Message-ID: <20250927060910.2933942-8-seanjc@google.com>
Date: Fri, 26 Sep 2025 23:09:07 -0700
From: Sean Christopherson <seanjc@...gle.com>
To: Paolo Bonzini <pbonzini@...hat.com>
Cc: kvm@...r.kernel.org, linux-kernel@...r.kernel.org, 
	Sean Christopherson <seanjc@...gle.com>
Subject: [GIT PULL] KVM: x86: SNP CipherTextHiding for 6.18

The tag has all the details of the feature.  Note that this is based directly
on the v6.18-ccp tag from the cryptodev tree.  I included all of the ccp
commits in the shortlog just in case the KVM pull request lands before the
crypto pull request.

The following changes since commit 8f5ae30d69d7543eee0d70083daf4de8fe15d585:

  Linux 6.17-rc1 (2025-08-10 19:41:16 +0300)

are available in the Git repository at:

  https://github.com/kvm-x86/linux.git tags/kvm-x86-ciphertext-6.18

for you to fetch changes up to 6c7c620585c6537dd5dcc75f972b875caf00f773:

  KVM: SEV: Add SEV-SNP CipherTextHiding support (2025-09-15 10:14:11 -0700)

----------------------------------------------------------------
KVM SEV-SNP CipherText Hiding support for 6.18

Add support for SEV-SNP's CipherText Hiding, an opt-in feature that prevents
unauthorized CPU accesses from reading the ciphertext of SNP guest private
memory, e.g. to attempt an offline attack.  Instead of ciphertext, the CPU
will always read back all FFs when CipherText Hiding is enabled.

Add new module parameter to the KVM module to enable CipherText Hiding and
control the number of ASIDs that can be used for VMs with CipherText Hiding,
which is in effect the number of SNP VMs.  When CipherText Hiding is enabled,
the shared SEV-ES/SEV-SNP ASID space is split into separate ranges for SEV-ES
and SEV-SNP guests, i.e. ASIDs that can be used for CipherText Hiding cannot
be used to run SEV-ES guests.

----------------------------------------------------------------
Ashish Kalra (7):
      crypto: ccp - New bit-field definitions for SNP_PLATFORM_STATUS command
      crypto: ccp - Cache SEV platform status and platform state
      crypto: ccp - Add support for SNP_FEATURE_INFO command
      crypto: ccp - Introduce new API interface to indicate SEV-SNP Ciphertext hiding feature
      crypto: ccp - Add support to enable CipherTextHiding on SNP_INIT_EX
      KVM: SEV: Introduce new min,max sev_es and sev_snp asid variables
      KVM: SEV: Add SEV-SNP CipherTextHiding support

 Documentation/admin-guide/kernel-parameters.txt |  21 ++++
 arch/x86/kvm/svm/sev.c                          |  68 +++++++++++--
 drivers/crypto/ccp/sev-dev.c                    | 127 +++++++++++++++++++++---
 drivers/crypto/ccp/sev-dev.h                    |   6 +-
 include/linux/psp-sev.h                         |  44 +++++++-
 include/uapi/linux/psp-sev.h                    |  10 +-
 6 files changed, 249 insertions(+), 27 deletions(-)
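The ASID partitioning described in the tag message (one shared SEV-ES/SEV-SNP range when CipherText Hiding is off, two disjoint ranges when it is on, with the SNP range sized by a module parameter) can be illustrated with a small allocator. The code below is an added example written for this archive page; it is not KVM's code, not the ccp driver's code, and not taken from the pull request. The structure name, function names, the toy hardware limit of 64 ASIDs, and the choice to carve the SNP range off the low end of the shared space are all assumptions made here for illustration; the actual layout KVM uses is not stated in the message above.

```c
/*
 * Added illustration, not KVM code: split a shared ASID space into a
 * SEV-SNP range (CipherText Hiding capable) and a SEV-ES range, and
 * refuse to hand an ASID from one range to a guest of the other type.
 * All names and numeric values are hypothetical.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_ASIDS 64   /* constructed toy limit, not a real hardware value */

enum guest_type { GUEST_SEV_ES, GUEST_SEV_SNP };

struct asid_pool {
	bool cth_enabled;            /* CipherText Hiding requested at init */
	unsigned min_es, max_es;     /* SEV-ES range, inclusive; empty if min > max */
	unsigned min_snp, max_snp;   /* SEV-SNP range, inclusive */
	bool in_use[MAX_ASIDS + 1];  /* index 0 is never a valid ASID */
};

/*
 * Initialise the pool. nr_snp_asids plays the role of the module parameter
 * that sets how many ASIDs may run CipherText Hiding VMs; it is ignored when
 * cth_enabled is false. Returns 0 on success, -1 on an invalid configuration.
 */
int asid_pool_init(struct asid_pool *p, unsigned min_asid, unsigned max_asid,
		   bool cth_enabled, unsigned nr_snp_asids)
{
	memset(p, 0, sizeof(*p));
	if (min_asid == 0 || max_asid > MAX_ASIDS || min_asid > max_asid)
		return -1;
	p->cth_enabled = cth_enabled;

	if (!cth_enabled) {
		/* Shared space: both guest types draw from the same range. */
		p->min_es = p->min_snp = min_asid;
		p->max_es = p->max_snp = max_asid;
		return 0;
	}

	/* Hypothetical layout: SNP ASIDs occupy the low end, SEV-ES the rest. */
	if (nr_snp_asids == 0 || nr_snp_asids > max_asid - min_asid + 1)
		return -1;
	p->min_snp = min_asid;
	p->max_snp = min_asid + nr_snp_asids - 1;
	p->min_es = p->max_snp + 1;   /* may exceed max_es: then ES range is empty */
	p->max_es = max_asid;
	return 0;
}

/* Lowest free ASID in the range for this guest type; 0 if the range is exhausted. */
unsigned asid_alloc(struct asid_pool *p, enum guest_type t)
{
	unsigned lo = (t == GUEST_SEV_SNP) ? p->min_snp : p->min_es;
	unsigned hi = (t == GUEST_SEV_SNP) ? p->max_snp : p->max_es;

	for (unsigned a = lo; a <= hi; a++) {
		if (!p->in_use[a]) {
			p->in_use[a] = true;
			return a;
		}
	}
	return 0;
}

void asid_free(struct asid_pool *p, unsigned asid)
{
	if (asid != 0 && asid <= MAX_ASIDS)
		p->in_use[asid] = false;
}

/* True if the ASID lies in the range that may run CipherText Hiding guests. */
bool asid_is_snp(const struct asid_pool *p, unsigned asid)
{
	return asid >= p->min_snp && asid <= p->max_snp;
}

int main(void)
{
	struct asid_pool p;

	/* Constructed configuration: ASIDs 1..16 shared, 4 reserved for SNP. */
	if (asid_pool_init(&p, 1, 16, true, 4) != 0)
		return 1;
	printf("SNP range %u..%u, SEV-ES range %u..%u\n",
	       p.min_snp, p.max_snp, p.min_es, p.max_es);
	printf("first SNP ASID: %u, first SEV-ES ASID: %u\n",
	       asid_alloc(&p, GUEST_SEV_SNP), asid_alloc(&p, GUEST_SEV_ES));
	return 0;
}
```

The point the allocator makes concrete is the last sentence of the tag message: once the space is split, an ASID in the SNP range is never returned for a SEV-ES guest, and a request for more SNP ASIDs than the shared space holds is rejected at init rather than silently clamped.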
