Re: [RFC PATCH v1 09/28] x86/efi: Access EFI data as encrypted when SEV is active

From: Paolo Bonzini
Date: Thu Sep 22 2016 - 14:51:11 EST

On 22/09/2016 20:47, Tom Lendacky wrote:
> > Because the firmware volume is written to high memory in encrypted form,
> > and because the PEI phase runs in 32-bit mode, the firmware code will be
> > encrypted; on the other hand, data that is placed in low memory for the
> > kernel can be unencrypted, thus limiting differences between SME and SEV.
> I like the idea of limiting the differences but it would leave the EFI
> data and ACPI tables exposed and able to be manipulated.

Hmm, that makes sense. So I guess this has to stay, and Borislav's
proposal doesn't fly either.