From nobody Tue Jun 16 06:26:32 2026
Received: from mail-pf1-f202.google.com (mail-pf1-f202.google.com
 [209.85.210.202])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id B2D533A1695
	for <linux-kernel@vger.kernel.org>; Thu, 16 Apr 2026 23:23:40 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.210.202
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1776381821; cv=none;
 b=gvDlwUiUIelJJwynFC1HkR6bWSrjZfoVm8XPTbW5LDSbxafFdy0xh7bd7nfPjy+nPCVLi21gzGQy+iz+v3kRAYFAszI2qlP7COce1xaRUMJCNOkGwhiLzRRkG4q/jFoojLghLTYarKWEgb9gp2Ium29O3gXEAwGTr0wN4nFj4Ag=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1776381821; c=relaxed/simple;
	bh=F9hu7bNzeCBOlvwlFHXUfWgAmqd09v8gpi7nWJIWB7M=;
	h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From:
	 To:Cc:Content-Type;
 b=I7mEZ7vfxmdpSFfU15DhI+XAZNOJPs+UhtxjLcTJSnFg6SxU+8vMKvxTiEe19tLhRfLHHNoM2yJH8Ptxb2d0En0BEo5AdSY0CBAz5E4/WOLV/rFaKn9MKAr0KIMTFMXRhnPWEMR86iW7lyogsDvqPxu+ZcaDKZKR5U8clTeWDTM=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=google.com;
 spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com;
 dkim=pass (2048-bit key) header.d=google.com header.i=@google.com
 header.b=Ox3Eeemb; arc=none smtp.client-ip=209.85.210.202
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=google.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=google.com header.i=@google.com
 header.b="Ox3Eeemb"
Received: by mail-pf1-f202.google.com with SMTP id
 d2e1a72fcca58-82f6b0a7164so265698b3a.0
        for <linux-kernel@vger.kernel.org>;
 Thu, 16 Apr 2026 16:23:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20251104; t=1776381820; x=1776986620;
 darn=vger.kernel.org;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:reply-to:from:to:cc:subject:date:message-id:reply-to;
        bh=dmXOa8CgzaXjhBu8qlmeOtW0FfPQWyidUD9n4wlGJ1o=;
        b=Ox3Eeembh3AWL6N/FtayZCxSNuQO35OIwSZKYu7fB35TIgU7JtHCHfDNgoDTT+EHbX
         nRHe1JyCX4KMqvzT4wnK6IhetYPFQAGYNkfRwiUwzFFQmZfGno3HGl5Ak3ti6WR9wbVe
         HSOK15XLPp3x3BJQ4nN+PLeU/M0cWSL4njY0vEWAZkjTIo0gNRzLndNM6fvT+fyuMh5R
         9OQ2osAuD92lDpsmezO0pq5CR45qDykzRZLbtXPM0JZ2RLtYSaaZE7gZ9EaqdKVHnlZU
         eBzJ+IDOyTVhEOtvjzMCbG/U8Hag8EmpwXUbNiPco0LfHQLY3NrXh4VqSP+wA107zOJw
         SYHg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1776381820; x=1776986620;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:reply-to:x-gm-message-state:from:to:cc:subject:date:message-id
         :reply-to;
        bh=dmXOa8CgzaXjhBu8qlmeOtW0FfPQWyidUD9n4wlGJ1o=;
        b=iG/nzW/+hSLvMTfoH5JKwpplCegpXc4JLLUyBG8gdFZGmwTUYffQDcyvtVdwVh0Jbw
         8Yhlun3DjlK8aQQf1e5k8vLqFjo8K9vR1PZRqw04BNSLZm+nKGQSvgdNAcV3/nDk1NW3
         b+PetC+aemL0YdqcaAbPKJEglwchVCRHA6EdInZDjctGVt+G85V8oQMA2OLEnGRiIvfl
         XpXO5mTx7yw3Un0cJ07TsIIaQTRmLdRX5j8g3WxfDcJF/xX3cDsNfh/VjcU8bvu1WVNX
         AgBQ7RHkoE1uDrA9OVZbIDPkZDlPQllRPOQzrclK2IPOxeVWiZ/y0k4NpAditx9LixmU
         ZEzQ==
X-Forwarded-Encrypted: i=1;
 AFNElJ+uwNV/2QEmyTlQTQUrkwpelTUeReGyUt98PVlFaODF6NhrONl9yYYzCdRHbr0qspGQATmIaV7C3lNgcss=@vger.kernel.org
X-Gm-Message-State: AOJu0Yw0ElaOQg5BllYckrSiVh2GbK+mhaLtAsfcE5BpyIKr7norjB1z
	eh75ggsZB0crUE65rlb2+cIrPC+8qQi0Sbc7F4IL0TKJEcB5Ua4M90vgnLdGwfk5ebTuEanPmP4
	/n/zLBw==
X-Received: from pfwp27.prod.google.com ([2002:a05:6a00:26db:b0:82f:5a4:a02c])
 (user=seanjc job=prod-delivery.src-stubby-dispatcher) by
 2002:a05:6a00:391c:b0:82f:250b:9f1b
 with SMTP id d2e1a72fcca58-82f8c8c299dmr257458b3a.23.1776381819591; Thu, 16
 Apr 2026 16:23:39 -0700 (PDT)
Reply-To: Sean Christopherson <seanjc@google.com>
Date: Thu, 16 Apr 2026 16:23:23 -0700
In-Reply-To: <20260416232329.3408497-1-seanjc@google.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
Mime-Version: 1.0
References: <20260416232329.3408497-1-seanjc@google.com>
X-Mailer: git-send-email 2.54.0.rc1.513.gad8abe7a5a-goog
Message-ID: <20260416232329.3408497-2-seanjc@google.com>
Subject: [PATCH v3 1/7] crypto/ccp: hoist kernel part of SNP_PLATFORM_STATUS
From: Sean Christopherson <seanjc@google.com>
To: Sean Christopherson <seanjc@google.com>,
 Paolo Bonzini <pbonzini@redhat.com>,
	Ashish Kalra <ashish.kalra@amd.com>, Tom Lendacky <thomas.lendacky@amd.com>,
	John Allen <john.allen@amd.com>
Cc: kvm@vger.kernel.org, linux-crypto@vger.kernel.org,
	linux-kernel@vger.kernel.org, Herbert Xu <herbert@gondor.apana.org.au>,
	Tycho Andersen <tycho@kernel.org>
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Tycho Andersen <tycho@kernel.org>

