From: "Kalra, Ashish" <ashish.kalra@amd.com>
To: Kim Phillips <kim.phillips@amd.com>,
Tom Lendacky <thomas.lendacky@amd.com>,
corbet@lwn.net, seanjc@google.com, pbonzini@redhat.com,
tglx@linutronix.de, mingo@redhat.com, bp@alien8.de,
dave.hansen@linux.intel.com, x86@kernel.org, hpa@zytor.com,
john.allen@amd.com, herbert@gondor.apana.org.au,
davem@davemloft.net, akpm@linux-foundation.org,
rostedt@goodmis.org, paulmck@kernel.org
Cc: nikunj@amd.com, Neeraj.Upadhyay@amd.com, aik@amd.com,
ardb@kernel.org, michael.roth@amd.com, arnd@arndb.de,
linux-doc@vger.kernel.org, linux-crypto@vger.kernel.org,
linux-kernel@vger.kernel.org, kvm@vger.kernel.org
Subject: Re: [PATCH v7 7/7] KVM: SEV: Add SEV-SNP CipherTextHiding support
Date: Tue, 12 Aug 2025 13:29:13 -0500 [thread overview]
Message-ID: <9b0f1a56-7b8f-45ce-9219-3489faedb06c@amd.com> (raw)
In-Reply-To: <a6864a2c-b88f-4639-bf66-0b0cfbc5b20c@amd.com>
On 8/12/2025 11:45 AM, Kim Phillips wrote:
> On 8/12/25 9:40 AM, Kalra, Ashish wrote:
>> On 8/12/2025 7:06 AM, Kim Phillips wrote:
>>> arch/x86/kvm/svm/sev.c | 47 ++++++++++++++++++-----------------------------
>>> 1 file changed, 18 insertions(+), 29 deletions(-)
>>>
>>> diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
>>> index 7ac0f0f25e68..57c6e4717e51 100644
>>> --- a/arch/x86/kvm/svm/sev.c
>>> +++ b/arch/x86/kvm/svm/sev.c
>>> @@ -2970,42 +2970,29 @@ static bool is_sev_snp_initialized(void)
>>>
>>> static bool check_and_enable_sev_snp_ciphertext_hiding(void)
>>> {
>>> - unsigned int ciphertext_hiding_asid_nr = 0;
>>> -
>>> - if (!ciphertext_hiding_asids[0])
>>> - return false;
>>> -
>>> - if (!sev_is_snp_ciphertext_hiding_supported()) {
>>> + if (ciphertext_hiding_asids[0] && !sev_is_snp_ciphertext_hiding_supported()) {
>>> pr_warn("Module parameter ciphertext_hiding_asids specified but ciphertext hiding not supported\n");
>>> return false;
>>> }
>>>
>> This is incorrect, if ciphertext_hiding_asids module parameter is never specified, user will always
>> get a warning of an invalid ciphertext_hiding_asids module parameter.
>>
>> When this module parameter is optional why should the user get a warning about an invalid module parameter.
>
> Ack, sorry, new diff below that fixes this.
>
>> Again, why do we want to do all these checks below if this module parameter has not been specified by
>> the user ?
>
> Not sure what you mean by 'below' here (assuming in the resulting code), but, in general, there are less checks with this diff than the original v7 code.
>
>>> - if (isdigit(ciphertext_hiding_asids[0])) {
>>> - if (kstrtoint(ciphertext_hiding_asids, 10, &ciphertext_hiding_asid_nr))
>>> - goto invalid_parameter;
>>> -
>>> - /* Do sanity check on user-defined ciphertext_hiding_asids */
>>> - if (ciphertext_hiding_asid_nr >= min_sev_asid) {
>>> - pr_warn("Module parameter ciphertext_hiding_asids (%u) exceeds or equals minimum SEV ASID (%u)\n",
>>> - ciphertext_hiding_asid_nr, min_sev_asid);
>> A *combined* error message such as this:
>> "invalid ciphertext_hiding_asids XXX or !(0 < XXX < minimum SEV ASID 100)"
>>
>> is going to be really confusing to the user.
>>
>> It is much simpler for user to understand if the error/warning is:
>> "Module parameter ciphertext_hiding_asids XXX exceeds or equals minimum SEV ASID YYY"
>> OR
>> "Module parameter ciphertext_hiding_asids XXX invalid"
>
> I tend to disagree. If, e.g., the user sets ciphertext_hiding_asids=100, they see:
>
> kvm_amd: invalid ciphertext_hiding_asids "100" or !(0 < 100 < minimum SEV ASID 100)
>
> which the user can easily unmistakably and quickly deduce that the problem is the latter - not the former - condition that has the problem.
