SNP bit checks on the host and ubuntu guest from instruction set #12
Conversation
There was a problem hiding this comment.
Will you please run these through shellcheck? There are a number of changes which I would like to see applied for this PR before we approve it.
|
Hi @larrydewey, I made few changes and did shellcheck... Please let me know if any further changes are required. |
LakshmiSaiHarika
force-pushed
the
add-snp-check-via-instruction-set
branch
from
4ba7408 to
4ff4dcd
Compare
|
Hi @larrydewey I addressed the changes as per the conversation above, please let me know if any additional changes are required |
docs/snp.md
Outdated
| Read the dedicated host cpuid Fn8000_001F[EAX] instruction set to verify if the SNP is on and supported on the host: | ||
| ``` | ||
| ./snp.sh check-host-snp-cpuid | ||
| ``` | ||
|
|
||
|
|
There was a problem hiding this comment.
Do we want this to be it's own individual command? I see that it is being called when people are setting up the host and launching the guest. Is there additional functionality to be it's own individual command?
LakshmiSaiHarika
force-pushed
the
add-snp-check-via-instruction-set
branch
from
4ff4dcd to
699d8b1
Compare
LakshmiSaiHarika
force-pushed
the
add-snp-check-via-instruction-set
branch
from
699d8b1 to
0c98f29
Compare
LakshmiSaiHarika
changed the title
This module verifies if all the security bits are set to 1 for any given instruction set Signed-off-by: Harika Nittala <[email protected]>
This verifies if CPU is capable of SNP based on the SNP bit value present in the CPUID 0x8000001f Signed-off-by: Harika Nittala <[email protected]>
LakshmiSaiHarika
force-pushed
the
add-snp-check-via-instruction-set
branch
from
0c98f29 to
8e655eb
Compare
LakshmiSaiHarika
force-pushed
the
add-snp-check-via-instruction-set
branch
from
8e655eb to
235f4a8
Compare
LakshmiSaiHarika
changed the title
LakshmiSaiHarika
changed the title
tools/snp.sh
Outdated
| verify_host_snp_enablement() { | ||
| echo -e "Verifying if SME, SNP are enabled in the host from MSR 0xC0010010..." | ||
|
|
||
| sudo modprobe msr |
There was a problem hiding this comment.
if ! sudo modprobe msr; then
>&2 echo "ERROR: Failed to load MSR kernel module. Ensure you have the necessary sudo permissions."
return 1
fi
|
|
||
| case ${guest_linux_distro} in | ||
| ubuntu) | ||
| ssh_guest_command "sudo DEBIAN_FRONTEND=noninteractive sudo apt install -y msr-tools > /dev/null 2>&1" > /dev/null 2>&1 |
There was a problem hiding this comment.
Are we assuming that the user will have sudo permissions by default?
If yes, disregard my comments.
Else, we might have to modify the code to handle that permission errors aren't misconstrued as actual errors
There was a problem hiding this comment.
yes, I tested this, this works by default
This verifies if SME, SNP are enabled in the host BIOS settings by reading SME and SNP bit status from MSR 0xC0010010 Bit amd#23 corresponds to the SME bit status Bit amd#24 corresponds to the SNP bit status Signed-off-by: Harika Nittala <[email protected]>
Added MSR 0xC0010010 check to validate if guest SEV, SEV-ES and SNP are enabled by reading SEV, SEV-ES and SNP bits from MSR 0xC0010010 instruction set Bit #0 corresponds to the SEV bit status Bit amd#1 corresponds to SEV-ES bit status Bit amd#2 corresponds to SNP bit status Signed-off-by: Harika Nittala <[email protected]>
LakshmiSaiHarika
force-pushed
the
add-snp-check-via-instruction-set
branch
from
235f4a8 to
e82f96e
Compare
I validated all the added checks in this PR as follows: