Re: [Patch v4 1/2] cgroup: svm: Add Encryption ID controller
From: Tejun Heo <hidden>
Date: 2021-01-21 16:50:01
Also in:
kvm, linux-doc, lkml
Hello,

On Thu, Jan 21, 2021 at 08:55:07AM -0600, Tom Lendacky wrote:
> The hardware will allow any SEV capable ASID to be run as SEV-ES, however,
> the SEV firmware will not allow the activation of an SEV-ES VM to be
> assigned to an ASID greater than or equal to the SEV minimum ASID value.
> The reason for the latter is to prevent an !SEV-ES ASID starting out as an
> SEV-ES guest and then disabling the SEV-ES VMCB bit that is used by VMRUN.
> This would result in the downgrading of the security of the VM without the
> VM realizing it. As a result, you have a range of ASIDs that can only run
> SEV-ES VMs and a range of ASIDs that can only run SEV VMs.

I see. That makes sense. What's the downside of SEV-ES compared to SEV w/o
ES? Are there noticeable performance / feature penalties or is the split
mostly for backward compatibility?

Thanks.

-- 
tejun
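The ASID partitioning Tom describes above, as an added illustration that is not part of this thread and not KVM's or the SEV firmware's code: a small model in which the SEV-capable ASID space is split at the firmware-reported minimum SEV ASID, SEV-ES guests may only be assigned ASIDs below that value, plain SEV guests only ASIDs at or above it, and activation is refused for any pairing that crosses the boundary. The ASID count (16) and the minimum SEV ASID (8) are constructed values chosen for the example, not figures from real hardware; the function and type names are likewise hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed platform values for the example (not real hardware figures):
 * ASIDs 1..MAX_ASID are SEV-capable; MIN_SEV_ASID models the value the
 * firmware reports as the lowest ASID usable by a plain SEV guest. Every
 * ASID below it is reserved for SEV-ES guests. ASID 0 is never encrypted. */
#define MAX_ASID      16u
#define MIN_SEV_ASID   8u

enum guest_type { GUEST_SEV, GUEST_SEV_ES };

/* One bit per ASID; index 0 is unused. */
static bool asid_in_use[MAX_ASID + 1];

/* The two disjoint pools: SEV-ES gets [1, MIN_SEV_ASID), SEV gets [MIN_SEV_ASID, MAX_ASID]. */
static void asid_range(enum guest_type t, unsigned int *lo, unsigned int *hi)
{
    if (t == GUEST_SEV_ES) {
        *lo = 1u;
        *hi = MIN_SEV_ASID - 1u;
    } else {
        *lo = MIN_SEV_ASID;
        *hi = MAX_ASID;
    }
}

/* Model of the firmware activation rule: true only if this guest type may
 * run on this ASID. An SEV-ES guest on an ASID >= MIN_SEV_ASID is refused,
 * which is what prevents a guest that started as SEV-ES from later running
 * on that ASID with the VMCB SEV-ES bit cleared, i.e. the silent downgrade. */
bool asid_valid_for(enum guest_type t, unsigned int asid)
{
    unsigned int lo, hi;

    if (asid == 0u || asid > MAX_ASID)
        return false;
    asid_range(t, &lo, &hi);
    return asid >= lo && asid <= hi;
}

/* Hand out the lowest free ASID from the pool that matches the guest type.
 * Returns 0 when that pool is exhausted, even if the other pool has room. */
unsigned int asid_alloc(enum guest_type t)
{
    unsigned int lo, hi, a;

    asid_range(t, &lo, &hi);
    for (a = lo; a <= hi; a++) {
        if (!asid_in_use[a]) {
            asid_in_use[a] = true;
            return a;
        }
    }
    return 0u;
}

void asid_free(unsigned int asid)
{
    if (asid >= 1u && asid <= MAX_ASID)
        asid_in_use[asid] = false;
}

void asid_reset(void)
{
    memset(asid_in_use, 0, sizeof asid_in_use);
}

/* Number of ASIDs a guest type can ever be given, regardless of current use. */
unsigned int asid_pool_size(enum guest_type t)
{
    unsigned int lo, hi;

    asid_range(t, &lo, &hi);
    return hi - lo + 1u;
}

int main(void)
{
    unsigned int a;

    asid_reset();
    printf("SEV-ES pool: %u ASIDs, SEV pool: %u ASIDs\n",
           asid_pool_size(GUEST_SEV_ES), asid_pool_size(GUEST_SEV));

    a = asid_alloc(GUEST_SEV_ES);
    printf("first SEV-ES ASID: %u, valid as SEV-ES: %d, valid as SEV: %d\n",
           a, asid_valid_for(GUEST_SEV_ES, a), asid_valid_for(GUEST_SEV, a));

    /* Exhaust the SEV-ES pool; the SEV pool stays untouched. */
    while (asid_alloc(GUEST_SEV_ES) != 0u)
        ;
    printf("SEV-ES pool exhausted, SEV still allocates: %u\n", asid_alloc(GUEST_SEV));
    return 0;
}
```

The two pools are what makes the controller split visible to an administrator: a host can run out of SEV-ES ASIDs while plenty of SEV ASIDs remain, and vice versa, because the firmware rule forbids borrowing across the boundary.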