Re: [PATCH v2 2/2] KVM: SEV: Configure "ALLOWED_SEV_FEATURES" VMCB Field

From: Sean Christopherson
Date: Thu Aug 22 2024 - 19:31:58 EST

Next message: Tristram.Ha: "RE: [PATCH net-next v4 2/2] net: dsa: microchip: Add KSZ8895/KSZ8864 switch support"
Previous message: Jakub Kicinski: "Re: [PATCH net-next v4 2/6] netdev_features: remove unused __UNUSED_NETIF_F_1"
In reply to: Kim Phillips: "[PATCH v2 2/2] KVM: SEV: Configure "ALLOWED_SEV_FEATURES" VMCB Field"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Aug 22, 2024, Kim Phillips wrote:
> AMD EPYC 5th generation processors have introduced a feature that allows
> the hypervisor to control the SEV_FEATURES that are set for, or by, a
> guest [1]. ALLOWED_SEV_FEATURES can be used by the hypervisor to enforce
> that SEV-ES and SEV-SNP guests cannot enable features that the
> hypervisor does not want to be enabled.
>
> When ALLOWED_SEV_FEATURES is enabled, a VMRUN will fail if any
> non-reserved bits are 1 in SEV_FEATURES but are 0 in
> ALLOWED_SEV_FEATURES.

This may need additional uAPI so that userspace can opt-in. Dunno. I hope guests
aren't abusing features, but IIUC, flipping this on has the potential to break
existing VMs, correct?

Next message: Tristram.Ha: "RE: [PATCH net-next v4 2/2] net: dsa: microchip: Add KSZ8895/KSZ8864 switch support"
Previous message: Jakub Kicinski: "Re: [PATCH net-next v4 2/6] netdev_features: remove unused __UNUSED_NETIF_F_1"
In reply to: Kim Phillips: "[PATCH v2 2/2] KVM: SEV: Configure "ALLOWED_SEV_FEATURES" VMCB Field"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]