| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 28 Sep 2017 13:48:48 -0500
From: Brijesh Singh <brijesh.singh@....com>
To: Borislav Petkov <bp@...e.de>
Cc: brijesh.singh@....com, kvm@...r.kernel.org,
linux-kernel@...r.kernel.org, x86@...nel.org,
Tom Lendacky <thomas.lendacky@....com>,
Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>,
"H. Peter Anvin" <hpa@...or.com>, Andy Lutomirski <luto@...nel.org>
Subject: Re: [Part1 PATCH v5 02/17] x86/mm: Add Secure Encrypted
Virtualization (SEV) support
Hi Boris,
On 09/28/2017 04:02 AM, Borislav Petkov wrote:
...
>> +bool sev_active(void)
>> +{
>> + return sme_me_mask && sev_enabled;
>
> What I'm still missing is the chicken bit. I.e., to be able to boot with
> "mem_encrypt=smeonly" or so, which disables the SEV side but can still
> allow SME. For when SEV has issues and people want to disable it.
>
Let me understand the ask, are you saying that we need a method to disable the SEV
feature from the host OS so that Hypervisor will not be able to create a SEV guest?
Because once a guest is booted with SEV feature, there is no way to disable the SEV
feature from the guest.
i.e if "mem_encrypt=smeonly" is set then we clear X86_FEATURE_SEV capability flag
defined in [1].
[1] https://marc.info/?l=linux-kernel&m=150585470323923&w=2
> You can do the patch ontop of those and send it as a reply to this
> thread - no need to wait to resend the whole thing again.
>
Powered by blists - more mailing lists