On Fri, Sep 29, 2017 at 10:54:39AM -0500, Brijesh Singh wrote:
> In production, you do not want to run an encrypted guest on an unencrypted
> hypervisor -- I was thinking about the debug environment. We can start
> with mem_encrypt=sme and if we see the need for a 'sev' arg then we can
> extend it
On 09/29/2017 09:41 AM, Borislav Petkov wrote:
On Fri, Sep 29, 2017 at 07:28:47AM -0500, Brijesh Singh wrote:
if we are adding chicken bits then I think we should do it for both
"smeonly" and "sevonly". We can boot host OS with SME disabled and SEV
enabled, and still be able to create the
On Fri, Sep 29, 2017 at 07:28:47AM -0500, Brijesh Singh wrote:
> if we are adding chicken bits then I think we should do it for both
> "smeonly" and "sevonly". We can boot host OS with SME disabled and SEV
> enabled, and still be able to create the SEV guest from the hypervisor.
Sure, but is
On 9/28/17 2:23 PM, Borislav Petkov wrote:
...
> So actually we need chicken bits to be able to *enable* both when
> CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT is not set.
>
> I.e.,
>
> * mem_encrypt=on - both SME and SEV enabled
>
> * mem_encrypt=smeonly - only SME, no SEV on the host. This
Hi,
On Thu, Sep 28, 2017 at 01:48:48PM -0500, Brijesh Singh wrote:
> Let me understand the ask, are you saying that we need a method to disable
> the SEV
> feature from the host OS so that Hypervisor will not be able to create a SEV
> guest?
> Because once a guest is booted with SEV feature,
Hi Boris,
On 09/28/2017 04:02 AM, Borislav Petkov wrote:
...
+bool sev_active(void)
+{
+ return sme_me_mask && sev_enabled;
What I'm still missing is the chicken bit. I.e., to be able to boot with
"mem_encrypt=smeonly" or so, which disables the SEV side but can still
allow SME. For
On Wed, Sep 27, 2017 at 10:13:14AM -0500, Brijesh Singh wrote:
> From: Tom Lendacky
>
> Provide support for Secure Encrypted Virtualization (SEV). This initial
> support defines a flag that is used by the kernel to determine if it is
> running with SEV active.
>
> Cc: Thomas Gleixner
> Cc:
From: Tom Lendacky
Provide support for Secure Encrypted Virtualization (SEV). This initial
support defines a flag that is used by the kernel to determine if it is
running with SEV active.
Cc: Thomas Gleixner
Cc: Ingo Molnar
Cc: "H. Peter Anvin"
Cc: Borislav Petkov
Cc: Andy Lutomirski
Cc: