Re: [PATCH] x86/sev: Check whether SEV or SME is supported first

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Jun 01, 2021, Borislav Petkov wrote:
> On Mon, May 31, 2021 at 10:56:50PM +0800, Pu Wen wrote:
> > Thanks for your suggestion, I'll try to set up early #GP handler to fix
> > the problem.
> 
> Why? AFAICT, you only need to return early in sme_enable() if CPUID is
> not "AuthenticAMD". Just do that please.

I don't think that would suffice, presumably MSR_AMD64_SEV doesn't exist on older
AMD CPUs either.  E.g. there's no mention of MSR 0xC001_0131 in the dev's guide
from 2015[*].

I also don't see the point in checking the vendor string.  A malicious hypervisor
can lie about CPUID.0x0 just as easily as it can lie about CPUID.0x8000001f, so
for SEV the options are to either trust the hypervisor or eat #GPs on RDMSR for
non-SEV CPUs.  If we go with "trust the hypervisor", then the original patch of
hoisting the CPUID.0x8000001f check up is simpler than checking the vendor string.


[*] https://www.amd.com/system/files/TechDocs/48751_16h_bkdg.pdf



[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux