On Mon, Sep 29, 2025 at 1:50 PM Dave Hansen <dave.han...@intel.com> wrote: > > On 9/29/25 13:33, Nataliia Bondarevska wrote: > >> Could someone please spend a few minutes to explain what this tag means? > > My apologies; I've clarified the details of the testing below. > > > > The verification was performed on a SPR machine. The objective was to > > confirm the successful, runtime update of the CPUSVN using a targeted > > microcode package. > > Steps Taken: > > - identified a microcode package version, designed to update CPUSVN > > number on the machine; > > - initiated a dynamic load of the package during OS runtime; > > - confirmed the CPUSVN was upgraded post-load. > > OK, so you're basically saying it managed to update the SVN on real > hardware. You also had to go run an enclave or at least open /dev/sgx, > right? >
To confirm the CPUSVN update, I did run an enclave to retrieve the attestation report and compare cpusvn values generated before and after microcode load + the custom logs I incorporated into the sgx_update_svn execution helped me to confirm the expected logic. > Also, does this tag mean, "I tested this in my company's environment and > this ABI is sufficient for us until the end of time?" Because there was > also some feedback on earlier work that this series as-is was going to > be insufficient. The test was performed on a SPR machine using the kernel version deployed across Google's TDX production fleet. Yes, this ABI is sufficient enough for us.
