Re: [PATCH v8 06/40] x86/sev: Check SEV-SNP features support

[PATCH v8 00/40] Add AMD Secure Nested Paging (SEV-SNP) Guest Support · Brijesh Singh <hidden> · 2021-12-10
[PATCH v8 01/40] x86/compressed/64: detect/setup SEV/SME features earlier in boot · Brijesh Singh <hidden> · 2021-12-10
Re: [PATCH v8 01/40] x86/compressed/64: detect/setup SEV/SME features earlier in boot · Dave Hansen <hidden> · 2021-12-10
Re: [PATCH v8 01/40] x86/compressed/64: detect/setup SEV/SME features earlier in boot · Venu Busireddy <hidden> · 2021-12-13
Re: [PATCH v8 01/40] x86/compressed/64: detect/setup SEV/SME features earlier in boot · Borislav Petkov <bp@alien8.de> · 2021-12-13
Re: [PATCH v8 01/40] x86/compressed/64: detect/setup SEV/SME features earlier in boot · Venu Busireddy <hidden> · 2021-12-14
[PATCH v8 02/40] x86/sev: detect/setup SEV/SME features earlier in boot · Brijesh Singh <hidden> · 2021-12-10
Re: [PATCH v8 02/40] x86/sev: detect/setup SEV/SME features earlier in boot · Venu Busireddy <hidden> · 2021-12-13
[PATCH v8 05/40] x86/sev: Save the negotiated GHCB version · Brijesh Singh <hidden> · 2021-12-10
Re: [PATCH v8 05/40] x86/sev: Save the negotiated GHCB version · Venu Busireddy <hidden> · 2021-12-14
[PATCH v8 04/40] x86/sev: Define the Linux specific guest termination reasons · Brijesh Singh <hidden> · 2021-12-10
Re: [PATCH v8 04/40] x86/sev: Define the Linux specific guest termination reasons · Venu Busireddy <hidden> · 2021-12-14
[PATCH v8 09/40] x86/compressed: Add helper for validating pages in the decompression stage · Brijesh Singh <hidden> · 2021-12-10
Re: [PATCH v8 09/40] x86/compressed: Add helper for validating pages in the decompression stage · Venu Busireddy <hidden> · 2021-12-17
Re: [PATCH v8 09/40] x86/compressed: Add helper for validating pages in the decompression stage · Brijesh Singh <hidden> · 2021-12-17
Re: [PATCH v8 09/40] x86/compressed: Add helper for validating pages in the decompression stage · Venu Busireddy <hidden> · 2022-01-03
[PATCH v8 15/40] x86/mm: Add support to validate memory when changing C-bit · Brijesh Singh <hidden> · 2021-12-10
Re: [PATCH v8 15/40] x86/mm: Add support to validate memory when changing C-bit · Venu Busireddy <hidden> · 2022-01-04
[PATCH v8 16/40] KVM: SVM: Define sev_features and vmpl field in the VMSA · Brijesh Singh <hidden> · 2021-12-10
Re: [PATCH v8 16/40] KVM: SVM: Define sev_features and vmpl field in the VMSA · Venu Busireddy <hidden> · 2022-01-04
[PATCH v8 17/40] KVM: SVM: Create a separate mapping for the SEV-ES save area · Brijesh Singh <hidden> · 2021-12-10
Re: [PATCH v8 17/40] KVM: SVM: Create a separate mapping for the SEV-ES save area · Venu Busireddy <hidden> · 2022-01-05
[PATCH v8 13/40] x86/kernel: Make the bss.decrypted section shared in RMP table · Brijesh Singh <hidden> · 2021-12-10
Re: [PATCH v8 13/40] x86/kernel: Make the bss.decrypted section shared in RMP table · Venu Busireddy <hidden> · 2022-01-04
Re: [PATCH v8 13/40] x86/kernel: Make the bss.decrypted section shared in RMP table · Brijesh Singh <hidden> · 2022-01-05
Re: [PATCH v8 13/40] x86/kernel: Make the bss.decrypted section shared in RMP table · Dave Hansen <hidden> · 2022-01-05
Re: [PATCH v8 13/40] x86/kernel: Make the bss.decrypted section shared in RMP table · Brijesh Singh <hidden> · 2022-01-05
Re: [PATCH v8 13/40] x86/kernel: Make the bss.decrypted section shared in RMP table · Venu Busireddy <hidden> · 2022-01-06
Re: [PATCH v8 13/40] x86/kernel: Make the bss.decrypted section shared in RMP table · Tom Lendacky <thomas.lendacky@amd.com> · 2022-01-06
Re: [PATCH v8 13/40] x86/kernel: Make the bss.decrypted section shared in RMP table · Venu Busireddy <hidden> · 2022-01-06
Re: [PATCH v8 13/40] x86/kernel: Make the bss.decrypted section shared in RMP table · Tom Lendacky <thomas.lendacky@amd.com> · 2022-01-06
[PATCH v8 14/40] x86/kernel: Validate rom memory before accessing when SEV-SNP is active · Brijesh Singh <hidden> · 2021-12-10
[PATCH v8 19/40] KVM: SVM: Update the SEV-ES save area mapping · Brijesh Singh <hidden> · 2021-12-10
Re: [PATCH v8 19/40] KVM: SVM: Update the SEV-ES save area mapping · Venu Busireddy <hidden> · 2022-01-05
[PATCH v8 22/40] x86/sev: move MSR-based VMGEXITs for CPUID to helper · Brijesh Singh <hidden> · 2021-12-10
Re: [PATCH v8 22/40] x86/sev: move MSR-based VMGEXITs for CPUID to helper · Sean Christopherson <seanjc@google.com> · 2021-12-30
Re: [PATCH v8 22/40] x86/sev: move MSR-based VMGEXITs for CPUID to helper · Borislav Petkov <bp@alien8.de> · 2022-01-04
Re: [PATCH v8 22/40] x86/sev: move MSR-based VMGEXITs for CPUID to helper · Michael Roth <hidden> · 2022-01-04
Re: [PATCH v8 22/40] x86/sev: move MSR-based VMGEXITs for CPUID to helper · Venu Busireddy <hidden> · 2022-01-06
Re: [PATCH v8 22/40] x86/sev: move MSR-based VMGEXITs for CPUID to helper · Michael Roth <hidden> · 2022-01-06
Re: [PATCH v8 22/40] x86/sev: move MSR-based VMGEXITs for CPUID to helper · Venu Busireddy <hidden> · 2022-01-06
[PATCH v8 20/40] x86/sev: Use SEV-SNP AP creation to start secondary CPUs · Brijesh Singh <hidden> · 2021-12-10
Re: [PATCH v8 20/40] x86/sev: Use SEV-SNP AP creation to start secondary CPUs · Dave Hansen <hidden> · 2021-12-10
Re: [PATCH v8 20/40] x86/sev: Use SEV-SNP AP creation to start secondary CPUs · Brijesh Singh <hidden> · 2022-01-12
Re: [PATCH v8 20/40] x86/sev: Use SEV-SNP AP creation to start secondary CPUs · Borislav Petkov <bp@alien8.de> · 2021-12-31
Re: [PATCH v8 20/40] x86/sev: Use SEV-SNP AP creation to start secondary CPUs · Vlastimil Babka <hidden> · 2022-01-03
Re: [PATCH v8 20/40] x86/sev: Use SEV-SNP AP creation to start secondary CPUs · Brijesh Singh <hidden> · 2022-01-12
Re: [PATCH v8 20/40] x86/sev: Use SEV-SNP AP creation to start secondary CPUs · Tom Lendacky <thomas.lendacky@amd.com> · 2022-01-12
[PATCH v8 24/40] x86/compressed/acpi: move EFI system table lookup to helper · Brijesh Singh <hidden> · 2021-12-10
Re: [PATCH v8 24/40] x86/compressed/acpi: move EFI system table lookup to helper · Dave Hansen <hidden> · 2021-12-10
Re: [PATCH v8 24/40] x86/compressed/acpi: move EFI system table lookup to helper · Michael Roth <hidden> · 2021-12-13
Re: [PATCH v8 24/40] x86/compressed/acpi: move EFI system table lookup to helper · Dave Hansen <hidden> · 2021-12-13
