From: Brijesh Singh <brijesh.singh-5C7GfCeVMHo@public.gmane.org>
To: Borislav Petkov <bp-l3A5Bk7waGM@public.gmane.org>
Cc: brijesh.singh-5C7GfCeVMHo@public.gmane.org,
linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
x86-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org,
linux-efi-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linuxppc-dev-uLR06cmDAlY/bJ5BZ2RsiQ@public.gmane.org,
kvm-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
Thomas Gleixner <tglx-hfZtesqFncYOwBW4kG4KsQ@public.gmane.org>,
Ingo Molnar <mingo-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
"H . Peter Anvin" <hpa-YMNOUZJC4hwAvxtiuMwx3w@public.gmane.org>,
Andy Lutomirski <luto-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>,
Tony Luck <tony.luck-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>,
Piotr Luc <piotr.luc-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>,
Tom Lendacky <thomas.lendacky-5C7GfCeVMHo@public.gmane.org>,
Fenghua Yu <fenghua.yu-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>,
Lu Baolu <baolu.lu-VuQAYsv1563Yd54FQh9/CA@public.gmane.org>,
Reza Arbab
<arbab-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>,
David Howells <dhowells-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
Matt Fleming
<matt-mF/unelCI9GS6iBeEJttW/XRex20P6io@public.gmane.org>,
"Kirill A . Shutemov"
<kirill.shutemov-VuQAYsv1563Yd54FQh9/CA@public.gmane.org>,
Laura Abbott <labbott-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
Ard Biesheuvel
<ard.biesheuvel-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org>,
Andrew Morton <akpm@linux-foundat>
Subject: Re: [RFC Part1 PATCH v3 01/17] Documentation/x86: Add AMD Secure Encrypted Virtualization (SEV) descrption
Date: Tue, 25 Jul 2017 09:59:21 -0500 [thread overview]
Message-ID: <6273a2f0-151a-e8c2-6f4c-09d397446128@amd.com> (raw)
In-Reply-To: <20170725054522.GA21822-K5JNixvcfoxupOikMc4+xw@public.gmane.org>
On 07/25/2017 12:45 AM, Borislav Petkov wrote:
> On Mon, Jul 24, 2017 at 02:07:41PM -0500, Brijesh Singh wrote:
>
> Subject: Re: [RFC Part1 PATCH v3 01/17] Documentation/x86: Add AMD Secure Encrypted Virtualization (SEV) descrption
> ^^^^^^^^^^
>
> Please introduce a spellchecker into your workflow.
>
>> Update amd-memory-encryption document describing the AMD Secure Encrypted
>
> "Update the AMD memory encryption document...
>
> The patch has the proper URL already.
>
>> Virtualization (SEV) feature.
>>
>> Signed-off-by: Brijesh Singh <brijesh.singh-5C7GfCeVMHo@public.gmane.org>
>> ---
>> Documentation/x86/amd-memory-encryption.txt | 29 ++++++++++++++++++++++++++---
>> 1 file changed, 26 insertions(+), 3 deletions(-)
>>
>> diff --git a/Documentation/x86/amd-memory-encryption.txt b/Documentation/x86/amd-memory-encryption.txt
>> index f512ab7..747df07 100644
>> --- a/Documentation/x86/amd-memory-encryption.txt
>> +++ b/Documentation/x86/amd-memory-encryption.txt
>> @@ -1,4 +1,5 @@
>> -Secure Memory Encryption (SME) is a feature found on AMD processors.
>> +Secure Memory Encryption (SME) and Secure Encrypted Virtualization (SEV) are
>> +features found on AMD processors.
>>
>> SME provides the ability to mark individual pages of memory as encrypted using
>> the standard x86 page tables. A page that is marked encrypted will be
>> @@ -6,6 +7,12 @@ automatically decrypted when read from DRAM and encrypted when written to
>> DRAM. SME can therefore be used to protect the contents of DRAM from physical
>> attacks on the system.
>>
>> +SEV enables running encrypted virtual machine (VMs) in which the code and data
>
> machines
>
>> +of the virtual machine are secured so that decrypted version is available only
>
> ... of the guest VM ... ... so that a decrypted ...
>
>> +within the VM itself. SEV guest VMs have concept of private and shared memory.
>
> have *the* concept - you need to use
> definite and indefinite articles in your
> text.
