On 29/03/2022 21:30, Borislav Petkov wrote:
>
> So now that I think of it, it would be even nicer if the fact whether
> guest debugging is allowed, were available to the guest *very early*
> during boot. Because I think the most important cases where you'd want
> to singlestep a SEV* guest with the qemu gdbstub is early guest kernel
> boot code. So it would be cool if we'd have access to the debugging
> setting that early.
>
> Lemme have a look at your patches in detail to get an idea what's
> happening there.

Is efi_config_parse_tables() early enough? That's where we learn for
the first time that the firmware has a launch-secrets area that we can
look at.

We can add there (say, next to the call to efi_tpm_eventlog_init())
code to:

1. map the secret area (ioremap_encrypted())
2. parse the table, look for the "sev debug enabled" GUID.
3. set the value of the kernel variable that we can later use anywhere.

Of course Ard might know about a better mechanism or place to do that.

-Dov
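Steps 2 and 3 of the message above, sketched as a user-space C example that is added here and is not code from the thread or from the kernel. It assumes a little-endian table of GUID + 32-bit length records and a one-byte value; the GUID values, `parse_secret_area()`, `build_sample()` and `sev_debug_enabled` are hypothetical names and constructed data, and the mapping done by ioremap_encrypted() is modelled as a plain buffer.

```c
#include <stdint.h>
#include <string.h>

/* Assumed layout: header = 16-byte GUID + u32 total length (little-endian),
 * then entries of 16-byte GUID + u32 entry length (header included) + data. */
struct hdr { uint8_t guid[16]; uint32_t len; } __attribute__((packed));
/* Constructed placeholder GUIDs; the real values are not given in the thread. */
static const uint8_t TABLE_GUID[16] = { 0xAA, 0x01 };
static const uint8_t DEBUG_GUID[16] = { 0xDD, 0x02 };
static int sev_debug_enabled; /* step 3: flag later code would read */
static uint8_t sample[41];    /* constructed input, filled by build_sample() */

/* Step 2: returns 1 if the entry was found, 0 if absent, -1 if malformed. */
int parse_secret_area(const uint8_t *area, size_t size)
{
    struct hdr h, e;
    size_t off = sizeof(h);
    sev_debug_enabled = 0; /* fail closed on every error path */
    if (size < sizeof(h))
        return -1;
    memcpy(&h, area, sizeof(h));
    if (memcmp(h.guid, TABLE_GUID, 16) || h.len < sizeof(h) || h.len > size)
        return -1;
    for (; off < h.len; off += e.len) {
        if (h.len - off < sizeof(e))
            return -1; /* truncated entry header */
        memcpy(&e, area + off, sizeof(e));
        if (e.len < sizeof(e) || e.len > h.len - off)
            return -1; /* also stops a zero-length entry looping forever */
        if (memcmp(e.guid, DEBUG_GUID, 16))
            continue;
        if (e.len != sizeof(e) + 1)
            return -1; /* assumed: the value is a single byte */
        sev_debug_enabled = area[off + sizeof(e)] != 0;
        return 1;
    }
    return 0;
}

/* Fills sample[] with a constructed one-entry table carrying `value`. */
void build_sample(uint8_t value)
{
    struct hdr h = { .len = sizeof(sample) }, e = { .len = sizeof(e) + 1 };
    memcpy(h.guid, TABLE_GUID, 16);
    memcpy(e.guid, DEBUG_GUID, 16);
    memcpy(sample, &h, sizeof(h));
    memcpy(sample + sizeof(h), &e, sizeof(e));
    sample[2 * sizeof(h)] = value;
}
```

Every length is checked against the bytes that remain before it is used, and the flag is cleared first so a malformed table leaves debugging reported as disabled.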