Hello,

On Thu, Jan 21, 2021 at 08:55:07AM -0600, Tom Lendacky wrote:
> The hardware will allow any SEV capable ASID to be run as SEV-ES, however,
> the SEV firmware will not allow the activation of an SEV-ES VM to be
> assigned to an ASID greater than or equal to the SEV minimum ASID value. The
> reason for the latter is to prevent an !SEV-ES ASID starting out as an
> SEV-ES guest and then disabling the SEV-ES VMCB bit that is used by VMRUN.
> This would result in the downgrading of the security of the VM without the
> VM realizing it.
>
> As a result, you have a range of ASIDs that can only run SEV-ES VMs and a
> range of ASIDs that can only run SEV VMs.

I see. That makes sense.

What's the downside of SEV-ES compared to SEV w/o ES? Are there noticeable
performance / feature penalties or is the split mostly for backward
compatibility?

Thanks.

--
tejun