...to its own function. This way it can be used when the kernel needs
access to the platform status regardless of the INIT state of the firmware.

No functional change intended.

Cc: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Tycho Andersen (AMD) <tycho@kernel.org>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Tested-by: Tycho Andersen (AMD) <tycho@kernel.org>
---
 drivers/crypto/ccp/sev-dev.c | 31 +++++++++++++++++++++++--------
 1 file changed, 23 insertions(+), 8 deletions(-)

diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c
index aebf4dad545e..64fc402f58df 100644
--- a/drivers/crypto/ccp/sev-dev.c
+++ b/drivers/crypto/ccp/sev-dev.c
@@ -2367,7 +2367,8 @@ static int sev_ioctl_do_pdh_export(struct sev_issue_c=
md *argp, bool writable)
 	return ret;
 }
=20
-static int sev_ioctl_do_snp_platform_status(struct sev_issue_cmd *argp)
+static int __sev_do_snp_platform_status(struct sev_user_data_snp_status *s=
tatus,
+					int *error)
 {
 	struct sev_device *sev =3D psp_master->sev_data;
 	struct sev_data_snp_addr buf;
@@ -2375,9 +2376,6 @@ static int sev_ioctl_do_snp_platform_status(struct se=
v_issue_cmd *argp)
 	void *data;
 	int ret;
=20
-	if (!argp->data)
-		return -EINVAL;
-
 	status_page =3D alloc_page(GFP_KERNEL_ACCOUNT);
 	if (!status_page)
 		return -ENOMEM;
@@ -2400,7 +2398,7 @@ static int sev_ioctl_do_snp_platform_status(struct se=
v_issue_cmd *argp)
 	}
=20
 	buf.address =3D __psp_pa(data);
-	ret =3D __sev_do_cmd_locked(SEV_CMD_SNP_PLATFORM_STATUS, &buf, &argp->err=
or);
+	ret =3D __sev_do_cmd_locked(SEV_CMD_SNP_PLATFORM_STATUS, &buf, error);
=20
 	if (sev->snp_initialized) {
 		/*
@@ -2415,15 +2413,32 @@ static int sev_ioctl_do_snp_platform_status(struct =
sev_issue_cmd *argp)
 	if (ret)
 		goto cleanup;
=20
-	if (copy_to_user((void __user *)argp->data, data,
-			 sizeof(struct sev_user_data_snp_status)))
-		ret =3D -EFAULT;
+	memcpy(status, data, sizeof(*status));
=20
 cleanup:
 	__free_pages(status_page, 0);
 	return ret;
 }
=20
+static int sev_ioctl_do_snp_platform_status(struct sev_issue_cmd *argp)
+{
+	struct sev_user_data_snp_status status;
+	int ret;
+
+	if (!argp->data)
+		return -EINVAL;
+
+	ret =3D __sev_do_snp_platform_status(&status, &argp->error);
+	if (ret < 0)
+		return ret;
+
+	if (copy_to_user((void __user *)argp->data, &status,
+			 sizeof(struct sev_user_data_snp_status)))
+		ret =3D -EFAULT;
+
+	return ret;
+}
+
 static int sev_ioctl_do_snp_commit(struct sev_issue_cmd *argp)
 {
 	struct sev_device *sev =3D psp_master->sev_data;
--=20
2.54.0.rc1.513.gad8abe7a5a-goog
From nobody Tue Jun 16 06:26:32 2026
Received: from mail-pg1-f201.google.com (mail-pg1-f201.google.com
 [209.85.215.201])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7BDB73A1D0F
	for <linux-kernel@vger.kernel.org>; Thu, 16 Apr 2026 23:23:42 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.215.201
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1776381823; cv=none;
 b=WUEls1X/Aziy3svymODVZPGQVD47uAUizr925uk3f/efPv+SAxUDJZe9uSC4+oWtIpmWa2N5THjij0B9HXEssZfaTIBeOuR3/vZ2vKQvq/yHtJ8WOPXlBgECqx8l0hbonVCugFBBB3SQQ0IfsVBc4gcWzoGae19KcRDIK/f7cxQ=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1776381823; c=relaxed/simple;
	bh=RsjAKRrEYZCTRIS2Y5hyeh5t+5s8fBvhV87/GYsU3E8=;
	h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From:
	 To:Cc:Content-Type;
 b=VAM2DjzcK7Mkx1/f7EH+Q+TOu2BXpGdKj8DPLvTf2mCLLGmdoqfRAfjikykRaoBNZoZYVskBLU9bDuKxqC0mRys4pIYlKSf1ZAa6jBCUlcO6qC7vA+Z4I6IdRqWGFi7+dYkSBysHJJVBg7QWn0dNI7UGDd0lxHth05Fe4JvyoE8=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=google.com;
 spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com;
 dkim=pass (2048-bit key) header.d=google.com header.i=@google.com
 header.b=YxkKmOGe; arc=none smtp.client-ip=209.85.215.201
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=google.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=google.com header.i=@google.com
 header.b="YxkKmOGe"
Received: by mail-pg1-f201.google.com with SMTP id
 41be03b00d2f7-c769b25315eso145363a12.2
        for <linux-kernel@vger.kernel.org>;
 Thu, 16 Apr 2026 16:23:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20251104; t=1776381822; x=1776986622;
 darn=vger.kernel.org;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:reply-to:from:to:cc:subject:date:message-id:reply-to;
        bh=qd/yhxMU8fzlyLqFZ1FuD00KAmIXoxNzpVPShyy4Zq4=;
        b=YxkKmOGeHBNyxLbBLyg/d1hrntuI/iib6CRg3z0mn828vMybSfm0wdKSpDhW1WGv8J
         IkLE68L3I1eCirsUvp66K9x3rNJ+V93kdXia+D55qMLa/t6nC8yqnFSIp8pTaCdWRqHA
         AO5QMpBCQpssKlWGJ9094GoLIxoQ8/XIoGfxnzz0pcFjd/CJ8bZEp0/GPkEqeKQNMQ5R
         gS+jhDAsux0whdZklGrjVir3qJT8M12Fh34KaT/cSfUzS2vSWoEir3iRpgzxHEgtdH4L
         FbhuGvFkLZtIvOVe8LqvTjf4M1oUdXEPsWTqfj6EUwLOK+n3pLtYIcUOqtjR4sMlZkSX
         6SEA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1776381822; x=1776986622;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:reply-to:x-gm-message-state:from:to:cc:subject:date:message-id
         :reply-to;
        bh=qd/yhxMU8fzlyLqFZ1FuD00KAmIXoxNzpVPShyy4Zq4=;
        b=pdIDP3gC2gFglamRHpXYlpghc6ivsFQZG4vAhFaL2NdpjI2dvjiDc1bSxlLL8Oek/7
         QQ20GH0KLKml+9Fkmf1pUBnFIoIg0Ekt7hDlJ5tKKaix57i5LzP72iFhA+4hRrtq0MLM
         MUi1yWSoTaZbddYwB3NwUzOwowaUdWlC1QOuDJpPkT28SfSAyKNKorKa60voDUYvnRR7
         xiltbrTAO3AGFOy+VC5FNHH7+wS0AypwGHhDHitAPuwxCPaHh2s/gTcGutYYTmCdNIeh
         SEFIjAkc/RHC+NCgtqTfKlCGalikoXEE+DKcMVdUHjvZHKIyNZUD+kvfdV5wC9qevzeF
         e7Dg==
X-Forwarded-Encrypted: i=1;
 AFNElJ/WUtcKej3A4BdjHm9eRBZgxCW9A1QsGrW4jwJ1jWdA4YahVrGPlXALlGddaiIxinX/pRBOlTGDaQdKwU0=@vger.kernel.org
X-Gm-Message-State: AOJu0YzQyrLRBHud/xcdD/2MrwTRiKhFspFAgI3DQijkOze4/svXbY+K
	R3CO0i7gJ4iMK+cLaU/2yL9kjduwtkC8VCu1RkbhT6BHpg33McqSutidw+HrTnmTxpfTNKZChXJ
	ZdiItNg==
X-Received: from pfbli8.prod.google.com
 ([2002:a05:6a00:7188:b0:82f:54e9:c13e])
 (user=seanjc job=prod-delivery.src-stubby-dispatcher) by
 2002:a05:6a00:cc1:b0:82c:2555:b9b2
 with SMTP id d2e1a72fcca58-82f8c7db2b1mr334223b3a.10.1776381821642; Thu, 16
 Apr 2026 16:23:41 -0700 (PDT)
Reply-To: Sean Christopherson <seanjc@google.com>
Date: Thu, 16 Apr 2026 16:23:24 -0700
In-Reply-To: <20260416232329.3408497-1-seanjc@google.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
Mime-Version: 1.0
References: <20260416232329.3408497-1-seanjc@google.com>
X-Mailer: git-send-email 2.54.0.rc1.513.gad8abe7a5a-goog
Message-ID: <20260416232329.3408497-3-seanjc@google.com>
Subject: [PATCH v3 2/7] crypto/ccp: export firmware supported vm types
From: Sean Christopherson <seanjc@google.com>
To: Sean Christopherson <seanjc@google.com>,
 Paolo Bonzini <pbonzini@redhat.com>,
	Ashish Kalra <ashish.kalra@amd.com>, Tom Lendacky <thomas.lendacky@amd.com>,
	John Allen <john.allen@amd.com>
Cc: kvm@vger.kernel.org, linux-crypto@vger.kernel.org,
	linux-kernel@vger.kernel.org, Herbert Xu <herbert@gondor.apana.org.au>,
	Tycho Andersen <tycho@kernel.org>
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Tycho Andersen <tycho@kernel.org>

