All of
 help / color / mirror / Atom feed
From: Borislav Petkov <>
To: Tom Lendacky <>
Cc: Sean Christopherson <>, Pu Wen <>,
	Joerg Roedel <>,,,,,,,,,,,,
Subject: Re: [PATCH] x86/sev: Check whether SEV or SME is supported first
Date: Tue, 1 Jun 2021 18:59:37 +0200	[thread overview]
Message-ID: <YLZneRWzoujEe+6b@zn.tnic> (raw)
In-Reply-To: <>

On Tue, Jun 01, 2021 at 11:36:31AM -0500, Tom Lendacky wrote:
> That is the reason for checking the maximum supported leaf being at least
> 0x8000001f. If that leaf is supported, we expect the SEV status MSR to be
> valid. The problem is that the Hygon ucode does not support the MSR in
> question. I'm not sure what it would take for that to be added to their
> ucode and just always return 0.

Yap, that sounds good too.

> Because a hypervisor can put anything it wants in the CPUID 0x0 /
> 0x80000000 fields, I don't think we can just check for "AuthenticAMD".

By that logic you can forget even checking CPUID at all in that case.
The only reliable check you can do is MSR_AMD64_SEV which is guest-only.

> If we want the read of CPUID 0x8000001f done before reading the SEV status
> MSR, then the original patch is close, but slightly flawed, e.g. only SME
> can be indicated but then MSR_AMD64_SEV can say SEV active.
> If we want to introduce support for handling/detecting #GP, this might
> become overly complicated because of the very early, identity mapped state
> the code is in - especially for backport to stable.

Yah, ain't gonna happen. I'm not taking some #GP handler to the early
code just because some hardware is operating out of spec.

If some hypervisor running on Hygon hardware is lying and says it is an
AMD which supports the 0x8000001f leaf, then that hypervisor gets to
keep both pieces.


  reply	other threads:[~2021-06-01 16:59 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-05-26  7:24 [PATCH] x86/sev: Check whether SEV or SME is supported first Pu Wen
2021-05-26 17:27 ` Sean Christopherson
2021-05-27 15:08   ` Pu Wen
2021-05-31  9:37     ` Joerg Roedel
2021-05-31 14:56       ` Pu Wen
2021-06-01 14:39         ` Borislav Petkov
2021-06-01 16:14           ` Sean Christopherson
2021-06-01 16:36             ` Tom Lendacky
2021-06-01 16:59               ` Borislav Petkov [this message]
2021-06-01 17:16                 ` Sean Christopherson
2021-06-01 17:48                   ` Borislav Petkov
2021-06-01 18:08                     ` Sean Christopherson
2021-06-01 18:24                       ` Borislav Petkov
2021-06-01 17:09               ` Sean Christopherson
2021-06-01 18:30 ` Tom Lendacky
2021-06-02  6:55   ` Wen Pu

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=YLZneRWzoujEe+6b@zn.tnic \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.