From d352a8900feace60262fde87e5e783ddd66486f0 Mon Sep 17 00:00:00 2001 From: Jon Lange Date: Tue, 2 Jan 2024 04:15:18 -0800 Subject: [PATCH] Change SEV_STATUS check from not-supported to supported Since the set of defined SEV features can change over time, it is not possible for the code to stay current with the set of features that should not be supported. Instead, it is safer for the code to enumerate the set of features that can be supported, with the assumption that any unknown feature must be rejected. BTB isolation and debug register isolation offer security and do not have any impact to software functionality so they can safely be accepted if present. Other features may require explicit software support. Signed-off-by: Jon Lange --- src/sev/status.rs | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/src/sev/status.rs b/src/sev/status.rs index 162259eb3..7570553cc 100644 --- a/src/sev/status.rs +++ b/src/sev/status.rs @@ -155,19 +155,14 @@ pub fn sev_snp_enabled() -> bool { pub fn sev_status_verify() { let required = SEVStatusFlags::SEV | SEVStatusFlags::SEV_ES | SEVStatusFlags::SEV_SNP; - let not_supported = SEVStatusFlags::VTOM - | SEVStatusFlags::REFLECT_VC - | SEVStatusFlags::REST_INJ - | SEVStatusFlags::ALT_INJ - | SEVStatusFlags::DBGSWP + let supported = SEVStatusFlags::DBGSWP | SEVStatusFlags::PREV_HOST_IBS | SEVStatusFlags::BTB_ISOLATION - | SEVStatusFlags::SECURE_TSC | SEVStatusFlags::VMSA_REG_PROT; let status = sev_flags(); let required_check = status & required; - let supported_check = status & not_supported; + let not_supported_check = status & !(supported | required); if required_check != required { log::error!( @@ -177,8 +172,8 @@ pub fn sev_status_verify() { panic!("Required SEV features not available"); } - if !supported_check.is_empty() { - log::error!("Unsupported features enabled: {}", supported_check); + if !not_supported_check.is_empty() { + log::error!("Unsupported features enabled: {}", not_supported_check); panic!("Unsupported SEV features enabled"); } }