| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 1 Jun 2021 16:14:22 +0000
From: Sean Christopherson <seanjc@...gle.com>
To: Borislav Petkov <bp@...en8.de>
Cc: Pu Wen <puwen@...on.cn>, Joerg Roedel <jroedel@...e.de>,
x86@...nel.org, joro@...tes.org, thomas.lendacky@....com,
dave.hansen@...ux.intel.com, peterz@...radead.org,
tglx@...utronix.de, mingo@...hat.com, hpa@...or.com,
sashal@...nel.org, gregkh@...uxfoundation.org,
linux-kernel@...r.kernel.org, kvm@...r.kernel.org,
stable@...r.kernel.org
Subject: Re: [PATCH] x86/sev: Check whether SEV or SME is supported first
On Tue, Jun 01, 2021, Borislav Petkov wrote:
> On Mon, May 31, 2021 at 10:56:50PM +0800, Pu Wen wrote:
> > Thanks for your suggestion, I'll try to set up early #GP handler to fix
> > the problem.
>
> Why? AFAICT, you only need to return early in sme_enable() if CPUID is
> not "AuthenticAMD". Just do that please.
I don't think that would suffice, presumably MSR_AMD64_SEV doesn't exist on older
AMD CPUs either. E.g. there's no mention of MSR 0xC001_0131 in the dev's guide
from 2015[*].
I also don't see the point in checking the vendor string. A malicious hypervisor
can lie about CPUID.0x0 just as easily as it can lie about CPUID.0x8000001f, so
for SEV the options are to either trust the hypervisor or eat #GPs on RDMSR for
non-SEV CPUs. If we go with "trust the hypervisor", then the original patch of
hoisting the CPUID.0x8000001f check up is simpler than checking the vendor string.
[*] https://www.amd.com/system/files/TechDocs/48751_16h_bkdg.pdf
Powered by blists - more mailing lists