| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aHBCosztx8QWC4G0@google.com> Date: Thu, 10 Jul 2025 15:45:54 -0700 From: Sean Christopherson <seanjc@...gle.com> To: "Pratik R. Sampat" <prsampat@....com> Cc: linux-crypto@...r.kernel.org, linux-kernel@...r.kernel.org, ashish.kalra@....com, thomas.lendacky@....com, john.allen@....com, herbert@...dor.apana.org.au, bp@...en8.de, michael.roth@....com, aik@....com, pbonzini@...hat.com Subject: Re: [PATCH 1/1] crypto: ccp - Add the SNP_VERIFY_MITIGATION command On Wed, Jul 09, 2025, Pratik R. Sampat wrote: > Hi Sean, > > On 7/8/25 8:57 AM, Sean Christopherson wrote: > > On Mon, Jun 30, 2025, Pratik R. Sampat wrote: > >> The SEV-SNP firmware provides the SNP_VERIFY_MITIGATION command, which > >> can be used to query the status of currently supported vulnerability > >> mitigations and to initiate mitigations within the firmware. > >> > >> See SEV-SNP Firmware ABI specifications 1.58, SNP_VERIFY_MITIGATION for > >> more details. > > > > Nothing here explains why this needs to be exposed directly to userspace. > > The general idea is that not all mitigations may/can be applied > immediately, for ex: some mitigations may require all the guest to be > shutdown before they can be applied. So a host userspace interface to > query+apply mitigations can be useful for that coordination before > attempting to apply the mitigation. But why expose ioctls to effectively give userspace direct access to firmware? E.g. why not configure firmware mitigations via the kernel's upcoming Attack Vector Controls. https://lore.kernel.org/all/20250707183316.1349127-1-david.kaplan@amd.com
Powered by blists - more mailing lists