[EXT] Re: AMD SEV: confidential autoconf whitelist
On Mon, Sep 15, 2025 at 06:29:15PM +0200, Alexander Bluhm wrote:
> On Mon, Sep 15, 2025 at 06:52:59AM -0700, Mike Larkin wrote:
> > On Mon, Sep 15, 2025 at 02:50:14PM +0200, Hans-Jörg Höxer wrote:
> > > Hi,
> > >
> > > On Mon, Sep 15, 2025 at 05:46:32AM -0700, Mike Larkin wrote:
> > > > >
> > > > > well, I'd say we all agree that depending on ACPI is problematic.
> > > > > Mark suggested to try to use the static tables only. As we want to
> > > > > ignore most of the qemu emulated hardware (in a confidential comp setting)
> > > > > anyway, this might work good enough. I will look into this.
> > > > >
> > > > > For qemu/kvm we need busspace paravirtualization which is not (yet)
> > > > > supported by vmm and vmd. When using the proposed whitelist diff, we
> > > > > only attach devices, that work in both settings (qemu and vmm/vmd with
> > > > > confidentiality enabled; other configurations are not affected anyway).
> > > > > So this should help us to improve and test both scenarios more easily.
> > > >
> > > > So, to recap -
> > > >
> > > > 1. you're going to try to use the static tables, and we should see a diff
> > > > for that at some point
> > > >
> > > > 2. we can do the whitelist but not until #1 is done
> > > >
> > > > is that right?
> > >
> > > I'd say the other way round:
> > >
> > > 1. do the whitelist now
> > >
> > > 2. improve further by using the static table approach
> > >
> > > Take care,
> > > HJ.
> >
> > I worry that if we do it in this order, we won't be incentivized to do the
> > static table stuff. We will end up committing it and not fixing it.
> >
> > Is there a reason we can't quickly verify that the static table approach works?
>
> The whitelist is the next step. Otherwise I cannot test anything.
> Either my KVM/qemu or vmm/vmd setup will break without it. Any
> further diff is untested unless combined with whitelist.
>
> bluhm

If you feel strongly that this should go in, then you guys can commit the diff.
I just wanted to see the result of the static table approach since if that
doesn't work then the whitelist doesn't make sense IMO. There seems to be some
progress off-list, so I'll leave it to you to decide if this is the right time
or if this should wait until after release.

-ml