lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 21 Jan 2021 17:12:43 -0600
From:   Tom Lendacky <thomas.lendacky@....com>
To:     Tejun Heo <tj@...nel.org>
Cc:     Vipin Sharma <vipinsh@...gle.com>, brijesh.singh@....com,
        jon.grimm@....com, eric.vantassell@....com, pbonzini@...hat.com,
        seanjc@...gle.com, lizefan@...wei.com, hannes@...xchg.org,
        frankja@...ux.ibm.com, borntraeger@...ibm.com, corbet@....net,
        joro@...tes.org, vkuznets@...hat.com, wanpengli@...cent.com,
        jmattson@...gle.com, tglx@...utronix.de, mingo@...hat.com,
        bp@...en8.de, hpa@...or.com, gingell@...gle.com,
        rientjes@...gle.com, dionnaglaze@...gle.com, kvm@...r.kernel.org,
        x86@...nel.org, cgroups@...r.kernel.org, linux-doc@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [Patch v4 1/2] cgroup: svm: Add Encryption ID controller

On 1/21/21 9:55 AM, Tejun Heo wrote:
> Hello,
> 
> On Thu, Jan 21, 2021 at 08:55:07AM -0600, Tom Lendacky wrote:
>> The hardware will allow any SEV capable ASID to be run as SEV-ES, however,
>> the SEV firmware will not allow the activation of an SEV-ES VM to be
>> assigned to an ASID greater than or equal to the SEV minimum ASID value. The
>> reason for the latter is to prevent an !SEV-ES ASID starting out as an
>> SEV-ES guest and then disabling the SEV-ES VMCB bit that is used by VMRUN.
>> This would result in the downgrading of the security of the VM without the
>> VM realizing it.
>>
>> As a result, you have a range of ASIDs that can only run SEV-ES VMs and a
>> range of ASIDs that can only run SEV VMs.
> 
> I see. That makes sense. What's the downside of SEV-ES compared to SEV w/o
> ES? Are there noticeable performance / feature penalties or is the split
> mostly for backward compatibility?

SEV-ES is an incremental enhancement of SEV where the register state of 
the guest is protected/encrypted. As with a lot of performance questions, 
the answer is ...it depends. With SEV-ES, there is additional overhead 
associated with a world switch (VMRUN/VMEXIT) to restore and save 
additional register state. Also, exit events are now divided up into 
automatic exits (AE) and non-automatic exits (NAE). NAE events result in a 
new #VC exception being generated where the guest is then required to use 
the VMGEXIT instruction to communicate only the state necessary to perform 
the operation. A CPUID instruction is a good example, where a shared page 
is used to communicate required state to the hypervisor to perform the 
CPUID emulation, which then returns the results back through the shared 
page to the guest. So it all depends on how often the workload in question 
performs operations that result in a VMEXIT of the vCPU, etc.

Thanks,
Tom

> 
> Thanks.
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