RE: [Patch v4 01/13] x86/ioapic: Gate decrypted mapping on cc_platform_has() attribute

From: Michael Kelley (LINUX)
Date: Tue Dec 06 2022 - 14:54:15 EST

Next message: Michal Hocko: "Re: [PATCH v3] [mm-unstable] mm: Fix memcg reclaim on memory tiered systems"
Previous message: Jakub Kicinski: "Re: [PATCH AUTOSEL 6.0 09/13] net: loopback: use NET_NAME_PREDICTABLE for name_assign_type"
In reply to: Borislav Petkov: "Re: [Patch v4 01/13] x86/ioapic: Gate decrypted mapping on cc_platform_has() attribute"
Next in thread: Sathyanarayanan Kuppuswamy: "Re: [Patch v4 01/13] x86/ioapic: Gate decrypted mapping on cc_platform_has() attribute"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Borislav Petkov <bp@xxxxxxxxx> Sent: Tuesday, December 6, 2022 11:23 AM
>
> On Thu, Dec 01, 2022 at 07:30:19PM -0800, Michael Kelley wrote:
> > Current code always maps the IO-APIC as shared (decrypted) in a
> > confidential VM. But Hyper-V guest VMs on AMD SEV-SNP with vTOM
> > enabled use a paravisor running in VMPL0 to emulate the IO-APIC.
> > In such a case, the IO-APIC must be accessed as private (encrypted).
>
> Lemme see I understand this correctly:
>
> the paravisor is emulating the IO-APIC in the lower range of the address
> space, under the vTOM which is accessed encrypted.
>
> That's why you need to access it encrypted in the guest.
>
> Close?
>

Exactly correct.

Michael

Next message: Michal Hocko: "Re: [PATCH v3] [mm-unstable] mm: Fix memcg reclaim on memory tiered systems"
Previous message: Jakub Kicinski: "Re: [PATCH AUTOSEL 6.0 09/13] net: loopback: use NET_NAME_PREDICTABLE for name_assign_type"
In reply to: Borislav Petkov: "Re: [Patch v4 01/13] x86/ioapic: Gate decrypted mapping on cc_platform_has() attribute"
Next in thread: Sathyanarayanan Kuppuswamy: "Re: [Patch v4 01/13] x86/ioapic: Gate decrypted mapping on cc_platform_has() attribute"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]