Re: [PATCH v5] x86/sev: Add SEV-SNP guest feature negotiation support

On 16/01/23 17:09, Zhi Wang wrote:
> On Mon, 16 Jan 2023 13:53:56 +0530
> "Nikunj A. Dadhania" <nikunj@xxxxxxx> wrote:
> 
>> On 13/01/23 17:23, Zhi Wang wrote:
>>> On Thu, 12 Jan 2023 14:11:39 +0530
>>> Nikunj A Dadhania <nikunj@xxxxxxx> wrote:
>>>
>>
>>>> diff --git a/Documentation/x86/amd-memory-encryption.rst
>>>> b/Documentation/x86/amd-memory-encryption.rst index
>>>> a1940ebe7be5..b3adc39d7735 100644 ---
>>>> a/Documentation/x86/amd-memory-encryption.rst +++
>>>> b/Documentation/x86/amd-memory-encryption.rst @@ -95,3 +95,39 @@ by
>>>> supplying mem_encrypt=on on the kernel command line.  However, if BIOS
>>>> does not enable SME, then Linux will not be able to activate memory
>>>> encryption, even if configured to do so by default or the mem_encrypt=on
>>>> command line parameter is specified. +
>>>> +Secure Nested Paging (SNP)
>>>> +==========================
>>>> +
>>>> +SEV-SNP introduces new features (SEV_FEATURES[1:63]) which can be
>>>> enabled +by the hypervisor for security enhancements. Some of these
>>>> features need +guest side implementation to function correctly. The
>>>> below table lists the +expected guest behavior with various possible
>>>> scenarios of guest/hypervisor +SNP feature support.
>>>> +
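Review bot: The sentence "Some of these features need guest side implementation to function correctly" in this hunk reads as if the feature were mandatory for the guest, which is exactly the misreading raised in this thread. Suggest stating the actual contract in the paragraph: the hypervisor can enable a feature without knowing whether the guest kernel supports it, so the guest must detect an enabled feature it does not implement and fail the boot, while a feature the hypervisor leaves disabled never affects boot. Since the paragraph points at "the below table", the table's "Guest needs implementation" column heading should carry the same meaning so it cannot be read as a requirement placed on the guest.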
>>
>>> "guest needs implementation" seems a little bit confusing. I suppose it 
>>> means the feature is mandatory for the guest. 
>>
>> That is not correct. None of these features are mandatory for the guest.
>> The hypervisor can enable this feature without the knowledge of guest 
>> kernel support. So there should be a mechanism in the guest to detect this
>> and fail the boot if needed.
>>
>>> If so, on the second row 
>>> guest can boot without it. Some explanation? 
>>
>> In the first and second row, HV has not enabled the feature, so the 
>> guest should boot fine irrespective of "Guest needs implementation".
>>
> 
> Feel free to educate me if I understand correctly or not:
> 
> There are two kinds of features in SEV_FEATURES:
> 
> 1. Features that HV can freely enable/disable and they won't disturb the guest.
> 
> HV   | Guest needs impl | Guest has impl     | Result
> Y/N  | N                | X (not necessary)  | Boot
> 
> 2. Features that a guest has to be aware of and handle when HV enables them.
> 
> HV   | Guest needs impl | Guest has impl     | Result
> N    | Y                | X (Don't care)     | Boot
> Y    | Y                | N                  | Fail
> Y    | Y                | Y                  | Boot

Yes, that is the correct understanding.

Regards
Nikunj
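The two decision tables above, expressed as bitmask logic over SEV_FEATURES, as an added example in C that is not code from this patch or from the kernel. It assumes the hypervisor-enabled bits, the "needs implementation" set and the guest's implemented set are all available as 64-bit masks; the feature bit positions 5 and 7 are constructed placeholders, not real SEV_FEATURES assignments.

```c
#include <stdint.h>
#include <stdio.h>

/* Bits [1:63] of SEV_FEATURES are the negotiable range named in the doc hunk. */
#define SNP_NEGOTIABLE_MASK (~(uint64_t)1)

/*
 * hv_enabled  : SEV_FEATURES bits the hypervisor turned on for this guest
 * guest_needs : bits whose feature needs guest-side support (kind 2 above)
 * guest_has   : bits this guest kernel actually implements
 * Returns the enabled features the guest cannot handle: 0 means "Boot",
 * non-zero means "Fail" in the tables' Result column.
 */
static uint64_t snp_unsupported_features(uint64_t hv_enabled,
                                         uint64_t guest_needs,
                                         uint64_t guest_has)
{
    uint64_t hv = hv_enabled & SNP_NEGOTIABLE_MASK;
    /* Kind 1 (guest_needs clear): HV may toggle freely, never blocks boot. */
    /* Kind 2 (guest_needs set): blocks boot only when HV enabled it and the
     * guest lacks an implementation, i.e. the "Y / Y / N -> Fail" row. */
    return hv & guest_needs & ~guest_has;
}

static int snp_guest_can_boot(uint64_t hv_enabled, uint64_t guest_needs,
                              uint64_t guest_has)
{
    return snp_unsupported_features(hv_enabled, guest_needs, guest_has) == 0;
}

/* Lowest offending bit, for the boot-failure message; -1 if there is none. */
static int snp_first_unsupported_bit(uint64_t unsupported)
{
    for (int bit = 1; bit < 64; bit++)
        if (unsupported & ((uint64_t)1 << bit))
            return bit;
    return -1;
}

int main(void)
{
    /* Constructed placeholder bits, not real SEV_FEATURES assignments. */
    const uint64_t kind1 = (uint64_t)1 << 5;  /* HV-only feature */
    const uint64_t kind2 = (uint64_t)1 << 7;  /* needs guest implementation */
    uint64_t bad = snp_unsupported_features(kind1 | kind2, kind2, 0);
    if (bad)   /* row HV=Y, needs=Y, has=N -> Fail */
        printf("SNP: unsupported feature bit %d enabled by HV, failing boot\n",
               snp_first_unsupported_bit(bad));
    return 0;
}
```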