>
>> +Private memory is encrypted with the guest-specific key, while shared memory
>> +may be encrypted with hypervisor key.
>
> And here you explain that the hypervisor key is the same key which we
> use in SME. So that people can make the connection.
>
>> +
>> A page is encrypted when a page table entry has the encryption bit set (see
>> below on how to determine its position). The encryption bit can also be
>> specified in the cr3 register, allowing the PGD table to be encrypted. Each
>> @@ -19,11 +26,20 @@ so that the PGD is encrypted, but not set the encryption bit in the PGD entry
>> for a PUD which results in the PUD pointed to by that entry to not be
>> encrypted.
>>
>> -Support for SME can be determined through the CPUID instruction. The CPUID
>> -function 0x8000001f reports information related to SME:
>> +When SEV is enabled, certain type of memory (namely insruction pages and guest
>
> When SEV is enabled, instruction pages and guest page tables are ...
>
>> +page tables) are always treated as private. Due to security reasons all DMA
>
> security reasons??
>
>> +operations inside the guest must be performed on shared memory. Since the
>> +memory encryption bit is only controllable by the guest OS when it is operating
>
> ... is controlled ...
>
>> +in 64-bit or 32-bit PAE mode, in all other modes the SEV hardware forces memory
>
> ... forces the memory ...
>
>> +encryption bit to 1.
>> +
>> +Support for SME and SEV can be determined through the CPUID instruction. The
>> +CPUID function 0x8000001f reports information related to SME:
>>
>> 0x8000001f[eax]:
>> Bit[0] indicates support for SME
>> + 0x800001f[eax]:
>
> There's a 0 missing and you don't really need it as it is already above.
>
>> + Bit[1] indicates support for SEV
>> 0x8000001f[ebx]:
>> Bits[5:0] pagetable bit number used to activate memory
>> encryption
>> @@ -39,6 +55,13 @@ determine if SME is enabled and/or to enable memory encryption:
>> Bit[23] 0 = memory encryption features are disabled
>> 1 = memory encryption features are enabled
>>
>> +If SEV is supported, MSR 0xc0010131 (MSR_F17H_SEV) can be used to determine if
>
> If this MSR is going to be part of the architecture - and I really think
> it is - then call it MSR_AMD64_SEV.
>
Thanks Boris, I'll update the doc per your feedbacks. And will rename the MSR to
MSR_AMD64_SEV.
-Brijesh
next prev parent reply other threads:[~2017-07-25 14:59 UTC|newest]
Thread overview: 79+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-07-24 19:07 [RFC Part1 PATCH v3 00/17] x86: Secure Encrypted Virtualization (AMD) Brijesh Singh
2017-07-24 19:07 ` [RFC Part1 PATCH v3 02/17] x86/CPU/AMD: Add the Secure Encrypted Virtualization CPU feature Brijesh Singh
[not found] ` <20170724190757.11278-3-brijesh.singh-5C7GfCeVMHo@public.gmane.org>
2017-07-25 10:26 ` Borislav Petkov
[not found] ` <20170725102657.GD21822-K5JNixvcfoxupOikMc4+xw@public.gmane.org>
2017-07-25 14:29 ` Tom Lendacky
[not found] ` <7236d267-ebcb-8b45-b8d3-5955903e395f-5C7GfCeVMHo@public.gmane.org>
2017-07-25 14:36 ` Borislav Petkov
2017-07-25 14:58 ` Tom Lendacky
2017-07-25 15:13 ` Borislav Petkov
2017-07-25 15:29 ` Tom Lendacky
2017-07-25 15:33 ` Borislav Petkov
2017-08-09 18:17 ` Tom Lendacky
2017-08-17 8:12 ` Borislav Petkov
2017-07-24 19:07 ` [RFC Part1 PATCH v3 03/17] x86/mm: Secure Encrypted Virtualization (SEV) support Brijesh Singh
[not found] ` <20170724190757.11278-4-brijesh.singh-5C7GfCeVMHo@public.gmane.org>
2017-07-26 4:28 ` Borislav Petkov
2017-07-26 16:47 ` Tom Lendacky
[not found] ` <facf3ac6-ebda-57a7-f961-6029b3ac7be7-5C7GfCeVMHo@public.gmane.org>
2017-07-27 13:39 ` Borislav Petkov
[not found] ` <20170724190757.11278-1-brijesh.singh-5C7GfCeVMHo@public.gmane.org>
2017-07-24 19:07 ` [RFC Part1 PATCH v3 01/17] Documentation/x86: Add AMD Secure Encrypted Virtualization (SEV) descrption Brijesh Singh
[not found] ` <20170724190757.11278-2-brijesh.singh-5C7GfCeVMHo@public.gmane.org>
2017-07-25 5:45 ` Borislav Petkov
[not found] ` <20170725054522.GA21822-K5JNixvcfoxupOikMc4+xw@public.gmane.org>
2017-07-25 14:59 ` Brijesh Singh [this message]
2017-07-24 19:07 ` [RFC Part1 PATCH v3 04/17] x86/mm: Don't attempt to encrypt initrd under SEV Brijesh Singh
2017-07-26 14:44 ` Borislav Petkov
2017-07-24 19:07 ` [RFC Part1 PATCH v3 05/17] x86, realmode: Don't decrypt trampoline area " Brijesh Singh
[not found] ` <20170724190757.11278-6-brijesh.singh-5C7GfCeVMHo@public.gmane.org>
2017-07-26 16:03 ` Borislav Petkov
2017-08-10 13:03 ` Tom Lendacky
2017-07-24 19:07 ` [RFC Part1 PATCH v3 06/17] x86/mm: Use encrypted access of boot related data with SEV Brijesh Singh
2017-07-27 13:31 ` Borislav Petkov
2017-08-17 18:05 ` Tom Lendacky
2017-07-24 19:07 ` [RFC Part1 PATCH v3 09/17] resource: Consolidate resource walking code Brijesh Singh
2017-07-28 15:23 ` Borislav Petkov
[not found] ` <20170728152342.GB11564-K5JNixvcfoxupOikMc4+xw@public.gmane.org>
2017-08-17 18:55 ` Tom Lendacky
2017-08-17 19:03 ` Tom Lendacky
2017-07-24 19:07 ` [RFC Part1 PATCH v3 12/17] x86/mm: DMA support for SEV memory encryption Brijesh Singh
2017-08-07 3:48 ` Borislav Petkov
2017-08-17 19:35 ` Tom Lendacky
2017-07-24 19:07 ` [RFC Part1 PATCH v3 14/17] x86/boot: Add early boot support when running with SEV active Brijesh Singh
2017-08-23 15:30 ` Borislav Petkov
2017-08-24 18:54 ` Tom Lendacky
[not found] ` <42cf82fc-03be-c4c7-eaab-b2306a049d20-5C7GfCeVMHo@public.gmane.org>
2017-08-25 12:54 ` Borislav Petkov
2017-07-24 19:07 ` [RFC Part1 PATCH v3 17/17] X86/KVM: Clear encryption attribute when SEV is active Brijesh Singh
[not found] ` <20170724190757.11278-18-brijesh.singh-5C7GfCeVMHo@public.gmane.org>
2017-08-31 15:06 ` Borislav Petkov
2017-07-24 19:07 ` [RFC Part1 PATCH v3 07/17] x86/mm: Include SEV for encryption memory attribute changes Brijesh Singh
[not found] ` <20170724190757.11278-8-brijesh.singh-5C7GfCeVMHo@public.gmane.org>
2017-07-27 14:58 ` Borislav Petkov
2017-07-28 8:47 ` David Laight
[not found] ` <063D6719AE5E284EB5DD2968C1650D6DD0045508-VkEWCZq2GCInGFn1LkZF6NBPR1lH4CV8@public.gmane.org>
2017-08-17 18:21 ` Tom Lendacky
2017-08-17 18:10 ` Tom Lendacky
2017-07-24 19:07 ` [RFC Part1 PATCH v3 08/17] x86/efi: Access EFI data as encrypted when SEV is active Brijesh Singh
[not found] ` <20170724190757.11278-9-brijesh.singh-5C7GfCeVMHo@public.gmane.org>
2017-07-28 10:31 ` Borislav Petkov
2017-08-17 18:42 ` Tom Lendacky
2017-07-24 19:07 ` [RFC Part1 PATCH v3 10/17] resource: Provide resource struct in resource walk callback Brijesh Singh
2017-07-31 8:26 ` Borislav Petkov
2017-07-31 22:19 ` Kees Cook
2017-07-24 19:07 ` [RFC Part1 PATCH v3 11/17] x86/mm, resource: Use PAGE_KERNEL protection for ioremap of memory pages Brijesh Singh
[not found] ` <20170724190757.11278-12-brijesh.singh-5C7GfCeVMHo@public.gmane.org>
2017-08-02 4:02 ` Borislav Petkov
2017-08-17 19:22 ` Tom Lendacky
2017-07-24 19:07 ` [RFC Part1 PATCH v3 13/17] x86/io: Unroll string I/O when SEV is active Brijesh Singh
2017-07-25 9:51 ` David Laight
2017-07-26 10:45 ` Arnd Bergmann
[not found] ` <CAK8P3a3h7JpmkW7W=HwqAuWWmro=ngj6HSeiiML_=T82x-FtZQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-07-26 19:24 ` Brijesh Singh
2017-07-26 19:26 ` H. Peter Anvin
2017-07-26 20:07 ` Brijesh Singh
2017-07-27 7:45 ` David Laight
[not found] ` <589d65a4-eb09-bae9-e8b4-a2d78ca6b509-5C7GfCeVMHo@public.gmane.org>
2017-08-22 16:52 ` Borislav Petkov
2017-09-15 12:24 ` Borislav Petkov
2017-09-15 14:13 ` Brijesh Singh
2017-09-15 14:40 ` Borislav Petkov
2017-09-15 14:48 ` Brijesh Singh
[not found] ` <ad628a45-8e4e-9cfc-2cc4-33dc6bf4613a-5C7GfCeVMHo@public.gmane.org>
2017-09-15 16:22 ` Borislav Petkov
[not found] ` <20170915162256.7l4vyy4ee5zeqbir-fF5Pk5pvG8Y@public.gmane.org>
2017-09-15 16:27 ` Brijesh Singh
2017-07-24 19:07 ` [RFC Part1 PATCH v3 15/17] x86: Add support for changing memory encryption attribute in early boot Brijesh Singh
2017-08-28 10:51 ` Borislav Petkov
2017-08-28 11:49 ` Brijesh Singh
2017-07-24 19:07 ` [RFC Part1 PATCH v3 16/17] X86/KVM: Provide support to create Guest and HV shared per-CPU variables Brijesh Singh
2017-08-29 10:22 ` Borislav Petkov
2017-08-30 16:18 ` Brijesh Singh
2017-08-30 17:46 ` Borislav Petkov
2017-09-01 22:52 ` Brijesh Singh
2017-09-02 3:21 ` Andy Lutomirski
[not found] ` <CALCETrV+rv=9Rg5V1z8vHtVDW64eCNtZHQMW8DipRADvm+qP5A-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-09-03 2:34 ` Brijesh Singh
[not found] ` <8155b5b2-b2b3-bc8f-33ae-b81b661a2e38-5C7GfCeVMHo@public.gmane.org>
2017-09-04 17:05 ` Borislav Petkov
2017-09-04 17:47 ` Brijesh Singh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6273a2f0-151a-e8c2-6f4c-09d397446128@amd.com \
--to=brijesh.singh-5c7gfcevmho@public.gmane.org \
--cc=akpm@linux-foundat \
--cc=arbab-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org \
--cc=ard.biesheuvel-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org \
--cc=baolu.lu-VuQAYsv1563Yd54FQh9/CA@public.gmane.org \
--cc=bp-l3A5Bk7waGM@public.gmane.org \
--cc=dhowells-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=fenghua.yu-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org \
--cc=hpa-YMNOUZJC4hwAvxtiuMwx3w@public.gmane.org \
--cc=kirill.shutemov-VuQAYsv1563Yd54FQh9/CA@public.gmane.org \
--cc=kvm-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=labbott-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=linux-efi-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linuxppc-dev-uLR06cmDAlY/bJ5BZ2RsiQ@public.gmane.org \
--cc=luto-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org \
--cc=matt-mF/unelCI9GS6iBeEJttW/XRex20P6io@public.gmane.org \
--cc=mingo-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=piotr.luc-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org \
--cc=tglx-hfZtesqFncYOwBW4kG4KsQ@public.gmane.org \
--cc=thomas.lendacky-5C7GfCeVMHo@public.gmane.org \
--cc=tony.luck-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org \
--cc=x86-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox