On Tue, Jun 01, 2021, Borislav Petkov wrote: > On Mon, May 31, 2021 at 10:56:50PM +0800, Pu Wen wrote: > > Thanks for your suggestion, I'll try to set up early #GP handler to fix > > the problem. > > Why? AFAICT, you only need to return early in sme_enable() if CPUID is > not "AuthenticAMD". Just do that please. I don't think that would suffice, presumably MSR_AMD64_SEV doesn't exist on older AMD CPUs either. E.g. there's no mention of MSR 0xC001_0131 in the dev's guide from 2015[*]. I also don't see the point in checking the vendor string. A malicious hypervisor can lie about CPUID.0x0 just as easily as it can lie about CPUID.0x8000001f, so for SEV the options are to either trust the hypervisor or eat #GPs on RDMSR for non-SEV CPUs. If we go with "trust the hypervisor", then the original patch of hoisting the CPUID.0x8000001f check up is simpler than checking the vendor string. [*] https://www.amd.com/system/files/TechDocs/48751_16h_bkdg.pdf