>
> The original v7 code in that same case would emit:
>
> kvm_amd: Module parameter ciphertext_hiding_asids (100) exceeds or equals minimum SEV ASID (100)
>
> ...to which the user would ask themselves "What's wrong with equalling the minimum SEV ASID (100)"?
I disagree, the documentation mentions clearly that:
For SEV-ES/SEV-SNP guests the maximum ASID available is MIN_SEV_ASID - 1.
Which the above message conveys quite clearly.
>
> It's not as immediately obvious that it needs to (0 < x < minimum SEV ASID 100).
>
> OTOH, if the user inputs "ciphertext_hiding_asids=0x1", they now see:
>
> kvm_amd: invalid ciphertext_hiding_asids "0x1" or !(0 < 99 < minimum SEV ASID 100)
>
> which - unlike the original v7 code - shows the user that the '0x1' was not interpreted as a number at all: thus the 99 in the latter condition.
This is incorrect, as 0 < 99 < minimum SEV ASID 100 is a valid condition!
And how can user input of 0x1, result in max_snp_asid == 99 ?
This is the issue with combining the checks and emitting a combined error message:
Here, kstroint(0x1) fails with -EINVAL and so, max_snp_asid remains set to 99 and then the combined error conveys a wrong information :
!(0 < 99 < minimum SEV ASID 100)
The original message is much simpler to understand and correct too:
Module parameter ciphertext_hiding_asids (-1) invalid
>
> But all this is nothing compared to the added simplicity resulting from making the change to the original v7 code.
I disagree, combining checks and emitting a combined error message is going to be more confusing to the user as the above case of (ciphertext_hiding_asids=0x1) shows.
Thanks,
Ashish
>
> New diff from original v7 below:
>
> arch/x86/kvm/svm/sev.c | 42 +++++++++++++++++-------------------------
> 1 file changed, 17 insertions(+), 25 deletions(-)
>
> diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
> index 7ac0f0f25e68..a879ea5f53f2 100644
> --- a/arch/x86/kvm/svm/sev.c
> +++ b/arch/x86/kvm/svm/sev.c
> @@ -2970,8 +2970,6 @@ static bool is_sev_snp_initialized(void)
>
> static bool check_and_enable_sev_snp_ciphertext_hiding(void)
> {
> - unsigned int ciphertext_hiding_asid_nr = 0;
> -
> if (!ciphertext_hiding_asids[0])
> return false;
>
> @@ -2980,32 +2978,24 @@ static bool check_and_enable_sev_snp_ciphertext_hiding(void)
> return false;
> }
>
> - if (isdigit(ciphertext_hiding_asids[0])) {
> - if (kstrtoint(ciphertext_hiding_asids, 10, &ciphertext_hiding_asid_nr))
> - goto invalid_parameter;
> -
> - /* Do sanity check on user-defined ciphertext_hiding_asids */
> - if (ciphertext_hiding_asid_nr >= min_sev_asid) {
> - pr_warn("Module parameter ciphertext_hiding_asids (%u) exceeds or equals minimum SEV ASID (%u)\n",
> - ciphertext_hiding_asid_nr, min_sev_asid);
> - return false;
> - }
> - } else if (!strcmp(ciphertext_hiding_asids, "max")) {
> - ciphertext_hiding_asid_nr = min_sev_asid - 1;
> - }
> -
> - if (ciphertext_hiding_asid_nr) {
> - max_snp_asid = ciphertext_hiding_asid_nr;
> + if (!strcmp(ciphertext_hiding_asids, "max")) {
> + max_snp_asid = min_sev_asid - 1;
> min_sev_es_asid = max_snp_asid + 1;
> - pr_info("SEV-SNP ciphertext hiding enabled\n");
> -
> return true;
> }
>
> -invalid_parameter:
> - pr_warn("Module parameter ciphertext_hiding_asids (%s) invalid\n",
> - ciphertext_hiding_asids);
> - return false;
> + /* Do sanity check on user-defined ciphertext_hiding_asids */
> + if (kstrtoint(ciphertext_hiding_asids, 10, &max_snp_asid) ||
> + !max_snp_asid || max_snp_asid >= min_sev_asid) {
> + pr_warn("invalid ciphertext_hiding_asids \"%s\" or !(0 < %u < minimum SEV ASID %u)\n",
> + ciphertext_hiding_asids, max_snp_asid, min_sev_asid);
> + max_snp_asid = min_sev_asid - 1;
> + return false;
> + }
> +
> + min_sev_es_asid = max_snp_asid + 1;
> +
> + return true;
> }
>
> void __init sev_hardware_setup(void)
> @@ -3122,8 +3112,10 @@ void __init sev_hardware_setup(void)
> * ASID range into separate SEV-ES and SEV-SNP ASID ranges with
> * the SEV-SNP ASID starting at 1.
