Use SYSFS to read MSR_SEV_STATUS #88
The function is only ever used to read the SEV_STATUS MSR, so rename it and hard-code the function parameters. This helps adding alternative means to read SEV_STATUS.
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Since reading MSRs using the Linux MSR kernel module is generally discouraged and disabled by default in many Linux distributions, add another way of reading the SEV_STATUS value via SYSFS. If that does not work the MSR module is still used as a fall-back.
Signed-off-by: Joerg Roedel <jroedel@suse.de>
tylerfanelli left a comment
LGTM, we'll wait for the changes to be upstream. Let us know when that's completed and we can merge this.
Just out of curiosity, why is the MSR module generally discouraged/disabled?
The MSR module does not only give access to SEV_STATUS, but to all MSRs, including those that can affect system stability and security.
I don't have any arguments against using the sysfs approach. One reason we were leaning so heavily on the MSR implementation is that 1) there was no other implementation, and 2) the MSR in question is a protected MSR. Do you know if the method of providing this through sysfs will be protected from hypervisor modification, as well?
There is no change in security by using SYSFS instead of the MSR module, as there is also no guarantee that the MSR module behaves correctly and does actually read the MSR in question.
@joergroedel is this PR ready for merging, I know it's been a while but it's been in Draft for a while?
Avoid using the insecure MSR kernel module and use a file in SYSFS to read the SEV_STATUS MSR.
This is a draft PR as the SYSFS support patch is still under discussion here
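The sysfs-first read with MSR-module fall-back that the commit messages describe, as an added sketch that is not code from this PR or from the project. The sysfs path is a placeholder (the attribute name is not given on this page), the hex text format of that file is an assumption, and the function names are hypothetical; the MSR index 0xC0010131 and its three low bits are as documented by AMD.

```rust
use std::fs::{self, File};
use std::io;
use std::os::unix::fs::FileExt;
use std::path::Path;

/// SEV_STATUS MSR index; bits 0..2 report SEV, SEV-ES and SEV-SNP.
const MSR_SEV_STATUS: u64 = 0xC001_0131;

/// Which interface produced the value, so callers can log or audit it.
#[derive(Debug, PartialEq)]
pub enum Source { Sysfs, MsrModule }

/// Parse the sysfs text. ASSUMPTION: the file holds one hex value such as "0x7\n".
pub fn parse_sysfs(text: &str) -> io::Result<u64> {
    let t = text.trim();
    let digits = t.strip_prefix("0x").or_else(|| t.strip_prefix("0X")).unwrap_or(t);
    u64::from_str_radix(digits, 16)
        .map_err(|e| io::Error::new(io::ErrorKind::InvalidData, e))
}

/// Read 8 bytes at the MSR index from the msr device (needs the msr module and root).
fn read_msr(dev: &Path) -> io::Result<u64> {
    let mut buf = [0u8; 8];
    File::open(dev)?.read_exact_at(&mut buf, MSR_SEV_STATUS)?;
    Ok(u64::from_le_bytes(buf))
}

/// Try sysfs first; fall back to the MSR module if sysfs is missing or malformed.
pub fn read_sev_status(sysfs: &Path, msr_dev: &Path) -> io::Result<(u64, Source)> {
    match fs::read_to_string(sysfs).and_then(|s| parse_sysfs(&s)) {
        Ok(v) => Ok((v, Source::Sysfs)),
        Err(_) => read_msr(msr_dev).map(|v| (v, Source::MsrModule)),
    }
}

/// Decode the three low feature bits as (SEV, SEV-ES, SEV-SNP).
pub fn decode(status: u64) -> (bool, bool, bool) {
    (status & 1 != 0, status & 2 != 0, status & 4 != 0)
}

fn main() {
    // Placeholder path: the real sysfs attribute name is not given on this page.
    let sysfs = Path::new("/sys/PLACEHOLDER/sev_status");
    match read_sev_status(sysfs, Path::new("/dev/cpu/0/msr")) {
        Ok((v, src)) => println!("SEV_STATUS={:#x} via {:?}: {:?}", v, src, decode(v)),
        Err(e) => eprintln!("cannot read SEV_STATUS: {}", e),
    }
}
```

Returning the `Source` alongside the value lets a caller record whether the broad-access MSR module was needed at all on a given system.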