Re: [PATCH] x86/CPU/AMD, mm: Extend with mem_encrypt=sme option

From: Brijesh Singh
Date: Mon Oct 02 2017 - 07:32:34 EST

On 10/1/17 5:02 PM, Borislav Petkov wrote:
> On Sun, Oct 01, 2017 at 02:45:09PM -0500, Brijesh Singh wrote:
>>> So I want to be able to disable SEV and the whole code that comes with
>>> it in the *host*.
>> We can add a new variable 'sme_only'. By default this variable should be set
>> to false. When mem_encrypt=sme is passed then set it to true and
>> based on sme_only state early_detect_mem_encrypt() can clear X86_FEATURE_SEV
>> flag.
> Why would you need yet another variable? We have sev_enabled already?!?

Because sev_enabled will always be 'false' when we are booting on bare
metal. Whereas when we are running under hypervisor then this variable
will be true for the SEV guest, please see [1]. Both sev_active() and
sme_active() make use of this variable hence we will not be able to set
the sev_enabled variable on bare metal. Basically none of the SEV cases
will be executed on bare metal -- only thing which we need to take care
of is clearing the X86_FEATURE_SEV flag so that hypervisor will never
launch SEV guest when mem_encrypt=sme option is provided.