[PATCH 0/5] Revoke supported SEV VM types

Tycho Andersen posted 5 patches 1 month ago
There is a newer version of this series
[PATCH 0/5] Revoke supported SEV VM types
Posted by Tycho Andersen 1 month ago
From: "Tycho Andersen (AMD)" <tycho@kernel.org>

Recent SEV firmware [1] does not support SEV-ES VMs when SNP is enabled.
Sean suggested [2] adding an API so that userspace can check for this
condition, so do that. Also introduce and use SNP_VERIFY_MITIGATION to
determine whether it is present or not.

[1]: https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3023.html
[2]: https://lore.kernel.org/all/aZyLIWtffvEnmtYh@google.com/

Tycho Andersen (AMD) (5):
  kvm/sev: don't expose unusable VM types
  crypto/ccp: introduce SNP_VERIFY_MITIGATION
  crypto/ccp: export firmware supported vm types
  kvm/sev: mask off firmware unsupported vm types
  selftests/kvm: teach sev_*_test about revoking VM types

 arch/x86/kvm/svm/sev.c                        | 16 +++-
 drivers/crypto/ccp/sev-dev.c                  | 84 +++++++++++++++++++
 include/linux/psp-sev.h                       | 56 +++++++++++++
 .../selftests/kvm/x86/sev_init2_tests.c       | 14 ++--
 .../selftests/kvm/x86/sev_migrate_tests.c     |  2 +-
 .../selftests/kvm/x86/sev_smoke_test.c        |  4 +-
 6 files changed, 162 insertions(+), 14 deletions(-)


base-commit: 11439c4635edd669ae435eec308f4ab8a0804808
-- 
2.53.0
Re: [PATCH 0/5] Revoke supported SEV VM types
Posted by Sean Christopherson 3 weeks, 6 days ago
On Tue, Mar 03, 2026, Tycho Andersen wrote:
> From: "Tycho Andersen (AMD)" <tycho@kernel.org>
> 
> Recent SEV firmware [1] does not support SEV-ES VMs when SNP is enabled.
> Sean suggested [2] adding an API so that userspace can check for this
> condition, so do that. Also introduce and use SNP_VERIFY_MITIGATION to
> determine whether it is present or not.
> 
> [1]: https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3023.html
> [2]: https://lore.kernel.org/all/aZyLIWtffvEnmtYh@google.com/
> 
> Tycho Andersen (AMD) (5):
>   kvm/sev: don't expose unusable VM types
>   crypto/ccp: introduce SNP_VERIFY_MITIGATION
>   crypto/ccp: export firmware supported vm types
>   kvm/sev: mask off firmware unsupported vm types
>   selftests/kvm: teach sev_*_test about revoking VM types
> 
>  arch/x86/kvm/svm/sev.c                        | 16 +++-
>  drivers/crypto/ccp/sev-dev.c                  | 84 +++++++++++++++++++
>  include/linux/psp-sev.h                       | 56 +++++++++++++
>  .../selftests/kvm/x86/sev_init2_tests.c       | 14 ++--
>  .../selftests/kvm/x86/sev_migrate_tests.c     |  2 +-
>  .../selftests/kvm/x86/sev_smoke_test.c        |  4 +-
>  6 files changed, 162 insertions(+), 14 deletions(-)

Other than a few nits, this LGTM.  Even though the sev-dev.c changes are far more
extensive, I would prefer to take the KVM changes through kvm-x86 due to the
effective change in KVM's ABI.  I'd be happy to carry the whole thing, or use a
stable topic branch as a base (patch 1 can easily become patch 3).