Re: [PATCH v14 21/22] crypto: ccp: Add the SNP_{PAUSE,RESUME}_ATTESTATION commands

From: Sean Christopherson
Date: Wed Apr 24 2024 - 20:15:54 EST

Next message: Sean Christopherson: "Re: [PATCH v14 17/22] KVM: SEV: Avoid WBINVD for HVA-based MMU notifications for SNP"
Previous message: Kunihiko Hayashi: "Re: [PATCH 1/4] arm64: dts: uniphier: ld11-global: use generic node name for audio-codec"
Next in thread: Michael Roth: "Re: [PATCH v14 21/22] crypto: ccp: Add the SNP_{PAUSE,RESUME}_ATTESTATION commands"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sun, Apr 21, 2024, Michael Roth wrote:
> These commands can be used to pause servicing of guest attestation
> requests. This useful when updating the reported TCB or signing key with
> commands such as SNP_SET_CONFIG/SNP_COMMIT/SNP_VLEK_LOAD, since they may
> in turn require updates to userspace-supplied certificates, and if an
> attestation request happens to be in-flight at the time those updates
> are occurring there is potential for a guest to receive a certificate
> blob that is out of sync with the effective signing key for the
> attestation report.
>
> These interfaces also provide some versatility with how similar
> firmware/certificate update activities can be handled in the future.

Wait, IIUC, this is using the kernel to get two userspace components to not
stomp over each other. Why is this the kernel's problem to solve?

Next message: Sean Christopherson: "Re: [PATCH v14 17/22] KVM: SEV: Avoid WBINVD for HVA-based MMU notifications for SNP"
Previous message: Kunihiko Hayashi: "Re: [PATCH 1/4] arm64: dts: uniphier: ld11-global: use generic node name for audio-codec"
Next in thread: Michael Roth: "Re: [PATCH v14 21/22] crypto: ccp: Add the SNP_{PAUSE,RESUME}_ATTESTATION commands"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]