Re: [PATCH] x86/CPU/AMD, mm: Extend with mem_encrypt=sme option

[Borislav Petkov]

On Sun, Oct 01, 2017 at 12:00:31PM -0500, Brijesh Singh wrote:
> When SEV feature is disabled, KVM will not be able to launch any SEV
> guests. When SEV support is available, KVM can enable it in a specific
> VM by setting SEV bit before executing the VMRUN instruction.

So I want to be able to disable SEV and the whole code that comes with
it in the *host*.

> Guest OS:
> --------
> Checks the MSR_AMD64_SEV to determine if SEV feature is enabled. Please
> note that the MSR is a read-only. IOW, MSR is not intercepted by the
> hypervisor.
> 
> Currently, mem_encrypt=xxx and CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT
> is don't care. We can not depend on the command line because when SEV is
> enabled in a VM then instruction fetch will be decrypted by the
> hardware. If we want then we can perform the comparison between the SEV
> state obtained through MSR with user supplied command line and trigger
> BUG() if they don't match.

And when we have supplied mem_encrypt=sme to the *host* cmdline, it
should be impossible to start SEV guests. IOW, that feature mask test
should not happen and I should do instead:

        } else if (!strncmp(buffer, cmd_sme, sizeof(buffer))) {
                sme_only = true;
		sev_enabled = false;
        }

Or, respectively, not set it here as it is false already but set it at
the end of the function like this:

        if (sme_only)
                return;

	sev_enabled = true;
}

Hmmm?

-- 
Regards/Gruss,
    Boris.

SUSE Linux GmbH, GF: Felix ImendÃrffer, Jane Smithard, Graham Norton, HRB 21284 (AG NÃrnberg)
--