| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <f58d3b55-352f-4771-8b73-5ac81025a162@amd.com>
Date: Thu, 23 Oct 2025 12:36:39 -0500
From: Tom Lendacky <thomas.lendacky@....com>
To: Sean Christopherson <seanjc@...gle.com>
Cc: kvm@...r.kernel.org, linux-kernel@...r.kernel.org, x86@...nel.org,
linux-crypto@...r.kernel.org, Paolo Bonzini <pbonzini@...hat.com>,
Borislav Petkov <bp@...en8.de>, Dave Hansen <dave.hansen@...ux.intel.com>,
Ingo Molnar <mingo@...hat.com>, Thomas Gleixner <tglx@...utronix.de>,
Michael Roth <michael.roth@....com>, Ashish Kalra <ashish.kalra@....com>,
Herbert Xu <herbert@...dor.apana.org.au>, David Miller <davem@...emloft.net>
Subject: Re: [PATCH v3 3/4] crypto: ccp - Add an API to return the supported
SEV-SNP policy bits
On 10/23/25 11:37, Sean Christopherson wrote:
> On Wed, Oct 22, 2025, Tom Lendacky wrote:
>> Supported policy bits are dependent on the level of SEV firmware that is
>> currently running. Create an API to return the supported policy bits for
>> a given level of firmware. KVM will AND that value with the KVM supported
>
> Given "KVM will AND" and the shortlog, I expected a _future_ patch to have the
> ^^^^
> KVM changes.
>
> That's partly a PEBKAC on my end (I mean, it's literally the first diff), but I
> do think it highlights that we should probably separate the KVM change from the
> PSP support.
>
> Hmm, actually, the patch ordering is bad. There shouldn't need to be a separate
> KVM change after this commit, because as things are ordered now, there will be an
> ABI change between patch 1 and this patch.
>
> So I think what you want is:
>
> 1. KVM: SEV: Consolidate the SEV policy bits in a single header file
> 2. crypto: ccp - Add an API to return the supported SEV-SNP policy bits
> 3. KVM: SEV: Publish supported SEV-SNP policy bits
> 4. KVM: SEV: Add known supported SEV-SNP policy bits
>
> where #3 uses sev_get_snp_policy_bits() straightaway.
Ok, let me rearrange things, resend, and see how it looks.
>
>> policy bits to generate the actual supported policy bits.
>>
>> Signed-off-by: Tom Lendacky <thomas.lendacky@....com>
>> ---
>> arch/x86/kvm/svm/sev.c | 3 ++-
>> drivers/crypto/ccp/sev-dev.c | 37 ++++++++++++++++++++++++++++++++++++
>> include/linux/psp-sev.h | 20 +++++++++++++++++++
>> 3 files changed, 59 insertions(+), 1 deletion(-)
>>
>> diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
>> index 45e87d756e15..24167178bf05 100644
>> --- a/arch/x86/kvm/svm/sev.c
>> +++ b/arch/x86/kvm/svm/sev.c
>> @@ -3099,7 +3099,8 @@ void __init sev_hardware_setup(void)
>> sev_snp_supported = is_sev_snp_initialized();
>>
>> if (sev_snp_supported) {
>> - snp_supported_policy_bits = KVM_SNP_POLICY_MASK_VALID;
>> + snp_supported_policy_bits = sev_get_snp_policy_bits();
>> + snp_supported_policy_bits &= KVM_SNP_POLICY_MASK_VALID;
>
> I vote for:
>
> snp_supported_policy_bits = sev_get_snp_policy_bits() &
> KVM_SNP_POLICY_MASK_VALID;
>
> which makes it visually easier to see the policy bits logic.
Will do.
Thanks,
Tom
>
>> nr_ciphertext_hiding_asids = init_args.max_snp_asid;
>> }
Powered by blists - more mailing lists