On 6/5/2025 11:23 AM, Tom Lendacky wrote:
> On 6/4/25 19:17, Kalra, Ashish wrote:
>> Hello Tom,
>>
>> On 6/3/2025 11:26 AM, Tom Lendacky wrote:
>>> On 5/19/25 19:02, Ashish Kalra wrote:
>>>> From: Ashish Kalra <ashish.kalra@xxxxxxx>
>>>>
>
>>>
>>> The ciphertext hiding feature partions the joint SEV-ES/SEV-SNP ASID range
>>> into separate SEV-ES and SEV-SNP ASID ranges with teh SEV-SNP ASID range
>>> starting at 1.
>>>
>>
>> Yes that sounds better.
>
> Just fix my spelling errors :)
>
Sure.
>>
>>>> + */
>>>> + if (ciphertext_hiding_nr_asids && sev_is_snp_ciphertext_hiding_supported()) {
>>>> + /* Do sanity checks on user-defined ciphertext_hiding_nr_asids */
>>>> + if (ciphertext_hiding_nr_asids != -1 &&
>>>> + ciphertext_hiding_nr_asids >= min_sev_asid) {
>>>> + pr_info("ciphertext_hiding_nr_asids module parameter invalid, limiting SEV-SNP ASIDs to %d\n",
>>>> + min_sev_asid);
>>>> + ciphertext_hiding_nr_asids = min_sev_asid - 1;
>>>
>>> So specifying a number greater than min_sev_asid will result in enabling
>>> ciphertext hiding and no SEV-ES guests allowed even though you report that
>>> the number is invalid?
>>>
>>
>> Well, the user specified a non-zero ciphertext_hiding_nr_asids, so the intent is to enable ciphertext hiding and therefore
>> sanitize the user specified parameter and enable ciphertext hiding.
>
> Should you support something like ciphertext_hiding_asids=max (similar to
> the 'auto' comment that Dave had) and report an error if a value is
> specified that exceeds min_sev_asid and not enable ciphertext hiding?
>
Ok, that makes sense.
Thanks,
Ashish
> Thanks,
> Tom
>
>>
>
