[PULL 3/3] i386/sev/igvm: do not reset guest policy if IGVM does not set it

Gerd Hoffmann posted 3 patches 1 month ago
Maintainers: "Philippe Mathieu-Daudé" <philmd@linaro.org>, "Daniel P. Berrangé" <berrange@redhat.com>, Kashyap Chamarthy <kchamart@redhat.com>, Pierrick Bouvier <pierrick.bouvier@linaro.org>, Gerd Hoffmann <kraxel@redhat.com>, Stefano Garzarella <sgarzare@redhat.com>, Ani Sinha <anisinha@redhat.com>, Paolo Bonzini <pbonzini@redhat.com>, Marcelo Tosatti <mtosatti@redhat.com>, Zhao Liu <zhao1.liu@intel.com>
Posted by Gerd Hoffmann 1 month ago
From: Ani Sinha <anisinha@redhat.com>

The guest policy is set either through the command line or through IGVM. If none of
the above applies, the default guest policy applies. However, if IGVM does not set
the guest policy, currently the policy gets set to 0 regardless of whether it
was previously set to the default value or from the command line. This change fixes this by
checking if IGVM indeed has set a policy value. If not, do not reset the existing
value.

This avoids guest crashes such as the following during reset when the IGVM
has not explicitly set any guest policies:

qemu-system-x86_64: sev_snp_launch_start: SNP_LAUNCH_START ret=-22 fw_error=0 ''
qemu-system-x86_64: sev_common_kvm_init: failed to create encryption context
qemu-system-x86_64: unable to rebuild guest: Operation not permitted(-1)

Reported-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Ani Sinha <anisinha@redhat.com>
Message-ID: <20260310094450.35861-3-anisinha@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 target/i386/sev.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/target/i386/sev.c b/target/i386/sev.c
index 549e6241769b..cddffe0da8dd 100644
--- a/target/i386/sev.c
+++ b/target/i386/sev.c
@@ -2760,7 +2760,11 @@ static int cgs_set_guest_policy(ConfidentialGuestPolicyType policy_type,
                 id_auth->author_key[0] ? 1 : 0;
             finish->id_block_en = 1;
         }
-        sev_snp_guest->kvm_start_conf.policy = policy;
+
+        /* do not reset existing policy if policy was not set in IGVM  */
+        if (policy != 0) {
+            sev_snp_guest->kvm_start_conf.policy = policy;
+        }
     } else {
         SevGuestState *sev_guest = SEV_GUEST(MACHINE(qdev_get_machine())->cgs);
         /* Only the policy flags are supported for SEV and SEV-ES */
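Review bot: The `if (policy != 0)` guard overloads the policy value as a "not set in IGVM" sentinel, so an IGVM that explicitly carries a policy of 0 is now indistinguishable from one that carries none, and `cgs_set_guest_policy` silently returns 0 in both cases. Consider having the IGVM parser report presence explicitly (for example by not calling `cgs_set_guest_policy` at all when no policy directive was parsed, or by passing a `set` flag) instead of inferring it from the value; that also keeps the default/command-line policy intact without special-casing zero here. Minor style point: the added comment has a stray double space before `*/`.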
@@ -2769,7 +2773,11 @@ static int cgs_set_guest_policy(ConfidentialGuestPolicyType policy_type,
                              "but SEV-SNP is not enabled", __func__);
             return -1;
         }
-        sev_guest->policy = policy;
+
+        /* do not reset existing policy if policy was not set in IGVM  */
+        if (policy != 0) {
+            sev_guest->policy = policy;
+        }
     }
     return 0;
 }
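Review bot: The same sentinel concern matters more in this branch: the context comment says "Only the policy flags are supported for SEV and SEV-ES", and for a pure flag set an all-zero value (no flags set) is a legitimate policy, so the `policy != 0` check makes that value impossible to express via IGVM. If the value-based check is kept, the comment should state that 0 is treated as "unset" and why that is acceptable for SEV/SEV-ES; otherwise a separate presence indicator from the caller is the safer fix. The comment text (with its double space) is duplicated verbatim from the first hunk; a short shared helper or a single comment at the top of the function would avoid the two copies drifting apart.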
-- 
2.53.0