From: "Lendacky, Thomas" <thomas.lendacky@amd.com>
To: Dov Murik <dovmurik@linux.ibm.com>,
Gerd Hoffmann <kraxel@redhat.com>,
James Bottomley <jejb@linux.ibm.com>
Cc: devel@edk2.groups.io, Brijesh Singh <brijesh.singh@amd.com>,
Ard Biesheuvel <ardb+tianocore@kernel.org>,
Jordan Justen <jordan.l.justen@intel.com>,
Erdem Aktas <erdemaktas@google.com>,
Jiewen Yao <jiewen.yao@intel.com>, Min Xu <min.m.xu@intel.com>
Subject: Re: [PATCH 1/2] OvmfPkg/OvmfPkgX64: Add SEV launch secret and hashes table areas to MEMFD
Date: Tue, 2 Nov 2021 09:11:07 -0500
Message-ID: <5f3cbabe-9a50-662a-16d9-09a1d04a3542@amd.com>
In-Reply-To: <f72120e6-8854-0e52-5b4d-aadd6fed8c5a@linux.ibm.com>
On 11/2/21 8:53 AM, Dov Murik wrote:
>
>
> On 02/11/2021 15:29, Gerd Hoffmann wrote:
>> Hi,
>>
>>>> I'm wondering whether you actually tried to boot a sev guest
>>>> in microvm?
>>>
>>> No I haven't tried. Do you want Microvm to be able to boot SEV guests,
>>> or do you intentionally want to keep functionality out so it stays small?
>>
>> Need to look at it on a case by case base. It is clearly not a
>> priority, but if it makes sense we can discuss adding it.
>>
>> microvm has no support for SMM mode, and that is unlikely to change,
>> so anything requiring SMM mode is not going to work, that's why I dropped
>> SMM + secure boot + TPM bits for the initial patch series.
>>
>> Having support for tpm makes sense even without secure boot, so we might
>> bring that back, but it'll also require some (small) changes on the host
>> side so qemu allows creating a tpm, generates acpi tables for the tpm etc.
>>
>> Does SEV need and/or use SMM mode? Looking through AmdSevX64.dsc
>> doesn't give a clear answer, on one hand there is a
>> LibraryClasses.common.SMM_CORE section, but on the other hand it uses
>> the non-SMM variable driver stack.
>
> I think SEV doesn't work with SMM. James - can you please give a more
> definitive answer here?
SEV works with SMM, but SEV-ES (and likely SEV-SNP) doesn't work with SMM
because of the fact that the hypervisor wants to change the guest register
state to enter SMM, which isn't allowed and results in a VMRUN failure.
It might be possible to get SMM to work by having separate VMSAs for the
SMM state, but it is not anything that really has been investigated too
deeply.
Thanks,
Tom
>
> -Dov
>