Received: by 2002:a05:6358:16cc:b0:ea:6187:17c9 with SMTP id r12csp11856548rwl;
        Tue, 3 Jan 2023 05:52:05 -0800 (PST)
X-Google-Smtp-Source: AMrXdXu70fa/qxfmxnwF5yVwH+4620pzWochE+D+GPOjrAXF4lzo3jrB+FV7t553RHEJC9/rVrZF
X-Received: by 2002:a17:903:2341:b0:192:5e53:15f3 with SMTP id c1-20020a170903234100b001925e5315f3mr59200672plh.48.1672753925759;
        Tue, 03 Jan 2023 05:52:05 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1672753925; cv=none;
        d=google.com; s=arc-20160816;
        b=sJ6hjauFXQ8JQycAKq4tuZS71WFfASS52X7xg4ygRAjA/83QY7hMMn9iWPRUiqn0F7
         aiyD0WA4ZS/eAhcVPaxFVL0Zp7meI2T2dS9xr+66Mv4przNiMrDYD3qetK58JYIeYi6u
         ct6Wpl0JfyPM23A50HkyNsPkrjnLGntcc08nlQJkaWeia1ji+pkn8Iz8uz27awuV5op+
         0gcAmEKilHUv5+sncB7rkz0cpMgJ9ahrd22SMBV1MgIHRHq09rXK6aGyE98dKzSXe3x0
         srv6rkoi7nmATUFni/W6ojaj62vBU9IvL2iiD1as+v017aolYLuJOFSN3f/dKP52ugJr
         qz1A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:content-disposition:mime-version
         :references:message-id:subject:cc:to:from:date:dkim-signature;
        bh=7WZ2I/kePpaASy/qY+vLm4NwRwJ6Szd4KG46JRy26ow=;
        b=JTxtHfvBev2ueEACBpAndf7wP0ZC6HSw04JkTwpeiXITtGWvUOl+m3RrgYS4IXcXR7
         lTqbYicUqxVI5p9ceQT/cS4PZtIAxHygyhWXT5XzUmCUH57GOMcXZy8/v5+pwQDRsHAu
         bW7TEdKjotpkqn+O5FwdB072C2aMgbtCIuUHJDAIPSQrhZV0lLJDBy3DmYmXByRe36nV
         MH3FnCp8Ll3kE7Pa3OdkmZzi4f1f68qm//g95NI05wxsD7oh7EZeuFBCLTeHmWcGnMad
         SZ/PZyp4m21E8x4uYZjkHuLzPcjWnYbPGQwcAnFVOOFgy0kOT/MDXn9quoviZPJ2qF11
         CFNQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@alien8.de header.s=dkim header.b=Cd3iHtUk;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=alien8.de
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id x23-20020a170902b41700b00189ca4f4613si30891221plr.72.2023.01.03.05.51.58;
        Tue, 03 Jan 2023 05:52:05 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@alien8.de header.s=dkim header.b=Cd3iHtUk;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=alien8.de
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S230323AbjACNlG (ORCPT <rfc822;aaronngray.lists@gmail.com>
        + 60 others); Tue, 3 Jan 2023 08:41:06 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40344 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S230337AbjACNk5 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 3 Jan 2023 08:40:57 -0500
Received: from mail.skyhub.de (mail.skyhub.de [IPv6:2a01:4f8:190:11c2::b:1457])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 70706E19;
        Tue,  3 Jan 2023 05:40:53 -0800 (PST)
Received: from zn.tnic (p5de8e9fe.dip0.t-ipconnect.de [93.232.233.254])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.skyhub.de (SuperMail on ZX Spectrum 128k) with ESMTPSA id 82AA21EC034B;
        Tue,  3 Jan 2023 14:40:51 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=alien8.de; s=dkim;
        t=1672753251;
        h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
         to:to:cc:cc:mime-version:mime-version:content-type:content-type:
         content-transfer-encoding:in-reply-to:in-reply-to:  references:references;
        bh=7WZ2I/kePpaASy/qY+vLm4NwRwJ6Szd4KG46JRy26ow=;
        b=Cd3iHtUkCRfBCwEoy0QhT1+l1dGdwcDQG6hBwbnGP/lQOiIZYKzEes5LgYqJGNpEhFgPs2
        1qCwjW5inVX8Vtxd72WTULF82jle/+plZ1j/S4B2Y0im7H6C2907v7NpAFuL9MYPQ5vv/t
        5GSOnpLGNWkU7BAyw6A1UJV2M0nrCaM=
Date:   Tue, 3 Jan 2023 14:40:45 +0100
From:   Borislav Petkov <bp@alien8.de>
To:     Nikunj A Dadhania <nikunj@amd.com>
Cc:     linux-kernel@vger.kernel.org, x86@kernel.org, kvm@vger.kernel.org,
        mingo@redhat.com, tglx@linutronix.de, dave.hansen@linux.intel.com,
        seanjc@google.com, pbonzini@redhat.com, thomas.lendacky@amd.com,
        michael.roth@amd.com, stable@kernel.org
Subject: Re: [PATCH v3] x86/sev: Add SEV-SNP guest feature negotiation support
Message-ID: <Y7QwXcAUmS3VZcbH@zn.tnic>
References: <20230102083810.71178-1-nikunj@amd.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <20230102083810.71178-1-nikunj@amd.com>
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS
        autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Jan 02, 2023 at 02:08:10PM +0530, Nikunj A Dadhania wrote:
> The hypervisor can enable various new features (SEV_FEATURES[1:63])
> and start the SNP guest. Some of these features need guest side
> implementation. If any of these features are enabled without guest
> side implementation, the behavior of the SNP guest will be undefined.
> The SNP guest boot may fail in a non-obvious way making it difficult
> to debug.
> 
> Instead of allowing the guest to continue and have it fail randomly
> later, detect this early and fail gracefully.
> 
> SEV_STATUS MSR indicates features which hypervisor has enabled. While
					 ^
					 the

