think we sorted all issues then.

Acked-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

take care,
  Gerd

References:
- [PATCH v1 00/40] TDX QEMU support
  - From: Xiaoyao Li
- [PATCH v1 15/40] i386/tdx: Add property sept-ve-disable for tdx-guest object
  - From: Xiaoyao Li
- Re: [PATCH v1 15/40] i386/tdx: Add property sept-ve-disable for tdx-guest object
  - From: Gerd Hoffmann
- Re: [PATCH v1 15/40] i386/tdx: Add property sept-ve-disable for tdx-guest object
  - From: Xiaoyao Li
- Re: [PATCH v1 15/40] i386/tdx: Add property sept-ve-disable for tdx-guest object
  - From: Gerd Hoffmann
- Re: [PATCH v1 15/40] i386/tdx: Add property sept-ve-disable for tdx-guest object
  - From: Xiaoyao Li
- Re: [PATCH v1 15/40] i386/tdx: Add property sept-ve-disable for tdx-guest object
  - From: Sean Christopherson
- Re: [PATCH v1 15/40] i386/tdx: Add property sept-ve-disable for tdx-guest object
  - From: Gerd Hoffmann
- Re: [PATCH v1 15/40] i386/tdx: Add property sept-ve-disable for tdx-guest object
  - From: Sean Christopherson

Prev by Date: Re: [PATCH v3 4/7] arm64: mte: Lock a page for MTE tag initialisation
Next by Date: Re: [PATCH v3 4/7] arm64: mte: Lock a page for MTE tag initialisation
Previous by thread: Re: [PATCH v1 15/40] i386/tdx: Add property sept-ve-disable for tdx-guest object
Next by thread: [PATCH v1 21/40] i386/tdx: Parse TDVF metadata for TDX VM
Index(es):
- Date
- Thread

[Index of Archives] [KVM ARM] [KVM ia64] [KVM ppc] [Virtualization Tools] [Spice Development] [Libvirt] [Libvirt Users] [Linux USB Devel] [Linux Audio Users] [Yosemite Questions] [Linux Kernel] [Linux SCSI] [XFree86]