Re: [Part1 PATCH v5 02/17] x86/mm: Add Secure Encrypted Virtualization (SEV) support

[Borislav Petkov]

Hi,

On Thu, Sep 28, 2017 at 01:48:48PM -0500, Brijesh Singh wrote:
> Let me understand the ask, are you saying that we need a method to disable the SEV
> feature from the host OS so that Hypervisor will not be able to create a SEV guest?
> Because once a guest is booted with SEV feature, there is no way to disable the SEV
> feature from the guest.
> 
> i.e if "mem_encrypt=smeonly" is set then we clear X86_FEATURE_SEV capability flag
> defined in [1].

So actually we need chicken bits to be able to *enable* both when
CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT is not set.

I.e.,

* mem_encrypt=on - both SME and SEV enabled

* mem_encrypt=smeonly - only SME, no SEV on the host. This option will
basically prevent from using any SEV guests and make the SEV part of the
code inactive. I.e., sev_active() and sev_enabled should be false. As
you say above, we should clear X86_FEATURE_SEV, yes.

* mem_encrypt=off - neither SME/SEV are enabled.

And =on and =off we already have.

How does that sound?

-- 
Regards/Gruss,
    Boris.

SUSE Linux GmbH, GF: Felix ImendÃrffer, Jane Smithard, Graham Norton, HRB 21284 (AG NÃrnberg)
--