Re: [PATCH v10 48/50] KVM: SEV: Provide support for SNP_GUEST_REQUEST NAE event

From: Dionna Amalie Glaze
Date: Mon Oct 16 2023 - 19:18:35 EST


> +
> + /*
> + * If a VMM-specific certificate blob hasn't been provided, grab the
> + * host-wide one.
> + */
> + snp_certs = sev_snp_certs_get(sev->snp_certs);
> + if (!snp_certs)
> + snp_certs = sev_snp_global_certs_get();
> +

This is where the generation I suggested adding would get checked. If
the instance certs' generation is not the global generation, then I
think we need a way to return to the VMM to make that right before
continuing to provide outdated certificates.
This might be an unreasonable request, but the fact that the certs and
reported_tcb can be set while a VM is running makes this an issue.

--
-Dionna Glaze, PhD (she/her)