On Mon, Jan 02, 2023 at 02:08:10PM +0530, Nikunj A Dadhania wrote:
> The hypervisor can enable various new features (SEV_FEATURES[1:63])
> and start the SNP guest. Some of these features need guest side
> implementation. If any of these features are enabled without guest
> side implementation, the behavior of the SNP guest will be undefined.
> The SNP guest boot may fail in a non-obvious way making it difficult
> to debug.
>
> Instead of allowing the guest to continue and have it fail randomly
> later, detect this early and fail gracefully.
>
> SEV_STATUS MSR indicates features which hypervisor has enabled. While
                                          ^
                                          the

> booting, SNP guests should ascertain that all the enabled features
> have guest side implementation. In case any feature is not implemented
> in the guest, the guest terminates booting with SNP feature
> unsupported exit code.
>
> More details in AMD64 APM[1] Vol 2: 15.34.10 SEV_STATUS MSR
>
> [1] https://www.amd.com/system/files/TechDocs/40332_4.05.pdf
>
> Fixes: cbd3d4f7c4e5 ("x86/sev: Check SEV-SNP features support")
> CC: Borislav Petkov <bp@xxxxxxxxx>
> CC: Michael Roth <michael.roth@xxxxxxx>
> CC: Tom Lendacky <thomas.lendacky@xxxxxxx>
> CC: <stable@xxxxxxxxxx>
> Signed-off-by: Nikunj A Dadhania <nikunj@xxxxxxx>

...

> diff --git a/Documentation/x86/amd-memory-encryption.rst b/Documentation/x86/amd-memory-encryption.rst
> index a1940ebe7be5..b8b6b87be995 100644
> --- a/Documentation/x86/amd-memory-encryption.rst
> +++ b/Documentation/x86/amd-memory-encryption.rst
> @@ -95,3 +95,38 @@ by supplying mem_encrypt=on on the kernel command line. However, if BIOS does
> not enable SME, then Linux will not be able to activate memory encryption, even
> if configured to do so by default or the mem_encrypt=on command line parameter
> is specified.
> +
> +Secure Nested Paging (SNP):

No ":"

> +===========================

<---- newline here.

> +SEV-SNP introduces new features (SEV_FEATURES[1:63]) which can be enabled
> +by the hypervisor for security enhancements. Some of these features need
> +guest side implementation to function correctly. The below table lists the
> +expected guest behavior with various possible scenarios of guest/hypervisor
> +SNP feature support.
> +
> ++---------------+---------------+---------------+---------------+
> +|Feature Enabled| Guest needs   | Guest has     | Guest boot    |
> +| by HV         |implementation |implementation | behavior      |
> ++---------------+---------------+---------------+---------------+
> +| No            | No            | No            | Boot          |
> +|               |               |               |               |
> ++---------------+---------------+---------------+---------------+
> +| No            | Yes           | No            | Boot          |
> +|               |               |               |               |
> ++---------------+---------------+---------------+---------------+
> +| No            | Yes           | Yes           | Boot          |
> +|               |               |               |               |
> ++---------------+---------------+---------------+---------------+
> +| Yes           | No            | No            | Boot with     |
> +|               |               |               |feature enabled|
> ++---------------+---------------+---------------+---------------+
> +| Yes           | Yes           | No            | Graceful Boot |
> +|               |               |               | Failure       |
> ++---------------+---------------+---------------+---------------+
> +| Yes           | Yes           | Yes           | Boot with     |
> +|               |               |               |feature enabled|
> ++---------------+---------------+---------------+---------------+

sphinx is not happy about that table for some reason. I always find the
error messages cryptic though:

Documentation/x86/amd-memory-encryption.rst:110: WARNING: Block quote ends without a blank line; unexpected unindent.
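Review bot: counting from the @@ -95 hunk start, each of the three warnings (110, 122, 128) lands on the border line directly below a cell whose first line starts with a space and whose second line sits flush against the "|": "| Guest needs |" over "|implementation |", and "| Boot with |" over "|feature enabled|" (twice). reStructuredText parses each cell body on its own, so the indented first line becomes a block quote and the flush second line is exactly the "unexpected unindent" it reports, which is why the grid table is rejected. Suggest giving both lines of those cells the same leading space (widening the column by one character where "feature enabled" no longer fits), or keeping each cell to a single line, in which case the empty filler row in every entry can go as well. Separately, if "Feature Enabled by HV / Guest needs implementation / ..." is meant as a header row, the border under it should be "+=====...+" rather than "+-----...+" for it to render as a table header.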
Documentation/x86/amd-memory-encryption.rst:122: WARNING: Block quote ends without a blank line; unexpected unindent.
Documentation/x86/amd-memory-encryption.rst:128: WARNING: Block quote ends without a blank line; unexpected unindent.

You can repro by doing "make htmldocs".

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette