Re: [Part1 PATCH v5 02/17] x86/mm: Add Secure Encrypted Virtualization (SEV) support

From: Brijesh Singh
Date: Thu Sep 28 2017 - 14:49:02 EST


Hi Boris,

On 09/28/2017 04:02 AM, Borislav Petkov wrote:
...

+bool sev_active(void)
+{
+ return sme_me_mask && sev_enabled;
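Review bot: the predicate in this fragment is true whenever both sme_me_mask and sev_enabled are set, so a boot option that keeps SME but switches SEV off has to clear only the SEV side (sev_enabled, or the X86_FEATURE_SEV capability flag mentioned later in this thread) and must leave sme_me_mask untouched; clearing the mask would silently turn SME off as well. A one-line comment above the function stating that sme_me_mask is the SME half and sev_enabled the SEV half would make that dependency explicit for whoever adds the chicken bit.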

What I'm still missing is the chicken bit. I.e., to be able to boot with
"mem_encrypt=smeonly" or so, which disables the SEV side but can still
allow SME. For when SEV has issues and people want to disable it.



Let me understand the ask: are you saying that we need a method to disable the SEV
feature from the host OS so that the hypervisor will not be able to create a SEV guest?
Because once a guest is booted with the SEV feature, there is no way to disable the SEV
feature from the guest.

i.e. if "mem_encrypt=smeonly" is set then we clear the X86_FEATURE_SEV capability flag
defined in [1].

[1] https://marc.info/?l=linux-kernel&m=150585470323923&w=2


You can do the patch ontop of those and send it as a reply to this
thread - no need to wait to resend the whole thing again.
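The semantics argued over in this thread, modelled as a small stand-alone program. This is added illustration only, not code from the patch series or the kernel: the struct, the `mem_encrypt=` parser, the C-bit position and the default-on behaviour are all constructed here, and the flag names are borrowed from the quoted fragment. It shows that "smeonly" must clear only the SEV capability while leaving `sme_me_mask` intact, and that a guest booted as an SEV guest cannot switch SEV off via the option.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Toy model of the boot-time state behind sev_active(). Constructed for
 * illustration; the encryption-bit position is a placeholder. */
#define C_BIT_MASK (1ULL << 47)

struct enc_state {
	uint64_t sme_me_mask;	/* nonzero once SME page encryption is in use */
	bool sev_enabled;	/* set when running as an SEV guest */
	bool sev_feature;	/* host may create SEV guests (stands in for X86_FEATURE_SEV) */
};

/* Same shape as the quoted predicate: SEV implies SME is in use. */
static bool sev_active(const struct enc_state *st)
{
	return st->sme_me_mask && st->sev_enabled;
}

static bool sme_active(const struct enc_state *st)
{
	return st->sme_me_mask != 0;
}

enum mem_encrypt_mode { ME_ON, ME_OFF, ME_SMEONLY, ME_UNKNOWN };

/* Find a "mem_encrypt=<value>" token on a space-separated command line.
 * An absent option defaults to ME_ON in this model (hypothetical default). */
static enum mem_encrypt_mode parse_mem_encrypt(const char *cmdline)
{
	static const char key[] = "mem_encrypt=";
	const size_t klen = sizeof(key) - 1;
	const char *p = cmdline;

	while (*p) {
		size_t n = strcspn(p, " \t");

		if (n >= klen && strncmp(p, key, klen) == 0) {
			const char *v = p + klen;
			size_t vlen = n - klen;

			if (vlen == 2 && strncmp(v, "on", 2) == 0)
				return ME_ON;
			if (vlen == 3 && strncmp(v, "off", 3) == 0)
				return ME_OFF;
			if (vlen == 7 && strncmp(v, "smeonly", 7) == 0)
				return ME_SMEONLY;
			return ME_UNKNOWN;	/* empty or unrecognised value */
		}
		p += n;
		p += strspn(p, " \t");
	}
	return ME_ON;
}

/* Apply the chicken bit at early boot. hw_sme/hw_sev: CPUID-reported support;
 * sev_guest: firmware booted this kernel as an SEV guest. Returns -1 on an
 * unknown option value and leaves *st unchanged in that case. */
static int apply_mem_encrypt(struct enc_state *st, const char *cmdline,
			     bool hw_sme, bool hw_sev, bool sev_guest)
{
	enum mem_encrypt_mode m = parse_mem_encrypt(cmdline);

	if (m == ME_UNKNOWN)
		return -1;

	/* Host side: "off" disables SME; "smeonly" keeps SME but clears the
	 * SEV capability so the hypervisor cannot create SEV guests. */
	st->sme_me_mask = (hw_sme && m != ME_OFF) ? C_BIT_MASK : 0;
	st->sev_feature = hw_sev && m == ME_ON;

	/* Guest side: a guest booted with SEV cannot turn off encryption of
	 * its own memory, so the option changes neither flag that sev_active()
	 * depends on. */
	st->sev_enabled = sev_guest;
	if (sev_guest)
		st->sme_me_mask = C_BIT_MASK;
	return 0;
}

int main(void)
{
	struct enc_state st;
	/* Constructed command line for the host "smeonly" case. */
	const char *cl = "root=/dev/sda1 mem_encrypt=smeonly quiet";

	if (apply_mem_encrypt(&st, cl, true, true, false) == 0)
		printf("smeonly host: sme=%d sev_feature=%d sev_active=%d\n",
		       sme_active(&st), st.sev_feature, sev_active(&st));
	return 0;
}
```

Running it with the constructed host command line prints SME active, the SEV capability cleared and sev_active() false, which is exactly the split the "smeonly" proposal needs; the guest case keeps sev_active() true regardless of the option.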