When a guest issues a cpuid instruction for Fn0000000D_{x00,x01}, the
hypervisor will be intercepting the CPUID instruction and will need to access
the guest XSS value. For SEV-ES, the XSS value is encrypted and needs to be
included in the GHCB to be visible to the hypervisor.
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: John Allen <john.allen@amd.com>
---
arch/x86/coco/sev/vc-shared.c | 11 +++++++++++
arch/x86/include/asm/svm.h | 1 +
2 files changed, 12 insertions(+)
diff --git a/arch/x86/coco/sev/vc-shared.c b/arch/x86/coco/sev/vc-shared.c
index 2c0ab0fdc060..079fffdb12c0 100644
--- a/arch/x86/coco/sev/vc-shared.c
+++ b/arch/x86/coco/sev/vc-shared.c
@@ -1,5 +1,9 @@
// SPDX-License-Identifier: GPL-2.0
+#ifndef __BOOT_COMPRESSED
+#define has_cpuflag(f) boot_cpu_has(f)
+#endif
+
static enum es_result vc_check_opcode_bytes(struct es_em_ctxt *ctxt,
unsigned long exit_code)
{
@@ -452,6 +456,13 @@ static enum es_result vc_handle_cpuid(struct ghcb *ghcb,
/* xgetbv will cause #GP - use reset value for xcr0 */
ghcb_set_xcr0(ghcb, 1);
+ if (has_cpuflag(X86_FEATURE_SHSTK) && regs->ax == 0xd && regs->cx <= 1) {
+ struct msr m;
+
+ raw_rdmsr(MSR_IA32_XSS, &m);
+ ghcb_set_xss(ghcb, m.q);
+ }
+
ret = sev_es_ghcb_hv_call(ghcb, ctxt, SVM_EXIT_CPUID, 0, 0);
if (ret != ES_OK)
return ret;
diff --git a/arch/x86/include/asm/svm.h b/arch/x86/include/asm/svm.h
index 17f6c3fedeee..0581c477d466 100644
--- a/arch/x86/include/asm/svm.h
+++ b/arch/x86/include/asm/svm.h
@@ -701,5 +701,6 @@ DEFINE_GHCB_ACCESSORS(sw_exit_info_1)
DEFINE_GHCB_ACCESSORS(sw_exit_info_2)
DEFINE_GHCB_ACCESSORS(sw_scratch)
DEFINE_GHCB_ACCESSORS(xcr0)
+DEFINE_GHCB_ACCESSORS(xss)
#endif
--
2.47.3On 9/8/25 15:20, John Allen wrote:
> When a guest issues a cpuid instruction for Fn0000000D_{x00,x01}, the
> hypervisor will be intercepting the CPUID instruction and will need to access
> the guest XSS value. For SEV-ES, the XSS value is encrypted and needs to be
> included in the GHCB to be visible to the hypervisor.
>
> Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
> Signed-off-by: John Allen <john.allen@amd.com>
> ---
> arch/x86/coco/sev/vc-shared.c | 11 +++++++++++
> arch/x86/include/asm/svm.h | 1 +
> 2 files changed, 12 insertions(+)
>
> diff --git a/arch/x86/coco/sev/vc-shared.c b/arch/x86/coco/sev/vc-shared.c
> index 2c0ab0fdc060..079fffdb12c0 100644
> --- a/arch/x86/coco/sev/vc-shared.c
> +++ b/arch/x86/coco/sev/vc-shared.c
> @@ -1,5 +1,9 @@
> // SPDX-License-Identifier: GPL-2.0
>
> +#ifndef __BOOT_COMPRESSED
> +#define has_cpuflag(f) boot_cpu_has(f)
> +#endif
> +
> static enum es_result vc_check_opcode_bytes(struct es_em_ctxt *ctxt,
> unsigned long exit_code)
> {
> @@ -452,6 +456,13 @@ static enum es_result vc_handle_cpuid(struct ghcb *ghcb,
> /* xgetbv will cause #GP - use reset value for xcr0 */
> ghcb_set_xcr0(ghcb, 1);
>
> + if (has_cpuflag(X86_FEATURE_SHSTK) && regs->ax == 0xd && regs->cx <= 1) {
Just a nit, but I wonder if we should be generic here and just do
has_cpuflag(X86_FEATURE_XSAVES) since that should be set if shadow stack
is enabled, right? And when X86_FEATURE_XSAVES is set, we don't
intercept XSS access (see sev_es_recalc_msr_intercepts()).