Re: [PATCH v8 24/40] x86/compressed/acpi: move EFI system table lookup to helper · Michael Roth <hidden> · 2021-12-13
Re: [PATCH v8 24/40] x86/compressed/acpi: move EFI system table lookup to helper · Venu Busireddy <hidden> · 2022-01-06
[PATCH v8 23/40] KVM: x86: move lookup of indexed CPUID leafs to helper · Brijesh Singh <hidden> · 2021-12-10
Re: [PATCH v8 23/40] KVM: x86: move lookup of indexed CPUID leafs to helper · Venu Busireddy <hidden> · 2022-01-06
[PATCH v8 21/40] x86/head: re-enable stack protection for 32/64-bit builds · Brijesh Singh <hidden> · 2021-12-10
[PATCH v8 18/40] KVM: SVM: Create a separate mapping for the GHCB save area · Brijesh Singh <hidden> · 2021-12-10
Re: [PATCH v8 18/40] KVM: SVM: Create a separate mapping for the GHCB save area · Venu Busireddy <hidden> · 2022-01-05
[PATCH v8 27/40] x86/boot: Add Confidential Computing type to setup_data · Brijesh Singh <hidden> · 2021-12-10
Re: [PATCH v8 27/40] x86/boot: Add Confidential Computing type to setup_data · Dave Hansen <hidden> · 2021-12-10
Re: [PATCH v8 27/40] x86/boot: Add Confidential Computing type to setup_data · Venu Busireddy <hidden> · 2022-01-06
[PATCH v8 28/40] KVM: SEV: Add documentation for SEV-SNP CPUID Enforcement · Brijesh Singh <hidden> · 2021-12-10
[PATCH v8 26/40] x86/compressed/acpi: move EFI vendor table lookup to helper · Brijesh Singh <hidden> · 2021-12-10
Re: [PATCH v8 26/40] x86/compressed/acpi: move EFI vendor table lookup to helper · Venu Busireddy <hidden> · 2022-01-06
[PATCH v8 12/40] x86/sev: Add helper for validating pages in early enc attribute changes · Brijesh Singh <hidden> · 2021-12-10
Re: [PATCH v8 12/40] x86/sev: Add helper for validating pages in early enc attribute changes · Venu Busireddy <hidden> · 2022-01-03
Re: [PATCH v8 12/40] x86/sev: Add helper for validating pages in early enc attribute changes · Brijesh Singh <hidden> · 2022-01-11
Re: [PATCH v8 12/40] x86/sev: Add helper for validating pages in early enc attribute changes · Venu Busireddy <hidden> · 2022-01-11
Re: [PATCH v8 12/40] x86/sev: Add helper for validating pages in early enc attribute changes · Brijesh Singh <hidden> · 2022-01-11
Re: [PATCH v8 12/40] x86/sev: Add helper for validating pages in early enc attribute changes · Venu Busireddy <hidden> · 2022-01-11
[PATCH v8 30/40] x86/boot: add a pointer to Confidential Computing blob in bootparams · Brijesh Singh <hidden> · 2021-12-10
[PATCH v8 29/40] x86/compressed/64: add support for SEV-SNP CPUID table in #VC handlers · Brijesh Singh <hidden> · 2021-12-10
[PATCH v8 25/40] x86/compressed/acpi: move EFI config table lookup to helper · Brijesh Singh <hidden> · 2021-12-10
Re: [PATCH v8 25/40] x86/compressed/acpi: move EFI config table lookup to helper · Venu Busireddy <hidden> · 2022-01-06
[PATCH v8 31/40] x86/compressed: add SEV-SNP feature detection/setup · Brijesh Singh <hidden> · 2021-12-10
[PATCH v8 11/40] x86/sev: Register GHCB memory when SEV-SNP is active · Brijesh Singh <hidden> · 2021-12-10
Re: [PATCH v8 11/40] x86/sev: Register GHCB memory when SEV-SNP is active · Venu Busireddy <hidden> · 2022-01-03
[PATCH v8 33/40] x86/compressed/64: add identity mapping for Confidential Computing blob · Brijesh Singh <hidden> · 2021-12-10
Re: [PATCH v8 33/40] x86/compressed/64: add identity mapping for Confidential Computing blob · Dave Hansen <hidden> · 2021-12-10
Re: [PATCH v8 33/40] x86/compressed/64: add identity mapping for Confidential Computing blob · Michael Roth <hidden> · 2021-12-13
[PATCH v8 38/40] virt: Add SEV-SNP guest driver · Brijesh Singh <hidden> · 2021-12-10
[PATCH v8 37/40] x86/sev: Register SNP guest request platform device · Brijesh Singh <hidden> · 2021-12-10
[PATCH v8 40/40] virt: sevguest: Add support to get extended report · Brijesh Singh <hidden> · 2021-12-10
[PATCH v8 39/40] virt: sevguest: Add support to derive key · Brijesh Singh <hidden> · 2021-12-10
Re: [PATCH v8 39/40] virt: sevguest: Add support to derive key · Liam Merwick <hidden> · 2021-12-10
[PATCH v8 36/40] x86/sev: Provide support for SNP guest request NAEs · Brijesh Singh <hidden> · 2021-12-10
[PATCH v8 35/40] x86/sev: use firmware-validated CPUID for SEV-SNP guests · Brijesh Singh <hidden> · 2021-12-10
[PATCH v8 32/40] x86/compressed: use firmware-validated CPUID for SEV-SNP guests · Brijesh Singh <hidden> · 2021-12-10
Re: [PATCH v8 32/40] x86/compressed: use firmware-validated CPUID for SEV-SNP guests · Borislav Petkov <bp@alien8.de> · 2022-01-20
[PATCH v8 34/40] x86/sev: add SEV-SNP feature detection/setup · Brijesh Singh <hidden> · 2021-12-10
[PATCH v8 03/40] x86/mm: Extend cc_attr to include AMD SEV-SNP · Brijesh Singh <hidden> · 2021-12-10
Re: [PATCH v8 03/40] x86/mm: Extend cc_attr to include AMD SEV-SNP · Venu Busireddy <hidden> · 2021-12-13
[PATCH v8 10/40] x86/compressed: Register GHCB memory when SEV-SNP is active · Brijesh Singh <hidden> · 2021-12-10
Re: [PATCH v8 10/40] x86/compressed: Register GHCB memory when SEV-SNP is active · Venu Busireddy <hidden> · 2022-01-03
[PATCH v8 08/40] x86/sev: Check the vmpl level · Brijesh Singh <hidden> · 2021-12-10
Re: [PATCH v8 08/40] x86/sev: Check the vmpl level · Venu Busireddy <hidden> · 2021-12-16
Re: [PATCH v8 08/40] x86/sev: Check the vmpl level · Mikolaj Lisik <hidden> · 2021-12-16
Re: [PATCH v8 08/40] x86/sev: Check the vmpl level · Brijesh Singh <hidden> · 2021-12-17
Re: [PATCH v8 08/40] x86/sev: Check the vmpl level · Tom Lendacky <thomas.lendacky@amd.com> · 2021-12-17
[PATCH v8 07/40] x86/sev: Add a helper for the PVALIDATE instruction · Brijesh Singh <hidden> · 2021-12-10
Re: [PATCH v8 07/40] x86/sev: Add a helper for the PVALIDATE instruction · Venu Busireddy <hidden> · 2021-12-16
[PATCH v8 06/40] x86/sev: Check SEV-SNP features support · Brijesh Singh <hidden> · 2021-12-10
Re: [PATCH v8 06/40] x86/sev: Check SEV-SNP features support · Borislav Petkov <bp@alien8.de> · 2021-12-16
Re: [PATCH v8 06/40] x86/sev: Check SEV-SNP features support · Brijesh Singh <hidden> · 2021-12-16
Re: [PATCH v8 06/40] x86/sev: Check SEV-SNP features support · Borislav Petkov <bp@alien8.de> · 2021-12-16
Re: [PATCH v8 06/40] x86/sev: Check SEV-SNP features support · Venu Busireddy <hidden> · 2021-12-16
Re: [PATCH v8 00/40] Add AMD Secure Nested Paging (SEV-SNP) Guest Support · Dave Hansen <hidden> · 2021-12-10

