[PATCH v2 0/9] target/i386: SEV: Add support for enabling VMSA SEV features

Naveen N Rao (AMD) posted 9 patches 4 months, 2 weeks ago
git fetch https://github.com/patchew-project/qemu tags/patchew/cover.1758794556.git.naveen@kernel.org
Maintainers: Eric Blake <eblake@redhat.com>, Markus Armbruster <armbru@redhat.com>, Paolo Bonzini <pbonzini@redhat.com>, "Daniel P. Berrangé" <berrange@redhat.com>, Eduardo Habkost <eduardo@habkost.net>, Zhao Liu <zhao1.liu@intel.com>, Marcelo Tosatti <mtosatti@redhat.com>
[PATCH v2 0/9] target/i386: SEV: Add support for enabling VMSA SEV features
Posted by Naveen N Rao (AMD) 4 months, 2 weeks ago
This series adds support for enabling VMSA SEV features for SEV-ES and
SEV-SNP guests. Since that is already supported for IGVM files, some of
that code is moved to the generic path and reused.

Debug-swap is already supported in KVM today, while patches for enabling
Secure TSC have been accepted for the upcoming kernel release.

Roy,
I haven't been able to test IGVM, so it would be great if that is tested to
confirm there are no unintended changes there.

Changes since v1 (*):
- Move patch enabling use of KVM_SEV_INIT2 for SEV-ES guests before
  patch enabling use of debug-swap VMSA SEV feature (Tom)
- Only issue KVM_SET_TSC_KHZ if user has specified a tsc-frequency for
  Secure TSC (Tom)
- Patch 9/9 is new and refactors check_sev_features in preparation for
  future SEV feature support (Tom)
- Minor updates to commit log and comments (Tom)
- Collect review tags from Tom

(*) http://lkml.kernel.org/r/cover.1758189463.git.naveen@kernel.org


- Naveen

Naveen N Rao (AMD) (9):
  target/i386: SEV: Generalize handling of SVM_SEV_FEAT_SNP_ACTIVE
  target/i386: SEV: Ensure SEV features are only set through qemu cli or
    IGVM
  target/i386: SEV: Consolidate SEV feature validation to common init
    path
  target/i386: SEV: Validate that SEV-ES is enabled when VMSA features
    are used
  target/i386: SEV: Enable use of KVM_SEV_INIT2 for SEV-ES guests
  target/i386: SEV: Add support for enabling debug-swap SEV feature
  target/i386: SEV: Add support for enabling Secure TSC SEV feature
  target/i386: SEV: Add support for setting TSC frequency for Secure TSC
  target/i386: SEV: Refactor check_sev_features()

 target/i386/sev.h |   4 +-
 target/i386/sev.c | 170 +++++++++++++++++++++++++++++++++++++---------
 qapi/qom.json     |  16 ++++-
 3 files changed, 155 insertions(+), 35 deletions(-)


base-commit: 95b9e0d2ade5d633fd13ffba96a54e87c65baf39
-- 
2.51.0
Re: [PATCH v2 0/9] target/i386: SEV: Add support for enabling VMSA SEV features
Posted by Naveen N Rao 3 months, 2 weeks ago
On Thu, Sep 25, 2025 at 03:47:29PM +0530, Naveen N Rao (AMD) wrote:
> This series adds support for enabling VMSA SEV features for SEV-ES and
> SEV-SNP guests. Since that is already supported for IGVM files, some of
> that code is moved to the generic path and reused.
> 
> Debug-swap is already supported in KVM today, while patches for enabling
> Secure TSC have been accepted for the upcoming kernel release.

Any other comments on this series?

So far, the only minor change I have on top of this series is the change
suggested by Markus:

diff --git a/qapi/qom.json b/qapi/qom.json
index 5b830a9ba000..a2b9ccdfe43e 100644
--- a/qapi/qom.json
+++ b/qapi/qom.json
@@ -1010,7 +1010,8 @@
 #     designated guest firmware page for measured boot with -kernel
 #     (default: false) (since 6.2)
 #
-# @debug-swap: enable virtualization of debug registers
+# @debug-swap: enable virtualization of debug registers. This is only
+#     supported on SEV-ES/SEV-SNP guests
 #     (default: false) (since 10.2)
 #
 # Since: 9.1
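Review bot: the new sentence "This is only supported on SEV-ES/SEV-SNP guests" has no terminating period before "(default: false)", so the rendered doc runs the two together; suggest "... SEV-ES/SEV-SNP guests." on the second `+` line. Since patch 4/9 of this series validates that SEV-ES is enabled when VMSA features are used, the doc comment could also say what happens when @debug-swap is set on a guest without SEV-ES (whether the option is rejected or ignored), so that users of the QMP/CLI property are not left to discover that from the error path.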

Otherwise, this series still applies cleanly to current master.

> 
> Roy,
> I haven't been able to test IGVM, so it would be great if that is tested to
> confirm there are no unintended changes there.

I took a stab at this with the buildigvm tool from Roy. I am able to
boot a Linux guest with an IGVM file generated from that using qemu
built with this series applied. In addition, with the below change to
buildigvm, I am able to see Secure TSC being enabled in the guest:

diff --git a/src/vmsa.rs b/src/vmsa.rs
index 3d67a953055e..ac150264c244 100644
--- a/src/vmsa.rs
+++ b/src/vmsa.rs
@@ -70,6 +70,7 @@ fn construct_vmsa(reset_addr: u32, platform: Platform) -> Result<Box<SevVmsa>, B

     if let Platform::SevSnp = platform {
         vmsa.sev_features.set_snp(true);
+        vmsa.sev_features.set_secure_tsc(true);
     }

     Ok(vmsa_box)
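Review bot: the added `vmsa.sev_features.set_secure_tsc(true);` turns Secure TSC on unconditionally for every SEV-SNP VMSA built by construct_vmsa(), with no way to opt out, so as written this is a local test hack rather than something to carry in buildigvm; if it is meant to go upstream, gate it on a command-line option the same way the platform selects `set_snp(true)`. Also, because this function builds one VMSA from `reset_addr`, it is worth checking that every vCPU's VMSA ends up with the same sev_features value as this one; a mismatch between VMSAs is one thing to rule out for the > 1 vCPU failure mentioned below.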

I couldn't get it to work with > 1 vCPUs though (I'm possibly missing
OVMF changes or such).


- Naveen