From: "Naveen N Rao (AMD)"
To: Paolo Bonzini, qemu-devel
Cc: Daniel P. Berrangé, Eduardo Habkost, Eric Blake, Markus Armbruster, Marcelo Tosatti, Zhao Liu, Nikunj A Dadhania, Tom Lendacky, Michael Roth, Roy Hopkins, Srikanth Aithal, Kim Phillips, Joerg Roedel
Subject: [PATCH v4 1/9] target/i386: SEV: Generalize handling of SVM_SEV_FEAT_SNP_ACTIVE
Date: Wed, 20 May 2026 18:57:54 +0530
Message-ID: <031de849edf2ae4eaa6e00df83b053605a3ecfea.1779281646.git.naveen@kernel.org>

Align with IGVM files providing SEV features with SVM_SEV_FEAT_SNP_ACTIVE set by setting the same when creating a sev-snp-guest object. Since KVM sets this feature itself, SVM_SEV_FEAT_SNP_ACTIVE is unset before KVM_SEV_INIT2 ioctl is invoked. Move that out of IGVM-specific section to common code.
While at it, convert the existing SVM_SEV_FEAT_SNP_ACTIVE definition to use the BIT() macro for consistency with upcoming feature flags. Reviewed-by: Tom Lendacky Signed-off-by: Naveen N Rao (AMD) --- target/i386/sev.h | 2 +- target/i386/sev.c | 24 +++++++++++++++++------- 2 files changed, 18 insertions(+), 8 deletions(-) diff --git a/target/i386/sev.h b/target/i386/sev.h index 4358df40e48b..b84ca3ce0b67 100644 --- a/target/i386/sev.h +++ b/target/i386/sev.h @@ -46,7 +46,7 @@ bool sev_snp_enabled(void); #define SEV_SNP_POLICY_SMT 0x10000 #define SEV_SNP_POLICY_DBG 0x80000 =20 -#define SVM_SEV_FEAT_SNP_ACTIVE 1 +#define SVM_SEV_FEAT_SNP_ACTIVE BIT(0) =20 typedef struct SevKernelLoaderContext { char *setup_data; diff --git a/target/i386/sev.c b/target/i386/sev.c index b44b5a1c2b94..22c350fe14b7 100644 --- a/target/i386/sev.c +++ b/target/i386/sev.c @@ -328,6 +328,15 @@ sev_set_guest_state(SevCommonState *sev_common, SevSta= te new_state) sev_common->state =3D new_state; } =20 +static void sev_set_feature(SevCommonState *sev_common, uint64_t feature, = bool set) +{ + if (set) { + sev_common->sev_features |=3D feature; + } else { + sev_common->sev_features &=3D ~feature; + } +} + static void sev_ram_block_added(RAMBlockNotifier *n, void *host, size_t size, size_t max_size) 
@@ -1903,15 +1912,15 @@ static int sev_common_kvm_init(ConfidentialGuestSup= port *cgs, Error **errp) ->process(x86machine->igvm, machine, true, errp) =3D= =3D -1) { return -1; } - /* - * KVM maintains a bitmask of allowed sev_features. This does = not - * include SVM_SEV_FEAT_SNP_ACTIVE which is set accordingly by= KVM - * itself. Therefore we need to clear this flag. - */ - args.vmsa_features =3D sev_common->sev_features & - ~SVM_SEV_FEAT_SNP_ACTIVE; } =20 + /* + * KVM maintains a bitmask of allowed sev_features. This does not + * include SVM_SEV_FEAT_SNP_ACTIVE which is set accordingly by KVM + * itself. Therefore we need to clear this flag. + */ + args.vmsa_features =3D sev_common->sev_features & ~SVM_SEV_FEAT_SN= P_ACTIVE; + ret =3D sev_ioctl(sev_common->sev_fd, KVM_SEV_INIT2, &args, &fw_er= ror); break; } 
@@ -3192,6 +3201,7 @@ sev_snp_guest_instance_init(Object *obj) =20 /* default init/start/finish params for kvm */ sev_snp_guest->kvm_start_conf.policy =3D DEFAULT_SEV_SNP_POLICY; + sev_set_feature(SEV_COMMON(sev_snp_guest), SVM_SEV_FEAT_SNP_ACTIVE, tr= ue); } =20 /* guest info specific to sev-snp */ --=20 2.54.0
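
Review bot: In the target/i386/sev.h hunk, defining SVM_SEV_FEAT_SNP_ACTIVE as BIT(0) ties the width of the constant to the macro, while every use in this patch is against 64-bit values: sev_set_feature() takes a uint64_t feature and the init path computes sev_common->sev_features & ~SVM_SEV_FEAT_SNP_ACTIVE. If BIT() expands to an unsigned long constant, the complement is only as wide as long on the build host, whereas the old plain 1 was an int whose complement sign-extends to 64 bits. BIT_ULL(0) would make the width explicit and keep the upcoming feature flags safe to use in ~ masks.
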
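
Review bot: The sev_set_feature() call added at the end of sev_snp_guest_instance_init() needs a comment, because it makes sev_common->sev_features non-zero for every sev-snp-guest before any user option has been applied. A short note there saying the bit is a default that mirrors what IGVM files provide, and that it is cleared again before KVM_SEV_INIT2, would tell later code that tests sev_features for non-zero to mask SVM_SEV_FEAT_SNP_ACTIVE first.
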
From: "Naveen N Rao (AMD)"
To: Paolo Bonzini, qemu-devel
Cc: Daniel P. Berrangé, Eduardo Habkost, Eric Blake, Markus Armbruster, Marcelo Tosatti, Zhao Liu, Nikunj A Dadhania, Tom Lendacky, Michael Roth, Roy Hopkins, Srikanth Aithal, Kim Phillips, Joerg Roedel
Subject: [PATCH v4 2/9] target/i386: SEV: Ensure SEV features are only set through qemu cli or IGVM
Date: Wed, 20 May 2026 18:57:55 +0530
Message-ID: <6939de99f13d7170af68b74e711eb9f03f32f682.1779281646.git.naveen@kernel.org>

In preparation for qemu being able to set SEV features through the cli, add a check to ensure that SEV features are not also set if using IGVM files.

Reviewed-by: Tom Lendacky
Signed-off-by: Naveen N Rao (AMD)
---
 target/i386/sev.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/target/i386/sev.c b/target/i386/sev.c index 22c350fe14b7..641a295c42b7 100644 --- a/target/i386/sev.c +++ b/target/i386/sev.c 
@@ -1908,6 +1908,16 @@ static int sev_common_kvm_init(ConfidentialGuestSupp= ort *cgs, Error **errp) * as SEV_STATE_UNINIT. */ if (x86machine->igvm) { + /* + * Test only the user-set SEV features by masking out + * SVM_SEV_FEAT_SNP_ACTIVE which is set by default. + */ + if (sev_common->sev_features & ~SVM_SEV_FEAT_SNP_ACTIVE) { + error_setg(errp, + "%s: SEV features can't be specified when using= IGVM files", + __func__); + return -1; + } if (IGVM_CFG_GET_CLASS(x86machine->igvm) ->process(x86machine->igvm, machine, true, errp) =3D= =3D -1) { return -1; --=20 2.54.0
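
Review bot: The new check at the top of the if (x86machine->igvm) block is only correct while it runs before the ->process() call, and the added comment does not say so. Patch 1/9 shows args.vmsa_features being read from sev_common->sev_features right after ->process(), and the last hunk of patch 3/9 shows cgs_set_guest_state() assigning sev_common->sev_features = sa->sev_features, so once the IGVM file has been processed the field no longer reflects command-line input. Extending the comment to state that ordering would keep a later reshuffle from turning this into a test of IGVM-supplied features.
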
From: "Naveen N Rao (AMD)"
To: Paolo Bonzini, qemu-devel
Cc: Daniel P. Berrangé, Eduardo Habkost, Eric Blake, Markus Armbruster, Marcelo Tosatti, Zhao Liu, Nikunj A Dadhania, Tom Lendacky, Michael Roth, Roy Hopkins, Srikanth Aithal, Kim Phillips, Joerg Roedel
Subject: [PATCH v4 3/9] target/i386: SEV: Consolidate SEV feature validation to common init path
Date: Wed, 20 May 2026 18:57:56 +0530
Message-ID: <35449df94eb20c29923a7cd0e2742ddba605928c.1779281646.git.naveen@kernel.org>

Currently, check_sev_features() is called in multiple places when processing IGVM files: both when processing the initial VMSA SEV features from IGVM, as well as when validating the full contents of the VMSA.
Move this to a single point in sev_common_kvm_init() to simplify the flow, as well as to re-use this function when VMSA SEV features are being set without using IGVM files. Reviewed-by: Tom Lendacky Signed-off-by: Naveen N Rao (AMD) --- target/i386/sev.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/target/i386/sev.c b/target/i386/sev.c index 641a295c42b7..9857921e5a55 100644 --- a/target/i386/sev.c +++ b/target/i386/sev.c @@ -604,9 +604,6 @@ static int check_vmsa_supported(SevCommonState *sev_com= mon, hwaddr gpa, vmsa_check.x87_fcw =3D 0; vmsa_check.mxcsr =3D 0; =20 - if (check_sev_features(sev_common, vmsa_check.sev_features, errp) < 0)= { - return -1; - } vmsa_check.sev_features =3D 0; =20 if (!buffer_is_zero(&vmsa_check, sizeof(vmsa_check))) { @@ -1924,6 +1921,10 @@ static int sev_common_kvm_init(ConfidentialGuestSupp= ort *cgs, Error **errp) } } =20 + if (check_sev_features(sev_common, sev_common->sev_features, errp)= < 0) { + return -1; + } + /* * KVM maintains a bitmask of allowed sev_features. This does not * include SVM_SEV_FEAT_SNP_ACTIVE which is set accordingly by KVM 
@@ -2584,9 +2585,6 @@ static int cgs_set_guest_state(hwaddr gpa, uint8_t *p= tr, uint64_t len, __func__); return -1; } - if (check_sev_features(sev_common, sa->sev_features, errp) < 0= ) { - return -1; - } sev_common->sev_features =3D sa->sev_features; } return 0; --=20 2.54.0
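
Review bot: In the check_vmsa_supported() hunk, removing the check_sev_features() call leaves vmsa_check.sev_features = 0 as the only handling of that field, so a VMSA passed to this function is now accepted whatever sev_features value it carries. The single check added in sev_common_kvm_init() covers only sev_common->sev_features; comparing the VMSA's value against sev_common->sev_features here, before it is zeroed, would keep a mismatching VMSA from passing the buffer_is_zero() test unnoticed.
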
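
Review bot: The check_sev_features() call added in sev_common_kvm_init() sees sev_common->sev_features before SVM_SEV_FEAT_SNP_ACTIVE is masked off, and that ordering deserves a comment. The comment directly below it says KVM's bitmask of allowed features does not include that bit, while check_sev_features() rejects anything outside sev_common->supported_sev_features (visible in the context of patch 4/9), so this placement only works if supported_sev_features has SVM_SEV_FEAT_SNP_ACTIVE added on the QEMU side. Saying so at the call site would make the dependency explicit.
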
From: "Naveen N Rao (AMD)"
To: Paolo Bonzini, qemu-devel
Cc: Daniel P. Berrangé, Eduardo Habkost, Eric Blake, Markus Armbruster, Marcelo Tosatti, Zhao Liu, Nikunj A Dadhania, Tom Lendacky, Michael Roth, Roy Hopkins, Srikanth Aithal, Kim Phillips, Joerg Roedel
Subject: [PATCH v4 4/9] target/i386: SEV: Validate that SEV-ES is enabled when VMSA features are used
Date: Wed, 20 May 2026 18:57:57 +0530
Message-ID: <11e34ae3db91643e45e097404d1aa949a820aa0d.1779281646.git.naveen@kernel.org>

SEV features in the VMSA are only meaningful for SEV-ES and SEV-SNP guests, as they control aspects of the encrypted guest state that are not relevant for basic SEV guests. Add a check in check_sev_features() to ensure that SEV-ES or SEV-SNP is enabled when any SEV features are specified.

Reviewed-by: Nikunj A Dadhania
Reviewed-by: Tom Lendacky
Signed-off-by: Naveen N Rao (AMD)
---
 target/i386/sev.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/target/i386/sev.c b/target/i386/sev.c index 9857921e5a55..196a70b35c51 100644 --- a/target/i386/sev.c +++ b/target/i386/sev.c 
@@ -527,6 +527,12 @@ static int check_sev_features(SevCommonState *sev_comm= on, uint64_t sev_features, __func__); return -1; } + if (sev_features && !sev_es_enabled()) { + error_setg(errp, + "%s: SEV features require either SEV-ES or SEV-SNP to b= e enabled", + __func__); + return -1; + } if (sev_features & ~sev_common->supported_sev_features) { error_setg(errp, "%s: VMSA contains unsupported sev_features: %lX, " --=20 2.54.0
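
Review bot: The condition added to check_sev_features() tests only !sev_es_enabled() while the error text promises "either SEV-ES or SEV-SNP", so the hunk relies on sev_es_enabled() also being true for SEV-SNP guests without saying so. Since patch 1/9 sets SVM_SEV_FEAT_SNP_ACTIVE on every sev-snp-guest, sev_features is never zero for SNP and this branch is evaluated for all of them. A short comment stating that sev_es_enabled() covers SNP, or an explicit sev_snp_enabled() term in the condition, would make the check match its message.
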
From: "Naveen N Rao (AMD)"
To: Paolo Bonzini, qemu-devel
Cc: Daniel P. Berrangé, Eduardo Habkost, Eric Blake, Markus Armbruster, Marcelo Tosatti, Zhao Liu, Nikunj A Dadhania, Tom Lendacky, Michael Roth, Roy Hopkins, Srikanth Aithal, Kim Phillips, Joerg Roedel
Subject: [PATCH v4 5/9] target/i386: SEV: Enable use of KVM_SEV_INIT2 for SEV-ES guests
Date: Wed, 20 May 2026 18:57:58 +0530

In preparation for allowing SEV-ES guests to enable VMSA SEV features, update sev_init2_required() to return true if any SEV features are requested. This enables qemu to use KVM_SEV_INIT2 for SEV-ES guests when necessary.

Reviewed-by: Nikunj A Dadhania
Reviewed-by: Tom Lendacky
Signed-off-by: Naveen N Rao (AMD)
---
 target/i386/sev.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/target/i386/sev.c b/target/i386/sev.c index 196a70b35c51..4553fe4d6e4a 100644 --- a/target/i386/sev.c +++ b/target/i386/sev.c 
@@ -1701,8 +1701,7 @@ sev_vm_state_change(void *opaque, bool running, RunSt= ate state) */ static bool sev_init2_required(SevGuestState *sev_guest) { - /* Currently no KVM_SEV_INIT2-specific options are exposed via QEMU */ - return false; + return !!SEV_COMMON(sev_guest)->sev_features; } =20 static int sev_kvm_type(X86ConfidentialGuest *cg) --=20 2.54.0
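
Review bot: In sev_init2_required(), the deleted comment is not replaced, so the body no longer explains why non-zero sev_features forces KVM_SEV_INIT2, and the !! is redundant because the function already returns bool. A one-line comment above the return noting that requested features are handed to KVM in args.vmsa_features of KVM_SEV_INIT2 (patch 1/9) would carry over what the commit message says. The result now also depends on sev_features being final when the function is called, which is worth stating in the function's header comment.
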
From: "Naveen N Rao (AMD)"
To: Paolo Bonzini, qemu-devel
Cc: Daniel P. Berrangé, Eduardo Habkost, Eric Blake, Markus Armbruster, Marcelo Tosatti, Zhao Liu, Nikunj A Dadhania, Tom Lendacky, Michael Roth, Roy Hopkins, Srikanth Aithal, Kim Phillips, Joerg Roedel
Subject: [PATCH v4 6/9] target/i386: SEV: Add support for enabling debug-swap SEV feature
Date: Wed, 20 May 2026 18:57:59 +0530
Message-ID: <416e7b156e49f95958f8c5c8549b48a88c1995fc.1779281646.git.naveen@kernel.org>

Add support for enabling debug-swap VMSA SEV feature in SEV-ES and SEV-SNP guests through a new "debug-swap" boolean property on SEV guest objects. Though the boolean property is available for plain SEV guests, check_sev_features() has a check that rejects attempts to enable any SEV feature for a plain SEV guest.
Though this SEV feature is called "Debug virtualization" in the APM, KVM calls this "debug swap" so use the same name for consistency. Sample command-line: -machine q35,confidential-guest-support=3Dsev0 \ -object sev-snp-guest,id=3Dsev0,cbitpos=3D51,reduced-phys-bits=3D1,debug-= swap=3Don Restrict debug-swap to SEV-SNP guests at this time due to a compatibility issue with SEV-ES pflash devices. Signed-off-by: Naveen N Rao (AMD) --- target/i386/sev.h | 1 + target/i386/sev.c | 26 ++++++++++++++++++++++++++ qapi/qom.json | 7 ++++++- 3 files changed, 33 insertions(+), 1 deletion(-) diff --git a/target/i386/sev.h b/target/i386/sev.h index b84ca3ce0b67..d19a39669747 100644 --- a/target/i386/sev.h +++ b/target/i386/sev.h @@ -47,6 +47,7 @@ bool sev_snp_enabled(void); #define SEV_SNP_POLICY_DBG 0x80000 =20 #define SVM_SEV_FEAT_SNP_ACTIVE BIT(0) +#define SVM_SEV_FEAT_DEBUG_SWAP BIT(5) =20 typedef struct SevKernelLoaderContext { char *setup_data; diff --git a/target/i386/sev.c b/target/i386/sev.c index 4553fe4d6e4a..4532b1b6a484 100644 --- a/target/i386/sev.c +++ b/target/i386/sev.c @@ -328,6 +328,11 @@ sev_set_guest_state(SevCommonState *sev_common, SevSta= te new_state) sev_common->state =3D new_state; } =20 +static bool is_sev_feature_set(SevCommonState *sev_common, uint64_t featur= e) +{ + return !!(sev_common->sev_features & feature); +} + static void sev_set_feature(SevCommonState *sev_common, uint64_t feature, = bool set) { if (set) { @@ -527,6 +532,12 @@ static int check_sev_features(SevCommonState *sev_comm= on, uint64_t sev_features, __func__); return -1; } + if (sev_features && sev_es_enabled() && !sev_snp_enabled()) { + error_setg(errp, + "%s: SEV features are not supported with SEV-ES at this= time", + __func__); + return -1; + } if (sev_features && !sev_es_enabled()) { error_setg(errp, "%s: SEV features require either SEV-ES or SEV-SNP to b= e enabled", 
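Review bot: In check_sev_features(), the new `sev_features && sev_es_enabled() && !sev_snp_enabled()` branch rejects every SEV feature bit for SEV-ES guests, but the reason for it (the SEV-ES pflash compatibility issue) appears only in the commit message. A short comment above the check naming that issue would tell a later reader when the restriction can be lifted. It is also worth confirming that no existing SEV-ES configuration reaches this function with a non-zero sev_features value, since such a guest would now fail where it previously passed this point.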
@@ -2800,6 +2811,16 @@ static int cgs_set_guest_policy(ConfidentialGuestPol= icyType policy_type, return 0; } =20 +static bool sev_common_get_debug_swap(Object *obj, Error **errp) +{ + return is_sev_feature_set(SEV_COMMON(obj), SVM_SEV_FEAT_DEBUG_SWAP); +} + +static void sev_common_set_debug_swap(Object *obj, bool value, Error **err= p) +{ + sev_set_feature(SEV_COMMON(obj), SVM_SEV_FEAT_DEBUG_SWAP, value); +} + static void sev_common_class_init(ObjectClass *oc, const void *data) { @@ -2825,6 +2846,11 @@ sev_common_class_init(ObjectClass *oc, const void *d= ata) sev_common_set_kernel_hashes); object_class_property_set_description(oc, "kernel-hashes", "add kernel hashes to guest firmware for measured Linux boot"); + object_class_property_add_bool(oc, "debug-swap", + sev_common_get_debug_swap, + sev_common_set_debug_swap); + object_class_property_set_description(oc, "debug-swap", + "enable virtualization of debug registers"); } =20 static void diff --git a/qapi/qom.json b/qapi/qom.json index dd45ac1087c3..e2bb716b603e 100644 --- a/qapi/qom.json +++ b/qapi/qom.json @@ -1017,6 +1017,10 @@ # designated guest firmware page for measured boot with -kernel # (default: false) (since 6.2) # +# @debug-swap: enable virtualization of debug registers, +# only supported on SEV-ES and SEV-SNP guests +# (default: false) (since 11.1) +# # Features: # # @confidential-guest-reset: If present, the hypervisor supports 
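Review bot: The @debug-swap documentation added to qapi/qom.json says "only supported on SEV-ES and SEV-SNP guests", but the check_sev_features() change in this same patch rejects any SEV feature when SEV-ES is enabled without SEV-SNP, and the commit message says debug-swap is restricted to SEV-SNP for now. The schema text should say SEV-SNP only, or mention the current SEV-ES restriction, so that the documented behaviour matches what the launch path accepts. The opening sentence of the commit message has the same mismatch.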
@@ -1028,7 +1032,8 @@ 'data': { '*sev-device': 'str', '*cbitpos': 'uint32', 'reduced-phys-bits': 'uint32', - '*kernel-hashes': 'bool' }, + '*kernel-hashes': 'bool', + '*debug-swap': 'bool' }, 'features': ['confidential-guest-reset']} =20 ## --=20 2.54.0
From: "Naveen N Rao (AMD)"
To: Paolo Bonzini, qemu-devel
Cc: Daniel P. Berrangé, Eduardo Habkost, Eric Blake, Markus Armbruster, Marcelo Tosatti, Zhao Liu, Nikunj A Dadhania, Tom Lendacky, Michael Roth, Roy Hopkins, Srikanth Aithal, Kim Phillips, Joerg Roedel
Subject: [PATCH v4 7/9] target/i386: SEV: Add support for enabling Secure TSC SEV feature
Date: Wed, 20 May 2026 18:58:00 +0530
Message-ID: <9f58b92a173f319b3ef725f5ed8a2a173eed55b1.1779281646.git.naveen@kernel.org>

Add support for enabling Secure TSC VMSA SEV feature in SEV-SNP guests through a new "secure-tsc" boolean property on SEV-SNP guest objects. By default, KVM uses the host TSC frequency for Secure TSC.
Sample command-line: -machine q35,confidential-guest-support=3Dsev0 \ -object sev-snp-guest,id=3Dsev0,cbitpos=3D51,reduced-phys-bits=3D1,secure= -tsc=3Don Reviewed-by: Tom Lendacky Co-developed-by: Ketan Chaturvedi Signed-off-by: Ketan Chaturvedi Co-developed-by: Nikunj A Dadhania Signed-off-by: Nikunj A Dadhania Signed-off-by: Naveen N Rao (AMD) --- target/i386/sev.h | 1 + target/i386/sev.c | 13 +++++++++++++ qapi/qom.json | 6 +++++- 3 files changed, 19 insertions(+), 1 deletion(-) diff --git a/target/i386/sev.h b/target/i386/sev.h index d19a39669747..7725f92e1959 100644 --- a/target/i386/sev.h +++ b/target/i386/sev.h @@ -48,6 +48,7 @@ bool sev_snp_enabled(void); =20 #define SVM_SEV_FEAT_SNP_ACTIVE BIT(0) #define SVM_SEV_FEAT_DEBUG_SWAP BIT(5) +#define SVM_SEV_FEAT_SECURE_TSC BIT(9) =20 typedef struct SevKernelLoaderContext { char *setup_data; diff --git a/target/i386/sev.c b/target/i386/sev.c index 4532b1b6a484..518f0eb91aa1 100644 --- a/target/i386/sev.c +++ b/target/i386/sev.c @@ -3193,6 +3193,16 @@ sev_snp_guest_set_host_data(Object *obj, const char = *value, Error **errp) memcpy(finish->host_data, blob, len); } =20 +static bool sev_snp_guest_get_secure_tsc(Object *obj, Error **errp) +{ + return is_sev_feature_set(SEV_COMMON(obj), SVM_SEV_FEAT_SECURE_TSC); +} + +static void sev_snp_guest_set_secure_tsc(Object *obj, bool value, Error **= errp) +{ + sev_set_feature(SEV_COMMON(obj), SVM_SEV_FEAT_SECURE_TSC, value); +} + static void sev_snp_guest_class_init(ObjectClass *oc, const void *data) { @@ -3228,6 +3238,9 @@ sev_snp_guest_class_init(ObjectClass *oc, const void = *data) object_class_property_add_str(oc, "host-data", sev_snp_guest_get_host_data, sev_snp_guest_set_host_data); + object_class_property_add_bool(oc, "secure-tsc", + sev_snp_guest_get_secure_tsc, + sev_snp_guest_set_secure_tsc); } =20 static void diff --git a/qapi/qom.json b/qapi/qom.json index e2bb716b603e..9c2966b68e8f 100644 --- a/qapi/qom.json +++ b/qapi/qom.json 
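Review bot: The "secure-tsc" property registered in sev_snp_guest_class_init() has no object_class_property_set_description() call, unlike "debug-swap" in the previous patch, which was given "enable virtualization of debug registers". Adding a description here would keep the two new feature properties consistent. The setter also accepts the flag without any check of its own, so a host that lacks Secure TSC is only caught later by the supported_sev_features test in check_sev_features(); a sentence on that in the commit message would make the failure path clear.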
@@ -1113,6 +1113,9 @@ # firmware. Set this to true to disable the use of VCEK. # (default: false) (since: 9.1) # +# @secure-tsc: enable Secure TSC +# (default: false) (since 11.1) +# # Since: 9.1 ## { 'struct': 'SevSnpGuestProperties', 
@@ -1124,7 +1127,8 @@ '*id-auth': 'str', '*author-key-enabled': 'bool', '*host-data': 'str', - '*vcek-disabled': 'bool' } } + '*vcek-disabled': 'bool', + '*secure-tsc': 'bool' } } =20 ## # @TdxGuestProperties: --=20 2.54.0
From: "Naveen N Rao (AMD)"
To: Paolo Bonzini, qemu-devel
Cc: Daniel P. Berrangé, Eduardo Habkost, Eric Blake, Markus Armbruster, Marcelo Tosatti, Zhao Liu, Nikunj A Dadhania, Tom Lendacky, Michael Roth, Roy Hopkins, Srikanth Aithal, Kim Phillips, Joerg Roedel
Subject: [PATCH v4 8/9] target/i386: SEV: Add support for setting TSC frequency for Secure TSC
Date: Wed, 20 May 2026 18:58:01 +0530

Add support for configuring the TSC frequency when Secure TSC is enabled in SEV-SNP guests through a new "tsc-frequency" property on SEV-SNP guest objects, similar to the vCPU-specific property used by regular guests and TDX. A new property is needed since SEV-SNP guests require the TSC frequency to be specified during early SNP_LAUNCH_START command before any vCPUs are created.
The user-provided TSC frequency is set through KVM_SET_TSC_KHZ before issuing KVM_SEV_SNP_LAUNCH_START. Attempts to set TSC frequency on both the SEV_SNP object and the cpu object result in an error from KVM (on the vCPU ioctl), so do not add separate checks for the same. Sample command-line: -machine q35,confidential-guest-support=3Dsev0 \ -object sev-snp-guest,id=3Dsev0,cbitpos=3D51,reduced-phys-bits=3D1,secure= -tsc=3Don,tsc-frequency=3D2500000000 Co-developed-by: Ketan Chaturvedi Signed-off-by: Ketan Chaturvedi Co-developed-by: Nikunj A Dadhania Signed-off-by: Nikunj A Dadhania Signed-off-by: Naveen N Rao (AMD) --- target/i386/sev.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++ qapi/qom.json | 6 +++++- 2 files changed, 51 insertions(+), 1 deletion(-) diff --git a/target/i386/sev.c b/target/i386/sev.c index 518f0eb91aa1..0009b03bdf7d 100644 --- a/target/i386/sev.c +++ b/target/i386/sev.c @@ -187,6 +187,7 @@ struct SevSnpGuestState { char *id_auth_base64; uint8_t *id_auth; char *host_data; + uint32_t tsc_khz; =20 struct kvm_sev_snp_launch_start kvm_start_conf; struct kvm_sev_snp_launch_finish kvm_finish_conf; @@ -551,6 +552,13 @@ static int check_sev_features(SevCommonState *sev_comm= on, uint64_t sev_features, __func__, sev_features, sev_common->supported_sev_featu= res); return -1; } + if (sev_snp_enabled() && SEV_SNP_GUEST(sev_common)->tsc_khz && + !(sev_features & SVM_SEV_FEAT_SECURE_TSC)) { + error_setg(errp, + "%s: TSC frequency can only be set if Secure TSC is ena= bled", + __func__); + return -1; + } return 0; } =20 
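Review bot: In check_sev_features(), the new tsc_khz check tests the sev_features argument, while the code this patch adds to sev_snp_launch_start() tests sev_common->sev_features through is_sev_feature_set(). If the argument can ever differ from the object's own feature mask, the two sites disagree on whether Secure TSC is enabled, and a configured frequency could pass validation here yet be skipped at launch, or the reverse. Testing the same source in both places, or adding a comment that the two are always equal at this point, would close that gap.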
@@ -1099,6 +1107,19 @@ sev_snp_launch_start(SevCommonState *sev_common) return 1; } =20 + if (is_sev_feature_set(sev_common, SVM_SEV_FEAT_SECURE_TSC) && + sev_snp_guest->tsc_khz) { + rc =3D -EINVAL; + if (kvm_check_extension(kvm_state, KVM_CAP_VM_TSC_CONTROL)) { + rc =3D kvm_vm_ioctl(kvm_state, KVM_SET_TSC_KHZ, sev_snp_guest-= >tsc_khz); + } + if (rc < 0) { + error_report("%s: Unable to set Secure TSC frequency to %u kHz= ret=3D%d", + __func__, sev_snp_guest->tsc_khz, rc); + return 1; + } + } + rc =3D sev_ioctl(sev_common->sev_fd, KVM_SEV_SNP_LAUNCH_START, start, &fw_error); if (rc < 0) { @@ -3203,6 +3224,28 @@ static void sev_snp_guest_set_secure_tsc(Object *obj= , bool value, Error **errp) sev_set_feature(SEV_COMMON(obj), SVM_SEV_FEAT_SECURE_TSC, value); } =20 +static void +sev_snp_guest_get_tsc_frequency(Object *obj, Visitor *v, const char *name, + void *opaque, Error **errp) +{ + uint32_t value =3D SEV_SNP_GUEST(obj)->tsc_khz * 1000; + + visit_type_uint32(v, name, &value, errp); +} + +static void +sev_snp_guest_set_tsc_frequency(Object *obj, Visitor *v, const char *name, + void *opaque, Error **errp) +{ + uint32_t value; + + if (!visit_type_uint32(v, name, &value, errp)) { + return; + } + + SEV_SNP_GUEST(obj)->tsc_khz =3D value / 1000; +} + static void sev_snp_guest_class_init(ObjectClass *oc, const void *data) { @@ -3241,6 +3284,9 @@ sev_snp_guest_class_init(ObjectClass *oc, const void = *data) object_class_property_add_bool(oc, "secure-tsc", sev_snp_guest_get_secure_tsc, sev_snp_guest_set_secure_tsc); + object_class_property_add(oc, "tsc-frequency", "uint32", + sev_snp_guest_get_tsc_frequency, + sev_snp_guest_set_tsc_frequency, NULL, NULL); } =20 static void diff --git a/qapi/qom.json b/qapi/qom.json index 9c2966b68e8f..ef7df6b05a0b 100644 --- a/qapi/qom.json +++ b/qapi/qom.json 
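Review bot: "tsc-frequency" is registered as "uint32" and handled in Hz by sev_snp_guest_get_tsc_frequency() and sev_snp_guest_set_tsc_frequency(), so no frequency above roughly 4.29 GHz can be expressed. The commit message describes the property as similar to the vCPU one; a 64-bit visitor type with a range check before narrowing to the uint32_t tsc_khz field would remove that ceiling. The setter also turns any value below 1000 into tsc_khz = 0, which the rest of the patch treats as "not set", so such input is silently ignored instead of being rejected through errp.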
@@ -1116,6 +1116,9 @@ # @secure-tsc: enable Secure TSC # (default: false) (since 11.1) # +# @tsc-frequency: set secure TSC frequency. Only valid if Secure TSC +# is enabled (default: zero) (since 11.1) +# # Since: 9.1 ## { 'struct': 'SevSnpGuestProperties', 
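Review bot: The @tsc-frequency documentation gives no unit and does not say what the default of zero means. From the code the value is in Hz (the setter divides by 1000 before the value reaches KVM_SET_TSC_KHZ) and zero means the KVM_SET_TSC_KHZ call is skipped; stating both, and that sub-kHz precision is discarded, would make the schema entry self-contained.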
@@ -1128,7 +1131,8 @@ '*author-key-enabled': 'bool', '*host-data': 'str', '*vcek-disabled': 'bool', - '*secure-tsc': 'bool' } } + '*secure-tsc': 'bool', + '*tsc-frequency': 'uint32' } } =20 ## # @TdxGuestProperties: --=20 2.54.0
From: "Naveen N Rao (AMD)"
To: Paolo Bonzini, qemu-devel
Cc: Daniel P. Berrangé, Eduardo Habkost, Eric Blake, Markus Armbruster, Marcelo Tosatti, Zhao Liu, Nikunj A Dadhania, Tom Lendacky, Michael Roth, Roy Hopkins, Srikanth Aithal, Kim Phillips, Joerg Roedel
Subject: [PATCH v4 9/9] target/i386: SEV: Refactor check_sev_features()
Date: Wed, 20 May 2026 18:58:02 +0530

Refactor check_sev_features() to consolidate SEV-SNP checks to a single if block. This is also helpful when adding checks for future SEV features. While at it, move the comment about the checks being done outside of the function body and expand it to describe what this function does. Update error_setg() invocations to use a consistent format.

No functional change intended.

Suggested-by: Tom Lendacky
Signed-off-by: Naveen N Rao (AMD) --- target/i386/sev.c | 67 +++++++++++++++++++++++++---------------------- 1 file changed, 36 insertions(+), 31 deletions(-) diff --git a/target/i386/sev.c b/target/i386/sev.c index 0009b03bdf7d..f04ae4e91f3e 100644 --- a/target/i386/sev.c +++ b/target/i386/sev.c @@ -511,40 +511,22 @@ static void sev_apply_cpu_context(CPUState *cpu) } } =20 +/* + * Ensure SEV_FEATURES is configured for correct SEV hardware and that + * the requested features are supported. In addition, ensure feature + * dependencies are satisfied (allow tsc-frequency only if secure-tsc + * is also enabled, as an example). + */ static int check_sev_features(SevCommonState *sev_common, uint64_t sev_fea= tures, Error **errp) { - /* - * Ensure SEV_FEATURES is configured for correct SEV hardware and that - * the requested features are supported. If SEV-SNP is enabled then - * that feature must be enabled, otherwise it must be cleared. - */ - if (sev_snp_enabled() && !(sev_features & SVM_SEV_FEAT_SNP_ACTIVE)) { - error_setg( - errp, - "%s: SEV_SNP is enabled but is not enabled in VMSA sev_feature= s", - __func__); - return -1; - } else if (!sev_snp_enabled() && - (sev_features & SVM_SEV_FEAT_SNP_ACTIVE)) { - error_setg( - errp, - "%s: SEV_SNP is not enabled but is enabled in VMSA sev_feature= s", - __func__); - return -1; - } - if (sev_features && sev_es_enabled() && !sev_snp_enabled()) { - error_setg(errp, - "%s: SEV features are not supported with SEV-ES at this= time", - __func__); - return -1; - } if (sev_features && !sev_es_enabled()) { error_setg(errp, "%s: SEV features require either SEV-ES or SEV-SNP to b= e enabled", __func__); return -1; } + if (sev_features & ~sev_common->supported_sev_features) { error_setg(errp, "%s: VMSA contains unsupported sev_features: %lX, " 
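Review bot: The comment moved above check_sev_features() drops the sentence saying that SVM_SEV_FEAT_SNP_ACTIVE must be set when SEV-SNP is enabled and cleared otherwise, although the function still enforces both. Keeping that sentence in the expanded comment would match the stated aim of describing what the function does. Moving the SNP_ACTIVE checks below the "require either SEV-ES or SEV-SNP" and unsupported-feature checks also changes which error message is reported when more than one condition fails, which deserves a line next to "No functional change intended".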
@@ -552,13 +534,36 @@ static int check_sev_features(SevCommonState *sev_com= mon, uint64_t sev_features, __func__, sev_features, sev_common->supported_sev_featu= res); return -1; } - if (sev_snp_enabled() && SEV_SNP_GUEST(sev_common)->tsc_khz && - !(sev_features & SVM_SEV_FEAT_SECURE_TSC)) { - error_setg(errp, - "%s: TSC frequency can only be set if Secure TSC is ena= bled", - __func__); - return -1; + + if (sev_snp_enabled()) { + if (!(sev_features & SVM_SEV_FEAT_SNP_ACTIVE)) { + error_setg(errp, + "%s: SEV_SNP is enabled but is not enabled in VMSA = sev_features", + __func__); + return -1; + } + if (SEV_SNP_GUEST(sev_common)->tsc_khz && + !(sev_features & SVM_SEV_FEAT_SECURE_TSC)) { + error_setg(errp, + "%s: TSC frequency can only be set if Secure TSC is= enabled", + __func__); + return -1; + } + } else { + if (sev_features && sev_es_enabled()) { + error_setg(errp, + "%s: SEV features are not supported with SEV-ES at = this time", + __func__); + return -1; + } + if (sev_features & SVM_SEV_FEAT_SNP_ACTIVE) { + error_setg(errp, + "%s: SEV_SNP is not enabled but is enabled in VMSA = sev_features", + __func__); + return -1; + } } + return 0; } =20 --=20 2.54.0
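Review bot: In the new else branch, the `sev_features & SVM_SEV_FEAT_SNP_ACTIVE` check looks unreachable. With SEV-SNP disabled, any non-zero sev_features either takes the earlier `sev_features && !sev_es_enabled()` return or the `sev_features && sev_es_enabled()` return just above it, so the "SEV_SNP is not enabled but is enabled in VMSA sev_features" error can no longer be reported; before this patch that check ran first. Either move the SNP_ACTIVE test ahead of the SEV-ES test inside the else branch, or drop it and adjust the "No functional change intended" statement.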