Re: [Part1 PATCH v5 02/17] x86/mm: Add Secure Encrypted Virtualization (SEV) support

[Brijesh Singh]

Hi Boris,

On 09/28/2017 04:02 AM, Borislav Petkov wrote:
...

> > +bool sev_active(void)
> > +{
> > +	return sme_me_mask && sev_enabled;
>
> What I'm still missing is the chicken bit. I.e., to be able to boot with
> "mem_encrypt=smeonly" or so, which disables the SEV side but can still
> allow SME. For when SEV has issues and people want to disable it.


Let me understand the ask, are you saying that we need a method to disable the SEV
feature from the host OS so that Hypervisor will not be able to create a SEV guest?
Because once a guest is booted with SEV feature, there is no way to disable the SEV
feature from the guest.

i.e if "mem_encrypt=smeonly" is set then we clear X86_FEATURE_SEV capability flag
defined in [1].

[1] https://marc.info/?l=linux-kernel&m=150585470323923&w=2


> You can do the patch ontop of those and send it as a reply to this
> thread - no need to wait to resend the whole thing again.