Re: [Part1 PATCH v5 02/17] x86/mm: Add Secure Encrypted Virtualization (SEV) support
From: Borislav Petkov
Date: Thu Sep 28 2017 - 15:24:05 EST
Hi,
On Thu, Sep 28, 2017 at 01:48:48PM -0500, Brijesh Singh wrote:
> Let me understand the ask, are you saying that we need a method to disable the SEV
> feature from the host OS so that Hypervisor will not be able to create a SEV guest?
> Because once a guest is booted with SEV feature, there is no way to disable the SEV
> feature from the guest.
>
> i.e if "mem_encrypt=smeonly" is set then we clear X86_FEATURE_SEV capability flag
> defined in [1].
So actually we need chicken bits to be able to *enable* both when
CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT is not set.
I.e.,
* mem_encrypt=on - both SME and SEV enabled
* mem_encrypt=smeonly - only SME, no SEV on the host. This option will
basically prevent from using any SEV guests and make the SEV part of the
code inactive. I.e., sev_active() and sev_enabled should be false. As
you say above, we should clear X86_FEATURE_SEV, yes.
* mem_encrypt=off - neither SME/SEV are enabled.
And =on and =off we already have.
How does that sound?
--
Regards/Gruss,
Boris.
SUSE Linux GmbH, GF: Felix ImendÃrffer, Jane Smithard, Graham Norton, HRB 21284 (AG NÃrnberg)
--