lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <04b37d71-c887-660b-5046-17dec4bb4115@redhat.com>
Date:   Wed, 24 Feb 2021 10:18:21 +0100
From:   Paolo Bonzini <pbonzini@...hat.com>
To:     Nathan Tempelman <natet@...gle.com>
Cc:     thomas.lendacky@....com, x86@...nel.org, kvm@...r.kernel.org,
        linux-kernel@...r.kernel.org, srutherford@...gle.com,
        seanjc@...gle.com, rientjes@...gle.com, brijesh.singh@....com,
        Ashish.Kalra@....com, Nathaniel McCallum <npmccallum@...hat.com>
Subject: Re: [RFC] KVM: x86: Support KVM VMs sharing SEV context

[CCing Nathaniel McCallum]

On 24/02/21 09:59, Nathan Tempelman wrote:
> 
> +7.23 KVM_CAP_VM_COPY_ENC_CONTEXT_TO
> +-----------------------------------
> +
> +Architectures: x86 SEV enabled
> +Type: system

vm ioctl, not system (/dev/kvm).  But, see below.

> +Parameters: args[0] is the fd of the kvm to mirror encryption context to
> +Returns: 0 on success; ENOTTY on error
> +
> +This capability enables userspace to copy encryption context from a primary
> +vm to the vm indicated by the fd.
> +
> +This is intended to support in-guest workloads scheduled by the host. This
> +allows the in-guest workload to maintain its own NPTs and keeps the two vms
> +from accidentally clobbering each other with interrupts and the like (separate
> +APIC/MSRs/etc).

 From purely an API design standpoint, I think I'd prefer a "set context 
from" API (the other way round) to match the existing KVM_SEV_INIT.

Apart from this, the code is very nice and I would have no issues 
merging this in 5.12 even after the merge window.

As an aside, do you happen to have SEV selftests at Google?  I would 
gladly volunteer to write the selftest myself for this ioctl given the 
infrastructure.

Thanks,

Paolo

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