On Tue, Nov 22, 2016 at 12:38:59PM +0100, Borislav Petkov wrote: > On Tue, Nov 15, 2016 at 12:29:35PM -0600, Tom Lendacky wrote: > > > Makes sense, but I think at least a dmesg warning here > > > might be a good idea. > > > > Good idea. Should it be a warning when it is first being set up or > > a warning the first time the bounce buffers need to be used. Or maybe > > both? > > Ok, let me put my user hat on... > > (... puts a felt hat ...) > > so what am I supposed to do about this as a user? Go and physically > remove those devices because I want to enable SME?! > > IMO, the only thing we should do is issue a *single* warning - > pr_warn_once - along the lines of: > > "... devices present which due to SME will use bounce buffers and will > cause their speed to diminish. Boot with sme=debug to see full info". > > And then sme=debug will dump the whole gory details. I don't think > screaming for each device is going to change anything in many cases. > 99% of people don't care - they just want shit to work. The issue is it's a (potential) security hole, not a slowdown. > > > A boot flag that says "don't enable devices that don't support > > > encryption" might be a good idea, too, since most people > > > don't read dmesg output and won't notice the message. > > > > I'll look into this. It might be something that can be checked as > > part of the device setting its DMA mask or the first time a DMA > > API is used if the device doesn't explicitly set its mask. > > Still with my user hat on, what would be the purpose of such an option? > > We already use bounce buffers so those devices do support encryption, > albeit slower. > > felt hat is confused. To disable unsecure things. If someone enables SEV one might have an expectation of security. Might help push vendors to do the right thing as a side effect. > -- > Regards/Gruss, > Boris. > > Good mailing practices for 400: avoid top-posting and trim the reply. -- To unsubscribe from this list: send the line "unsubscribe linux-efi" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html