Message-ID: <Y7QwXcAUmS3VZcbH@zn.tnic>
Date: Tue, 3 Jan 2023 14:40:45 +0100
From: Borislav Petkov <bp@...en8.de>
To: Nikunj A Dadhania <nikunj@....com>
Cc: linux-kernel@...r.kernel.org, x86@...nel.org, kvm@...r.kernel.org,
mingo@...hat.com, tglx@...utronix.de, dave.hansen@...ux.intel.com,
seanjc@...gle.com, pbonzini@...hat.com, thomas.lendacky@....com,
michael.roth@....com, stable@...nel.org
Subject: Re: [PATCH v3] x86/sev: Add SEV-SNP guest feature negotiation support
On Mon, Jan 02, 2023 at 02:08:10PM +0530, Nikunj A Dadhania wrote:
> The hypervisor can enable various new features (SEV_FEATURES[1:63])
> and start the SNP guest. Some of these features need guest side
> implementation. If any of these features are enabled without guest
> side implementation, the behavior of the SNP guest will be undefined.
> The SNP guest boot may fail in a non-obvious way making it difficult
> to debug.
>
> Instead of allowing the guest to continue and have it fail randomly
> later, detect this early and fail gracefully.
>
> SEV_STATUS MSR indicates features which hypervisor has enabled. While
^
the
> booting, SNP guests should ascertain that all the enabled features
> have guest side implementation. In case any feature is not implemented
> in the guest, the guest terminates booting with SNP feature
> unsupported exit code.
>
> More details in AMD64 APM[1] Vol 2: 15.34.10 SEV_STATUS MSR
>
> [1] https://www.amd.com/system/files/TechDocs/40332_4.05.pdf
>
> Fixes: cbd3d4f7c4e5 ("x86/sev: Check SEV-SNP features support")
> CC: Borislav Petkov <bp@...en8.de>
> CC: Michael Roth <michael.roth@....com>
> CC: Tom Lendacky <thomas.lendacky@....com>
> CC: <stable@...nel.org>
> Signed-off-by: Nikunj A Dadhania <nikunj@....com>
...
> diff --git a/Documentation/x86/amd-memory-encryption.rst b/Documentation/x86/amd-memory-encryption.rst
> index a1940ebe7be5..b8b6b87be995 100644
> --- a/Documentation/x86/amd-memory-encryption.rst
> +++ b/Documentation/x86/amd-memory-encryption.rst
> @@ -95,3 +95,38 @@ by supplying mem_encrypt=on on the kernel command line. However, if BIOS does
> not enable SME, then Linux will not be able to activate memory encryption, even
> if configured to do so by default or the mem_encrypt=on command line parameter
> is specified.
> +
> +Secure Nested Paging (SNP):
No ":"
> +===========================
<---- newline here.
> +SEV-SNP introduces new features (SEV_FEATURES[1:63]) which can be enabled
> +by the hypervisor for security enhancements. Some of these features need
> +guest side implementation to function correctly. The below table lists the
> +expected guest behavior with various possible scenarios of guest/hypervisor
> +SNP feature support.
> +
> ++---------------+---------------+---------------+---------------+
> +|Feature Enabled| Guest needs | Guest has | Guest boot |
> +| by HV |implementation |implementation | behavior |
> ++---------------+---------------+---------------+---------------+
> +| No | No | No | Boot |
> +| | | | |
> ++---------------+---------------+---------------+---------------+
> +| No | Yes | No | Boot |
> +| | | | |
> ++---------------+---------------+---------------+---------------+
> +| No | Yes | Yes | Boot |
> +| | | | |
> ++---------------+---------------+---------------+---------------+
> +| Yes | No | No | Boot with |
> +| | | |feature enabled|
> ++---------------+---------------+---------------+---------------+
> +| Yes | Yes | No | Graceful Boot |
> +| | | | Failure |
> ++---------------+---------------+---------------+---------------+
> +| Yes | Yes | Yes | Boot with |
> +| | | |feature enabled|
> ++---------------+---------------+---------------+---------------+
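Review bot: the new section never says how the "Graceful Boot Failure" row manifests, so an operator who hits it has nothing to look for. The commit message states that the guest reads the SEV_STATUS MSR and terminates boot with the SNP feature unsupported exit code, but neither the MSR nor the exit code appears in the added text. Suggest a sentence after the table along the lines of "If the hypervisor enables a feature that requires guest support the guest lacks, the guest requests termination with the SNP feature unsupported exit code; the enabled features are reported in the SEV_STATUS MSR (AMD64 APM Vol 2, 15.34.10)." Minor: "The below table lists" reads better as "The table below lists".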
sphinx is not happy about that table for some reason. I always find the error
messages cryptic though:
Documentation/x86/amd-memory-encryption.rst:110: WARNING: Block quote ends without a blank line; unexpected unindent.
Documentation/x86/amd-memory-encryption.rst:110: WARNING: Block quote ends without a blank line; unexpected unindent.
Documentation/x86/amd-memory-encryption.rst:122: WARNING: Block quote ends without a blank line; unexpected unindent.
Documentation/x86/amd-memory-encryption.rst:128: WARNING: Block quote ends without a blank line; unexpected unindent.
You can repro by doing "make htmldocs".
--
Regards/Gruss,
Boris.
https://people.kernel.org/tglx/notes-about-netiquette
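The check the patch description outlines (read SEV_STATUS, compare the hypervisor-enabled features against those the guest implements, refuse to boot on a mismatch) as an added model in C; this is not the patch's code, and the feature masks are constructed for illustration. It assumes, per the APM section cited above, that SEV_STATUS bit n+2 mirrors SEV_FEATURES[n], so SEV_FEATURES[1:63] occupy bits 3 and up.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: SEV_STATUS bit 2 is "SNP enabled" (SEV_FEATURES[0]) and
 * bit n+2 mirrors SEV_FEATURES[n], so SEV_FEATURES[1:63] start at bit 3. */
#define SNP_ENABLED_BIT 2
#define FEATURE_BIT(n)  (1ULL << ((n) + SNP_ENABLED_BIT))   /* SEV_FEATURES[n] */

/* Constructed masks, not the kernel's real tables: which features need a
 * guest-side implementation, and which of those this guest actually has. */
#define NEEDS_GUEST_IMPL (FEATURE_BIT(1) | FEATURE_BIT(2) | FEATURE_BIT(4))
#define GUEST_IMPLEMENTS (FEATURE_BIT(1))

enum boot_outcome { BOOT, BOOT_WITH_FEATURE, GRACEFUL_FAILURE };

/* Features the hypervisor enabled that require guest support the guest lacks.
 * A non-zero result is the condition under which the guest terminates early. */
uint64_t snp_unsupported_features(uint64_t sev_status, uint64_t needs_impl,
                                  uint64_t has_impl)
{
    return sev_status & needs_impl & ~has_impl;
}

/* Outcome for a single feature bit, following the rows of the patch's table. */
enum boot_outcome snp_feature_outcome(uint64_t sev_status, uint64_t feat,
                                      uint64_t needs_impl, uint64_t has_impl)
{
    if (!(sev_status & feat))
        return BOOT;                 /* not enabled by HV: guest support irrelevant */
    if ((needs_impl & feat) && !(has_impl & feat))
        return GRACEFUL_FAILURE;     /* enabled, required, missing: terminate boot */
    return BOOT_WITH_FEATURE;        /* enabled and either supported or transparent */
}

int main(void)
{
    /* Constructed SEV_STATUS: SNP on, plus SEV_FEATURES[1], [2] and [3] enabled. */
    uint64_t status = (1ULL << SNP_ENABLED_BIT) | FEATURE_BIT(1) |
                      FEATURE_BIT(2) | FEATURE_BIT(3);
    uint64_t bad = snp_unsupported_features(status, NEEDS_GUEST_IMPL, GUEST_IMPLEMENTS);

    if (bad)
        printf("unsupported SEV_FEATURES mask 0x%llx: guest would terminate\n",
               (unsigned long long)bad);
    else
        printf("all hypervisor-enabled features supported: guest boots\n");
    return 0;
}
```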