From nobody Sat Feb 7 23:48:14 2026
Date: Thu, 8 Jan 2026 19:31:00 -0800
In-Reply-To: <20260109033101.1005769-1-seanjc@google.com>
References: <20260109033101.1005769-1-seanjc@google.com>
Message-ID: <20260109033101.1005769-2-seanjc@google.com>
Subject: [PATCH 1/2] KVM: SVM: Drop the module param to control SEV-ES DebugSwap
From: Sean Christopherson
To: Sean Christopherson, Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky

Rip out the DebugSwap module param, as the sequence of events that led to its inclusion was one big mistake, the param no longer serves any purpose.

Commit d1f85fbe836e ("KVM: SEV: Enable data breakpoints in SEV-ES") goofed by not adding a way for the userspace VMM to control the feature. Functionally, that was fine, but it broke attestation signatures because SEV_FEATURES are included in the signature.

Commit 5abf6dceb066 ("SEV: disable SEV-ES DebugSwap by default") fixed that issue, but the underlying flaw of userspace not having a way to control SEV_FEATURES was still there.

That flaw was addressed by commit 4f5defae7089 ("KVM: SEV: introduce KVM_SEV_INIT2 operation"), and so then 4dd5ecacb9a4 ("KVM: SEV: allow SEV-ES DebugSwap again") re-enabled DebugSwap by default.

Now that the dust has settled, the module param doesn't serve any meaningful purpose.

Cc: Tom Lendacky
Signed-off-by: Sean Christopherson
Reviewed-by: Tom Lendacky
---
 arch/x86/kvm/svm/sev.c | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)

diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index f59c65abe3cf..9b92f0cccfe6 100644 --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c 
@@ -53,9 +53,6 @@ module_param_named(sev_es, sev_es_enabled, bool, 0444); static bool sev_snp_enabled =3D true; module_param_named(sev_snp, sev_snp_enabled, bool, 0444); =20 -/* enable/disable SEV-ES DebugSwap support */ -static bool sev_es_debug_swap_enabled =3D true; -module_param_named(debug_swap, sev_es_debug_swap_enabled, bool, 0444); static u64 sev_supported_vmsa_features; =20 static unsigned int nr_ciphertext_hiding_asids; 
@@ -3150,12 +3147,10 @@ void __init sev_hardware_setup(void) sev_es_enabled =3D sev_es_supported; sev_snp_enabled =3D sev_snp_supported; =20 - if (!sev_es_enabled || !cpu_feature_enabled(X86_FEATURE_DEBUG_SWAP) || - !cpu_feature_enabled(X86_FEATURE_NO_NESTED_DATA_BP)) - sev_es_debug_swap_enabled =3D false; - sev_supported_vmsa_features =3D 0; - if (sev_es_debug_swap_enabled) + + if (sev_es_enabled && cpu_feature_enabled(X86_FEATURE_DEBUG_SWAP) && + cpu_feature_enabled(X86_FEATURE_NO_NESTED_DATA_BP)) sev_supported_vmsa_features |=3D SVM_SEV_FEAT_DEBUG_SWAP; =20 if (sev_snp_enabled && tsc_khz && cpu_feature_enabled(X86_FEATURE_SNP_SEC= URE_TSC)) --=20 2.52.0.457.g6b5491de43-goog

From nobody Sat Feb 7 23:48:14 2026
Date: Thu, 8 Jan 2026 19:31:01 -0800
In-Reply-To: <20260109033101.1005769-1-seanjc@google.com>
References: <20260109033101.1005769-1-seanjc@google.com>
Message-ID: <20260109033101.1005769-3-seanjc@google.com>
Subject: [PATCH 2/2] KVM: SVM: Tag sev_supported_vmsa_features as read-only after init
From: Sean Christopherson
To: Sean Christopherson, Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Tom Lendacky

Tag sev_supported_vmsa_features with __ro_after_init as it's configured by sev_hardware_setup() and never written after initial configuration (and if it were, that'd be a blatant bug).

Opportunistically relocate the variable out of the module params area now that sev_es_debug_swap_enabled is gone (which largely motivated its original location).

Signed-off-by: Sean Christopherson
Reviewed-by: Tom Lendacky
---
 arch/x86/kvm/svm/sev.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index 9b92f0cccfe6..28150506b18c 100644 --- a/arch/x86/kvm/svm/sev.c 
+++ b/arch/x86/kvm/svm/sev.c @@ -53,8 +53,6 @@ module_param_named(sev_es, sev_es_enabled, bool, 0444); static bool sev_snp_enabled =3D true; module_param_named(sev_snp, sev_snp_enabled, bool, 0444); =20 -static u64 sev_supported_vmsa_features; - static unsigned int nr_ciphertext_hiding_asids; module_param_named(ciphertext_hiding_asids, nr_ciphertext_hiding_asids, ui= nt, 0444); =20 @@ -81,6 +79,8 @@ module_param_named(ciphertext_hiding_asids, nr_ciphertext= _hiding_asids, uint, 04 =20 static u64 snp_supported_policy_bits __ro_after_init; =20 +static u64 sev_supported_vmsa_features __ro_after_init; + #define INITIAL_VMSA_GPA 0xFFFFFFFFF000 =20 static u8 sev_enc_bit; --=20 2.52.0.457.g6b5491de43-goog
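
Review bot: In [PATCH 1/2], hunk @@ -53,9 +53,6 @@, the changelog does not say what a host that still sets debug_swap for the module should expect once module_param_named(debug_swap, sev_es_debug_swap_enabled, bool, 0444) is gone, or how to get the old "off" behaviour back. Suggest one sentence stating that DebugSwap is now controlled by the userspace VMM through KVM_SEV_INIT2 (the mechanism the changelog already names), and a check for any documentation of the parameter that needs the same removal.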
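
Review bot: In [PATCH 1/2], hunk @@ -3150,12 +3147,10 @@, the rewritten condition in sev_hardware_setup() requires X86_FEATURE_NO_NESTED_DATA_BP in addition to X86_FEATURE_DEBUG_SWAP and nothing in the hunk says why. With the named bool sev_es_debug_swap_enabled removed, a one-line comment above the new `if` would keep the reason for that dependency next to the code. Since the changelog notes that SEV_FEATURES are included in the attestation signature, it is also worth stating there that SVM_SEV_FEAT_DEBUG_SWAP is now advertised in sev_supported_vmsa_features purely from sev_es_enabled and these two CPU features.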
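
Review bot: In [PATCH 2/2], hunk @@ -81,6 +79,8 @@, __ro_after_init on sev_supported_vmsa_features is only correct if every writer runs during init. The one writer visible in this series is sev_hardware_setup(), which the patch 1/2 hunk header shows as __init, so the annotation holds for what is shown. Please confirm that no non-init path in sev.c assigns the variable, because a late write would fault on the read-only mapping instead of being silently accepted.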