On 29/03/2022 23:28, Dov Murik wrote:
>
>
> On 29/03/2022 21:30, Borislav Petkov wrote:
>>
>> So now that I think of it, it would be even nicer if the fact whether
>> guest debugging is allowed, were available to the guest *very early*
>> during boot. Because I think the most important cases where you'd want
>> to singlestep a SEV* guest with the qemu gdbstub is early guest kernel
>> boot code. So it would be cool if we'd have access to the debugging
>> setting that early.
>>
>> Lemme have a look at your patches in detail to get an idea what's
>> happening there.
>

After a night's sleep I figured out that an SEV guest cannot tell if a
value it's reading was (a) encrypted by the host using
KVM_SEV_LAUNCH_UPDATE_DATA, or (b) added using secret injection using
KVM_SEV_LAUNCH_SECRET.

The only difference is that if the host is using
KVM_SEV_LAUNCH_UPDATE_DATA, then it changes the measurement. But maybe for
debugging scenarios we (= Guest Owner) don't care about the measurement
being correct. If that's the case, we don't need a secure channel and
secret injection. You can use a simple "sev=debug" (or whatever) in the
kernel command-line to indicate your needs.

Did I miss something?

-Dov
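A simplified model of the two launch paths compared above, as an added example that is not from the thread or from the kernel: the launch-digest chaining and the measurement field layout follow the general shape of the SEV API (HMAC over version, policy, launch digest and nonce, keyed with the TIK), while the key, nonce, firmware version, policy and pages are constructed sample values. It shows why a debug flag delivered with KVM_SEV_LAUNCH_UPDATE_DATA changes the measurement the guest owner precomputed, whereas KVM_SEV_LAUNCH_SECRET does not, even though the guest sees identical bytes in both cases.

```python
import hashlib
import hmac

# Constructed sample values (not real keys): the Transport Integrity Key shared
# with the guest owner, the launch nonce, a firmware version and a policy.
TIK = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
MNONCE = bytes.fromhex("a0a1a2a3a4a5a6a7a8a9aaabacadaeaf")
API_MAJOR, API_MINOR, BUILD = 1, 51, 3   # hypothetical firmware version
POLICY = 0x0                              # hypothetical policy (debug allowed)

KERNEL_PAGES = [b"\x01" * 4096, b"\x02" * 4096]   # constructed "kernel image"
DEBUG_FLAG = b"sev=debug\0".ljust(4096, b"\0")     # constructed page with the flag

def launch_update_data(ld: bytes, page: bytes) -> bytes:
    """KVM_SEV_LAUNCH_UPDATE_DATA: the page is folded into the launch digest
    GCTX.LD, modelled here as a SHA-256 chain over the pages."""
    return hashlib.sha256(ld + page).digest()

def launch_measure(ld: bytes) -> bytes:
    """KVM_SEV_LAUNCH_MEASURE: HMAC-SHA256 keyed with the TIK over the
    API/build fields, the policy, the launch digest and the nonce."""
    msg = (bytes([0x04, API_MAJOR, API_MINOR, BUILD])
           + POLICY.to_bytes(4, "little") + ld + MNONCE)
    return hmac.new(TIK, msg, hashlib.sha256).digest()

def launch_secret(guest_mem: dict, gpa: int, blob: bytes, ld: bytes) -> bytes:
    """KVM_SEV_LAUNCH_SECRET: the blob lands in guest memory after the
    measurement was taken and leaves GCTX.LD untouched."""
    guest_mem[gpa] = blob
    return ld

def debug_flag_changes_measurement(via_secret: bool) -> bool:
    """True if delivering the debug flag alters the launch measurement
    relative to the one the guest owner computed for the bare kernel."""
    ld = bytes(32)
    for page in KERNEL_PAGES:
        ld = launch_update_data(ld, page)
    baseline = launch_measure(ld)      # what the guest owner precomputed
    guest_mem = {}
    if via_secret:
        ld = launch_secret(guest_mem, 0x7000, DEBUG_FLAG, ld)
    else:
        ld = launch_update_data(ld, DEBUG_FLAG)
        guest_mem[0x7000] = DEBUG_FLAG
    # Either way the guest reads the same bytes; only the measurement differs.
    assert guest_mem[0x7000] == DEBUG_FLAG
    return launch_measure(ld) != baseline
```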