From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.158.5]) by mx.groups.io with SMTP id smtpd.web08.272.1635861237518339351 for ; Tue, 02 Nov 2021 06:53:57 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@ibm.com header.s=pp1 header.b=SDszP/xi; spf=pass (domain: linux.ibm.com, ip: 148.163.158.5, mailfrom: dovmurik@linux.ibm.com) Received: from pps.filterd (m0098416.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.1.2/8.16.1.2) with SMTP id 1A2CLitx031894; Tue, 2 Nov 2021 13:53:53 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=message-id : date : mime-version : subject : to : cc : references : from : in-reply-to : content-type : content-transfer-encoding; s=pp1; bh=4OiLDHfcvjaZHIuM3iShS8m72plVI1z5FDyF8BhCVxI=; b=SDszP/xi3zaev4jNJ6yMEZFc/z1jINxXCat4if4fPEnOVRZ1eFBV07jdHxywOhU5BYpZ uSyjVafkUVbeYVfjQ0aU8HoxUqbi9NVa5Zwli7zTIoDzDg1kpjqr3lHnhlNvXPfu9gHj TtR6Ic02l09xfxsURoo3Uiquswoh1qvRGFWNsG9oQsfkCQfCbTSXgjLmcKTLA8911yYI wzKKQC5NN+8HYUSDWmCj67+/FafZpTqXGva/hroeFZO0ooYuJly6cXRLOxnw3vgGfmI3 2g2CvW/bpjrYvNA0CPhvQzJpNcUtO5WBMIl3CGHIpNLhnc8LYA5qNGfB5wjvKkGtKgyT uQ== Received: from pps.reinject (localhost [127.0.0.1]) by mx0b-001b2d01.pphosted.com with ESMTP id 3c35942787-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 02 Nov 2021 13:53:53 +0000 Received: from m0098416.ppops.net (m0098416.ppops.net [127.0.0.1]) by pps.reinject (8.16.0.43/8.16.0.43) with SMTP id 1A2DolnB019698; Tue, 2 Nov 2021 13:53:53 GMT Received: from ppma02dal.us.ibm.com (a.bd.3ea9.ip4.static.sl-reverse.com [169.62.189.10]) by mx0b-001b2d01.pphosted.com with ESMTP id 3c3594277s-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 02 Nov 2021 13:53:53 +0000 Received: from pps.filterd (ppma02dal.us.ibm.com [127.0.0.1]) by ppma02dal.us.ibm.com (8.16.1.2/8.16.1.2) with SMTP id 1A2Dgs9o010258; Tue, 2 Nov 2021 13:53:52 GMT Received: from b01cxnp22036.gho.pok.ibm.com (b01cxnp22036.gho.pok.ibm.com [9.57.198.26]) by ppma02dal.us.ibm.com with ESMTP id 3c22ts1pak-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 02 Nov 2021 13:53:52 +0000 Received: from b01ledav002.gho.pok.ibm.com (b01ledav002.gho.pok.ibm.com [9.57.199.107]) by b01cxnp22036.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 1A2Droug16515394 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 2 Nov 2021 13:53:50 GMT Received: from b01ledav002.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id CA5E912405C; Tue, 2 Nov 2021 13:53:50 +0000 (GMT) Received: from b01ledav002.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 6D9AC12405B; Tue, 2 Nov 2021 13:53:48 +0000 (GMT) Received: from [9.65.202.213] (unknown [9.65.202.213]) by b01ledav002.gho.pok.ibm.com (Postfix) with ESMTP; Tue, 2 Nov 2021 13:53:48 +0000 (GMT) Message-ID: Date: Tue, 2 Nov 2021 15:53:47 +0200 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.2.1 Subject: Re: [PATCH 1/2] OvmfPkg/OvmfPkgX64: Add SEV launch secret and hashes table areas to MEMFD To: Gerd Hoffmann , James Bottomley Cc: devel@edk2.groups.io, Brijesh Singh , Ard Biesheuvel , Jordan Justen , Erdem Aktas , Jiewen Yao , Min Xu , Tom Lendacky , Dov Murik References: <20211102073422.340858-1-dovmurik@linux.ibm.com> <20211102073422.340858-2-dovmurik@linux.ibm.com> <20211102100347.ulf4mt4fwjrsbaud@sirius.home.kraxel.org> <07819666-8465-6e46-7e07-a99b1b793073@linux.ibm.com> <20211102132954.5q2dxrbrz77fcdao@sirius.home.kraxel.org> From: "Dov Murik" In-Reply-To: <20211102132954.5q2dxrbrz77fcdao@sirius.home.kraxel.org> X-TM-AS-GCONF: 00 X-Proofpoint-GUID: zSkqIwuCH6isqFSqSoVT084rAOgvntIu X-Proofpoint-ORIG-GUID: KeEtI6AYtMRxvy5xpLdI9HpLxxXIGI6P X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.182.1,Aquarius:18.0.790,Hydra:6.0.425,FMLib:17.0.607.475 definitions=2021-11-02_08,2021-11-02_01,2020-04-07_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 malwarescore=0 impostorscore=0 priorityscore=1501 mlxscore=0 suspectscore=0 clxscore=1015 lowpriorityscore=0 phishscore=0 bulkscore=0 adultscore=0 mlxlogscore=999 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2110150000 definitions=main-2111020080 Content-Language: en-US Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit On 02/11/2021 15:29, Gerd Hoffmann wrote: > Hi, > >>> I'm wondering whenever you actually tried to boot a sev guest >>> in microvm? >> >> No I haven't tried. Do you want Microvm to be able to boot SEV guests, >> or do you intentionally want to keep functionality out so it stays small? > > Need to look at it on a case by case base. It is clearly not a > priority, but if it makes sense we can discuss adding it. > > microvm has no support for SMM mode, and that is unlikely to change, > so anything requiring SMM mode is not going to work, thats why I dropped > SMM + secure boot + TPM bits for the initial patch series. > > Having support for tpm makes sense even without secure boot, so we might > bring that back, but it'll also require some (small) changes on the host > side so qemu allows creating a tpm, generates acpi tables for the tpm etc. > > Does SEV need and/or use SMM mode? Looking through AmdSevX64.dsc > doesn't give a clear answer, on one hand there is a > LibraryClasses.common.SMM_CORE section, but on the other hand it uses > the non-SMM variable driver stack. I think SEV doesn't work with SMM. James - can you please give a more definitive answer here? -Dov