Re: [Patch v4 1/2] cgroup: svm: Add Encryption ID controller

From: Tejun Heo
Date: Thu Jan 21 2021 - 11:50:38 EST


Hello,

On Thu, Jan 21, 2021 at 08:55:07AM -0600, Tom Lendacky wrote:
> The hardware will allow any SEV capable ASID to be run as SEV-ES, however,
> the SEV firmware will not allow the activation of an SEV-ES VM to be
> assigned to an ASID greater than or equal to the SEV minimum ASID value. The
> reason for the latter is to prevent an !SEV-ES ASID starting out as an
> SEV-ES guest and then disabling the SEV-ES VMCB bit that is used by VMRUN.
> This would result in the downgrading of the security of the VM without the
> VM realizing it.
>
> As a result, you have a range of ASIDs that can only run SEV-ES VMs and a
> range of ASIDs that can only run SEV VMs.

I see. That makes sense. What's the downside of SEV-ES compared to SEV w/o
ES? Are there noticeable performance / feature penalties or is the split
mostly for backward compatibility?

Thanks.

--
tejun
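As an added illustration of the ASID split Tom describes above (this is example code written for this page, not code from the thread, from KVM's sev.c, or from the SEV firmware), the small model below keeps two disjoint pools: ASIDs 1 through min_sev_asid-1 for SEV-ES guests, and min_sev_asid through max_sev_asid for plain SEV guests, and refuses to "activate" a guest on an ASID outside its type's range. The platform values (min 5, max 8) are constructed; on real hardware they come from CPUID 0x8000001F (EDX = minimum plain-SEV ASID, ECX = number of encrypted guests). The function names (sev_asid_new, sev_activate_allowed, nth_asid, activation_allowed) are hypothetical.

```c
/* Added example modelling the SEV / SEV-ES ASID split described in the thread.
 * Not code from the thread, KVM or the SEV firmware; a simplification for
 * illustration. All platform values below are constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ASID_LIMIT 64   /* constructed: bitmap size for this model, not a hardware bound */

struct sev_platform {
    unsigned int min_sev_asid;      /* first ASID a plain SEV guest may use (CPUID 0x8000001F EDX) */
    unsigned int max_sev_asid;      /* last ASID any encrypted guest may use (CPUID 0x8000001F ECX) */
    bool in_use[ASID_LIMIT + 1];    /* ASID 0 belongs to the host and is never handed out */
};

static void sev_platform_init(struct sev_platform *p, unsigned int min_sev_asid, unsigned int max_sev_asid)
{
    memset(p, 0, sizeof(*p));
    p->min_sev_asid = min_sev_asid;
    p->max_sev_asid = max_sev_asid;
    p->in_use[0] = true;
}

/* The two pools from the thread: SEV-ES guests only below min_sev_asid,
 * plain SEV guests only from min_sev_asid up to max_sev_asid. */
static void sev_asid_range(const struct sev_platform *p, bool es_active, unsigned int *lo, unsigned int *hi)
{
    if (es_active) {
        *lo = 1;
        *hi = p->min_sev_asid ? p->min_sev_asid - 1 : 0;   /* empty pool if min is 0 or 1 */
    } else {
        *lo = p->min_sev_asid;
        *hi = p->max_sev_asid;
    }
}

/* Hand out a free ASID from the guest type's pool; 0 means the pool is exhausted. */
static unsigned int sev_asid_new(struct sev_platform *p, bool es_active)
{
    unsigned int lo, hi, asid;

    sev_asid_range(p, es_active, &lo, &hi);
    if (hi > ASID_LIMIT)
        hi = ASID_LIMIT;
    for (asid = lo; asid >= 1 && asid <= hi; asid++) {
        if (!p->in_use[asid]) {
            p->in_use[asid] = true;
            return asid;
        }
    }
    return 0;
}

/* Model of the firmware rule in the thread: an SEV-ES guest may not be
 * activated on an ASID >= min_sev_asid, because that ASID could later run with
 * the SEV-ES VMCB bit cleared, silently downgrading the guest. The mirror
 * check keeps plain SEV guests out of the SEV-ES-only range. */
static bool sev_activate_allowed(const struct sev_platform *p, unsigned int asid, bool es_active)
{
    if (asid == 0 || asid > p->max_sev_asid)
        return false;
    if (es_active && asid >= p->min_sev_asid)
        return false;
    if (!es_active && asid < p->min_sev_asid)
        return false;
    return true;
}

/* Convenience wrappers over a fresh platform, for callers and tests. */
static unsigned int nth_asid(unsigned int min_sev_asid, unsigned int max_sev_asid, bool es_active, unsigned int n)
{
    struct sev_platform p;
    unsigned int asid = 0;

    sev_platform_init(&p, min_sev_asid, max_sev_asid);
    while (n-- > 0)
        asid = sev_asid_new(&p, es_active);
    return asid;
}

static bool activation_allowed(unsigned int min_sev_asid, unsigned int max_sev_asid, unsigned int asid, bool es_active)
{
    struct sev_platform p;

    sev_platform_init(&p, min_sev_asid, max_sev_asid);
    return sev_activate_allowed(&p, asid, es_active);
}

int main(void)
{
    struct sev_platform p;
    unsigned int es, plain;

    sev_platform_init(&p, 5, 8);   /* constructed: SEV-ES gets 1-4, plain SEV gets 5-8 */
    es = sev_asid_new(&p, true);
    plain = sev_asid_new(&p, false);
    printf("SEV-ES guest got ASID %u, SEV guest got ASID %u\n", es, plain);
    printf("SEV-ES activation on ASID %u: %s\n", plain,
           sev_activate_allowed(&p, plain, true) ? "allowed" : "refused");
    return 0;
}
```

With the constructed values a fifth SEV-ES guest gets no ASID even while plain-SEV ASIDs are free, which is the operational consequence of the split that a per-cgroup encryption-ID controller has to account for: the two pools have to be tracked and limited separately.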