From: "Pratik R. Sampat" <prsampat@amd.com>
To: Tycho Andersen <tycho@kernel.org>
Cc: ashish.kalra@amd.com, thomas.lendacky@amd.com,
john.allen@amd.com, herbert@gondor.apana.org.au,
davem@davemloft.net, linux-crypto@vger.kernel.org,
linux-kernel@vger.kernel.org, aik@amd.com, nikunj@amd.com,
michael.roth@amd.com
Subject: Re: [RFC v2] crypto/ccp: Introduce SNP_VERIFY_MITIGATION command
Date: Mon, 11 May 2026 12:21:35 -0400 [thread overview]
Message-ID: <a15e8eaf-c0fd-44ea-ac5d-9a6bc8b97312@amd.com> (raw)
In-Reply-To: <agHl3ow90IdKTS72@tycho.pizza>
On 5/11/26 10:25 AM, Tycho Andersen wrote:
> On Fri, May 08, 2026 at 05:10:52PM -0400, Pratik R. Sampat wrote:
>> Hi Tycho,
>>
>> Missed this one in my mailbox. Thanks for the review!
>>
>> On 5/4/26 10:32 AM, Tycho Andersen wrote:
>>> On Fri, May 01, 2026 at 11:20:51AM -0400, Pratik R. Sampat wrote:
>>>> - failed_status (read-only): firmware-reported failure status from the
>>>> last operation, as returned alongside the status vectors
>>>
>>> "from the last operation" is not quite right here, it looks like it
>>> re-runs the STATUS command and reports that error?
>>
>> That is correct. It runs the STATUS command and reports the status of the
>> verification operation. Probably better to phrase it as the "last verification
>> operation" instead?
>
> Hmm, I'm not sure what you mean here. The FW spec 1.58 table 132 says:
>
> Command to request the firmware to return information regarding the
> currently supported (available) mitigations, and then the verified
> (processed and completed) mitigations. If DST_PADDR_EN is set,
> DST_PADDR will be populated with the SNP_VERIFY_MITIGATION_DST_PADDR
> structure.
>
> so I don't think it has anything to do with the last VERIFY operation?
>
Right, I had missed that. Table 133 says failure_status is the status of the
verification operation. It also looks like calling STATUS repopulates
SNP_VERIFY_MITIGATION_DST_PADDR anyway.
I am not keen on caching the result either though. For simplicity, we could just
drop the failed_status interface, log failure_status with pr_[err|warn](), and
return -EIO?
> The spec is a bit messy here, though. Table 131 mentions a
> MIT_REQ_CHECK operation, which I assume should really be _STATUS. It
> describes what the output VECTOR should be for VERIFY in table 131,
> but not what it is for STATUS. Table 132 suggests the output VECTOR is
> the list of supported mitigations, which matches what I was seeing
> when I played with this.
>
That is a good catch! We should get that changed in spec.
--Pratik
next prev parent reply other threads:[~2026-05-11 16:21 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-01 15:20 [RFC v2] crypto/ccp: Introduce SNP_VERIFY_MITIGATION command Pratik R. Sampat
2026-05-04 14:32 ` Tycho Andersen
2026-05-08 21:10 ` Pratik R. Sampat
2026-05-11 14:25 ` Tycho Andersen
2026-05-11 16:21 ` Pratik R. Sampat [this message]
2026-05-11 16:52 ` Tycho Andersen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=a15e8eaf-c0fd-44ea-ac5d-9a6bc8b97312@amd.com \
--to=prsampat@amd.com \
--cc=aik@amd.com \
--cc=ashish.kalra@amd.com \
--cc=davem@davemloft.net \
--cc=herbert@gondor.apana.org.au \
--cc=john.allen@amd.com \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=michael.roth@amd.com \
--cc=nikunj@amd.com \
--cc=thomas.lendacky@amd.com \
--cc=tycho@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox