From: Kim Phillips
CC: Sean Christopherson, Paolo Bonzini, K Prateek Nayak, Nikunj A Dadhania, Tom Lendacky, Michael Roth, Borislav Petkov, Borislav Petkov, Naveen Rao, David Kaplan, Pawan Gupta, Kim Phillips, Dave Hansen, kernel test robot
Subject: [PATCH v3 1/6] cpu/bugs: Allow forcing Automatic IBRS with SNP active using spectre_v2=eibrs
Date: Thu, 2 Apr 2026 15:25:53 -0500
Message-ID: <20260402202558.195005-2-kim.phillips@amd.com>
In-Reply-To: <20260402202558.195005-1-kim.phillips@amd.com>
References: <20260402202558.195005-1-kim.phillips@amd.com>
X-Mailing-List: linux-kernel@vger.kernel.org

spectre_v2=eibrs currently enables retpolines when SNP is enabled, instead of AutoIBRS (EIBRS) because the commit that disabled AutoIBRS if SNP is enabled stopped short of enabling X86_FEATURE_IBRS_ENHANCED.

Change the logic to enable X86_FEATURE_IBRS_ENHANCED, and move the decision to switch to retpolines in the default/"auto" case in spectre_v2_select_mitigation(). This allows the existing spectre_v2=eibrs logic to work as intended.

Also emit a performance loss warning for using AutoIBRS with SNP enabled.

Fixes: acaa4b5c4c85 ("x86/speculation: Do not enable Automatic IBRS if SEV-SNP is enabled")
Reported-by: Tom Lendacky
Cc: Borislav Petkov (AMD)
Cc: Pawan Gupta
Cc: Dave Hansen
Cc: Sean Christopherson
Cc: stable@kernel.org
Reported-by: kernel test robot
Closes: https://lore.kernel.org/oe-kbuild-all/202603121136.bc8zNsHS-lkp@intel.com/
Signed-off-by: Kim Phillips
Reviewed-by: Pawan Gupta
---
v3:
 - Addressed Pawan Gupta's comment and remove wrong SPECTRE_V2_CMD_FORCE ("=on") check
 - Addressed kernel test robot's !A || A && B is equivalent to !A || B warning
 - Preferred to add new AutoIBRS with SEV-SNP enabled performance warning instead of muting legacy IBRS in use vs. eIBRS messaging in the context of SNP, since SNP users' IBRS performance varies whether they enable SNP BTB Isolation

v2: https://lore.kernel.org/kvm/20260311130611.2201214-2-kim.phillips@amd.com/
 - Address Dave Hansen's comment to adhere to using the IBRS_ENHANCED Intel feature flag also for AutoIBRS.

v1: https://lore.kernel.org/kvm/20260224180157.725159-2-kim.phillips@amd.com/

 arch/x86/kernel/cpu/bugs.c   | 10 +++++++++-
 arch/x86/kernel/cpu/common.c |  6 +-----
 2 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index 83f51cab0b1e..dfefbde10646 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c 
@@ -1658,6 +1658,7 @@ static inline const char *spectre_v2_module_string(vo= id) { return ""; } #define SPECTRE_V2_LFENCE_MSG "WARNING: LFENCE mitigation is not recommend= ed for this CPU, data leaks possible!\n" #define SPECTRE_V2_EIBRS_EBPF_MSG "WARNING: Unprivileged eBPF is enabled w= ith eIBRS on, data leaks possible via Spectre v2 BHB attacks!\n" #define SPECTRE_V2_EIBRS_LFENCE_EBPF_SMT_MSG "WARNING: Unprivileged eBPF i= s enabled with eIBRS+LFENCE mitigation and SMT, data leaks possible via Spe= ctre v2 BHB attacks!\n" +#define SPECTRE_V2_EIBRS_SNP_PERF_MSG "WARNING: AutoIBRS mitigation select= ed on SEV-SNP enabled CPU, this may cause unnecessary performance loss\n" #define SPECTRE_V2_IBRS_PERF_MSG "WARNING: IBRS mitigation selected on Enh= anced IBRS CPU, this may cause unnecessary performance loss\n" =20 #ifdef CONFIG_BPF_SYSCALL @@ -2181,7 +2182,12 @@ static void __init spectre_v2_select_mitigation(void) break; fallthrough; case SPECTRE_V2_CMD_FORCE: - if (boot_cpu_has(X86_FEATURE_IBRS_ENHANCED)) { + /* + * Don't use AutoIBRS when SNP is enabled because it degrades + * host userspace indirect branch performance. + */ + if (boot_cpu_has(X86_FEATURE_IBRS_ENHANCED) && + !boot_cpu_has(X86_FEATURE_SEV_SNP)) { spectre_v2_enabled =3D SPECTRE_V2_EIBRS; break; } @@ -2257,6 +2263,8 @@ static void __init spectre_v2_apply_mitigation(void) return; =20 case SPECTRE_V2_EIBRS: + if (boot_cpu_has(X86_FEATURE_SEV_SNP)) + pr_warn(SPECTRE_V2_EIBRS_SNP_PERF_MSG); break; =20 case SPECTRE_V2_IBRS: diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c index 4e1f0c4afe3a..0cdcbbedf883 100644 --- a/arch/x86/kernel/cpu/common.c +++ b/arch/x86/kernel/cpu/common.c 
@@ -1485,13 +1485,9 @@ static void __init cpu_set_bug_bits(struct cpuinfo_x= 86 *c) /* * AMD's AutoIBRS is equivalent to Intel's eIBRS - use the Intel feature * flag and protect from vendor-specific bugs via the whitelist. - * - * Don't use AutoIBRS when SNP is enabled because it degrades host - * userspace indirect branch performance. */ if ((x86_arch_cap_msr & ARCH_CAP_IBRS_ALL) || - (cpu_has(c, X86_FEATURE_AUTOIBRS) && - !cpu_feature_enabled(X86_FEATURE_SEV_SNP))) { + cpu_has(c, X86_FEATURE_AUTOIBRS)) { setup_force_cpu_cap(X86_FEATURE_IBRS_ENHANCED); if (!cpu_matches(cpu_vuln_whitelist, NO_EIBRS_PBRSB) && !(x86_arch_cap_msr & ARCH_CAP_PBRSB_NO)) --=20 2.43.0
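
Review bot: In the spectre_v2_select_mitigation() hunk of bugs.c, the new SNP test sits under `case SPECTRE_V2_CMD_FORCE:`, which the preceding case also reaches by fallthrough, so spectre_v2=on with SNP active skips AutoIBRS as well, while the commit message speaks only of the default/"auto" case. State that in the commit message or in the new comment. The added test also uses boot_cpu_has(X86_FEATURE_SEV_SNP) where the check removed from common.c used cpu_feature_enabled(X86_FEATURE_SEV_SNP); keep cpu_feature_enabled() unless the switch is intentional, and say why if it is.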
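
Review bot: In cpu_set_bug_bits() in common.c, dropping the SEV_SNP test means setup_force_cpu_cap(X86_FEATURE_IBRS_ENHANCED) and the NO_EIBRS_PBRSB / ARCH_CAP_PBRSB_NO check nested under it now run on SNP hosts that still select retpolines by default. The commit message only covers spectre_v2_select_mitigation(); since the patch is tagged Cc: stable, it should also state that the other readers of X86_FEATURE_IBRS_ENHANCED, and whatever the PBRSB check sets, were checked for an SNP host that ends up running without AutoIBRS.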

From: Kim Phillips
CC: Sean Christopherson, Paolo Bonzini, K Prateek Nayak, Nikunj A Dadhania, Tom Lendacky, Michael Roth, Borislav Petkov, Borislav Petkov, Naveen Rao, David Kaplan, Pawan Gupta, Kim Phillips, Dave Hansen
Subject: [PATCH v3 2/6] cpu/bugs: Allow spectre_v2=ibrs on x86 vendors other than Intel
Date: Thu, 2 Apr 2026 15:25:54 -0500
Message-ID: <20260402202558.195005-3-kim.phillips@amd.com>
In-Reply-To: <20260402202558.195005-1-kim.phillips@amd.com>
References: <20260402202558.195005-1-kim.phillips@amd.com>

This is to prepare to allow legacy IBRS toggling on AMD systems, where the BTB Isolation SEV-SNP feature can use it to optimize the quick VM exit to re-entry path.

There is no reason this wasn't allowed in the first place, therefore adding the cc: stable and Fixes: tags.

Fixes: 7c693f54c873 ("x86/speculation: Add spectre_v2=ibrs option to support Kernel IBRS")
Reported-by: Tom Lendacky
Cc: Pawan Gupta
Cc: Dave Hansen
Cc: Sean Christopherson
Cc: Borislav Petkov (AMD)
Cc: stable@kernel.org
Signed-off-by: Kim Phillips
---
v3: No changes
v2: No changes
    https://lore.kernel.org/kvm/20260311130611.2201214-3-kim.phillips@amd.com/
v1: https://lore.kernel.org/kvm/20260224180157.725159-3-kim.phillips@amd.com/

 arch/x86/kernel/cpu/bugs.c | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index dfefbde10646..eed5a72a870c 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -2153,11 +2153,6 @@ static void __init spectre_v2_select_mitigation(void) spectre_v2_cmd =3D SPECTRE_V2_CMD_AUTO; } =20 - if (spectre_v2_cmd =3D=3D SPECTRE_V2_CMD_IBRS && boot_cpu_data.x86_vendor= !=3D X86_VENDOR_INTEL) { - pr_err("IBRS selected but not Intel CPU. Switching to AUTO select\n"); - spectre_v2_cmd =3D SPECTRE_V2_CMD_AUTO; - } - if (spectre_v2_cmd =3D=3D SPECTRE_V2_CMD_IBRS && !boot_cpu_has(X86_FEATUR= E_IBRS)) { pr_err("IBRS selected but CPU doesn't have IBRS. Switching to AUTO selec= t\n"); spectre_v2_cmd =3D SPECTRE_V2_CMD_AUTO; 
@@ -2250,7 +2245,8 @@ static void __init spectre_v2_apply_mitigation(void) pr_err(SPECTRE_V2_EIBRS_EBPF_MSG); =20 if (spectre_v2_in_ibrs_mode(spectre_v2_enabled)) { - if (boot_cpu_has(X86_FEATURE_AUTOIBRS)) { + if (boot_cpu_has(X86_FEATURE_AUTOIBRS) && + spectre_v2_enabled !=3D SPECTRE_V2_IBRS) { msr_set_bit(MSR_EFER, _EFER_AUTOIBRS); } else { x86_spec_ctrl_base |=3D SPEC_CTRL_IBRS; --=20 2.43.0
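
Review bot: With the vendor test removed from spectre_v2_select_mitigation(), spectre_v2=ibrs is gated only by X86_FEATURE_IBRS, and the sole justification given is "There is no reason this wasn't allowed in the first place". Because the patch carries Fixes: and Cc: stable, the commit message should say what a stable user on a non-Intel CPU gains from selecting legacy IBRS before the BTB Isolation support it prepares for exists, and on which parts the option was exercised.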
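
Review bot: In the spectre_v2_apply_mitigation() hunk, the added `spectre_v2_enabled != SPECTRE_V2_IBRS` test is what keeps EFER.AUTOIBRS clear and sets SPEC_CTRL_IBRS in x86_spec_ctrl_base when legacy IBRS is requested on an AutoIBRS-capable CPU, but nothing in the code says so. Add a one-line comment above the condition, and consider testing the mode positively with spectre_v2_in_eibrs_mode() so that a future IBRS-family mode does not land in the AutoIBRS branch by default.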

From: Kim Phillips
CC: Sean Christopherson, Paolo Bonzini, K Prateek Nayak, Nikunj A Dadhania, Tom Lendacky, Michael Roth, Borislav Petkov, Borislav Petkov, Naveen Rao, David Kaplan, Pawan Gupta, Kim Phillips
Subject: [PATCH v3 3/6] KVM: SEV: Disallow setting SNP-only features for non-SNP guests via a single mask
Date: Thu, 2 Apr 2026 15:25:55 -0500
Message-ID: <20260402202558.195005-4-kim.phillips@amd.com>
In-Reply-To: <20260402202558.195005-1-kim.phillips@amd.com>
References: <20260402202558.195005-1-kim.phillips@amd.com>

As SNP-only features get added, adding them to the valid_vmsa_features mask in __sev_guest_init() often gets neglected.

Add SVM_SEV_FEAT_SNP_ONLY_MASK to help group these common features together.

Suggested-by: Sean Christopherson
Cc: Borislav Petkov (AMD)
Link: https://lore.kernel.org/kvm/aaWog_UjW-M3412C@google.com/
Signed-off-by: Kim Phillips
---
v3: new

 arch/x86/include/asm/svm.h | 2 ++
 arch/x86/kvm/svm/sev.c     | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/arch/x86/include/asm/svm.h b/arch/x86/include/asm/svm.h index edde36097ddc..7e3f9d92351a 100644 --- a/arch/x86/include/asm/svm.h +++ b/arch/x86/include/asm/svm.h 
@@ -307,6 +307,8 @@ static_assert((X2AVIC_4K_MAX_PHYSICAL_ID & AVIC_PHYSICA= L_MAX_INDEX_MASK) =3D=3D X2AV #define SVM_SEV_FEAT_DEBUG_SWAP BIT(5) #define SVM_SEV_FEAT_SECURE_TSC BIT(9) =20 +#define SVM_SEV_FEAT_SNP_ONLY_MASK SVM_SEV_FEAT_SECURE_TSC + #define VMCB_ALLOWED_SEV_FEATURES_VALID BIT_ULL(63) =20 struct vmcb_seg { diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index 3f9c1aa39a0a..2b4f3c05e282 100644 --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c 
@@ -456,7 +456,7 @@ static int __sev_guest_init(struct kvm *kvm, struct kvm= _sev_cmd *argp, return -EINVAL; =20 if (!snp_active) - valid_vmsa_features &=3D ~SVM_SEV_FEAT_SECURE_TSC; + valid_vmsa_features &=3D ~SVM_SEV_FEAT_SNP_ONLY_MASK; =20 if (data->vmsa_features & ~valid_vmsa_features) return -EINVAL; --=20 2.43.0
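
Review bot: SVM_SEV_FEAT_SNP_ONLY_MASK in the svm.h hunk expands to a bare SVM_SEV_FEAT_SECURE_TSC with no parentheses, which is harmless today but breaks the `~SVM_SEV_FEAT_SNP_ONLY_MASK` use in __sev_guest_init() as soon as a second feature is ORed in: `~A | B` clears only A from valid_vmsa_features and leaves B permitted for non-SNP guests, the very omission the mask is meant to prevent. Define it as `(SVM_SEV_FEAT_SECURE_TSC)` now, and add a one-line comment above the define telling whoever adds the next SNP-only SVM_SEV_FEAT_* bit to extend the mask.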
key) header.d=amd.com header.i=@amd.com header.b="Wtxa40zh" ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=WrjHCVN44j0CgruQR4pAeeXqsmoLj8bOEgp0rwqv2iLzITLB2xiIoNE9riLc9rkfVnc1+RFpbFN1+yRvKEnkP4jDUqwq0GD/e0jmOIBpv5+KtlCCwMJvt+VtennrMCpnvNr4pfSjolJ3UiebBJlIqlSiHkEs24xGMRB5DG2q+teXC3fcw9BE7nfJrsOjN2ZWhJ4cQ4dPMy7Doz1naqmfoxkYidHzoUL4JRl/4xdFDMntXljdzoCNQZR5PhEDtzDpUyVe63HZdGIO3WtvIv4byMC/VSYl660ompF4H0y/gnLrpe7pZWh2q42WILAi636UQElfICPWw4lFmItpOrW6sQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=YCMaKi19xBd+cPMD1FVpqGAue83F+LqlnrPgKCQqQD4=; b=jC2xmNM//7mFQUGYi1WSeGMs5K6alltAO5XHAy7WmolP5/aBByo3Wn5eMniEY2AtwjillRrsWVoyb3G9QOuvtaaLkfQhUDO4V2j+Fuqv4yDvGFMJ4IGzPSQMpzjRzf7MStLzV9+q6lnLYDG1bTubhd/8ECxTcCnakwwB7526EBBSn+wABM+7xlI6wI/CrhPUbkpEvIwZYznuhioWRcU13cv80hCX2Vo2/uXF8IBUC8tUQhgeT1xE1hfOB9mmlhoWHREpqtgpMmVv2bECOy9tFTJyaCrfNLyIeV6g/NlgOVZTih+R+rELw3AHW0kR246LkIx3dWi7M6f47mKVloFl8A== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 165.204.84.17) smtp.rcpttodomain=vger.kernel.org smtp.mailfrom=amd.com; dmarc=pass (p=quarantine sp=quarantine pct=100) action=none header.from=amd.com; dkim=none (message not signed); arc=none (0) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amd.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=YCMaKi19xBd+cPMD1FVpqGAue83F+LqlnrPgKCQqQD4=; b=Wtxa40zhRoBo24M9q838cR5dyY3AgWi4oa/pwXzno26y74M8QXjk8xaYjVvfoidxwwyBqgM5IWTc6ls7f9oH6CdNXlQ3TRFAp+9bKAPWkcJmnl9Ykk6qg3U8R5xS6FXOslXTUxr5ZdAMULfnAUJTeszEdhnrMpzNssEx7jL64Co= Received: from SJ0PR05CA0058.namprd05.prod.outlook.com (2603:10b6:a03:33f::33) by BY5PR12MB4306.namprd12.prod.outlook.com (2603:10b6:a03:206::17) with Microsoft SMTP Server 
(version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9769.16; Thu, 2 Apr 2026 20:26:59 +0000 Received: from SJ1PEPF000026CA.namprd04.prod.outlook.com (2603:10b6:a03:33f:cafe::3a) by SJ0PR05CA0058.outlook.office365.com (2603:10b6:a03:33f::33) with Microsoft SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.20.9769.18 via Frontend Transport; Thu, 2 Apr 2026 20:26:59 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 165.204.84.17) smtp.mailfrom=amd.com; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=amd.com; Received-SPF: Pass (protection.outlook.com: domain of amd.com designates 165.204.84.17 as permitted sender) receiver=protection.outlook.com; client-ip=165.204.84.17; helo=satlexmb07.amd.com; pr=C Received: from satlexmb07.amd.com (165.204.84.17) by SJ1PEPF000026CA.mail.protection.outlook.com (10.167.244.107) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9769.17 via Frontend Transport; Thu, 2 Apr 2026 20:26:58 +0000 Received: from dryer.amd.com (10.180.168.240) by satlexmb07.amd.com (10.181.42.216) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.17; Thu, 2 Apr 2026 15:26:57 -0500 
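Review bot: the !snp_active branch in __sev_guest_init() now depends on SVM_SEV_FEAT_SNP_ONLY_MASK naming every SNP-only bit, and nothing at this site says so. Any SNP-only feature left in valid_vmsa_features but missing from the mask passes the data->vmsa_features & ~valid_vmsa_features check for a non-SNP guest instead of returning -EINVAL. A one-line comment above the masking that states this invariant would make the dependency visible to whoever adds the next feature bit.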
From: Kim Phillips
CC: Sean Christopherson, Paolo Bonzini, K Prateek Nayak, Nikunj A Dadhania, Tom Lendacky, Michael Roth, Borislav Petkov, Naveen Rao, David Kaplan, Pawan Gupta, Kim Phillips
Subject: [PATCH v3 4/6] KVM: SEV: Advertise SVM_SEV_FEAT_SNP_ACTIVE
Date: Thu, 2 Apr 2026 15:25:56 -0500
Message-ID: <20260402202558.195005-5-kim.phillips@amd.com>
In-Reply-To: <20260402202558.195005-1-kim.phillips@amd.com>

Allow userspace to set the flag in kvm_sev_init.flags. KVM still needs to set the flag for backwards compatibility, but disallowing SVM_SEV_FEAT_SNP_ACTIVE for an SNP guest is "bizarre."

Suggested-by: Sean Christopherson
Cc: Borislav Petkov (AMD)
Link: https://lore.kernel.org/kvm/aaWog_UjW-M3412C@google.com/
Signed-off-by: Kim Phillips
---
v3: new

 arch/x86/include/asm/svm.h | 3 ++-
 arch/x86/kvm/svm/sev.c | 8 ++++++--
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/arch/x86/include/asm/svm.h b/arch/x86/include/asm/svm.h index 7e3f9d92351a..4f844a72890c 100644 --- a/arch/x86/include/asm/svm.h +++ b/arch/x86/include/asm/svm.h
@@ -307,7 +307,8 @@ static_assert((X2AVIC_4K_MAX_PHYSICAL_ID & AVIC_PHYSICA= L_MAX_INDEX_MASK) =3D=3D X2AV #define SVM_SEV_FEAT_DEBUG_SWAP BIT(5) #define SVM_SEV_FEAT_SECURE_TSC BIT(9) =20 -#define SVM_SEV_FEAT_SNP_ONLY_MASK SVM_SEV_FEAT_SECURE_TSC +#define SVM_SEV_FEAT_SNP_ONLY_MASK (SVM_SEV_FEAT_SNP_ACTIVE | \ + SVM_SEV_FEAT_SECURE_TSC) =20 #define VMCB_ALLOWED_SEV_FEATURES_VALID BIT_ULL(63) =20 diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index 2b4f3c05e282..9663424c0cf0 100644 --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c 
@@ -3165,8 +3165,12 @@ void __init sev_hardware_setup(void) cpu_feature_enabled(X86_FEATURE_NO_NESTED_DATA_BP)) sev_supported_vmsa_features |=3D SVM_SEV_FEAT_DEBUG_SWAP; =20 - if (sev_snp_enabled && tsc_khz && cpu_feature_enabled(X86_FEATURE_SNP_SEC= URE_TSC)) - sev_supported_vmsa_features |=3D SVM_SEV_FEAT_SECURE_TSC; + if (sev_snp_enabled) { + sev_supported_vmsa_features |=3D SVM_SEV_FEAT_SNP_ACTIVE; + + if (tsc_khz && cpu_feature_enabled(X86_FEATURE_SNP_SECURE_TSC)) + sev_supported_vmsa_features |=3D SVM_SEV_FEAT_SECURE_TSC; + } } =20 void sev_hardware_unsetup(void) --=20 2.43.0
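Review bot: the new if (sev_snp_enabled) block in sev_hardware_setup() advertises SVM_SEV_FEAT_SNP_ACTIVE with no comment, so the changelog's reasoning (userspace may now pass the flag, while KVM still sets it itself for backwards compatibility) cannot be recovered from the code. A short comment above the |= SVM_SEV_FEAT_SNP_ACTIVE line would keep a later cleanup from dropping either the advertisement or the KVM-side set. The changelog also names kvm_sev_init.flags, while the check in __sev_guest_init() earlier in this series tests data->vmsa_features; it is worth confirming which field is meant.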
From: Kim Phillips
CC: Sean Christopherson, Paolo Bonzini, K Prateek Nayak, Nikunj A Dadhania, Tom Lendacky, Michael Roth, Borislav Petkov, Naveen Rao, David Kaplan, Pawan Gupta, Kim Phillips
Subject: [PATCH v3 5/6] KVM: SEV: Add support for IBPB-on-Entry
Date: Thu, 2 Apr 2026 15:25:57 -0500
Message-ID: <20260402202558.195005-6-kim.phillips@amd.com>
In-Reply-To: <20260402202558.195005-1-kim.phillips@amd.com>

AMD EPYC 5th generation and above processors support IBPB-on-Entry for SNP guests. By invoking an Indirect Branch Prediction Barrier (IBPB) on VMRUN, old indirect branch predictions are prevented from influencing indirect branches within the guest.

SNP guests may choose to enable IBPB-on-Entry by setting SEV_FEATURES bit 21 (IbpbOnEntry).

Host support for IBPB on Entry is indicated by CPUID Fn8000_001F[IbpbOnEntry], bit 31.

If supported, indicate support for IBPB on Entry in sev_supported_vmsa_features bit 23 (IbpbOnEntry).

For more info, refer to page 615, Section 15.36.17 "Side-Channel Protection", AMD64 Architecture Programmer's Manual Volume 2: System Programming Part 2, Pub. 24593 Rev. 3.42 - March 2024 (see Link).

Link: https://bugzilla.kernel.org/attachment.cgi?id=306250
Cc: Sean Christopherson
Cc: Borislav Petkov (AMD)
Signed-off-by: Kim Phillips
Reviewed-by: Tom Lendacky
---
v3: Rebased on top of new SNP_ONLY_MASK etc. changes
v2: https://lore.kernel.org/kvm/20260203222405.4065706-3-kim.phillips@amd.com/
 - Added Tom's Reviewed-by.
v1: https://lore.kernel.org/kvm/20260126224205.1442196-3-kim.phillips@amd.com/

 arch/x86/include/asm/cpufeatures.h | 1 +
 arch/x86/include/asm/svm.h | 4 +++-
 arch/x86/kvm/svm/sev.c | 3 +++
 3 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpuf= eatures.h index dbe104df339b..236411a1a86a 100644 --- a/arch/x86/include/asm/cpufeatures.h +++ b/arch/x86/include/asm/cpufeatures.h @@ -459,6 +459,7 @@ #define X86_FEATURE_ALLOWED_SEV_FEATURES (19*32+27) /* Allowed SEV Feature= s */ #define X86_FEATURE_SVSM (19*32+28) /* "svsm" SVSM present */ #define X86_FEATURE_HV_INUSE_WR_ALLOWED (19*32+30) /* Allow Write to in-us= e hypervisor-owned pages */ +#define X86_FEATURE_IBPB_ON_ENTRY (19*32+31) /* SEV-SNP IBPB on VM Entry */ =20 /* AMD-defined Extended Feature 2 EAX, CPUID level 0x80000021 (EAX), word = 20 */ #define X86_FEATURE_NO_NESTED_DATA_BP (20*32+ 0) /* No Nested Data Breakpo= ints */ diff --git a/arch/x86/include/asm/svm.h b/arch/x86/include/asm/svm.h index 4f844a72890c..2a2b8705b2c0 100644 --- a/arch/x86/include/asm/svm.h +++ b/arch/x86/include/asm/svm.h @@ -306,9 +306,11 @@ static_assert((X2AVIC_4K_MAX_PHYSICAL_ID & AVIC_PHYSIC= AL_MAX_INDEX_MASK) =3D=3D X2AV #define SVM_SEV_FEAT_ALTERNATE_INJECTION BIT(4) #define SVM_SEV_FEAT_DEBUG_SWAP BIT(5) #define SVM_SEV_FEAT_SECURE_TSC BIT(9) +#define SVM_SEV_FEAT_IBPB_ON_ENTRY BIT(21) =20 #define SVM_SEV_FEAT_SNP_ONLY_MASK (SVM_SEV_FEAT_SNP_ACTIVE | \ - SVM_SEV_FEAT_SECURE_TSC) + SVM_SEV_FEAT_SECURE_TSC | \ + SVM_SEV_FEAT_IBPB_ON_ENTRY) =20 #define VMCB_ALLOWED_SEV_FEATURES_VALID BIT_ULL(63) =20 diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index 9663424c0cf0..561023486253 100644 --- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c 
@@ -3170,6 +3170,9 @@ void __init sev_hardware_setup(void) =20 if (tsc_khz && cpu_feature_enabled(X86_FEATURE_SNP_SECURE_TSC)) sev_supported_vmsa_features |=3D SVM_SEV_FEAT_SECURE_TSC; + + if (cpu_feature_enabled(X86_FEATURE_IBPB_ON_ENTRY)) + sev_supported_vmsa_features |=3D SVM_SEV_FEAT_IBPB_ON_ENTRY; } } =20 --=20 2.43.0
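Review bot: in the arch/x86/include/asm/svm.h hunk, SVM_SEV_FEAT_IBPB_ON_ENTRY is defined as BIT(21), which matches the changelog's "SEV_FEATURES bit 21 (IbpbOnEntry)" but not its later "sev_supported_vmsa_features bit 23 (IbpbOnEntry)". The sev.c hunk ORs this same define into sev_supported_vmsa_features, so the advertised bit is 21; the changelog should either say so or explain where bit 23 comes from.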
From: Kim Phillips
CC: Sean Christopherson, Paolo Bonzini, K Prateek Nayak, Nikunj A Dadhania, Tom Lendacky, Michael Roth, Borislav Petkov, Naveen Rao, David Kaplan, Pawan Gupta, Kim Phillips
Subject: [PATCH v3 6/6] KVM: SEV: Add support for SNP BTB Isolation
Date: Thu, 2 Apr 2026 15:25:58 -0500
Message-ID: <20260402202558.195005-7-kim.phillips@amd.com>
In-Reply-To: <20260402202558.195005-1-kim.phillips@amd.com>

Advertise support for BTB Isolation via SEV_VMSA_FEATURES when SNP is enabled, as all hardware that supports SNP also supports BTB Isolation.

BTB Isolation is an optional feature that can be enabled by the guest to ensure its guest Branch Target Buffers (BTBs) are not affected by any context outside that guest.

SNP-active guests may choose to enable the Branch Target Buffer Isolation mode through SEV_FEATURES bit 7 (BTBIsolation).

For more info, refer to page 615, Section 15.36.17 "Side-Channel Protection", AMD64 Architecture Programmer's Manual Volume 2: System Programming Part 2, Pub. 24593 Rev. 3.42 - March 2024 (see Link).

Link: https://bugzilla.kernel.org/attachment.cgi?id=306250
Cc: Sean Christopherson
Cc: Borislav Petkov (AMD)
Signed-off-by: Kim Phillips
---
v3: Reworded, Rebased on top of new SNP_ONLY_MASK etc. changes
v2: https://lore.kernel.org/kvm/20260203222405.4065706-3-kim.phillips@amd.com/
 - Added Tom's Reviewed-by.
v1: https://lore.kernel.org/kvm/20260126224205.1442196-3-kim.phillips@amd.com/

 arch/x86/include/asm/svm.h | 2 ++
 arch/x86/kvm/svm/sev.c | 7 ++++++-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/arch/x86/include/asm/svm.h b/arch/x86/include/asm/svm.h index 2a2b8705b2c0..d3a15a40a09b 100644 --- a/arch/x86/include/asm/svm.h +++ b/arch/x86/include/asm/svm.h @@ -305,10 +305,12 @@ static_assert((X2AVIC_4K_MAX_PHYSICAL_ID & AVIC_PHYSI= CAL_MAX_INDEX_MASK) =3D=3D X2AV #define SVM_SEV_FEAT_RESTRICTED_INJECTION BIT(3) #define SVM_SEV_FEAT_ALTERNATE_INJECTION BIT(4) #define SVM_SEV_FEAT_DEBUG_SWAP BIT(5) +#define SVM_SEV_FEAT_BTB_ISOLATION BIT(7) #define SVM_SEV_FEAT_SECURE_TSC BIT(9) #define SVM_SEV_FEAT_IBPB_ON_ENTRY BIT(21) =20 #define SVM_SEV_FEAT_SNP_ONLY_MASK (SVM_SEV_FEAT_SNP_ACTIVE | \ + SVM_SEV_FEAT_BTB_ISOLATION | \ SVM_SEV_FEAT_SECURE_TSC | \ SVM_SEV_FEAT_IBPB_ON_ENTRY) =20 diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index 561023486253..733423000bc8 100644 --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c @@ -3166,7 +3166,12 @@ void __init sev_hardware_setup(void) sev_supported_vmsa_features |=3D SVM_SEV_FEAT_DEBUG_SWAP; =20 if (sev_snp_enabled) { - sev_supported_vmsa_features |=3D SVM_SEV_FEAT_SNP_ACTIVE; + /* + * Some SNP-only features such as BTB Isolation are + * available on all systems that support SNP. + */ + sev_supported_vmsa_features |=3D SVM_SEV_FEAT_SNP_ACTIVE | + SVM_SEV_FEAT_BTB_ISOLATION; =20 if (tsc_khz && cpu_feature_enabled(X86_FEATURE_SNP_SECURE_TSC)) sev_supported_vmsa_features |=3D SVM_SEV_FEAT_SECURE_TSC; --=20 2.43.0
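Review bot: in the sev_hardware_setup() hunk, SVM_SEV_FEAT_BTB_ISOLATION is advertised on sev_snp_enabled alone, with no cpu_feature_enabled() gate, unlike SECURE_TSC on the lines just below it. The added comment only asserts that such features "are available on all systems that support SNP"; citing the APM section the changelog refers to (15.36.17) in that comment would let a reader verify the claim that justifies skipping the CPUID check. Separately, the notes under "---" carry "Added Tom's Reviewed-by." and the same v1/v2 links as patch 5/6, but this patch has no Reviewed-by trailer, so the history block looks copied and should be corrected.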