[PATCH 6/8] target/i386: SEV: Enable use of KVM_SEV_INIT2 for SEV-ES guests

Naveen N Rao (AMD) posted 8 patches 1 month, 3 weeks ago
Maintainers: Eric Blake <eblake@redhat.com>, Markus Armbruster <armbru@redhat.com>, Paolo Bonzini <pbonzini@redhat.com>, "Daniel P. Berrangé" <berrange@redhat.com>, Eduardo Habkost <eduardo@habkost.net>, Marcelo Tosatti <mtosatti@redhat.com>, Zhao Liu <zhao1.liu@intel.com>
There is a newer version of this series
[PATCH 6/8] target/i386: SEV: Enable use of KVM_SEV_INIT2 for SEV-ES guests
Posted by Naveen N Rao (AMD) 1 month, 3 weeks ago
Now that users can enable VMSA SEV features, update sev_init2_required()
to return true if any SEV features are requested. This enables qemu to
use KVM_SEV_INIT2 for SEV-ES guests when necessary.

Sample command-line:
  -machine q35,confidential-guest-support=sev0 \
  -object sev-guest,id=sev0,policy=0x5,cbitpos=51,reduced-phys-bits=1,debug-swap=on

Reviewed-by: Nikunj A Dadhania <nikunj@amd.com>
Signed-off-by: Naveen N Rao (AMD) <naveen@kernel.org>
---
 target/i386/sev.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/target/i386/sev.c b/target/i386/sev.c
index 4f1b0bf6ccc8..6b11359f06dd 100644
--- a/target/i386/sev.c
+++ b/target/i386/sev.c
@@ -1704,8 +1704,7 @@ sev_vm_state_change(void *opaque, bool running, RunState state)
  */
 static bool sev_init2_required(SevGuestState *sev_guest)
 {
-    /* Currently no KVM_SEV_INIT2-specific options are exposed via QEMU */
-    return false;
+    return !!SEV_COMMON(sev_guest)->sev_features;
 }
 
 static int sev_kvm_type(X86ConfidentialGuest *cg)
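Review bot: The new return in sev_init2_required() tests only sev_features, so nothing in this hunk ties the INIT2 path to SEV-ES, although the subject and commit message scope the change to SEV-ES guests. The sample command line uses policy=0x5, which has the ES bit (0x4) set; a guest configured with debug-swap=on but without that bit would also make this function return true. If that combination is not already rejected where the property is set, consider checking the policy here or failing early with a clear error, and state in the commit message which of the two applies.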
-- 
2.51.0
Re: [PATCH 6/8] target/i386: SEV: Enable use of KVM_SEV_INIT2 for SEV-ES guests
Posted by Tom Lendacky 1 month, 3 weeks ago
On 9/18/25 05:27, Naveen N Rao (AMD) wrote:
> Now that users can enable VMSA SEV features, update sev_init2_required()
> to return true if any SEV features are requested. This enables qemu to
> use KVM_SEV_INIT2 for SEV-ES guests when necessary.
> 
> Sample command-line:
>   -machine q35,confidential-guest-support=sev0 \
>   -object sev-guest,id=sev0,policy=0x5,cbitpos=51,reduced-phys-bits=1,debug-swap=on
> 

Should this patch go before patch #5 from a bisect point of view? Because
won't patch #5 fail because you still aren't using init2?

> Reviewed-by: Nikunj A Dadhania <nikunj@amd.com>
> Signed-off-by: Naveen N Rao (AMD) <naveen@kernel.org>

Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>

> ---
>  target/i386/sev.c | 3 +--
>  1 file changed, 1 insertion(+), 2 deletions(-)
> 
> diff --git a/target/i386/sev.c b/target/i386/sev.c
> index 4f1b0bf6ccc8..6b11359f06dd 100644
> --- a/target/i386/sev.c
> +++ b/target/i386/sev.c
> @@ -1704,8 +1704,7 @@ sev_vm_state_change(void *opaque, bool running, RunState state)
>   */
>  static bool sev_init2_required(SevGuestState *sev_guest)
>  {
> -    /* Currently no KVM_SEV_INIT2-specific options are exposed via QEMU */
> -    return false;
> +    return !!SEV_COMMON(sev_guest)->sev_features;
>  }
>  
>  static int sev_kvm_type(X86ConfidentialGuest *cg)
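Review bot: The comment removed from the body of sev_init2_required() was the only in-function explanation of the return value, and the replacement line carries none. A one-line comment saying that any requested VMSA feature bit requires KVM_SEV_INIT2 would help, and the block comment that ends just above the function should be checked so that it still matches the new behaviour. As the function returns bool, `return SEV_COMMON(sev_guest)->sev_features != 0;` reads more directly than the `!!` form.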
Re: [PATCH 6/8] target/i386: SEV: Enable use of KVM_SEV_INIT2 for SEV-ES guests
Posted by Naveen N Rao 1 month, 3 weeks ago
On Fri, Sep 19, 2025 at 04:44:34PM -0500, Tom Lendacky wrote:
> On 9/18/25 05:27, Naveen N Rao (AMD) wrote:
> > Now that users can enable VMSA SEV features, update sev_init2_required()
> > to return true if any SEV features are requested. This enables qemu to
> > use KVM_SEV_INIT2 for SEV-ES guests when necessary.
> > 
> > Sample command-line:
> >   -machine q35,confidential-guest-support=sev0 \
> >   -object sev-guest,id=sev0,policy=0x5,cbitpos=51,reduced-phys-bits=1,debug-swap=on
> > 
> 
> Should this patch go before patch #5 from a bisect point of view? Because
> won't patch #5 fail because you still aren't using init2?

I put this patch after the base debug-swap support since it is not 
possible to exercise this code otherwise. But, as you rightly point out, 
this just means that patch 5/8 is buggy and that is not good from a 
bisect standpoint. I will move this before patch 5/8.

> 
> > Reviewed-by: Nikunj A Dadhania <nikunj@amd.com>
> > Signed-off-by: Naveen N Rao (AMD) <naveen@kernel.org>
> 
> Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>

Thanks for the review,
- Naveen