From: "Naveen N Rao (AMD)"
To: Paolo Bonzini, Eric Blake, Markus Armbruster, Marcelo Tosatti
Cc: qemu-devel, Tom Lendacky, Nikunj A Dadhania, "Daniel P. Berrange", Eduardo Habkost, Zhao Liu, Michael Roth, Roy Hopkins
Subject: [PATCH v2 1/9] target/i386: SEV: Generalize handling of SVM_SEV_FEAT_SNP_ACTIVE
Date: Thu, 25 Sep 2025 15:47:30 +0530
Message-ID: <6dd579655ec0be6183479f6bc75279117403c2b8.1758794556.git.naveen@kernel.org>

Align with IGVM files providing SEV features with SVM_SEV_FEAT_SNP_ACTIVE set by setting the same when creating a sev-snp-guest object. Since KVM sets this feature itself, SVM_SEV_FEAT_SNP_ACTIVE is unset before KVM_SEV_INIT2 ioctl is invoked. Move that out of IGVM-specific section to common code.
While at it, convert the existing SVM_SEV_FEAT_SNP_ACTIVE definition to use the BIT() macro for consistency with upcoming feature flags. Reviewed-by: Tom Lendacky Signed-off-by: Naveen N Rao (AMD) --- target/i386/sev.h | 2 +- target/i386/sev.c | 24 +++++++++++++++++------- 2 files changed, 18 insertions(+), 8 deletions(-) diff --git a/target/i386/sev.h b/target/i386/sev.h index 9db1a802f6bb..102546b112d6 100644 --- a/target/i386/sev.h +++ b/target/i386/sev.h @@ -44,7 +44,7 @@ bool sev_snp_enabled(void); #define SEV_SNP_POLICY_SMT 0x10000 #define SEV_SNP_POLICY_DBG 0x80000 =20 -#define SVM_SEV_FEAT_SNP_ACTIVE 1 +#define SVM_SEV_FEAT_SNP_ACTIVE BIT(0) =20 typedef struct SevKernelLoaderContext { char *setup_data; diff --git a/target/i386/sev.c b/target/i386/sev.c index 1057b8ab2c60..2fb1268ed788 100644 --- a/target/i386/sev.c +++ b/target/i386/sev.c @@ -319,6 +319,15 @@ sev_set_guest_state(SevCommonState *sev_common, SevSta= te new_state) sev_common->state =3D new_state; } =20 +static void sev_set_feature(SevCommonState *sev_common, uint64_t feature, = bool set) +{ + if (set) { + sev_common->sev_features |=3D feature; + } else { + sev_common->sev_features &=3D ~feature; + } +} + static void sev_ram_block_added(RAMBlockNotifier *n, void *host, size_t size, size_t max_size) 
@@ -1897,15 +1906,15 @@ static int sev_common_kvm_init(ConfidentialGuestSup= port *cgs, Error **errp) -1) { return -1; } - /* - * KVM maintains a bitmask of allowed sev_features. This does = not - * include SVM_SEV_FEAT_SNP_ACTIVE which is set accordingly by= KVM - * itself. Therefore we need to clear this flag. - */ - args.vmsa_features =3D sev_common->sev_features & - ~SVM_SEV_FEAT_SNP_ACTIVE; } =20 + /* + * KVM maintains a bitmask of allowed sev_features. This does not + * include SVM_SEV_FEAT_SNP_ACTIVE which is set accordingly by KVM + * itself. Therefore we need to clear this flag. + */ + args.vmsa_features =3D sev_common->sev_features & ~SVM_SEV_FEAT_SN= P_ACTIVE; + ret =3D sev_ioctl(sev_common->sev_fd, KVM_SEV_INIT2, &args, &fw_er= ror); break; } 
@@ -3127,6 +3136,7 @@ sev_snp_guest_instance_init(Object *obj) =20 /* default init/start/finish params for kvm */ sev_snp_guest->kvm_start_conf.policy =3D DEFAULT_SEV_SNP_POLICY; + sev_set_feature(SEV_COMMON(sev_snp_guest), SVM_SEV_FEAT_SNP_ACTIVE, tr= ue); } =20 /* guest info specific to sev-snp */ --=20 2.51.0
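Review bot: in the target/i386/sev.h hunk of patch 1/9, `BIT(0)` changes the type of SVM_SEV_FEAT_SNP_ACTIVE from int to whatever BIT() expands to, and the same patch complements the macro directly against a 64-bit field (`sev_common->sev_features & ~SVM_SEV_FEAT_SNP_ACTIVE`). If BIT() yields an unsigned long, the complement is only as wide as unsigned long and would zero the upper half of sev_features wherever that type is 32 bits, while the old `~1` sign-extended to a full-width mask. A 64-bit constant such as BIT_ULL(0) keeps the mask as wide as the field it is applied to, and matches the uint64_t parameter of sev_set_feature().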
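Review bot: in the sev_snp_guest_instance_init() hunk of patch 1/9, the new `sev_set_feature(..., SVM_SEV_FEAT_SNP_ACTIVE, true)` call makes sev_features non-zero for every sev-snp-guest, so a plain `if (sev_common->sev_features)` no longer means "the user requested a feature". Please add a short comment at this call stating that the bit is a default and must be masked out before testing for user-set features, so later callers do not have to rediscover that.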
From: "Naveen N Rao (AMD)"
To: Paolo Bonzini, Eric Blake, Markus Armbruster, Marcelo Tosatti
Cc: qemu-devel, Tom Lendacky, Nikunj A Dadhania, "Daniel P. Berrange", Eduardo Habkost, Zhao Liu, Michael Roth, Roy Hopkins
Subject: [PATCH v2 2/9] target/i386: SEV: Ensure SEV features are only set through qemu cli or IGVM
Date: Thu, 25 Sep 2025 15:47:31 +0530
Message-ID: <9353c74e7d610780bc1638e60ae2bafb5e6012d0.1758794556.git.naveen@kernel.org>

In preparation for qemu being able to set SEV features through the cli, add a check to ensure that SEV features are not also set if using IGVM files.

Reviewed-by: Tom Lendacky
Signed-off-by: Naveen N Rao (AMD)
---
 target/i386/sev.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/target/i386/sev.c b/target/i386/sev.c index 2fb1268ed788..ddd7c01f5a56 100644 --- a/target/i386/sev.c
+++ b/target/i386/sev.c 
@@ -1901,6 +1901,15 @@ static int sev_common_kvm_init(ConfidentialGuestSupp= ort *cgs, Error **errp) * as SEV_STATE_UNINIT. */ if (x86machine->igvm) { + /* + * Test only the user-set SEV features by masking out + * SVM_SEV_FEAT_SNP_ACTIVE which is set by default. + */ + if (sev_common->sev_features & ~SVM_SEV_FEAT_SNP_ACTIVE) { + error_setg(errp, "%s: SEV features can't be specified when= using IGVM files", + __func__); + return -1; + } if (IGVM_CFG_GET_CLASS(x86machine->igvm) ->process(x86machine->igvm, machine->cgs, true, errp) = =3D=3D -1) { --=20 2.51.0
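Review bot: in the `if (x86machine->igvm)` block of patch 2/9, the new test on `sev_common->sev_features & ~SVM_SEV_FEAT_SNP_ACTIVE` is only meaningful while it stays ahead of the `->process()` call, because the IGVM path stores the file's own value into the same field (`sev_common->sev_features = sa->sev_features;` in cgs_set_guest_state(), visible in patch 3/9). The added comment explains the mask but not the ordering; please say that the check must precede IGVM processing. The message would also be easier to act on if it named the conflicting option rather than leading with `__func__`.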
From: "Naveen N Rao (AMD)"
To: Paolo Bonzini, Eric Blake, Markus Armbruster, Marcelo Tosatti
Cc: qemu-devel, Tom Lendacky, Nikunj A Dadhania, "Daniel P. Berrange", Eduardo Habkost, Zhao Liu, Michael Roth, Roy Hopkins
Subject: [PATCH v2 3/9] target/i386: SEV: Consolidate SEV feature validation to common init path
Date: Thu, 25 Sep 2025 15:47:32 +0530

Currently, check_sev_features() is called in multiple places when processing IGVM files: both when processing the initial VMSA SEV features from IGVM, as well as when validating the full contents of the VMSA. Move this to a single point in sev_common_kvm_init() to simplify the flow, as well as to re-use this function when VMSA SEV features are being set without using IGVM files.

Reviewed-by: Tom Lendacky
Signed-off-by: Naveen N Rao (AMD) --- target/i386/sev.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/target/i386/sev.c b/target/i386/sev.c index ddd7c01f5a56..3b11e61f78d8 100644 --- a/target/i386/sev.c +++ b/target/i386/sev.c @@ -595,9 +595,6 @@ static int check_vmsa_supported(SevCommonState *sev_com= mon, hwaddr gpa, vmsa_check.x87_fcw =3D 0; vmsa_check.mxcsr =3D 0; =20 - if (check_sev_features(sev_common, vmsa_check.sev_features, errp) < 0)= { - return -1; - } vmsa_check.sev_features =3D 0; =20 if (!buffer_is_zero(&vmsa_check, sizeof(vmsa_check))) { @@ -1917,6 +1914,10 @@ static int sev_common_kvm_init(ConfidentialGuestSupp= ort *cgs, Error **errp) } } =20 + if (check_sev_features(sev_common, sev_common->sev_features, errp)= < 0) { + return -1; + } + /* * KVM maintains a bitmask of allowed sev_features. This does not * include SVM_SEV_FEAT_SNP_ACTIVE which is set accordingly by KVM 
@@ -2536,9 +2537,6 @@ static int cgs_set_guest_state(hwaddr gpa, uint8_t *p= tr, uint64_t len, __func__); return -1; } - if (check_sev_features(sev_common, sa->sev_features, errp) < 0= ) { - return -1; - } sev_common->sev_features =3D sa->sev_features; } return 0; --=20 2.51.0
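Review bot: in the check_vmsa_supported() hunk of patch 3/9, `vmsa_check.sev_features = 0;` now discards the VMSA's feature word without comparing it to anything, so this function no longer rejects a VMSA whose sev_features differ from the value that sev_common_kvm_init() validated. Before zeroing, consider comparing `vmsa_check.sev_features` with `sev_common->sev_features` and failing on a mismatch; that keeps the per-VMSA guarantee the removed call provided while still validating in one place.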
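Review bot: in the sev_common_kvm_init() hunk of patch 3/9, the added call `check_sev_features(sev_common, sev_common->sev_features, errp)` passes the object and its own field, and this patch removes the two callers that passed anything else. Dropping the `sev_features` parameter and reading the field inside check_sev_features() would make it impossible to validate one value and then use another.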
From: "Naveen N Rao (AMD)"
To: Paolo Bonzini, Eric Blake, Markus Armbruster, Marcelo Tosatti
Cc: qemu-devel, Tom Lendacky, Nikunj A Dadhania, "Daniel P. Berrange", Eduardo Habkost, Zhao Liu, Michael Roth, Roy Hopkins
Subject: [PATCH v2 4/9] target/i386: SEV: Validate that SEV-ES is enabled when VMSA features are used
Date: Thu, 25 Sep 2025 15:47:33 +0530

SEV features in the VMSA are only meaningful for SEV-ES and SEV-SNP guests, as they control aspects of the encrypted guest state that are not relevant for basic SEV guests. Add a check in check_sev_features() to ensure that SEV-ES or SEV-SNP is enabled when any SEV features are specified.

Reviewed-by: Nikunj A Dadhania
Reviewed-by: Tom Lendacky
Signed-off-by: Naveen N Rao (AMD)
---
 target/i386/sev.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/target/i386/sev.c b/target/i386/sev.c index 3b11e61f78d8..2f41e1c0b688 100644 --- a/target/i386/sev.c +++ b/target/i386/sev.c 
@@ -518,6 +518,12 @@ static int check_sev_features(SevCommonState *sev_comm= on, uint64_t sev_features, __func__); return -1; } + if (sev_features && !sev_es_enabled()) { + error_setg(errp, + "%s: SEV features require either SEV-ES or SEV-SNP to b= e enabled", + __func__); + return -1; + } if (sev_features & ~sev_common->supported_sev_features) { error_setg(errp, "%s: VMSA contains unsupported sev_features: %lX, " --=20 2.51.0
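Review bot: in the check_sev_features() hunk of patch 4/9, the condition `sev_features && !sev_es_enabled()` tests only SEV-ES while the message promises "either SEV-ES or SEV-SNP". If sev_es_enabled() is also true for SNP guests, a one-line comment saying so belongs next to the test; if it is not, this branch rejects every sev-snp-guest, since patch 1/9 sets SVM_SEV_FEAT_SNP_ACTIVE in sev_features by default and the value passed here is therefore never zero for SNP.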
From: "Naveen N Rao (AMD)"
To: Paolo Bonzini, Eric Blake, Markus Armbruster, Marcelo Tosatti
Cc: qemu-devel, Tom Lendacky, Nikunj A Dadhania, "Daniel P. Berrange", Eduardo Habkost, Zhao Liu, Michael Roth, Roy Hopkins
Subject: [PATCH v2 5/9] target/i386: SEV: Enable use of KVM_SEV_INIT2 for SEV-ES guests
Date: Thu, 25 Sep 2025 15:47:34 +0530
Message-ID: <508561b1b274584a34f508453cc3ca2e913b5866.1758794556.git.naveen@kernel.org>

In preparation for allowing SEV-ES guests to enable VMSA SEV features, update sev_init2_required() to return true if any SEV features are requested. This enables qemu to use KVM_SEV_INIT2 for SEV-ES guests when necessary.

Reviewed-by: Nikunj A Dadhania
Reviewed-by: Tom Lendacky
Signed-off-by: Naveen N Rao (AMD)
---
 target/i386/sev.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/target/i386/sev.c b/target/i386/sev.c index 2f41e1c0b688..88dd0750d481 100644 --- a/target/i386/sev.c +++ b/target/i386/sev.c 
@@ -1699,8 +1699,7 @@ sev_vm_state_change(void *opaque, bool running, RunSt= ate state) */ static bool sev_init2_required(SevGuestState *sev_guest) { - /* Currently no KVM_SEV_INIT2-specific options are exposed via QEMU */ - return false; + return !!SEV_COMMON(sev_guest)->sev_features; } =20 static int sev_kvm_type(X86ConfidentialGuest *cg) --=20 2.51.0
From: "Naveen N Rao (AMD)" To: Paolo Bonzini , Eric Blake , Markus Armbruster , Marcelo Tosatti Cc: qemu-devel , , Tom Lendacky , Nikunj A Dadhania , "Daniel P. Berrange" , Eduardo Habkost , Zhao Liu , Michael Roth , Roy Hopkins Subject: [PATCH v2 6/9] target/i386: SEV: Add support for enabling debug-swap SEV feature Date: Thu, 25 Sep 2025 15:47:35 +0530 Message-ID: <4f0f28154342d562e76107dfd60ed3a02665fbfe.1758794556.git.naveen@kernel.org> X-Mailer: git-send-email 2.51.0 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=2600:3c04:e001:324:0:1991:8:25; envelope-from=naveen@kernel.org; helo=tor.source.kernel.org X-Spam_score_int: -24 X-Spam_score: -2.5 X-Spam_bar: -- X-Spam_report: (-2.5 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.444, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @kernel.org) X-ZM-MESSAGEID: 1758796193530116600 Content-Type: text/plain; charset="utf-8" Add support for enabling debug-swap VMSA SEV feature in SEV-ES and SEV-SNP guests through a new "debug-swap" boolean property on SEV guest objects. Though the boolean property is available for plain SEV guests, check_sev_features() will reject setting this for plain SEV guests. 
Though this SEV feature is called "Debug virtualization" in the APM, KVM calls this "debug swap" so use the same name for consistency.

Sample command-line:
  -machine q35,confidential-guest-support=sev0 \
  -object sev-snp-guest,id=sev0,cbitpos=51,reduced-phys-bits=1,debug-swap=on

Reviewed-by: Tom Lendacky
Signed-off-by: Naveen N Rao (AMD)
---
 target/i386/sev.h | 1 +
 target/i386/sev.c | 20 ++++++++++++++++++++
 qapi/qom.json | 6 +++++-
 3 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/target/i386/sev.h b/target/i386/sev.h index 102546b112d6..8e09b2ce1976 100644 --- a/target/i386/sev.h +++ b/target/i386/sev.h @@ -45,6 +45,7 @@ bool sev_snp_enabled(void); #define SEV_SNP_POLICY_DBG 0x80000 =20 #define SVM_SEV_FEAT_SNP_ACTIVE BIT(0) +#define SVM_SEV_FEAT_DEBUG_SWAP BIT(5) =20 typedef struct SevKernelLoaderContext { char *setup_data; diff --git a/target/i386/sev.c b/target/i386/sev.c index 88dd0750d481..e9d84ea25571 100644 --- a/target/i386/sev.c +++ b/target/i386/sev.c @@ -319,6 +319,11 @@ sev_set_guest_state(SevCommonState *sev_common, SevSta= te new_state) sev_common->state =3D new_state; } =20 +static bool is_sev_feature_set(SevCommonState *sev_common, uint64_t featur= e) +{ + return !!(sev_common->sev_features & feature); +} + static void sev_set_feature(SevCommonState *sev_common, uint64_t feature, = bool set) { if (set) { @@ -2744,6 +2749,16 @@ static int cgs_set_guest_policy(ConfidentialGuestPol= icyType policy_type, return 0; } =20 +static bool sev_common_get_debug_swap(Object *obj, Error **errp) +{ + return is_sev_feature_set(SEV_COMMON(obj), SVM_SEV_FEAT_DEBUG_SWAP); +} + +static void sev_common_set_debug_swap(Object *obj, bool value, Error **err= p) +{ + sev_set_feature(SEV_COMMON(obj), SVM_SEV_FEAT_DEBUG_SWAP, value); +} + static void sev_common_class_init(ObjectClass *oc, const void *data) { 
@@ -2761,6 +2776,11 @@ sev_common_class_init(ObjectClass *oc, const void *d= ata) sev_common_set_kernel_hashes); object_class_property_set_description(oc, "kernel-hashes", "add kernel hashes to guest firmware for measured Linux boot"); + object_class_property_add_bool(oc, "debug-swap", + sev_common_get_debug_swap, + sev_common_set_debug_swap); + object_class_property_set_description(oc, "debug-swap", + "enable virtualization of debug registers"); } =20 static void diff --git a/qapi/qom.json b/qapi/qom.json index 830cb2ffe781..df962d4a5215 100644 --- a/qapi/qom.json +++ b/qapi/qom.json 
@@ -1010,13 +1010,17 @@ # designated guest firmware page for measured boot with -kernel # (default: false) (since 6.2) # +# @debug-swap: enable virtualization of debug registers +# (default: false) (since 10.2) +# # Since: 9.1 ## { 'struct': 'SevCommonProperties', 'data': { '*sev-device': 'str', '*cbitpos': 'uint32', 'reduced-phys-bits': 'uint32', - '*kernel-hashes': 'bool' } } + '*kernel-hashes': 'bool', + '*debug-swap': 'bool' } } =20 ## # @SevGuestProperties: --=20 2.51.0

From: "Naveen N Rao (AMD)"
To: Paolo Bonzini, Eric Blake, Markus Armbruster, Marcelo Tosatti
Cc: qemu-devel, Tom Lendacky, Nikunj A Dadhania, "Daniel P. Berrange", Eduardo Habkost, Zhao Liu, Michael Roth, Roy Hopkins
Subject: [PATCH v2 7/9] target/i386: SEV: Add support for enabling Secure TSC SEV feature
Date: Thu, 25 Sep 2025 15:47:36 +0530
Message-ID: <00290b0b185152d8ddfd36f552006b0d6d2d0172.1758794556.git.naveen@kernel.org>

Add support for enabling Secure TSC VMSA SEV feature in SEV-SNP guests through a new "secure-tsc" boolean property on SEV-SNP guest objects. By default, KVM uses the host TSC frequency for Secure TSC.

Sample command-line:
  -machine q35,confidential-guest-support=sev0 \
  -object sev-snp-guest,id=sev0,cbitpos=51,reduced-phys-bits=1,secure-tsc=on

Reviewed-by: Tom Lendacky
Co-developed-by: Ketan Chaturvedi
Signed-off-by: Ketan Chaturvedi
Co-developed-by: Nikunj A Dadhania
Signed-off-by: Nikunj A Dadhania
Signed-off-by: Naveen N Rao (AMD)
---
 target/i386/sev.h | 1 +
 target/i386/sev.c | 13 +++++++++++++
 qapi/qom.json | 6 +++++-
 3 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/target/i386/sev.h b/target/i386/sev.h index 8e09b2ce1976..87e73034ad15 100644 --- a/target/i386/sev.h +++ b/target/i386/sev.h @@ -46,6 +46,7 @@ bool sev_snp_enabled(void); =20 #define SVM_SEV_FEAT_SNP_ACTIVE BIT(0) #define SVM_SEV_FEAT_DEBUG_SWAP BIT(5) +#define SVM_SEV_FEAT_SECURE_TSC BIT(9) =20 typedef struct SevKernelLoaderContext { char *setup_data; diff --git a/target/i386/sev.c b/target/i386/sev.c index e9d84ea25571..68d193402de3 100644 --- a/target/i386/sev.c +++ b/target/i386/sev.c @@ -3121,6 +3121,16 @@ sev_snp_guest_set_host_data(Object *obj, const char = *value, Error **errp) memcpy(finish->host_data, blob, len); } =20 +static bool sev_snp_guest_get_secure_tsc(Object *obj, Error **errp) +{ + return is_sev_feature_set(SEV_COMMON(obj), SVM_SEV_FEAT_SECURE_TSC); +} + +static void sev_snp_guest_set_secure_tsc(Object *obj, bool value, Error **= errp) +{ + sev_set_feature(SEV_COMMON(obj), SVM_SEV_FEAT_SECURE_TSC, value); +} + static void sev_snp_guest_class_init(ObjectClass *oc, const void *data) { @@ -3156,6 +3166,9 @@ sev_snp_guest_class_init(ObjectClass *oc, const void = *data) object_class_property_add_str(oc, "host-data", sev_snp_guest_get_host_data, sev_snp_guest_set_host_data); + object_class_property_add_bool(oc, "secure-tsc", + sev_snp_guest_get_secure_tsc, + sev_snp_guest_set_secure_tsc); } =20 static void diff --git a/qapi/qom.json b/qapi/qom.json index df962d4a5215..52c23e85e349 100644 --- a/qapi/qom.json +++ b/qapi/qom.json 
@@ -1100,6 +1100,9 @@ # firmware. Set this to true to disable the use of VCEK. # (default: false) (since: 9.1) # +# @secure-tsc: enable Secure TSC +# (default: false) (since 10.2) +# # Since: 9.1 ## { 'struct': 'SevSnpGuestProperties', 
@@ -1111,7 +1114,8 @@ '*id-auth': 'str', '*author-key-enabled': 'bool', '*host-data': 'str', - '*vcek-disabled': 'bool' } } + '*vcek-disabled': 'bool', + '*secure-tsc': 'bool' } } =20 ## # @TdxGuestProperties: --=20 2.51.0

From: "Naveen N Rao (AMD)"
To: Paolo Bonzini, Eric Blake, Markus Armbruster, Marcelo Tosatti
Cc: qemu-devel, Tom Lendacky, Nikunj A Dadhania, "Daniel P. Berrange", Eduardo Habkost, Zhao Liu, Michael Roth, Roy Hopkins
Subject: [PATCH v2 8/9] target/i386: SEV: Add support for setting TSC frequency for Secure TSC
Date: Thu, 25 Sep 2025 15:47:37 +0530
Message-ID: <65400881e426aa0e412eb431099626dceb145ddd.1758794556.git.naveen@kernel.org>

Add support for configuring the TSC frequency when Secure TSC is enabled in SEV-SNP guests through a new "tsc-frequency" property on SEV-SNP guest objects, similar to the vCPU-specific property used by regular guests and TDX. A new property is needed since SEV-SNP guests require the TSC frequency to be specified during early SNP_LAUNCH_START command before any vCPUs are created.

The user-provided TSC frequency is set through KVM_SET_TSC_KHZ before issuing KVM_SEV_SNP_LAUNCH_START.

Sample command-line:
  -machine q35,confidential-guest-support=sev0 \
  -object sev-snp-guest,id=sev0,cbitpos=51,reduced-phys-bits=1,secure-tsc=on,tsc-frequency=2500000000

Co-developed-by: Ketan Chaturvedi
Signed-off-by: Ketan Chaturvedi
Co-developed-by: Nikunj A Dadhania
Signed-off-by: Nikunj A Dadhania
Signed-off-by: Naveen N Rao (AMD)
---
 target/i386/sev.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 qapi/qom.json | 6 +++++-
 2 files changed, 51 insertions(+), 1 deletion(-)

diff --git a/target/i386/sev.c b/target/i386/sev.c index 68d193402de3..8bb9faaa7779 100644 --- a/target/i386/sev.c +++ b/target/i386/sev.c @@ -178,6 +178,7 @@ struct SevSnpGuestState { char *id_auth_base64; uint8_t *id_auth; char *host_data; + uint32_t tsc_khz; =20 struct kvm_sev_snp_launch_start kvm_start_conf; struct kvm_sev_snp_launch_finish kvm_finish_conf; @@ -536,6 +537,13 @@ static int check_sev_features(SevCommonState *sev_comm= on, uint64_t sev_features, __func__, sev_features, sev_common->supported_sev_featu= res); return -1; } + if (sev_snp_enabled() && SEV_SNP_GUEST(sev_common)->tsc_khz && + !(sev_features & SVM_SEV_FEAT_SECURE_TSC)) { + error_setg(errp, + "%s: TSC frequency can only be set if Secure TSC is ena= bled", + __func__); + return -1; + } return 0; } =20 @@ -1085,6 +1093,19 @@ sev_snp_launch_start(SevCommonState *sev_common) return 1; } =20 + if (is_sev_feature_set(sev_common, SVM_SEV_FEAT_SECURE_TSC) && + sev_snp_guest->tsc_khz) { + rc =3D -EINVAL; + if (kvm_check_extension(kvm_state, KVM_CAP_VM_TSC_CONTROL)) { + rc =3D kvm_vm_ioctl(kvm_state, KVM_SET_TSC_KHZ, sev_snp_guest-= >tsc_khz); + } + if (rc < 0) { + error_report("%s: Unable to set Secure TSC frequency to %u kHz= ret=3D%d", + __func__, sev_snp_guest->tsc_khz, rc); + return 1; + } + } + rc =3D sev_ioctl(sev_common->sev_fd, KVM_SEV_SNP_LAUNCH_START, start, &fw_error); if (rc < 0) { 
@@ -3131,6 +3152,28 @@ static void sev_snp_guest_set_secure_tsc(Object *obj= , bool value, Error **errp) sev_set_feature(SEV_COMMON(obj), SVM_SEV_FEAT_SECURE_TSC, value); } =20 +static void +sev_snp_guest_get_tsc_frequency(Object *obj, Visitor *v, const char *name, + void *opaque, Error **errp) +{ + uint32_t value =3D SEV_SNP_GUEST(obj)->tsc_khz * 1000; + + visit_type_uint32(v, name, &value, errp); +} + +static void +sev_snp_guest_set_tsc_frequency(Object *obj, Visitor *v, const char *name, + void *opaque, Error **errp) +{ + uint32_t value; + + if (!visit_type_uint32(v, name, &value, errp)) { + return; + } + + SEV_SNP_GUEST(obj)->tsc_khz =3D value / 1000; +} + static void sev_snp_guest_class_init(ObjectClass *oc, const void *data) { @@ -3169,6 +3212,9 @@ sev_snp_guest_class_init(ObjectClass *oc, const void = *data) object_class_property_add_bool(oc, "secure-tsc", sev_snp_guest_get_secure_tsc, sev_snp_guest_set_secure_tsc); + object_class_property_add(oc, "tsc-frequency", "uint32", + sev_snp_guest_get_tsc_frequency, + sev_snp_guest_set_tsc_frequency, NULL, NULL); } =20 static void diff --git a/qapi/qom.json b/qapi/qom.json index 52c23e85e349..c01ae70dd43d 100644 --- a/qapi/qom.json +++ b/qapi/qom.json @@ -1103,6 +1103,9 @@ # @secure-tsc: enable Secure TSC # (default: false) (since 10.2) # +# @tsc-frequency: set secure TSC frequency. Only valid if Secure TSC +# is enabled (default: zero) (since 10.2) +# # Since: 9.1 ## { 'struct': 'SevSnpGuestProperties', 
@@ -1115,7 +1118,8 @@ '*author-key-enabled': 'bool', '*host-data': 'str', '*vcek-disabled': 'bool', - '*secure-tsc': 'bool' } } + '*secure-tsc': 'bool', + '*tsc-frequency': 'uint32' } } =20 ## # @TdxGuestProperties: --=20 2.51.0

From: "Naveen N Rao (AMD)"
To: Paolo Bonzini, Eric Blake, Markus Armbruster, Marcelo Tosatti
Cc: qemu-devel, Tom Lendacky, Nikunj A Dadhania, "Daniel P. Berrange", Eduardo Habkost, Zhao Liu, Michael Roth, Roy Hopkins
Subject: [PATCH v2 9/9] target/i386: SEV: Refactor check_sev_features()
Date: Thu, 25 Sep 2025 15:47:38 +0530

Refactor check_sev_features() to consolidate SEV-SNP checks to a single if block. This is also helpful when adding checks for future SEV features. While at it, move the comment about the checks being done outside of the function body and expand it to describe what this function does. Update error_setg() invocations to use a consistent format. No functional change intended.

Suggested-by: Tom Lendacky
Signed-off-by: Naveen N Rao (AMD) --- target/i386/sev.c | 55 ++++++++++++++++++++++++++--------------------- 1 file changed, 30 insertions(+), 25 deletions(-) diff --git a/target/i386/sev.c b/target/i386/sev.c index 8bb9faaa7779..138210e24124 100644 --- a/target/i386/sev.c +++ b/target/i386/sev.c @@ -502,34 +502,22 @@ static void sev_apply_cpu_context(CPUState *cpu) } } =20 +/* + * Ensure SEV_FEATURES is configured for correct SEV hardware and that + * the requested features are supported. In addition, ensure feature + * dependencies are satisfied (allow tsc-frequency only if secure-tsc + * is also enabled, as an example). + */ static int check_sev_features(SevCommonState *sev_common, uint64_t sev_fea= tures, Error **errp) { - /* - * Ensure SEV_FEATURES is configured for correct SEV hardware and that - * the requested features are supported. If SEV-SNP is enabled then - * that feature must be enabled, otherwise it must be cleared. - */ - if (sev_snp_enabled() && !(sev_features & SVM_SEV_FEAT_SNP_ACTIVE)) { - error_setg( - errp, - "%s: SEV_SNP is enabled but is not enabled in VMSA sev_feature= s", - __func__); - return -1; - } else if (!sev_snp_enabled() && - (sev_features & SVM_SEV_FEAT_SNP_ACTIVE)) { - error_setg( - errp, - "%s: SEV_SNP is not enabled but is enabled in VMSA sev_feature= s", - __func__); - return -1; - } if (sev_features && !sev_es_enabled()) { error_setg(errp, "%s: SEV features require either SEV-ES or SEV-SNP to b= e enabled", __func__); return -1; } + if (sev_features & ~sev_common->supported_sev_features) { error_setg(errp, "%s: VMSA contains unsupported sev_features: %lX, " 
@@ -537,13 +525,30 @@ static int check_sev_features(SevCommonState *sev_com= mon, uint64_t sev_features, __func__, sev_features, sev_common->supported_sev_featu= res); return -1; } - if (sev_snp_enabled() && SEV_SNP_GUEST(sev_common)->tsc_khz && - !(sev_features & SVM_SEV_FEAT_SECURE_TSC)) { - error_setg(errp, - "%s: TSC frequency can only be set if Secure TSC is ena= bled", - __func__); - return -1; + + if (sev_snp_enabled()) { + if (!(sev_features & SVM_SEV_FEAT_SNP_ACTIVE)) { + error_setg(errp, + "%s: SEV_SNP is enabled but is not enabled in VMSA = sev_features", + __func__); + return -1; + } + if (SEV_SNP_GUEST(sev_common)->tsc_khz && + !(sev_features & SVM_SEV_FEAT_SECURE_TSC)) { + error_setg(errp, + "%s: TSC frequency can only be set if Secure TSC is= enabled", + __func__); + return -1; + } + } else { + if (sev_features & SVM_SEV_FEAT_SNP_ACTIVE) { + error_setg(errp, + "%s: SEV_SNP is not enabled but is enabled in VMSA = sev_features", + __func__); + return -1; + } } + return 0; } =20 --=20 2.51.0
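Review bot: in patch 6/9, the sev_common_class_init() hunk registers "debug-swap" on the common class, so a plain sev-guest object accepts debug-swap=on and the mismatch is only reported later by check_sev_features(), as the commit message itself notes. The description string "enable virtualization of debug registers" and the matching @debug-swap text in qapi/qom.json should state that the property is only valid for SEV-ES and SEV-SNP guests, so that a user reading the QOM documentation does not have to discover the restriction from a launch-time error.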
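Review bot: in patch 7/9, the sev_snp_guest_class_init() hunk adds the "secure-tsc" property without a following object_class_property_set_description() call, whereas patch 6/9 adds one for "debug-swap". Add a description here as well so both new feature properties are documented the same way in the object help output.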
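Review bot: in patch 8/9, sev_snp_guest_set_tsc_frequency() stores "value / 1000" without validating the result, so any tsc-frequency below 1000 leaves tsc_khz at 0, which the check in check_sev_features() and the block in sev_snp_launch_start() both treat as "not set" and silently ignore. The getter then reports a value rounded down to a multiple of 1000 rather than what the user supplied. Report an error through errp when the converted value is zero, and consider whether a uint32 expressed in Hz is wide enough, since it cannot represent frequencies above 4294967295 Hz.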
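Review bot: in patch 8/9, the sev_snp_launch_start() hunk presets rc to -EINVAL and only calls kvm_vm_ioctl() when KVM_CAP_VM_TSC_CONTROL is present, so a missing capability and a failed KVM_SET_TSC_KHZ both produce the same "Unable to set Secure TSC frequency to %u kHz ret=%d" message. A host kernel without the capability is a distinct, user-actionable condition; give it its own error text instead of reporting a synthetic ret=-22.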
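Review bot: in patch 8/9, the qapi/qom.json hunk documents @tsc-frequency as "set secure TSC frequency" with no unit. The setter divides the value by 1000 to obtain kHz, so the property is in Hz; say so in the doc comment, and state what the default of zero means (the commit message of patch 7/9 says KVM then uses the host TSC frequency).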
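Review bot: in patch 9/9, the first check_sev_features() hunk replaces the in-body comment with one above the function that no longer says SVM_SEV_FEAT_SNP_ACTIVE must be set when SEV-SNP is enabled and clear otherwise, although both branches of the new if/else still enforce exactly that. Keep that sentence in the moved comment. Since this patch is already normalising the error_setg() calls, the context line printing the uint64_t sev_features with "%lX" is a candidate for PRIX64 as well.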
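Review bot: in patch 9/9, the second check_sev_features() hunk moves the SVM_SEV_FEAT_SNP_ACTIVE consistency checks from the top of the function to after the sev_es_enabled() and supported_sev_features checks, which changes which error is reported when a configuration fails more than one check. The accept/reject outcome is the same, but the commit message says "No functional change intended"; either note the changed error precedence there or keep the SNP_ACTIVE checks first.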