From: Sean Christopherson <seanjc@google.com>
To: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Nikunj A Dadhania <nikunj@amd.com>,
pbonzini@redhat.com, kvm@vger.kernel.org,
santosh.shukla@amd.com
Subject: Re: [PATCH] KVM: SVM: Add module parameter to control SEV-SNP Secure TSC feature
Date: Wed, 29 Oct 2025 09:52:36 -0700 [thread overview]
Message-ID: <aQJGVDSQruEooAE5@google.com> (raw)
In-Reply-To: <0a327c8d-c8a2-4b73-9231-bc5201e36e1e@amd.com>
On Wed, Oct 29, 2025, Tom Lendacky wrote:
> On 10/29/25 08:58, Sean Christopherson wrote:
> > On Wed, Oct 29, 2025, Nikunj A Dadhania wrote:
> >> Add a module parameter secure_tsc to allow control of the SEV-SNP Secure
> >> TSC feature at module load time, providing administrators with the ability
> >> to disable Secure TSC support even when the hardware and kernel support it.
> >
> > Why?
>
> That's on me. Based on the debug_swap parameter I thought we wanted to
> be able to control all SEV features that are advertised and thought this
> was just missed for Secure TSC. I'm good with not adding it we don't
> need to do that.
DebugSwap was one big mistake. At this point, I think we can and should rip out
its module param.
Commit d1f85fbe836e ("KVM: SEV: Enable data breakpoints in SEV-ES") goofed by not
adding a way for the userspace VMM to control the feature. Functionally, that was
fine, but it broke attestation signatures because SEV_FEATURES are included in the
signature.
Commit 5abf6dceb066 ("SEV: disable SEV-ES DebugSwap by default") fixed that issue,
but the underlying flaw of userspace not having a way to control SEV_FEATURES was
still there.
That flaw was addressed by commit 4f5defae7089 ("KVM: SEV: introduce KVM_SEV_INIT2
operation"), and so then 4dd5ecacb9a4 ("KVM: SEV: allow SEV-ES DebugSwap again")
re-enabled DebugSwap by default.
Now that the dust is settled, the module param doesn't serve any meaningful purpose.
prev parent reply other threads:[~2025-10-29 16:52 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-29 5:57 [PATCH] KVM: SVM: Add module parameter to control SEV-SNP Secure TSC feature Nikunj A Dadhania
2025-10-29 13:18 ` Tom Lendacky
2025-10-29 13:58 ` Sean Christopherson
2025-10-29 15:38 ` Tom Lendacky
2025-10-29 16:52 ` Sean Christopherson [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aQJGVDSQruEooAE5@google.com \
--to=seanjc@google.com \
--cc=kvm@vger.kernel.org \
--cc=nikunj@amd.com \
--cc=pbonzini@redhat.com \
--cc=santosh.shukla@amd.com \
--cc=thomas.lendacky@amd.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.