On 6/4/25 19:17, Kalra, Ashish wrote:
> Hello Tom,
>
> On 6/3/2025 11:26 AM, Tom Lendacky wrote:
>> On 5/19/25 19:02, Ashish Kalra wrote:
>>> From: Ashish Kalra <ashish.kalra@xxxxxxx>
>>>
>>
>> The ciphertext hiding feature partions the joint SEV-ES/SEV-SNP ASID range
>> into separate SEV-ES and SEV-SNP ASID ranges with teh SEV-SNP ASID range
>> starting at 1.
>>
>
> Yes that sounds better.
Just fix my spelling errors :)
>
>>> + */
>>> + if (ciphertext_hiding_nr_asids && sev_is_snp_ciphertext_hiding_supported()) {
>>> + /* Do sanity checks on user-defined ciphertext_hiding_nr_asids */
>>> + if (ciphertext_hiding_nr_asids != -1 &&
>>> + ciphertext_hiding_nr_asids >= min_sev_asid) {
>>> + pr_info("ciphertext_hiding_nr_asids module parameter invalid, limiting SEV-SNP ASIDs to %d\n",
>>> + min_sev_asid);
>>> + ciphertext_hiding_nr_asids = min_sev_asid - 1;
>>
>> So specifying a number greater than min_sev_asid will result in enabling
>> ciphertext hiding and no SEV-ES guests allowed even though you report that
>> the number is invalid?
>>
>
> Well, the user specified a non-zero ciphertext_hiding_nr_asids, so the intent is to enable ciphertext hiding and therefore
> sanitize the user specified parameter and enable ciphertext hiding.
Should you support something like ciphertext_hiding_asids=max (similar to
the 'auto' comment that Dave had) and report an error if a value is
specified that exceeds min_sev_asid and not enable ciphertext hiding?
Thanks,
Tom
>
