Message-ID: <a5dbf066-a999-42d4-8d0f-6dae66ef0b98@amd.com>
Date: Wed, 9 Jul 2025 10:14:17 -0500
From: "Pratik R. Sampat" <prsampat@....com>
To: Sean Christopherson <seanjc@...gle.com>
Cc: linux-crypto@...r.kernel.org, linux-kernel@...r.kernel.org,
 ashish.kalra@....com, thomas.lendacky@....com, john.allen@....com,
 herbert@...dor.apana.org.au, bp@...en8.de, michael.roth@....com,
 aik@....com, pbonzini@...hat.com
Subject: Re: [PATCH 1/1] crypto: ccp - Add the SNP_VERIFY_MITIGATION command

Hi Sean,

On 7/8/25 8:57 AM, Sean Christopherson wrote:
> On Mon, Jun 30, 2025, Pratik R. Sampat wrote:
>> The SEV-SNP firmware provides the SNP_VERIFY_MITIGATION command, which
>> can be used to query the status of currently supported vulnerability
>> mitigations and to initiate mitigations within the firmware.
>>
>> See SEV-SNP Firmware ABI specifications 1.58, SNP_VERIFY_MITIGATION for
>> more details.
> 
> Nothing here explains why this needs to be exposed directly to userspace.

The general idea is that not all mitigations may/can be applied
immediately, for example: some mitigations may require all the guests to be
shut down before they can be applied. So a host userspace interface to
query+apply mitigations can be useful for that coordination before
attempting to apply the mitigation.

I also realized that I could use SNP_FEATURE_INFO's cached results from
Ashish's CipherTextHiding series[1] to save us a firmware call if the
verify mitigation in the ECX vector is unsupported.

[1]: https://lore.kernel.org/kvm/cover.1751397223.git.ashish.kalra@amd.com/

Thanks,
Pratik 
