[RFC PATCH 2/7] target/i386: SEV: Validate that SEV-ES is enabled when VMSA features are used

Naveen N Rao (AMD) posted 7 patches 2 weeks, 3 days ago
Maintainers: Eric Blake <eblake@redhat.com>, Markus Armbruster <armbru@redhat.com>, Paolo Bonzini <pbonzini@redhat.com>, "Daniel P. Berrangé" <berrange@redhat.com>, Eduardo Habkost <eduardo@habkost.net>, Zhao Liu <zhao1.liu@intel.com>, Marcelo Tosatti <mtosatti@redhat.com>
There is a newer version of this series
Posted by Naveen N Rao (AMD) 2 weeks, 3 days ago
SEV features in the VMSA are only meaningful for SEV-ES and SEV-SNP
guests, as they control aspects of the encrypted guest state that are
not relevant for basic SEV guests.

Add a check in check_sev_features() to ensure that SEV-ES or SEV-SNP is
enabled when any SEV features are specified.

Reviewed-by: Nikunj A Dadhania <nikunj@amd.com>
Signed-off-by: Naveen N Rao (AMD) <naveen@kernel.org>
---
 target/i386/sev.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/target/i386/sev.c b/target/i386/sev.c
index 243e9493ba8d..fa23b5c38e9b 100644
--- a/target/i386/sev.c
+++ b/target/i386/sev.c
@@ -509,6 +509,12 @@ static int check_sev_features(SevCommonState *sev_common, uint64_t sev_features,
             __func__);
         return -1;
     }
+    if (sev_features && !sev_es_enabled()) {
+        error_setg(errp,
+                   "%s: SEV features require either SEV-ES or SEV-SNP to be enabled",
+                   __func__);
+        return -1;
+    }
     if (sev_features & ~sev_common->supported_sev_features) {
         error_setg(errp,
                    "%s: VMSA contains unsupported sev_features: %lX, "
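Review bot: the added condition `if (sev_features && !sev_es_enabled())` tests only sev_es_enabled(), while the error text says that SEV-SNP is accepted as well. That is correct only if sev_es_enabled() also returns true for SNP guests, which this hunk does not show. A one-line comment above the check stating that, or testing SNP explicitly in the condition, would keep the code and the message from drifting apart.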
-- 
2.50.1
Re: [RFC PATCH 2/7] target/i386: SEV: Validate that SEV-ES is enabled when VMSA features are used
Posted by Tom Lendacky 2 weeks, 2 days ago
On 9/11/25 06:54, Naveen N Rao (AMD) wrote:
> SEV features in the VMSA are only meaningful for SEV-ES and SEV-SNP
> guests, as they control aspects of the encrypted guest state that are
> not relevant for basic SEV guests.
> 
> Add a check in check_sev_features() to ensure that SEV-ES or SEV-SNP is
> enabled when any SEV features are specified.
> 
> Reviewed-by: Nikunj A Dadhania <nikunj@amd.com>
> Signed-off-by: Naveen N Rao (AMD) <naveen@kernel.org>

Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>

> ---
>  target/i386/sev.c | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/target/i386/sev.c b/target/i386/sev.c
> index 243e9493ba8d..fa23b5c38e9b 100644
> --- a/target/i386/sev.c
> +++ b/target/i386/sev.c
> @@ -509,6 +509,12 @@ static int check_sev_features(SevCommonState *sev_common, uint64_t sev_features,
>              __func__);
>          return -1;
>      }
> +    if (sev_features && !sev_es_enabled()) {
> +        error_setg(errp,
> +                   "%s: SEV features require either SEV-ES or SEV-SNP to be enabled",
> +                   __func__);
> +        return -1;
> +    }
>      if (sev_features & ~sev_common->supported_sev_features) {
>          error_setg(errp,
>                     "%s: VMSA contains unsupported sev_features: %lX, "
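
Review bot: the added error_setg() message does not report the rejected sev_features value, whereas the unsupported-features check immediately after it prints the value. Including it here (formatted with PRIx64 rather than %lX, since sev_features is a uint64_t) would let a user see which feature bits caused the launch of a plain SEV guest to fail.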