From: Herbert Xu <herbert@gondor.apana.org.au>
To: Ashish Kalra <Ashish.Kalra@amd.com>
Cc: corbet@lwn.net, seanjc@google.com, pbonzini@redhat.com,
tglx@linutronix.de, mingo@redhat.com, bp@alien8.de,
dave.hansen@linux.intel.com, x86@kernel.org, hpa@zytor.com,
thomas.lendacky@amd.com, john.allen@amd.com, davem@davemloft.net,
akpm@linux-foundation.org, rostedt@goodmis.org,
paulmck@kernel.org, nikunj@amd.com, Neeraj.Upadhyay@amd.com,
aik@amd.com, ardb@kernel.org, michael.roth@amd.com,
arnd@arndb.de, linux-doc@vger.kernel.org,
linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org,
kvm@vger.kernel.org
Subject: Re: [PATCH v7 0/7] Add SEV-SNP CipherTextHiding feature support
Date: Sat, 16 Aug 2025 17:29:49 +0800
Message-ID: <aKBPjfyIHMc2X_ZL@gondor.apana.org.au>
In-Reply-To: <cover.1752869333.git.ashish.kalra@amd.com>

On Mon, Jul 21, 2025 at 02:12:15PM +0000, Ashish Kalra wrote:
> From: Ashish Kalra <ashish.kalra@amd.com>
>
> Ciphertext hiding prevents host accesses from reading the ciphertext
> of SNP guest private memory. Instead of reading ciphertext, the host
> will see constant default values (0xff).
>
> The SEV ASID space is split into SEV and SEV-ES/SNP ASID ranges.
> Enabling ciphertext hiding further splits the SEV-ES/SEV-SNP ASID space
> into separate ASID ranges for SEV-ES and SEV-SNP guests.
>
> Add new module parameter to the KVM module to enable ciphertext hiding
> support and a user configurable system-wide maximum SNP ASID value. If
> the module parameter value is "max" then the complete SEV-ES/SEV-SNP
> space is allocated to SEV-SNP guests.
>
> v7:
> - Fix comments.
> - Move the check for module parameter ciphertext_hiding_asids inside
> check_and_enable_sev_snp_ciphertext_hiding(), this keeps all the logic
> related to the parameter in a single function.
>
> v6:
> - Fix module parameter ciphertext_hiding_asids=0 case.
> - Coalesce multiple cases of handling invalid module parameter
> ciphertext_hiding_asids into a single branch/label.
> - Fix commit logs.
> - Fix Documentation.
>
> v5:
> - Add pre-patch to cache SEV platform status and use this cached
> information to set api_major/api_minor/build.
> - Since the SEV platform status and SNP platform status differ,
> remove the state field from sev_device structure and instead track
> SEV platform state from cached SEV platform status.
> - If SNP is enabled then cached SNP platform status is used for
> api_major/api_minor/build.
> - Fix using sev_do_cmd() instead of __sev_do_cmd_locked().
> - Fix commit logs.
> - Fix kernel-parameters documentation.
> - Modify KVM module parameter to enable CipherTextHiding to support
> "max" option to allow complete SEV-ES+ ASID space to be allocated
> to SEV-SNP guests.
> - Do not enable ciphertext hiding if module parameter to specify
> maximum SNP ASID is invalid.
>
> v4:
> - Fix buffer allocation for SNP_FEATURE_INFO command to correctly
> handle page boundary check requirements.
> - Return correct length for SNP_FEATURE_INFO command from
> sev_cmd_buffer_len().
> - Switch to using SNP platform status instead of SEV platform status if
> SNP is enabled and cache SNP platform status and feature information.
> Modify sev_get_api_version() accordingly.
> - Fix commit logs.
> - Expand the comments on why both the feature info and the platform
> status fields have to be checked for CipherTextHiding feature
> detection and enablement.
> - Add new preparation patch for CipherTextHiding feature which
> introduces new {min,max}_{sev_es,snp}_asid variables along with
> existing {min,max}_sev_asid variable to simplify partitioning of the
> SEV and SEV-ES+ ASID space.
> - Switch to single KVM module parameter to enable CipherTextHiding
> feature and the maximum SNP ASID usable for SNP guests when
> CipherTextHiding feature is enabled.
>
> v3:
> - rebase to linux-next.
> - rebase on top of support to move SEV-SNP initialization to
> KVM module from CCP driver.
> - Split CipherTextHiding support between CCP driver and KVM module
> with KVM module calling into CCP driver to initialize SNP with
> CipherTextHiding enabled and MAX ASID usable for SNP guest if
> KVM is enabling CipherTextHiding feature.
> - Move module parameters to enable CipherTextHiding feature and
> MAX ASID usable for SNP guests from CCP driver to KVM module
> which allows KVM to be responsible for enabling CipherTextHiding
> feature if end-user requests it.
>
> v2:
> - Fix and add more description to commit logs.
> - Rename sev_cache_snp_platform_status_and_discover_features() to
> snp_get_platform_data().
> - Add check in snp_get_platform_data to guard against being called
> after SNP_INIT_EX.
> - Fix comments for new structure field definitions being added.
> - Fix naming for new structure being added.
> - Add new vm-type parameter to sev_asid_new().
> - Fix indentation.
> - Rename CCP module parameters psp_cth_enabled to cipher_text_hiding and
> psp_max_snp_asid to max_snp_asid.
> - Rename max_snp_asid to snp_max_snp_asid.
>
> Ashish Kalra (7):
> crypto: ccp - New bit-field definitions for SNP_PLATFORM_STATUS
> command
> crypto: ccp - Cache SEV platform status and platform state
> crypto: ccp - Add support for SNP_FEATURE_INFO command
> crypto: ccp - Introduce new API interface to indicate SEV-SNP
> Ciphertext hiding feature
> crypto: ccp - Add support to enable CipherTextHiding on SNP_INIT_EX
> KVM: SEV: Introduce new min,max sev_es and sev_snp asid variables
> KVM: SEV: Add SEV-SNP CipherTextHiding support
>
> .../admin-guide/kernel-parameters.txt | 18 +++
> arch/x86/kvm/svm/sev.c | 96 +++++++++++--
> drivers/crypto/ccp/sev-dev.c | 127 ++++++++++++++++--
> drivers/crypto/ccp/sev-dev.h | 6 +-
> include/linux/psp-sev.h | 44 +++++-
> include/uapi/linux/psp-sev.h | 10 +-
> 6 files changed, 274 insertions(+), 27 deletions(-)
>
> --
> 2.34.1

Patches 1-5 applied. Thanks.

--
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
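
The ASID split described in the quoted cover letter, as an added example that is not part of the original message or of the patch series: a user-space model of how a `ciphertext_hiding_asids` value ("max" or a number) divides the shared SEV-ES/SEV-SNP range, leaving hiding off when the value is invalid. The function and struct names, the numeric layout of the ranges and the treatment of 0 as invalid are assumptions of this example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

struct asid_range { unsigned int min, max; };  /* inclusive; empty if min > max */
struct asid_layout {
    bool cth_enabled;                  /* hiding requested and value valid */
    struct asid_range snp, sev_es, sev;
};
static unsigned int asid_count(struct asid_range r)
{
    return r.min > r.max ? 0 : r.max - r.min + 1;
}

/*
 * Assumed model, not from the page: ASIDs 1..min_sev_asid-1 are the shared
 * SEV-ES/SEV-SNP space, min_sev_asid..max_asid belong to SEV, and SNP takes
 * the low end of the shared space. param mimics ciphertext_hiding_asids:
 * NULL (unset), "max" or a number. Returns 0, or -EINVAL with hiding off
 * (0 is treated as invalid here; the page only says that case was fixed).
 */
static int partition_asids(const char *param, unsigned int min_sev_asid,
                           unsigned int max_asid, struct asid_layout *out)
{
    unsigned int es_snp_max = min_sev_asid - 1;   /* caller passes >= 1 */
    unsigned long n;
    char *end;
    /* Hiding off: SEV-ES and SNP guests share one range. */
    out->cth_enabled = false;
    out->snp = out->sev_es = (struct asid_range){ 1, es_snp_max };
    out->sev = (struct asid_range){ min_sev_asid, max_asid };
    if (!param)
        return 0;
    if (strcmp(param, "max") == 0) {
        n = es_snp_max;                /* whole shared space goes to SNP */
    } else {
        errno = 0;
        n = strtoul(param, &end, 10);
        if (errno || end == param || *end != '\0')
            return -EINVAL;
    }
    if (n == 0 || n > es_snp_max)
        return -EINVAL;
    out->cth_enabled = true;
    out->snp = (struct asid_range){ 1, (unsigned int)n };
    out->sev_es = (struct asid_range){ (unsigned int)n + 1, es_snp_max };
    return 0;
}
```

With "max" the SEV-ES range comes back empty, so under this model a host configured that way has no ASIDs left for SEV-ES guests.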