Re: [PATCH kernel v3 3/3] x86/sev: Do not handle #VC for DR7 read/write

From: Nikunj A. Dadhania
Date: Tue Jan 24 2023 - 08:17:58 EST

Next message: Christoph Hellwig: "Re: [PATCH v8 10/10] mm: Renumber FOLL_PIN and FOLL_GET down"
Previous message: bchihi: "[PATCH v11 6/6] arm64/dts/mt8195: Add temperature mitigation threshold"
In reply to: Alexey Kardashevskiy: "Re: [PATCH kernel v3 3/3] x86/sev: Do not handle #VC for DR7 read/write"
Next in thread: Alexey Kardashevskiy: "Re: [PATCH kernel v3 3/3] x86/sev: Do not handle #VC for DR7 read/write"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 24/01/23 18:07, Alexey Kardashevskiy wrote:
>
>
> On 24/1/23 21:37, Nikunj A. Dadhania wrote:
>> It is MSR_AMD64_SEV_DEBUG_SWAP (SEV, not SNP), it is an SEV-ES thing.
> Yes, noticed that, earlier analysis was that Debug Swap shouldn't need any guest side changes, but it does need it.

>>> Why is that feature negotiation SNP-only and not SEV?

>> As per the spec, GHCB termination request: reason code: 0x2 is SNP features specific.
> Does the guest really need to terminate in such case?

The termination is from the guest that do not have implementation for the hypervisor enabled feature, in this case DebugSwap.
If DebugSwap is enabled by the hypervisor and not handled in guest #VC, then DR7 read/write can be intercepted by the malicious
hypervisor, which can return unexpected values.

> A VM could just not do the GHCB thing if it does not want to.

In that case, the VM can have unexpected failures.

Regards
Nikunj

Next message: Christoph Hellwig: "Re: [PATCH v8 10/10] mm: Renumber FOLL_PIN and FOLL_GET down"
Previous message: bchihi: "[PATCH v11 6/6] arm64/dts/mt8195: Add temperature mitigation threshold"
In reply to: Alexey Kardashevskiy: "Re: [PATCH kernel v3 3/3] x86/sev: Do not handle #VC for DR7 read/write"
Next in thread: Alexey Kardashevskiy: "Re: [PATCH kernel v3 3/3] x86/sev: Do not handle #VC for DR7 read/write"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]