Message-ID: <02a2e641-6b6d-e1c5-2c43-8815306d92a0@amd.com>
Date: Tue, 3 Jan 2023 09:07:14 +0530
From: "Nikunj A. Dadhania" <nikunj@....com>
To: Borislav Petkov <bp@...en8.de>,
David Rientjes <rientjes@...gle.com>
Cc: linux-kernel@...r.kernel.org, x86@...nel.org, kvm@...r.kernel.org,
mingo@...hat.com, tglx@...utronix.de, dave.hansen@...ux.intel.com,
seanjc@...gle.com, pbonzini@...hat.com, thomas.lendacky@....com,
michael.roth@....com, stable@...nel.org
Subject: Re: [PATCH v3] x86/sev: Add SEV-SNP guest feature negotiation support

On 03/01/23 01:32, Borislav Petkov wrote:
> On Mon, Jan 02, 2023 at 08:50:23PM +0530, Nikunj A. Dadhania wrote:
>>>> + /*
>>>> + * Terminate the boot if hypervisor has enabled any feature
>>>> + * lacking guest side implementation.
>>>> + */
>>>> + if (sev_status & SNP_FEATURES_IMPL_REQ & ~SNP_FEATURES_PRESENT)
>>>> + sev_es_terminate(SEV_TERM_SET_GEN, GHCB_SNP_FEAT_NOT_IMPLEMENTED);
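
Review bot: The masked value in `if (sev_status & SNP_FEATURES_IMPL_REQ & ~SNP_FEATURES_PRESENT)` is computed and then discarded, so the call to sev_es_terminate() carries only GHCB_SNP_FEAT_NOT_IMPLEMENTED and nothing identifies which bit triggered the termination. Consider keeping the result in a named local so the offending bits are available to whatever reporting path exists, and extend the comment to state that SNP_FEATURES_PRESENT must be updated whenever guest support for a feature in SNP_FEATURES_IMPL_REQ is added.
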
>>>
>>> We can't help out by specifying which feature(s)?
>>
>> The purpose of SNP_FEATURES_PRESENT is just that, at present no features that need guest
>> implementation are part of the kernel. For example, I will be posting patches with SecureTSC
>> enabled, that will make the following change.
>
> I think what David means is, can we have sev_es_terminate() say exactly which
> feature wasn't implemented instead of users having to dig out which one exactly
> wasn't by trying to find out what their SNP_FEATURES_IMPL_REQ and
> SNP_FEATURES_PRESENT masks are.
>
> Looking at the GHCB protocol, where GHCB_SNP_FEAT_NOT_IMPLEMENTED reason code
> goes is GHCBData[23:16] which is not enough... And the VMSA has SEV_FEATURES but
> that's guest-only.

Currently, GHCBData[24:63] is unused. If we intend to use the bit range (40 bits), the GHCB spec
will need to be updated. And it probably would not be enough.

> I guess we need a way to communicate those masks in a more user-friendly way so
> that it is exactly clear because of which missing feature(s) has the guest
> terminated.

As the termination request is done using the GHCB MSR protocol, exit codes cannot be used.

Regards,
Nikunj
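
The bit budget discussed in this message, as an added example that is not part of the original email or the kernel patch: it builds the GHCB MSR termination value with the reason code in GHCBData[23:16] and shows what is lost if a feature mask were packed into the unused GHCBData[63:24]. The function names, the sample masks, the reason code value and the spare-bit packing are assumptions made for illustration; the packing is hypothetical and not defined by the GHCB spec.

```c
#include <stdint.h>
#include <stdio.h>

/* GHCB MSR termination request: GHCBData[11:0] = 0x100, [15:12] reason set,
 * [23:16] reason code. [63:24] is the unused 40-bit range from the thread. */
#define TERM_REQ       0x100ULL
#define REASON_SET_POS 12
#define REASON_POS     16
#define SPARE_POS      24
#define SPARE_MASK     ((1ULL << 40) - 1)
#define SAMPLE_REASON  3u /* constructed placeholder, not the patch's value */

/* Bits the hypervisor enabled that need guest code the guest does not have. */
static uint64_t snp_unsupported(uint64_t status, uint64_t impl_req,
				uint64_t present)
{
	return status & impl_req & ~present;
}

/* What the guest can send today: a reason set and an 8-bit reason code. */
static uint64_t term_msr(unsigned set, unsigned code)
{
	return TERM_REQ | ((uint64_t)(set & 0xf) << REASON_SET_POS) |
	       ((uint64_t)(code & 0xff) << REASON_POS);
}

/* Hypothetical (not in the GHCB spec): carry the mask in the spare bits.
 * Returns the mask bits that do not fit and would be silently dropped. */
static uint64_t term_msr_with_mask(unsigned set, unsigned code, uint64_t mask,
				   uint64_t *msr)
{
	*msr = term_msr(set, code) | ((mask & SPARE_MASK) << SPARE_POS);
	return mask & ~SPARE_MASK;
}

int main(void)
{
	/* Constructed masks; bit positions are not real feature assignments. */
	uint64_t status = (1ULL << 0) | (1ULL << 11) | (1ULL << 45);
	uint64_t impl_req = (1ULL << 5) | (1ULL << 11) | (1ULL << 45);
	uint64_t msr, bad = snp_unsupported(status, impl_req, 0);
	uint64_t lost = term_msr_with_mask(0, SAMPLE_REASON, bad, &msr);

	printf("unsupported=%#llx msr=%#llx lost=%#llx\n",
	       (unsigned long long)bad, (unsigned long long)msr,
	       (unsigned long long)lost);
	return 0;
}
```

Any required feature bit at position 40 or above falls outside the spare range, which is why a 64-bit mask cannot be conveyed this way without losing information.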