Thoughts?
Thanks,
Tom
> + struct msr m;
> +
> + raw_rdmsr(MSR_IA32_XSS, &m);
> + ghcb_set_xss(ghcb, m.q);
> + }
> +
> ret = sev_es_ghcb_hv_call(ghcb, ctxt, SVM_EXIT_CPUID, 0, 0);
> if (ret != ES_OK)
> return ret;
> diff --git a/arch/x86/include/asm/svm.h b/arch/x86/include/asm/svm.h
> index 17f6c3fedeee..0581c477d466 100644
> --- a/arch/x86/include/asm/svm.h
> +++ b/arch/x86/include/asm/svm.h
> @@ -701,5 +701,6 @@ DEFINE_GHCB_ACCESSORS(sw_exit_info_1)
> DEFINE_GHCB_ACCESSORS(sw_exit_info_2)
> DEFINE_GHCB_ACCESSORS(sw_scratch)
> DEFINE_GHCB_ACCESSORS(xcr0)
> +DEFINE_GHCB_ACCESSORS(xss)
>
> #endif
On Tue, Sep 09, 2025, Tom Lendacky wrote:
> On 9/8/25 15:20, John Allen wrote:
> > When a guest issues a cpuid instruction for Fn0000000D_{x00,x01}, the
> > hypervisor will be intercepting the CPUID instruction and will need to access
> > the guest XSS value. For SEV-ES, the XSS value is encrypted and needs to be
> > included in the GHCB to be visible to the hypervisor.
> >
> > Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
> > Signed-off-by: John Allen <john.allen@amd.com>
> > ---
> > arch/x86/coco/sev/vc-shared.c | 11 +++++++++++
> > arch/x86/include/asm/svm.h | 1 +
> > 2 files changed, 12 insertions(+)
> >
> > diff --git a/arch/x86/coco/sev/vc-shared.c b/arch/x86/coco/sev/vc-shared.c
> > index 2c0ab0fdc060..079fffdb12c0 100644
> > --- a/arch/x86/coco/sev/vc-shared.c
> > +++ b/arch/x86/coco/sev/vc-shared.c
> > @@ -1,5 +1,9 @@
> > // SPDX-License-Identifier: GPL-2.0
> >
> > +#ifndef __BOOT_COMPRESSED
> > +#define has_cpuflag(f) boot_cpu_has(f)
> > +#endif
> > +
> > static enum es_result vc_check_opcode_bytes(struct es_em_ctxt *ctxt,
> > unsigned long exit_code)
> > {
> > @@ -452,6 +456,13 @@ static enum es_result vc_handle_cpuid(struct ghcb *ghcb,
> > /* xgetbv will cause #GP - use reset value for xcr0 */
> > ghcb_set_xcr0(ghcb, 1);
> >
> > + if (has_cpuflag(X86_FEATURE_SHSTK) && regs->ax == 0xd && regs->cx <= 1) {
Only CPUID.0xD.1 consumes XSS. CPUID.0xD.0 only consumes XCR0. I.e. this could
be "&& regs->cx == 1".
> Just a nit, but I wonder if we should be generic here and just do
> has_cpuflag(X86_FEATURE_XSAVES) since that should be set if shadow stack
> is enabled, right? And when X86_FEATURE_XSAVES is set, we don't
> intercept XSS access (see sev_es_recalc_msr_intercepts()).
On the other hand, by exposing XSS to the host only on CPUID #VCs, you've already
"optimized" this code based on presumed usage of XSS by the hypervisor.
© 2016 - 2026 Red Hat, Inc.