On 3 July 2018 at 15:32, Brijesh Singh brijesh.singh@amd.com wrote:
SEV guest fails to update the UEFI runtime variables stored in the flash. commit 1379edd59673 ("x86/efi: Access EFI data as encrypted when SEV is active") unconditionally maps all the UEFI runtime data as 'encrypted' (C=1). When SEV is active the UEFI runtime data marked as EFI_MEMORY_MAPPED_IO should be mapped as 'unencrypted' so that both guest and hypervisor can access the data.
I'm uncomfortable having to carry these heuristics in the kernel. The UEFI memory map should be the definitive source of information regarding how the OS should map the regions it describes, and if we need to guess the encryption status, we are likely to get it wrong at least some of the times.
Is any work underway to get the UEFI spec extended to take encrypted memory into account? I am aware that we cannot disclose specifics, but you should be able to disclose whether it is under discussion or not.
In the mean time, we will have to do something, I know that, but I would like to discuss the proper solution before proceeding with the stop gap one.