Date: Mon, 22 May 2023 15:35:05 +0200
From: Joerg Roedel
To: Ard Biesheuvel
Cc: Tom Lendacky, linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org, Evgeniy Baskov, Borislav Petkov, Andy Lutomirski, Dave Hansen, Ingo Molnar, Peter Zijlstra, Thomas Gleixner, Alexey Khoroshilov, Peter Jones, Gerd Hoffmann, Dave Young, Mario Limonciello, Kees Cook, "Kirill A . Shutemov", Linus Torvalds
Subject: Re: [PATCH v2 17/20] x86: efistub: Check SEV/SNP support while running in the firmware
References: <20230508070330.582131-1-ardb@kernel.org> <20230508070330.582131-18-ardb@kernel.org>

On Mon, May 22, 2023 at 03:07:12PM +0200, Ard Biesheuvel wrote:
> So IIUC, we could just read sev_status much earlier just to perform
> the SNP feature check, and fail the boot gracefully on a mismatch. And
> the sev_enable() call needs to move after ExitBootServices(), right?

Right, sev_enable() negotiates the GHCB protocol version, which needs
the GHCB MSR, so that has to stay after ExitBootServices(). The SEV
feature check on the other side only needs to read the sev-status MSR,
which is no problem before ExitBootServices() (as long as it is only
read on SEV platforms).

> That would result in only very minor duplication, afaict. I'll have a
> stab at implementing this for v4.

Thanks,

-- 
Jörg Rödel
jroedel@suse.de

SUSE Software Solutions Germany GmbH
Frankenstraße 146
90461 Nürnberg
Germany

(HRB 36809, AG Nürnberg)
Managing Directors: Ivo Totev, Andrew Myers, Andrew McDonald, Boudien Moerman
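
The split discussed in this message, as an added userspace sketch that is not code from the patch series or the kernel: the early check reads only the SEV status value, and only on an SEV platform, so it can fail the boot gracefully before ExitBootServices(). The macro and function names, the CPUID-based gating, the bit positions and the "required" and "present" feature sets are assumptions of this sketch.

```c
#include <stdbool.h>
#include <stdint.h>

/* Bit positions assumed for the SEV status MSR (sketch names, not kernel names). */
#define SEV_ENABLED        (1ULL << 0)
#define SEV_SNP_ENABLED    (1ULL << 2)
#define SNP_VTOM           (1ULL << 3)
#define SNP_REFLECT_VC     (1ULL << 4)
#define SNP_RESTRICTED_INJ (1ULL << 5)

/* Assumption: features that need explicit guest support, and the subset
 * this hypothetical guest implements. */
#define SNP_IMPL_REQ (SNP_VTOM | SNP_REFLECT_VC | SNP_RESTRICTED_INJ)
#define SNP_PRESENT  (SNP_REFLECT_VC)

/* Constructed stand-in for the hardware; real code would use CPUID and RDMSR. */
struct platform {
    bool cpuid_sev;       /* platform reports SEV support */
    uint64_t sev_status;  /* value the status MSR would return */
    int msr_reads;        /* counts reads, to make the gating observable */
};

static uint64_t read_sev_status(struct platform *p)
{
    p->msr_reads++;
    return p->sev_status;
}

/* Non-zero result: SNP features enabled for the guest that it does not implement. */
static uint64_t snp_unsupported(uint64_t status)
{
    if (!(status & SEV_SNP_ENABLED))
        return 0;
    return status & SNP_IMPL_REQ & ~SNP_PRESENT;
}

enum boot_result { BOOT_OK, BOOT_FAIL_GRACEFUL };

/* Runs while boot services are still available. It touches only the status
 * MSR, never the GHCB MSR; protocol negotiation stays after ExitBootServices(). */
enum boot_result pre_exit_boot_services_check(struct platform *p)
{
    if (!p->cpuid_sev)
        return BOOT_OK;             /* never read the MSR on non-SEV hardware */
    if (snp_unsupported(read_sev_status(p)))
        return BOOT_FAIL_GRACEFUL;  /* firmware can still report the mismatch */
    return BOOT_OK;
}
```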