Re: [PATCH v3 2/5] x86/boot/compressed/64: Add CPUID sanity check to early #VC handler

From: Joerg Roedel
Date: Wed Oct 28 2020 - 18:36:35 EST


On Tue, Oct 27, 2020 at 11:38:46AM +0100, Borislav Petkov wrote:
> So why are we doing those checks here at all then? I mean, the HV
> can tell us whatever it wants, i.e., make sure those checks pass but
> still report the C-bit at the wrong position. Which means that those
> checks are simply meh. So why are we doing them at all? To catch stupid
> hypervisors who can't even lie properly to the guest? :-)

To avoid that the HV tricks the kernel into the no_sev boot path, where
it would map memory unencrypted and possibly leak sensitive data. The HV
can do so by pretending SEV is disabled at all and by reporting the
wrong C-bit position. Both cases need to be checked.


Regards,

Joerg
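
Added example, not part of the mail above or of the patch under discussion: a user-space sketch of the first case Joerg names, rejecting hypervisor-supplied CPUID answers that would make SEV look disabled. The helper `hv_cpuid_sane`, the struct and the sample register values are hypothetical; the bit positions follow AMD's CPUID definitions, and the code assumes it is reached only from a #VC exception, which implies SEV-ES is active. The C-bit position case is not covered here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Register values returned by the hypervisor for one CPUID leaf (untrusted). */
struct cpuid_regs { uint32_t eax, ebx, ecx, edx; };

#define LEAF_FEATURES    0x00000001u
#define LEAF_EXT_MAX     0x80000000u
#define LEAF_MEM_ENCRYPT 0x8000001fu
#define HYPERVISOR_BIT   (1u << 31)   /* leaf 1, ECX[31]: running under a HV */
#define SEV_BIT          (1u << 1)    /* leaf 0x8000001f, EAX[1]: SEV enabled */

/*
 * Hypothetical helper. Assumption: the caller is a #VC handler, so SEV-ES
 * is known to be active and any answer that denies SEV contradicts that.
 * Returns false when the answer would steer the guest to a no-SEV path.
 */
bool hv_cpuid_sane(uint32_t leaf, const struct cpuid_regs *r)
{
    switch (leaf) {
    case LEAF_FEATURES:      /* a #VC can only be raised inside a guest */
        return (r->ecx & HYPERVISOR_BIT) != 0;
    case LEAF_EXT_MAX:       /* the memory-encryption leaf must be reachable */
        return r->eax >= LEAF_MEM_ENCRYPT;
    case LEAF_MEM_ENCRYPT:   /* SEV itself must be reported as enabled */
        return (r->eax & SEV_BIT) != 0;
    default:                 /* other leaves carry no SEV state to check */
        return true;
    }
}

int main(void)
{
    /* Constructed sample answers, not captured from a real hypervisor. */
    struct cpuid_regs honest = { .eax = 0x0000000f, .ebx = 51 };
    struct cpuid_regs lying  = { .eax = 0x00000000, .ebx = 51 };

    printf("honest 0x8000001f answer sane: %d\n",
           hv_cpuid_sane(LEAF_MEM_ENCRYPT, &honest));
    printf("lying  0x8000001f answer sane: %d\n",
           hv_cpuid_sane(LEAF_MEM_ENCRYPT, &lying));
    /* A real handler would stop the boot on a failed check, not continue. */
    return 0;
}
```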