| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 14 Jun 2021 14:34:03 -0500
From: Tom Lendacky <thomas.lendacky@....com>
To: Borislav Petkov <bp@...en8.de>,
Brijesh Singh <brijesh.singh@....com>
Cc: x86@...nel.org, linux-kernel@...r.kernel.org, kvm@...r.kernel.org,
linux-efi@...r.kernel.org, platform-driver-x86@...r.kernel.org,
linux-coco@...ts.linux.dev, linux-mm@...ck.org,
linux-crypto@...r.kernel.org, Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>, Joerg Roedel <jroedel@...e.de>,
"H. Peter Anvin" <hpa@...or.com>, Ard Biesheuvel <ardb@...nel.org>,
Paolo Bonzini <pbonzini@...hat.com>,
Sean Christopherson <seanjc@...gle.com>,
Vitaly Kuznetsov <vkuznets@...hat.com>,
Wanpeng Li <wanpengli@...cent.com>,
Jim Mattson <jmattson@...gle.com>,
Andy Lutomirski <luto@...nel.org>,
Dave Hansen <dave.hansen@...ux.intel.com>,
Sergio Lopez <slp@...hat.com>, Peter Gonda <pgonda@...gle.com>,
Peter Zijlstra <peterz@...radead.org>,
Srinivas Pandruvada <srinivas.pandruvada@...ux.intel.com>,
David Rientjes <rientjes@...gle.com>, tony.luck@...el.com,
npmccallum@...hat.com
Subject: Re: [PATCH Part1 RFC v3 16/22] KVM: SVM: Create a separate mapping
for the SEV-ES save area
On 6/14/21 5:58 AM, Borislav Petkov wrote:
> On Wed, Jun 02, 2021 at 09:04:10AM -0500, Brijesh Singh wrote:
>> +/* Save area definition for SEV-ES and SEV-SNP guests */
>> +struct sev_es_save_area {
>
> Can we agree on a convention here to denote SEV-ES and later
> variants VS earlier ones so that you don't have "SEV-ES" in the name
> sev_es_save_area but to mean that this applies to SNP and future stuff
> too?
I was just following the APM, which lists it as the "State Save Area for
SEV-ES."
>
> What about SEV-only guests? I'm assuming those use the old variant.
Correct.
>
> Which would mean you can call this
>
> struct prot_guest_save_area
>
> or so, so that it doesn't have "sev" in the name and so that there's no
> confusion...
I guess we can call it just prot_save_area or protected_save_area or even
encrypted_save_area (no need for guest, since guest is implied, e.g. we
don't call the normal save area guest_save_area).
>
> Ditto for the size defines.
>
>> diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
>> index 5bc887e9a986..d93a1c368b61 100644
>> --- a/arch/x86/kvm/svm/sev.c
>> +++ b/arch/x86/kvm/svm/sev.c
>> @@ -542,12 +542,20 @@ static int sev_launch_update_data(struct kvm *kvm, struct kvm_sev_cmd *argp)
>>
>> static int sev_es_sync_vmsa(struct vcpu_svm *svm)
>
> Not SEV-ES only anymore, so I guess sev_snp_sync_vmca() or so.
>
>> - struct vmcb_save_area *save = &svm->vmcb->save;
>> + struct sev_es_save_area *save = svm->vmsa;
>>
>> /* Check some debug related fields before encrypting the VMSA */
>> - if (svm->vcpu.guest_debug || (save->dr7 & ~DR7_FIXED_1))
>> + if (svm->vcpu.guest_debug || (svm->vmcb->save.dr7 & ~DR7_FIXED_1))
>> return -EINVAL;
>>
>> + /*
>> + * SEV-ES will use a VMSA that is pointed to by the VMCB, not
>> + * the traditional VMSA that is part of the VMCB. Copy the
>> + * traditional VMSA as it has been built so far (in prep
>> + * for LAUNCH_UPDATE_VMSA) to be the initial SEV-ES state.
>
> Ditto - nomenclature.
Yup, that can be made more generic.
>
>> + */
>> + memcpy(save, &svm->vmcb->save, sizeof(svm->vmcb->save));
>> +
>> /* Sync registgers */
> ^^^^^^^^^^
>
> typo. Might as well fix while at it.
Will do.
Thanks,
Tom
>
Powered by blists - more mailing lists