lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <e2484cdf-2adc-49d3-8b5f-8c8ac3941b10@amd.com>
Date: Mon, 13 Jan 2025 09:40:06 +0530
From: "Nikunj A. Dadhania" <nikunj@....com>
To: Pratik Rajesh Sampat <prsampat@....com>,
 "Pratik R. Sampat" <pratikrajesh.sampat@....com>, kvm@...r.kernel.org
Cc: seanjc@...gle.com, pbonzini@...hat.com, pgonda@...gle.com,
 thomas.lendacky@....com, michael.roth@....com, shuah@...nel.org,
 linux-kselftest@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [sos-linux-ext-patches] [PATCH v4 1/8] KVM: SEV: Disable SEV-SNP
 on FW validation failure



On 1/11/2025 3:20 AM, Pratik Rajesh Sampat wrote:
> Hi Nikunj,
> 
> On 1/9/25 11:21 PM, Nikunj A. Dadhania wrote:
>>
>>
>> On 11/15/2024 5:10 AM, Pratik R. Sampat wrote:
>>> On incompatible firmware versions, SEV-SNP support is pulled and the
>>> setup is not performed. However, the platform and subsequently the KVM
>>> capability may continue to advertize support for it. Disable support for
>>> SEV-SNP if the FW version validation fails.
>>
>> Additionally, can we ensure that if sev_platform_init() fails, we do not
>> indicate SNP support?
> 
> That sounds good to me. Although if the platform initialization fails,
> I think we should not be advertising SEV, SEV-ES as well.

Even better!

> 
> If that makes sense, we could do something similar to before by
> exporting another function from ccp that returns whether the platform
> is initialized. Then, within kvm's sev_hardware_setup(), we can check
> this to ensure that none of the capabilities are set if the platform
> initialization has failed?

Yes, that will ensure we do not advertise any of the SEV capabilities
if the ccp driver has failed loading the firmware or initializing the
platform.

Regards
Nikunj
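The gating policy agreed on above, as an added stand-alone model rather than anything from the thread or the kernel tree: firmware validation failure drops SEV-SNP, and a failed platform init drops every SEV capability. The struct, the function names and the minimum firmware version are assumptions made for the model.

```c
/* Constructed model (not kernel code) of the capability gating discussed
 * in the thread: what KVM advertises must shrink when the ccp driver fails
 * firmware validation or platform initialization.
 */
#include <stdbool.h>
#include <stdint.h>

#define CAP_SEV     (1u << 0)
#define CAP_SEV_ES  (1u << 1)
#define CAP_SEV_SNP (1u << 2)

/* Assumed minimum firmware version for SNP; placeholder values. */
#define SNP_MIN_FW_MAJOR 1
#define SNP_MIN_FW_MINOR 51

struct sev_platform {
    bool hw_sev, hw_sev_es, hw_snp;   /* what CPUID/MSRs report as supported */
    uint8_t fw_major, fw_minor;       /* firmware version reported by the PSP */
    bool platform_initialized;        /* outcome of the modelled platform init */
};

/* FW validation: SNP needs at least SNP_MIN_FW_MAJOR.SNP_MIN_FW_MINOR. */
static bool snp_fw_version_ok(const struct sev_platform *p)
{
    if (p->fw_major != SNP_MIN_FW_MAJOR)
        return p->fw_major > SNP_MIN_FW_MAJOR;
    return p->fw_minor >= SNP_MIN_FW_MINOR;
}

/* Before the fix: advertised capabilities follow hardware support only,
 * so a host whose firmware or platform init failed still claims SNP. */
unsigned int advertised_caps_unchecked(const struct sev_platform *p)
{
    unsigned int caps = 0;
    if (p->hw_sev)    caps |= CAP_SEV;
    if (p->hw_sev_es) caps |= CAP_SEV_ES;
    if (p->hw_snp)    caps |= CAP_SEV_SNP;
    return caps;
}

/* After the fix: FW validation gates SNP; failed platform init gates all. */
unsigned int advertised_caps_gated(const struct sev_platform *p)
{
    unsigned int caps = advertised_caps_unchecked(p);
    if (!snp_fw_version_ok(p))
        caps &= ~CAP_SEV_SNP;
    if (!p->platform_initialized)
        caps = 0;
    return caps;
}
```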
