Date: Fri, 20 Jan 2023 13:43:50 +0100
From: Jörg Rödel
To: Borislav Petkov
Cc: Peter Zijlstra, x86@kernel.org, Joan Bruguera, linux-kernel@vger.kernel.org, Juergen Gross, "Rafael J. Wysocki", xen-devel, Jan Beulich, Roger Pau Monne, Kees Cook, mark.rutland@arm.com, Andrew Cooper, "H. Peter Anvin"
Subject: Re: [PATCH v2 2/7] x86/boot: Delay sev_verify_cbit() a bit
References: <20230116142533.905102512@infradead.org> <20230116143645.649204101@infradead.org>

On Thu, Jan 19, 2023 at 02:18:47PM +0100, Borislav Petkov wrote:
> So, can we do that C-bit verification once on the BSP, *in C* which would be a
> lot easier, and be done with it?
>
> Once it is verified there, the bit is the same on all APs so all good.

Yes, I think this is safe to do. The page-table the APs will use to boot
already has the correct C-bit set, and the position is verified on the
BSP. Further, the C-bit position is a hardware capability and there is
no chance the APs will have it at a different position than the BSP.

Even if the HV is lying to the VM by faking CPUID on the APs it wouldn't
matter, because the position is not read again on the APs.

Regards,

Joerg