Re: [Part1 PATCH v5 02/17] x86/mm: Add Secure Encrypted Virtualization (SEV) support

2017-09-29 Thread Borislav Petkov
On Fri, Sep 29, 2017 at 10:54:39AM -0500, Brijesh Singh wrote: > In production, you do not want to run an encrypted guest on an unencrypted > hypervisor -- I was thinking about the debug environment. We can start > with mem_encrypt=sme and if we see the need for 'sev' arg then we can > extend it

Re: [Part1 PATCH v5 02/17] x86/mm: Add Secure Encrypted Virtualization (SEV) support

2017-09-29 Thread Brijesh Singh
On 09/29/2017 09:41 AM, Borislav Petkov wrote: On Fri, Sep 29, 2017 at 07:28:47AM -0500, Brijesh Singh wrote: if we are adding chicken bits then I think we should do it for both "smeonly" and "sevonly". We can boot host OS with SME disabled and SEV enabled, and still be able to create the

Re: [Part1 PATCH v5 02/17] x86/mm: Add Secure Encrypted Virtualization (SEV) support

2017-09-29 Thread Borislav Petkov
On Fri, Sep 29, 2017 at 07:28:47AM -0500, Brijesh Singh wrote: > if we are adding chicken bits then I think we should do it for both > "smeonly" and "sevonly". We can boot host OS with SME disabled and SEV > enabled, and still be able to create the SEV guest from the hypervisor. Sure, but is

Re: [Part1 PATCH v5 02/17] x86/mm: Add Secure Encrypted Virtualization (SEV) support

2017-09-29 Thread Brijesh Singh
On 9/28/17 2:23 PM, Borislav Petkov wrote: ... > So actually we need chicken bits to be able to *enable* both when > CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT is not set. > > I.e., > > * mem_encrypt=on - both SME and SEV enabled > > * mem_encrypt=smeonly - only SME, no SEV on the host. This

Re: [Part1 PATCH v5 02/17] x86/mm: Add Secure Encrypted Virtualization (SEV) support

2017-09-28 Thread Borislav Petkov
Hi, On Thu, Sep 28, 2017 at 01:48:48PM -0500, Brijesh Singh wrote: > Let me understand the ask, are you saying that we need a method to disable > the SEV > feature from the host OS so that Hypervisor will not be able to create a SEV > guest? > Because once a guest is booted with SEV feature,

Re: [Part1 PATCH v5 02/17] x86/mm: Add Secure Encrypted Virtualization (SEV) support

2017-09-28 Thread Brijesh Singh
Hi Boris, On 09/28/2017 04:02 AM, Borislav Petkov wrote: ... +bool sev_active(void) +{ + return sme_me_mask && sev_enabled; What I'm still missing is the chicken bit. I.e., to be able to boot with "mem_encrypt=smeonly" or so, which disables the SEV side but can still allow SME. For
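Review bot: in the quoted `sev_active()` body, `return sme_me_mask && sev_enabled;` makes the predicate silently false whenever `sme_me_mask` is zero even though `sev_enabled` is set; if an SEV guest is guaranteed a non-zero mask, say so in a comment above the function (or assert it with a WARN_ON_ONCE), and if it is not, the `&&` hides a configuration where SEV was detected but no encryption mask was installed, which is exactly the case a reader of this flag would want to notice.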

Re: [Part1 PATCH v5 02/17] x86/mm: Add Secure Encrypted Virtualization (SEV) support

2017-09-28 Thread Borislav Petkov
On Wed, Sep 27, 2017 at 10:13:14AM -0500, Brijesh Singh wrote: > From: Tom Lendacky > > Provide support for Secure Encrypted Virtualization (SEV). This initial > support defines a flag that is used by the kernel to determine if it is > running with SEV active. > > Cc: Thomas Gleixner > Cc:

[Part1 PATCH v5 02/17] x86/mm: Add Secure Encrypted Virtualization (SEV) support

2017-09-27 Thread Brijesh Singh
From: Tom Lendacky Provide support for Secure Encrypted Virtualization (SEV). This initial support defines a flag that is used by the kernel to determine if it is running with SEV active. Cc: Thomas Gleixner Cc: Ingo Molnar Cc: "H. Peter Anvin" Cc: Borislav Petkov Cc: Andy Lutomirski Cc:
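The chicken-bit semantics the replies above go back and forth on (mem_encrypt=on, smeonly, sevonly, with "sme" as the shorter spelling mentioned early in the thread) and the `sme_me_mask && sev_enabled` predicate quoted from the patch, worked through as a stand-alone C model. This is an added example, not the patch's code and not the kernel's own command-line parsing. The enum names, `parse_mem_encrypt()`, `host_may_create_sev_guest()`, `mem_encrypt_apply()`, the "last occurrence wins" rule, the C-bit position used in `main()` and the rule that a guest booted under SEV keeps its mask regardless of the chicken bit are all assumptions of the example, not facts from the thread.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Chicken-bit values as proposed in the thread; the names are this example's. */
enum mem_encrypt_mode {
	MEM_ENCRYPT_OFF,      /* mem_encrypt=off: no SME, no SEV */
	MEM_ENCRYPT_ON,       /* mem_encrypt=on: host SME and SEV guests */
	MEM_ENCRYPT_SMEONLY,  /* mem_encrypt=smeonly or =sme: SME, no SEV guests */
	MEM_ENCRYPT_SEVONLY,  /* mem_encrypt=sevonly: SEV guests, host SME off */
	MEM_ENCRYPT_INVALID,  /* value not recognised */
};

/* Scan a command line for mem_encrypt=<value>.  Model assumptions: the last
 * occurrence wins; the key must start a token, so "xmem_encrypt=on" is ignored;
 * an unknown value gives MEM_ENCRYPT_INVALID and a missing key gives 'def'. */
enum mem_encrypt_mode parse_mem_encrypt(const char *cmdline, enum mem_encrypt_mode def)
{
	static const struct { const char *name; enum mem_encrypt_mode mode; } opts[] = {
		{ "off", MEM_ENCRYPT_OFF }, { "on", MEM_ENCRYPT_ON },
		{ "sme", MEM_ENCRYPT_SMEONLY }, { "smeonly", MEM_ENCRYPT_SMEONLY },
		{ "sevonly", MEM_ENCRYPT_SEVONLY },
	};
	static const char key[] = "mem_encrypt=";
	enum mem_encrypt_mode mode = def;
	const char *p = cmdline;

	while ((p = strstr(p, key)) != NULL) {
		bool at_token = p == cmdline || p[-1] == ' ' || p[-1] == '\t';
		size_t len, i;

		p += sizeof(key) - 1;
		if (!at_token)
			continue;
		len = strcspn(p, " \t\n");
		mode = MEM_ENCRYPT_INVALID;
		for (i = 0; i < sizeof(opts) / sizeof(opts[0]); i++)
			if (len == strlen(opts[i].name) && !memcmp(p, opts[i].name, len)) {
				mode = opts[i].mode;
				break;
			}
		p += len;
	}
	return mode;
}

/* Host side of the chicken bit: may the hypervisor create SEV guests at all? */
bool host_may_create_sev_guest(enum mem_encrypt_mode mode)
{
	return mode == MEM_ENCRYPT_ON || mode == MEM_ENCRYPT_SEVONLY;
}

/* Boot-time state modelled on the flag the patch adds beside sme_me_mask. */
struct mem_encrypt_state {
	uint64_t sme_me_mask;  /* encryption (C-bit) mask, zero when unused */
	bool     sev_enabled;  /* this kernel runs as an SEV guest */
};

/* Combine the chicken bit with boot detection.  hw_c_bit and is_sev_guest are
 * constructed inputs.  Model assumption: a guest booted under SEV keeps its
 * mask whatever the chicken bit says, as its memory is already encrypted. */
struct mem_encrypt_state mem_encrypt_apply(enum mem_encrypt_mode mode,
					   uint64_t hw_c_bit, bool is_sev_guest)
{
	bool sme_allowed = mode == MEM_ENCRYPT_ON || mode == MEM_ENCRYPT_SMEONLY;
	struct mem_encrypt_state st;

	st.sev_enabled = is_sev_guest;
	st.sme_me_mask = (is_sev_guest || sme_allowed) ? hw_c_bit : 0;
	return st;
}

/* Same shape as the predicate quoted from the patch. */
bool sev_active(struct mem_encrypt_state st)
{
	return st.sme_me_mask && st.sev_enabled;
}

int main(void)
{
	static const char *lines[] = {   /* constructed command lines */
		"root=/dev/sda2 mem_encrypt=on quiet", "root=/dev/sda2 mem_encrypt=smeonly",
		"root=/dev/sda2 mem_encrypt=sevonly", "mem_encrypt=on mem_encrypt=off",
		"root=/dev/sda2 xmem_encrypt=on", "mem_encrypt=bogus",
	};
	static const char *names[] = { "off", "on", "smeonly", "sevonly", "invalid" };
	size_t i;

	for (i = 0; i < sizeof(lines) / sizeof(lines[0]); i++) {
		enum mem_encrypt_mode m = parse_mem_encrypt(lines[i], MEM_ENCRYPT_OFF);
		struct mem_encrypt_state host = mem_encrypt_apply(m, 1ULL << 47, false);
		printf("%-40s -> %-8s host mask %#llx, SEV guests %s\n", lines[i], names[m],
		       (unsigned long long)host.sme_me_mask,
		       host_may_create_sev_guest(m) ? "allowed" : "blocked");
	}
	return 0;
}
```

The table printed by `main()` is the point of the exercise: "sevonly" leaves the host's mask at zero yet still allows SEV guests, which is the configuration Brijesh describes as bootable, while "smeonly" keeps the host mask and blocks guest creation, which is the one Boris asks for. The unrecognised value deliberately comes back as MEM_ENCRYPT_INVALID rather than being coerced to a default, so a typo on the command line is visible instead of silently turning encryption off.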