From: Borislav Petkov <bp@suse.de>
To: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Brijesh Singh <brijesh.singh@amd.com>,
Paolo Bonzini <pbonzini@redhat.com>,
simon.guinot@sequanux.org, linux-efi@vger.kernel.org,
kvm@vger.kernel.org, rkrcmar@redhat.com,
matt@codeblueprint.co.uk, linux-pci@vger.kernel.org,
linus.walleij@linaro.org, gary.hook@amd.com, linux-mm@kvack.org,
paul.gortmaker@windriver.com, hpa@zytor.com, cl@linux.com,
dan.j.williams@intel.com, aarcange@redhat.com,
sfr@canb.auug.org.au, andriy.shevchenko@linux.intel.com,
herbert@gondor.apana.org.au, bhe@redhat.com, xemul@parallels.com,
joro@8bytes.org, x86@kernel.org, peterz@infradead.org,
piotr.luc@intel.com, mingo@redhat.com, msalter@redhat.com,
ross.zwisler@linux.intel.com, dyoung@redhat.com, jroedel@suse.de,
keescook@chromium.org, arnd@arndb.de, toshi.kani@hpe.com,
mathieu.desnoyers@efficios.com, luto@kernel.org,
devel@linuxdriverproject.org, bhelgaas@google.com,
tglx@linutronix.de, mchehab@kernel.org, iamjoonsoo.kim@lge.com,
labbott@fedoraproject.org, tony.luck@intel.com,
alexandre.bounine@idt.com, kuleshovmail@gmail.com,
linux-kernel@vger.kernel.org, mcgrof@kernel.org, mst@redhat.com,
linux-crypto@vger.kernel.org, tj@kernel.org,
akpm@linux-foundation.org, davem@davemloft.net
Subject: Re: [RFC PATCH v2 12/32] x86: Add early boot support when running with SEV active
Date: Thu, 16 Mar 2017 16:09:57 +0100 [thread overview]
Message-ID: <20170316150957.dos6wp3pmhos4hkj@pd.tnic> (raw)
In-Reply-To: <b27126ee-aff0-ab11-706b-fc6d8d4901db@amd.com>
On Thu, Mar 16, 2017 at 09:28:58AM -0500, Tom Lendacky wrote:
> Because there are differences between how SME and SEV behave
> (instruction fetches are always decrypted under SEV, DMA to an
> encrypted location is not supported under SEV, etc.) we need to
> determine which mode we are in so that things can be setup properly
> during boot. For example, if SEV is active the kernel will already
> be encrypted and so we don't perform that step or the trampoline area
> for bringing up an AP must be decrypted for SME but encrypted for SEV.
So with SEV enabled, it seems to me a guest doesn't know anything about
encryption and can run as if SME is disabled. So sme_active() will be
false. And then the kernel can bypass all that code dealing with SME.
So a guest should simply run like on baremetal with no SME, IMHO.
But then there's that part: "instruction fetches are always decrypted
under SEV". What does that mean exactly? And how much of that code can
be reused so that
* SME on baremetal
* SEV on guest
use the same logic?
Having the larger SEV preparation part on the kvm host side is perfectly
fine. But I'd like to keep kernel initialization paths clean.
Thanks.
--
Regards/Gruss,
Boris.
SUSE Linux GmbH, GF: Felix ImendA?rffer, Jane Smithard, Graham Norton, HRB 21284 (AG NA 1/4 rnberg)
--
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2017-03-16 15:10 UTC|newest]
Thread overview: 107+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-03-02 15:12 [RFC PATCH v2 00/32] x86: Secure Encrypted Virtualization (AMD) Brijesh Singh
2017-03-02 15:12 ` [RFC PATCH v2 01/32] x86: Add the Secure Encrypted Virtualization CPU feature Brijesh Singh
2017-03-03 16:59 ` Borislav Petkov
2017-03-03 21:01 ` Brijesh Singh
2017-03-04 10:11 ` Borislav Petkov
2017-03-06 18:11 ` Brijesh Singh
2017-03-06 20:54 ` Borislav Petkov
2017-03-02 15:12 ` [RFC PATCH v2 02/32] x86: Secure Encrypted Virtualization (SEV) support Brijesh Singh
2017-03-07 11:19 ` Borislav Petkov
2017-03-08 15:06 ` Borislav Petkov
2017-03-02 15:12 ` [RFC PATCH v2 03/32] KVM: SVM: prepare for new bit definition in nested_ctl Brijesh Singh
2017-03-02 15:12 ` [RFC PATCH v2 04/32] KVM: SVM: Add SEV feature definitions to KVM Brijesh Singh
2017-03-07 0:50 ` Borislav Petkov
2017-03-02 15:12 ` [RFC PATCH v2 05/32] x86: Use encrypted access of BOOT related data with SEV Brijesh Singh
2017-03-07 11:09 ` Borislav Petkov
2017-03-16 19:03 ` Tom Lendacky
2017-03-02 15:13 ` [RFC PATCH v2 06/32] x86/pci: Use memremap when walking setup data Brijesh Singh
2017-03-03 20:42 ` Bjorn Helgaas
2017-03-03 21:15 ` Tom Lendacky
2017-03-07 0:03 ` Bjorn Helgaas
2017-03-13 20:08 ` Tom Lendacky
2017-03-02 15:13 ` [RFC PATCH v2 07/32] x86/efi: Access EFI data as encrypted when SEV is active Brijesh Singh
2017-03-07 11:57 ` Borislav Petkov
2017-03-02 15:13 ` [RFC PATCH v2 08/32] x86: Use PAGE_KERNEL protection for ioremap of memory page Brijesh Singh
2017-03-07 14:59 ` Borislav Petkov
2017-03-16 20:04 ` Tom Lendacky
2017-03-17 14:32 ` Tom Lendacky
2017-03-17 14:55 ` Tom Lendacky
2017-03-02 15:13 ` [RFC PATCH v2 09/32] x86: Change early_ioremap to early_memremap for BOOT data Brijesh Singh
2017-03-08 8:46 ` Borislav Petkov
2017-03-02 15:14 ` [RFC PATCH v2 10/32] x86: DMA support for SEV memory encryption Brijesh Singh
2017-03-08 10:56 ` Borislav Petkov
2017-03-02 15:14 ` [RFC PATCH v2 11/32] x86: Unroll string I/O when SEV is active Brijesh Singh
2017-03-02 15:14 ` [RFC PATCH v2 12/32] x86: Add early boot support when running with SEV active Brijesh Singh
2017-03-09 14:07 ` Borislav Petkov
2017-03-09 16:13 ` Paolo Bonzini
2017-03-09 16:29 ` Borislav Petkov
2017-03-10 16:35 ` Brijesh Singh
2017-03-16 10:16 ` Borislav Petkov
2017-03-16 14:28 ` Tom Lendacky
2017-03-16 15:09 ` Borislav Petkov [this message]
2017-03-16 16:11 ` Tom Lendacky
2017-03-16 16:29 ` Borislav Petkov
2017-03-02 15:15 ` [RFC PATCH v2 13/32] KVM: SVM: Enable SEV by setting the SEV_ENABLE CPU feature Brijesh Singh
2017-03-09 19:29 ` Borislav Petkov
2017-03-02 15:15 ` [RFC PATCH v2 14/32] x86: mm: Provide support to use memblock when spliting large pages Brijesh Singh
2017-03-10 11:06 ` Borislav Petkov
2017-03-10 22:41 ` Brijesh Singh
2017-03-16 13:15 ` Paolo Bonzini
2017-03-16 18:28 ` Borislav Petkov
2017-03-16 22:25 ` Paolo Bonzini
2017-03-17 10:17 ` Borislav Petkov
2017-03-17 10:47 ` Paolo Bonzini
2017-03-17 10:56 ` Borislav Petkov
2017-03-17 11:03 ` Paolo Bonzini
2017-03-17 11:33 ` Borislav Petkov
2017-03-17 14:45 ` Paolo Bonzini
2017-03-18 16:37 ` Borislav Petkov
2017-04-06 14:05 ` Brijesh Singh
2017-04-06 17:25 ` Borislav Petkov
2017-04-06 18:37 ` Brijesh Singh
2017-04-07 11:33 ` Borislav Petkov
2017-04-07 14:50 ` Brijesh Singh
2017-03-16 12:28 ` Paolo Bonzini
2017-03-02 15:15 ` [RFC PATCH v2 15/32] x86: Add support for changing memory encryption attribute in early boot Brijesh Singh
2017-03-24 17:12 ` Borislav Petkov
2017-03-27 15:07 ` Brijesh Singh
2017-03-02 15:15 ` [RFC PATCH v2 16/32] x86: kvm: Provide support to create Guest and HV shared per-CPU variables Brijesh Singh
2017-03-16 11:06 ` Paolo Bonzini
2017-03-28 18:39 ` Borislav Petkov
2017-03-29 15:21 ` Paolo Bonzini
2017-03-29 15:32 ` Borislav Petkov
2017-03-02 15:15 ` [RFC PATCH v2 17/32] x86: kvmclock: Clear encryption attribute when SEV is active Brijesh Singh
2017-03-02 15:16 ` [RFC PATCH v2 18/32] kvm: svm: Use the hardware provided GPA instead of page walk Brijesh Singh
2017-03-29 15:14 ` Borislav Petkov
2017-03-29 17:08 ` Brijesh Singh
2017-03-02 15:16 ` [RFC PATCH v2 19/32] crypto: ccp: Introduce the AMD Secure Processor device Brijesh Singh
2017-03-02 17:39 ` Mark Rutland
2017-03-02 19:11 ` Brijesh Singh
2017-03-03 13:55 ` Andy Shevchenko
2017-03-02 15:16 ` [RFC PATCH v2 20/32] crypto: ccp: Add Platform Security Processor (PSP) interface support Brijesh Singh
2017-03-02 15:16 ` [RFC PATCH v2 21/32] crypto: ccp: Add Secure Encrypted Virtualization (SEV) " Brijesh Singh
2017-03-02 15:16 ` [RFC PATCH v2 22/32] kvm: svm: prepare to reserve asid for SEV guest Brijesh Singh
2017-03-02 15:17 ` [RFC PATCH v2 23/32] kvm: introduce KVM_MEMORY_ENCRYPT_OP ioctl Brijesh Singh
2017-03-16 10:25 ` Paolo Bonzini
2017-03-02 15:17 ` [RFC PATCH v2 24/32] kvm: x86: prepare for SEV guest management API support Brijesh Singh
2017-03-16 10:33 ` Paolo Bonzini
2017-03-02 15:17 ` [RFC PATCH v2 25/32] kvm: svm: Add support for SEV LAUNCH_START command Brijesh Singh
2017-03-02 15:17 ` [RFC PATCH v2 26/32] kvm: svm: Add support for SEV LAUNCH_UPDATE_DATA command Brijesh Singh
2017-03-16 10:48 ` Paolo Bonzini
2017-03-16 18:20 ` Brijesh Singh
2017-03-02 15:17 ` [RFC PATCH v2 27/32] kvm: svm: Add support for SEV LAUNCH_FINISH command Brijesh Singh
2017-03-02 15:18 ` [RFC PATCH v2 28/32] kvm: svm: Add support for SEV GUEST_STATUS command Brijesh Singh
2017-03-02 15:18 ` [RFC PATCH v2 29/32] kvm: svm: Add support for SEV DEBUG_DECRYPT command Brijesh Singh
2017-03-16 10:54 ` Paolo Bonzini
2017-03-16 18:41 ` Brijesh Singh
2017-03-17 11:09 ` Paolo Bonzini
2017-03-02 15:18 ` [RFC PATCH v2 30/32] kvm: svm: Add support for SEV DEBUG_ENCRYPT command Brijesh Singh
2017-03-16 11:03 ` Paolo Bonzini
2017-03-16 18:34 ` Brijesh Singh
2017-03-02 15:18 ` [RFC PATCH v2 31/32] kvm: svm: Add support for SEV LAUNCH_MEASURE command Brijesh Singh
2017-03-02 15:18 ` [RFC PATCH v2 32/32] x86: kvm: Pin the guest memory when SEV is active Brijesh Singh
2017-03-16 10:38 ` Paolo Bonzini
2017-03-16 18:17 ` Brijesh Singh
2017-03-03 20:33 ` [RFC PATCH v2 00/32] x86: Secure Encrypted Virtualization (AMD) Bjorn Helgaas
2017-03-03 20:51 ` Borislav Petkov
2017-03-03 21:15 ` Brijesh Singh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170316150957.dos6wp3pmhos4hkj@pd.tnic \
--to=bp@suse.de \
--cc=aarcange@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=alexandre.bounine@idt.com \
--cc=andriy.shevchenko@linux.intel.com \
--cc=arnd@arndb.de \
--cc=bhe@redhat.com \
--cc=bhelgaas@google.com \
--cc=brijesh.singh@amd.com \
--cc=cl@linux.com \
--cc=dan.j.williams@intel.com \
--cc=davem@davemloft.net \
--cc=devel@linuxdriverproject.org \
--cc=dyoung@redhat.com \
--cc=gary.hook@amd.com \
--cc=herbert@gondor.apana.org.au \
--cc=hpa@zytor.com \
--cc=iamjoonsoo.kim@lge.com \
--cc=joro@8bytes.org \
--cc=jroedel@suse.de \
--cc=keescook@chromium.org \
--cc=kuleshovmail@gmail.com \
--cc=kvm@vger.kernel.org \
--cc=labbott@fedoraproject.org \
--cc=linus.walleij@linaro.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-pci@vger.kernel.org \
--cc=luto@kernel.org \
--cc=mathieu.desnoyers@efficios.com \
--cc=matt@codeblueprint.co.uk \
--cc=mcgrof@kernel.org \
--cc=mchehab@kernel.org \
--cc=mingo@redhat.com \
--cc=msalter@redhat.com \
--cc=mst@redhat.com \
--cc=paul.gortmaker@windriver.com \
--cc=pbonzini@redhat.com \
--cc=peterz@infradead.org \
--cc=piotr.luc@intel.com \
--cc=rkrcmar@redhat.com \
--cc=ross.zwisler@linux.intel.com \
--cc=sfr@canb.auug.org.au \
--cc=simon.guinot@sequanux.org \
--cc=tglx@linutronix.de \
--cc=thomas.lendacky@amd.com \
--cc=tj@kernel.org \
--cc=tony.luck@intel.com \
--cc=toshi.kani@hpe.com \
--cc=x86@kernel.org \
--cc=xemul@parallels.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).