From: Borislav Petkov <bp@alien8.de>
Date: 2021-12-16 15:47:53
Also in: kvm, linux-coco, linux-efi, lkml, platform-driver-x86

On Fri, Dec 10, 2021 at 09:42:58AM -0600, Brijesh Singh wrote:

Version 2 of the GHCB specification added the advertisement of features
that are supported by the hypervisor. If hypervisor supports the SEV-SNP
then it must set the SEV-SNP features bit to indicate that the base
SEV-SNP is supported.

Check the SEV-SNP feature while establishing the GHCB, if failed,
terminate the guest.

Version 2 of GHCB specification adds several new NAEs, most of them are
optional except the hypervisor feature. Now that hypervisor feature NAE
is implemented, so bump the GHCB maximum support protocol version.

While at it, move the GHCB protocol negotitation check from VC exception

Unknown word [negotitation] in commit message, suggestions:
        ['negotiation', 'negotiator', 'negotiate', 'abnegation', 'vegetation']

quoted hunk ↗ jump to hunk

handler to sev_enable() so that all feature detection happens before
the first VC exception.

Signed-off-by: Brijesh Singh <redacted>
---
 arch/x86/boot/compressed/sev.c    | 21 ++++++++++++++++-----
 arch/x86/include/asm/sev-common.h |  6 ++++++
 arch/x86/include/asm/sev.h        |  2 +-
 arch/x86/include/uapi/asm/svm.h   |  2 ++
 arch/x86/kernel/sev-shared.c      | 20 ++++++++++++++++++++
 arch/x86/kernel/sev.c             | 16 ++++++++++++++++
 6 files changed, 61 insertions(+), 6 deletions(-)

diff --git a/arch/x86/boot/compressed/sev.c b/arch/x86/boot/compressed/sev.c
index 0b6cc6402ac1..a0708f359a46 100644
--- a/arch/x86/boot/compressed/sev.c
+++ b/arch/x86/boot/compressed/sev.c

@@ -119,11 +119,8 @@ static enum es_result vc_read_mem(struct es_em_ctxt *ctxt,
 /* Include code for early handlers */
 #include "../../kernel/sev-shared.c"
 
-static bool early_setup_sev_es(void)
+static bool early_setup_ghcb(void)
 {
-	if (!sev_es_negotiate_protocol())
-		sev_es_terminate(SEV_TERM_SET_GEN, GHCB_SEV_ES_PROT_UNSUPPORTED);
-
 	if (set_page_decrypted((unsigned long)&boot_ghcb_page))
 		return false;

@@ -174,7 +171,7 @@ void do_boot_stage2_vc(struct pt_regs *regs, unsigned long exit_code)
 	struct es_em_ctxt ctxt;
 	enum es_result result;
 
-	if (!boot_ghcb && !early_setup_sev_es())
+	if (!boot_ghcb && !early_setup_ghcb())
 		sev_es_terminate(SEV_TERM_SET_GEN, GHCB_SEV_ES_GEN_REQ);

Can you setup the GHCB in sev_enable() too, after the protocol version
negotiation succeeds?

quoted hunk ↗ jump to hunk

 	vc_ghcb_invalidate(boot_ghcb);

@@ -247,5 +244,19 @@ void sev_enable(struct boot_params *bp)
 	if (!(sev_status & MSR_AMD64_SEV_ENABLED))
 		return;
 
+	/* Negotiate the GHCB protocol version */
+	if (sev_status & MSR_AMD64_SEV_ES_ENABLED)
+		if (!sev_es_negotiate_protocol())
+			sev_es_terminate(SEV_TERM_SET_GEN, GHCB_SEV_ES_PROT_UNSUPPORTED);
+
+	/*
+	 * SNP is supported in v2 of the GHCB spec which mandates support for HV
+	 * features. If SEV-SNP is enabled, then check if the hypervisor supports
+	 * the SEV-SNP features.
+	 */
+	if (sev_status & MSR_AMD64_SEV_SNP_ENABLED && !(get_hv_features() & GHCB_HV_FT_SNP))
+		sev_es_terminate(SEV_TERM_SET_GEN, GHCB_SNP_UNSUPPORTED);
+
+

^ Superfluous newline.

 	sme_me_mask = BIT_ULL(ebx & 0x3f);

...

quoted hunk ↗ jump to hunk

diff --git a/arch/x86/kernel/sev.c b/arch/x86/kernel/sev.c
index 19ad09712902..a0cada8398a4 100644
--- a/arch/x86/kernel/sev.c
+++ b/arch/x86/kernel/sev.c

@@ -43,6 +43,10 @@ static struct ghcb boot_ghcb_page __bss_decrypted __aligned(PAGE_SIZE);
  */
 static struct ghcb __initdata *boot_ghcb;
 
+/* Bitmap of SEV features supported by the hypervisor */
+static u64 sev_hv_features;

__ro_after_init

quoted hunk ↗ jump to hunk

+
+
 /* #VC handler runtime per-CPU data */
 struct sev_es_runtime_data {
 	struct ghcb ghcb_page;

@@ -766,6 +770,18 @@ void __init sev_es_init_vc_handling(void)
 	if (!sev_es_check_cpu_features())
 		panic("SEV-ES CPU Features missing");
 
+	/*
+	 * SNP is supported in v2 of the GHCB spec which mandates support for HV
+	 * features. If SEV-SNP is enabled, then check if the hypervisor supports

s/SEV-SNP/SNP/g

And please do that everywhere in sev-specific files.

This file is called sev.c and there's way too many acronyms flying
around so the simpler the better.

Thx.

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help