> */
> - if (check_and_enable_sev_snp_ciphertext_hiding())
> + if (check_and_enable_sev_snp_ciphertext_hiding()) {
> + pr_info("SEV-SNP ciphertext hiding enabled\n");
> init_args.max_snp_asid = max_snp_asid;
> + }
> if (sev_platform_init(&init_args))
> sev_supported = sev_es_supported = sev_snp_supported = false;
> else if (sev_snp_supported)
>
> Thanks,
>
> Kim
>
next prev parent reply other threads:[~2025-08-12 18:29 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-07-21 14:12 [PATCH v7 0/7] Add SEV-SNP CipherTextHiding feature support Ashish Kalra
2025-07-21 14:12 ` [PATCH v7 1/7] crypto: ccp - New bit-field definitions for SNP_PLATFORM_STATUS command Ashish Kalra
2025-07-21 14:12 ` [PATCH v7 2/7] crypto: ccp - Cache SEV platform status and platform state Ashish Kalra
2025-07-21 14:13 ` [PATCH v7 3/7] crypto: ccp - Add support for SNP_FEATURE_INFO command Ashish Kalra
2025-07-21 14:13 ` [PATCH v7 4/7] crypto: ccp - Introduce new API interface to indicate SEV-SNP Ciphertext hiding feature Ashish Kalra
2025-07-21 14:13 ` [PATCH v7 5/7] crypto: ccp - Add support to enable CipherTextHiding on SNP_INIT_EX Ashish Kalra
2025-07-21 14:14 ` [PATCH v7 6/7] KVM: SEV: Introduce new min,max sev_es and sev_snp asid variables Ashish Kalra
2025-07-21 14:14 ` [PATCH v7 7/7] KVM: SEV: Add SEV-SNP CipherTextHiding support Ashish Kalra
2025-07-25 17:58 ` Kim Phillips
2025-07-25 18:28 ` Tom Lendacky
2025-07-25 18:46 ` Kalra, Ashish
2025-08-12 12:06 ` Kim Phillips
2025-08-12 14:40 ` Kalra, Ashish
2025-08-12 16:45 ` Kim Phillips
2025-08-12 18:29 ` Kalra, Ashish [this message]
2025-08-12 18:40 ` Kim Phillips
2025-08-12 18:52 ` Kalra, Ashish
2025-08-12 19:11 ` Kim Phillips
2025-08-12 19:38 ` Kalra, Ashish
2025-08-12 23:30 ` Kim Phillips
2025-08-14 11:54 ` Kim Phillips
2025-08-11 20:30 ` [PATCH v7 0/7] Add SEV-SNP CipherTextHiding feature support Ashish Kalra
2025-08-16 8:39 ` Herbert Xu
2025-08-18 19:16 ` Kalra, Ashish
2025-08-18 19:38 ` Kim Phillips
2025-08-18 20:39 ` Kalra, Ashish
2025-08-18 23:23 ` Kim Phillips
2025-08-18 23:58 ` Kalra, Ashish
2025-08-19 7:59 ` Borislav Petkov
2025-08-20 0:05 ` Sean Christopherson
2025-08-20 1:17 ` Kalra, Ashish
2025-08-20 15:02 ` Sean Christopherson
2025-08-16 9:29 ` Herbert Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=9b0f1a56-7b8f-45ce-9219-3489faedb06c@amd.com \
--to=ashish.kalra@amd.com \
--cc=Neeraj.Upadhyay@amd.com \
--cc=aik@amd.com \
--cc=akpm@linux-foundation.org \
--cc=ardb@kernel.org \
--cc=arnd@arndb.de \
--cc=bp@alien8.de \
--cc=corbet@lwn.net \
--cc=dave.hansen@linux.intel.com \
--cc=davem@davemloft.net \
--cc=herbert@gondor.apana.org.au \
--cc=hpa@zytor.com \
--cc=john.allen@amd.com \
--cc=kim.phillips@amd.com \
--cc=kvm@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=michael.roth@amd.com \
--cc=mingo@redhat.com \
--cc=nikunj@amd.com \
--cc=paulmck@kernel.org \
--cc=pbonzini@redhat.com \
--cc=rostedt@goodmis.org \
--cc=seanjc@google.com \
--cc=tglx@linutronix.de \
--cc=thomas.lendacky@amd.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).