> booting, SNP guests should ascertain that all the enabled features
> have guest side implementation. In case any feature is not implemented
> in the guest, the guest terminates booting with SNP feature
> unsupported exit code.
> 
> More details in AMD64 APM[1] Vol 2: 15.34.10 SEV_STATUS MSR
> 
> [1] https://www.amd.com/system/files/TechDocs/40332_4.05.pdf
> 
> Fixes: cbd3d4f7c4e5 ("x86/sev: Check SEV-SNP features support")
> CC: Borislav Petkov <bp@alien8.de>
> CC: Michael Roth <michael.roth@amd.com>
> CC: Tom Lendacky <thomas.lendacky@amd.com>
> CC: <stable@kernel.org>
> Signed-off-by: Nikunj A Dadhania <nikunj@amd.com>

...

> diff --git a/Documentation/x86/amd-memory-encryption.rst b/Documentation/x86/amd-memory-encryption.rst
> index a1940ebe7be5..b8b6b87be995 100644
> --- a/Documentation/x86/amd-memory-encryption.rst
> +++ b/Documentation/x86/amd-memory-encryption.rst
> @@ -95,3 +95,38 @@ by supplying mem_encrypt=on on the kernel command line.  However, if BIOS does
>  not enable SME, then Linux will not be able to activate memory encryption, even
>  if configured to do so by default or the mem_encrypt=on command line parameter
>  is specified.
> +
> +Secure Nested Paging (SNP):

No ":"

> +===========================

<---- newline here.

> +SEV-SNP introduces new features (SEV_FEATURES[1:63]) which can be enabled
> +by the hypervisor for security enhancements. Some of these features need
> +guest side implementation to function correctly. The below table lists the
> +expected guest behavior with various possible scenarios of guest/hypervisor
> +SNP feature support.
> +
> ++---------------+---------------+---------------+---------------+
> +|Feature Enabled|  Guest needs  |   Guest has   |  Guest boot   |
> +|     by HV     |implementation |implementation |   behavior    |
> ++---------------+---------------+---------------+---------------+
> +|      No       |      No       |      No       |     Boot      |
> +|               |               |               |               |
> ++---------------+---------------+---------------+---------------+
> +|      No       |      Yes      |      No       |     Boot      |
> +|               |               |               |               |
> ++---------------+---------------+---------------+---------------+
> +|      No       |      Yes      |      Yes      |     Boot      |
> +|               |               |               |               |
> ++---------------+---------------+---------------+---------------+
> +|      Yes      |      No       |      No       |   Boot with   |
> +|               |               |               |feature enabled|
> ++---------------+---------------+---------------+---------------+
> +|      Yes      |      Yes      |      No       | Graceful Boot |
> +|               |               |               |    Failure    |
> ++---------------+---------------+---------------+---------------+
> +|      Yes      |      Yes      |      Yes      |   Boot with   |
> +|               |               |               |feature enabled|
> ++---------------+---------------+---------------+---------------+

sphinx is not happy about that table for some reason. I always find the error
messages cryptic though:

Documentation/x86/amd-memory-encryption.rst:110: WARNING: Block quote ends without a blank line; unexpected unindent.
Documentation/x86/amd-memory-encryption.rst:110: WARNING: Block quote ends without a blank line; unexpected unindent.
Documentation/x86/amd-memory-encryption.rst:122: WARNING: Block quote ends without a blank line; unexpected unindent.
Documentation/x86/amd-memory-encryption.rst:128: WARNING: Block quote ends without a blank line; unexpected unindent.

You can repro by doing "make htmldocs".

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette