On 06/09/2017 02:36 PM, Tom Lendacky wrote: > On 6/8/2017 5:01 PM, Andrew Cooper wrote: >> On 08/06/2017 22:17, Boris Ostrovsky wrote: >>> On 06/08/2017 05:02 PM, Tom Lendacky wrote: >>>> On 6/8/2017 3:51 PM, Boris Ostrovsky wrote: >>>>>>> What may be needed is making sure X86_FEATURE_SME is not set for PV >>>>>>> guests. >>>>>> And that may be something that Xen will need to control through >>>>>> either >>>>>> CPUID or MSR support for the PV guests. >>>>> >>>>> Only on newer versions of Xen. On earlier versions (2-3 years old) >>>>> leaf >>>>> 0x80000007 is passed to the guest unchanged. And so is MSR_K8_SYSCFG. >>>> The SME feature is in leaf 0x8000001f, is that leaf passed to the >>>> guest >>>> unchanged? >>> Oh, I misread the patch where X86_FEATURE_SME is defined. Then all >>> versions, including the current one, pass it unchanged. >>> >>> All that's needed is setup_clear_cpu_cap(X86_FEATURE_SME) in >>> xen_init_capabilities(). >> >> AMD processors still don't support CPUID Faulting (or at least, I >> couldn't find any reference to it in the latest docs), so we cannot >> actually hide SME from a guest which goes looking at native CPUID. >> Furthermore, I'm not aware of any CPUID masking support covering that >> leaf. >> >> However, if Linux is using the paravirtual cpuid hook, things are >> slightly better. >> >> On Xen 4.9 and later, no guests will see the feature. On earlier >> versions of Xen (before I fixed the logic), plain domUs will not see the >> feature, while dom0 will. >> >> For safely, I'd recommend unilaterally clobbering the feature as Boris >> suggested. There is no way SME will be supportable on a per-PV guest > > That may be too late. Early boot support in head_64.S will make calls to > check for the feature (through CPUID and MSR), set the sme_me_mask and > encrypt the kernel in place. Is there another way to approach this? PV guests don't go through Linux x86 early boot code. They start at xen_start_kernel() (well, xen-head.S:startup_xen(), really) and merge with baremetal path at x86_64_start_reservations() (for 64-bit). -boris > >> basis, although (as far as I am aware) Xen as a whole would be able to >> encompass itself and all of its PV guests inside one single SME >> instance. > > Yes, that is correct. > > Thanks, > Tom > >> >> ~Andrew >> -- To unsubscribe from this list: send the line "unsubscribe linux-efi" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html