Date: Thu, 4 Apr 2024 19:07:26 +0200
X-Mailing-List: linux-kernel@vger.kernel.org
Subject: Re: [PATCH 5/5] x86/CPU/AMD: Track SNP host status with cc_platform_*()
From: Jeremi Piotrowski
To: Borislav Petkov
Cc: X86 ML, LKML, KVM, Ashish Kalra, Joerg Roedel, Michael Roth, Tom Lendacky
In-Reply-To: <20240328153914.GBZgWPIvLT6EXAPJci@fat_crate.local>

On 28/03/2024 16:39, Borislav Petkov wrote:
> On Thu, Mar 28, 2024 at 03:24:29PM +0100, Jeremi Piotrowski wrote:
>> It's not but if you set it before the check it will be set for all AMD
>> systems, even if they are neither CC hosts nor CC guests.
>
> That a problem?
>

No problem now but I did find it odd that cc_vendor will now always be set for AMD but
not for Intel. For Intel the various checks would automatically return true. Something
to look out for in the future when adding CC_ATTR's - no one can assume that the checks
will only run when actively dealing with confidential computing.

> It is under a CONFIG_ARCH_HAS_CC_PLATFORM...
>
>> To leave open the possibility of an SNP hypervisor running nested.
>
> But !CC_ATTR_GUEST_SEV_SNP doesn't mean that. It means it is not
> a SEV-SNP guest.
>
>> I thought you wanted to filter out SEV-SNP guests, which also have
>> X86_FEATURE_SEV_SNP CPUID bit set.
>
> I want to run snp_probe_rmptable_info() only on baremetal where it makes
> sense.
>
>> My understanding is that these are the cases:
>>
>> CPUID(SEV_SNP) | MSR(SEV_SNP)     | what am I
>> ---------------------------------------------
>> set            | set              | SNP-guest
>> set            | unset            | SNP-host
>> unset          | ??               | not SNP
>
> So as you can see, we can't use X86_FEATURE_SEV_SNP for anything due to
> the late disable need. So we should be moving away from it.
>

I see your point about the disable needing to happen late - but then how about we remove
the setup_clear_cpu_cap(X86_FEATURE_SEV_SNP) too? No code depends on it any more and it would
help my cause as well.

> So we need a test for "am I a nested SNP hypervisor?"
>
> So, can your thing clear X86_FEATURE_HYPERVISOR and thus "emulate"
> baremetal?
>

Can't do that... it is a VM and hypervisor detection and various paravirt interfaces depend
on X86_FEATURE_HYPERVISOR.
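
The CPUID/MSR table quoted in the message above, worked through on raw register values together with the hypervisor bit the thread ends on. This is an added example, not code from the patch series or the kernel; the function and enum names are hypothetical, and the bit positions (CPUID Fn8000_001F EAX[4], MSR C001_0131 bit 2, CPUID Fn0000_0001 ECX[31]) are not stated in the thread and are assumed from the AMD architecture definitions.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed bit positions (not on the page), per AMD architecture definitions. */
#define CPUID_8000001F_EAX_SNP (1u << 4)   /* CPUID(SEV_SNP) in the table      */
#define SEV_STATUS_SNP_ACTIVE  (1ull << 2) /* MSR(SEV_SNP) in the table        */
#define CPUID_1_ECX_HYPERVISOR (1u << 31)  /* running under some hypervisor    */

enum snp_role { NOT_SNP, SNP_GUEST, SNP_HOST_BAREMETAL, SNP_HOST_NESTED };

/* Hypothetical helper: classify a system from three raw register values. */
enum snp_role snp_classify(uint32_t eax_8000001f, uint64_t sev_status,
                           uint32_t ecx_1)
{
    /* Row "unset | ??": without the CPUID bit the MSR value is not consulted. */
    if (!(eax_8000001f & CPUID_8000001F_EAX_SNP))
        return NOT_SNP;
    /* Row "set | set": SNP is active for this VM, so it is a guest. */
    if (sev_status & SEV_STATUS_SNP_ACTIVE)
        return SNP_GUEST;
    /* Row "set | unset": an SNP host. CPUID and the MSR look identical on
     * baremetal and in a nested SNP hypervisor; only the hypervisor bit
     * differs, which is why it cannot be cleared to "emulate" baremetal. */
    return (ecx_1 & CPUID_1_ECX_HYPERVISOR) ? SNP_HOST_NESTED
                                            : SNP_HOST_BAREMETAL;
}

const char *snp_role_name(enum snp_role r)
{
    static const char *const names[] = {
        "not SNP", "SNP guest", "SNP host (baremetal)", "SNP host (nested)"
    };
    return names[r];
}

int main(void)
{
    /* Constructed sample register values, not captured from real hardware. */
    struct { uint32_t eax; uint64_t msr; uint32_t ecx; } s[] = {
        { 0x10, 0x7, 0x80000000u }, /* guest: SEV, SEV-ES, SNP all active */
        { 0x10, 0x0, 0x00000000u }, /* baremetal host                     */
        { 0x10, 0x0, 0x80000000u }, /* host running as a VM               */
        { 0x00, 0x7, 0x00000000u }, /* no CPUID bit: MSR value ignored    */
    };
    for (size_t i = 0; i < sizeof(s) / sizeof(s[0]); i++)
        printf("%s\n", snp_role_name(snp_classify(s[i].eax, s[i].msr, s[i].ecx)));
    return 0;
}
```
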