Re: [PATCH] KVM: SEV: Disable KVM_CAP_VM_COPY_ENC_CONTEXT_FROM for SEV-ES

From: Paolo Bonzini
Date: Wed Sep 15 2021 - 04:44:24 EST

Next message: Marek Szyprowski: "Re: [PATCH v2 0/6] fw_devlink improvements"
Previous message: yukuai (C): "Re: [PATCH v6 6/6] nbd: fix uaf in nbd_handle_reply()"
In reply to: Sean Christopherson: "Re: [PATCH] KVM: SEV: Disable KVM_CAP_VM_COPY_ENC_CONTEXT_FROM for SEV-ES"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 14/09/21 20:49, Sean Christopherson wrote:

On Tue, Sep 14, 2021, Peter Gonda wrote:

I do not think so. You cannot call KVM_SEV_LAUNCH_UPDATE_VMSA on the mirror
because svm_mem_enc_op() blocks calls from the mirror. So either you have to
update vmsa from the mirror or have the original VM read through its mirror's
vCPUs when calling KVM_SEV_LAUNCH_UPDATE_VMSA. Not sure which way is better
but I don't see a way to do this without updating KVM.

Ah, right, I forgot all of the SEV ioctls are blocked on the mirror. Put something
to that effect into the changelog to squash any argument about whether or not this
is the correct KVM behavior.

Indeed, at least KVM_SEV_LAUNCH_UPDATE_VMSA would have to be allowed in the mirror VM. Do you think anything else would be necessary?

Paolo

Next message: Marek Szyprowski: "Re: [PATCH v2 0/6] fw_devlink improvements"
Previous message: yukuai (C): "Re: [PATCH v6 6/6] nbd: fix uaf in nbd_handle_reply()"
In reply to: Sean Christopherson: "Re: [PATCH] KVM: SEV: Disable KVM_CAP_VM_COPY_ENC_CONTEXT_FROM for SEV-ES"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]