From: "Roger Pau Monné" <roger.pau@citrix.com>
To: Teddy Astie <teddy.astie@vates.tech>
Cc: xen-devel@lists.xenproject.org,
Andrew Cooper <andrew.cooper3@citrix.com>,
Anthony PERARD <anthony.perard@vates.tech>,
Michal Orzel <michal.orzel@amd.com>,
Jan Beulich <jbeulich@suse.com>, Julien Grall <julien@xen.org>,
Stefano Stabellini <sstabellini@kernel.org>
Subject: Re: [RFC PATCH] pvh: Introduce SIF_HVM_GHCB for SEV-ES/SNP guests
Date: Thu, 8 Jan 2026 18:44:11 +0100
Message-ID: <aV_s6ySoXU-G7Gno@Mac.lan>
In-Reply-To: <0c9c1dbb-28e1-479b-a680-e99150b3f0da@vates.tech>

On Thu, Jan 08, 2026 at 04:50:51PM +0000, Teddy Astie wrote:
> On 28/12/2025 at 13:54, Teddy Astie wrote:
> > Under SEV, the pagetables need to be post-processed to add the C-bit
> > (to make the mapping encrypted). The guest is expected to query the C-bit
> > through CPUID. However, under SEV-ES and SEV-SNP modes, this instruction
> > now triggers #VC instead. The guest would need to set up an IDT very early
> > and instead use the early-GHCB protocol to emulate CPUID, which is
> > complicated.

Possibly a stupid question, but how is this information expected to
be propagated to the guest when there's a guest firmware and
bootloader in use?

How are OVMF and/or grub propagating this information between
themselves and to Linux?

Are they relying on the CPUID discovery logic mentioned above, or
is there some shadow infra used by KVM for example to already convey
it?

Adding Xen side-channels when there's an architecturally defined way to
obtain the information is a duplication of interfaces, and could lead
to issues in the long run. We cannot possibly be adding all vendor
SEV options to SIF_ flags just because they are cumbersome to fetch.
I know this is just one right now, but we don't know whether more of
those CPUID options would be needed at the start of day in the future.

> > ## AP startup ##
> >
> > AP startup can be performed using hypercalls or the local APIC if present.
> > diff --git a/xen/include/public/xen.h b/xen/include/public/xen.h
> > index 7f15204c38..9b84df573b 100644
> > --- a/xen/include/public/xen.h
> > +++ b/xen/include/public/xen.h
> > @@ -890,6 +890,8 @@ typedef struct start_info start_info_t;
> > #define SIF_MOD_START_PFN (1<<3) /* Is mod_start a PFN? */
> > #define SIF_VIRT_P2M_4TOOLS (1<<4) /* Do Xen tools understand a virt. mapped */
> > /* P->M making the 3 level tree obsolete? */
> > +#define SIF_HVM_GHCB (1<<5) /* Domain is SEV-ES/SNP guest that requires */
> > + /* use of GHCB. */
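
Review bot: the comment on the added `SIF_HVM_GHCB` define says only that the domain "requires use of GHCB"; it does not state what a guest may rely on when bit 5 is set or when it is clear. Since this lands in xen/include/public/xen.h, the bit is guest-visible ABI once allocated, so the comment should spell out the contract (for instance that CPUID raises #VC and must be emulated through the GHCB protocol) and say whether the flag is meant to be sufficient for the page-table post-processing the commit message gives as motivation, given that the flag itself does not carry the C-bit position.
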
A concern I have with this is that we are adding vendor-specific
terminology to what should otherwise be a vendor-agnostic interface.
There's already a fair amount of arch-specific information encoded in
there, so maybe not that much of a big deal.
Thanks, Roger.
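
An added example, not part of this message or of the patch under review: the C-bit lookup and page-table post-processing that the quoted commit message describes. The CPUID leaf 0x8000001F register values are passed in as constructed data rather than read with CPUID, the struct and function names are hypothetical, and it assumes every present entry maps private (encrypted) memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* EAX/EBX as returned by CPUID leaf 0x8000001F (AMD encrypted memory
 * capabilities). Taken as data: under SEV-ES/SNP executing CPUID is
 * exactly what raises #VC. Struct and function names are hypothetical. */
struct sev_leaf { uint32_t eax, ebx; };

#define SEV_LEAF_EAX_SEV    (1u << 1)    /* EAX[1]: SEV supported */
#define SEV_LEAF_EBX_CBIT   0x3fu        /* EBX[5:0]: C-bit position in a PTE */
#define PTE_PRESENT         (1ull << 0)

/* PTE mask for the C-bit, or 0 when the leaf does not report SEV. */
uint64_t sev_cbit_mask(const struct sev_leaf *l)
{
    if (!(l->eax & SEV_LEAF_EAX_SEV))
        return 0;
    return 1ull << (l->ebx & SEV_LEAF_EBX_CBIT);
}

/* Post-process one page-table page: set the C-bit on every present entry.
 * Assumes all present entries map private (encrypted) memory.
 * Returns how many entries were changed; a zero mask changes nothing. */
size_t pt_set_cbit(uint64_t *table, size_t nr, uint64_t cbit)
{
    size_t changed = 0;

    if (!cbit)
        return 0;
    for (size_t i = 0; i < nr; i++) {
        if ((table[i] & PTE_PRESENT) && !(table[i] & cbit)) {
            table[i] |= cbit;
            changed++;
        }
    }
    return changed;
}

int main(void)
{
    /* Constructed sample: SEV, SEV-ES and SEV-SNP bits set, C-bit at 51. */
    const struct sev_leaf sample = { .eax = 0x1a, .ebx = 51 };
    uint64_t pt[4] = { 0x1000 | PTE_PRESENT, 0, 0x2000 | PTE_PRESENT, 0x3000 };
    size_t n = pt_set_cbit(pt, 4, sev_cbit_mask(&sample));

    printf("C-bit mask %#llx, %zu entries updated\n",
           (unsigned long long)sev_cbit_mask(&sample), n);
    return 0;
}
```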