In some configurations, the firmware does not support all VM types. The SEV
firmware has an entry in the TCB_VERSION structure referred to as the
Security Version Number in the SEV-SNP firmware specification and referred
to as the "SPL" in SEV firmware release notes. The SEV firmware release
notes say:

    On every SEV firmware release where a security mitigation has been
    added, the SNP SPL gets increased by 1. This is to let users know that
    it is important to update to this version.

The SEV firmware release that fixed CVE-2025-48514 by disabling SEV-ES
support on vulnerable platforms has this SVN increased to reflect the fix.
The SVN is platform-specific, as is the structure of TCB_VERSION.

Check CURRENT_TCB instead of REPORTED_TCB, since the firmware behaves with
the CURRENT_TCB SVN level and will reject SEV-ES VMs accordingly.

Parse the SVN, and mask off the SEV_ES supported VM type from the list of
supported types if it is above the per-platform threshold for the relevant
platforms.

Signed-off-by: Tycho Andersen (AMD) <tycho@kernel.org>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Tested-by: Tycho Andersen (AMD) <tycho@kernel.org>
---
 drivers/crypto/ccp/sev-dev.c | 70 ++++++++++++++++++++++++++++++++++++
 include/linux/psp-sev.h      | 37 +++++++++++++++++++
 2 files changed, 107 insertions(+)

diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c
index 64fc402f58df..1e3286c048fe 100644
--- a/drivers/crypto/ccp/sev-dev.c
+++ b/drivers/crypto/ccp/sev-dev.c
@@ -2940,3 +2940,73 @@ void sev_pci_exit(void)
=20
 	sev_firmware_shutdown(sev);
 }
+
+static int get_v1_svn(struct sev_device *sev)
+{
+	struct sev_snp_tcb_version_genoa_milan *tcb;
+	struct sev_user_data_snp_status status;
+	int ret, error =3D 0;
+
+	mutex_lock(&sev_cmd_mutex);
+	ret =3D __sev_do_snp_platform_status(&status, &error);
+	mutex_unlock(&sev_cmd_mutex);
+	if (ret < 0)
+		return ret;
+
+	tcb =3D (struct sev_snp_tcb_version_genoa_milan *)&status
+		      .current_tcb_version;
+	return tcb->snp;
+}
+
+static int get_v2_svn(struct sev_device *sev)
+{
+	struct sev_user_data_snp_status status;
+	struct sev_snp_tcb_version_turin *tcb;
+	int ret, error =3D 0;
+
+	mutex_lock(&sev_cmd_mutex);
+	ret =3D __sev_do_snp_platform_status(&status, &error);
+	mutex_unlock(&sev_cmd_mutex);
+	if (ret < 0)
+		return ret;
+
+	tcb =3D (struct sev_snp_tcb_version_turin *)&status
+		      .current_tcb_version;
+	return tcb->snp;
+}
+
+static bool sev_firmware_allows_es(struct sev_device *sev)
+{
+	/* Documented in AMD-SB-3023 */
+	if (boot_cpu_has(X86_FEATURE_ZEN4) || boot_cpu_has(X86_FEATURE_ZEN3))
+		return get_v1_svn(sev) < 0x1b;
+	else if (boot_cpu_has(X86_FEATURE_ZEN5))
+		return get_v2_svn(sev) < 0x4;
+	else
+		return true;
+}
+
+int sev_firmware_supported_vm_types(void)
+{
+	int supported_vm_types =3D 0;
+	struct sev_device *sev;
+
+	if (!psp_master || !psp_master->sev_data)
+		return supported_vm_types;
+	sev =3D psp_master->sev_data;
+
+	supported_vm_types |=3D BIT(KVM_X86_SEV_VM);
+	supported_vm_types |=3D BIT(KVM_X86_SEV_ES_VM);
+
+	if (!sev->snp_initialized)
+		return supported_vm_types;
+
+	supported_vm_types |=3D BIT(KVM_X86_SNP_VM);
+
+	if (!sev_firmware_allows_es(sev))
+		supported_vm_types &=3D ~BIT(KVM_X86_SEV_ES_VM);
+
+	return supported_vm_types;
+
+}
+EXPORT_SYMBOL_FOR_MODULES(sev_firmware_supported_vm_types, "kvm-amd");
diff --git a/include/linux/psp-sev.h b/include/linux/psp-sev.h
index 69ffa4b4d1fa..383a682e94fd 100644
--- a/include/linux/psp-sev.h
+++ b/include/linux/psp-sev.h
@@ -899,6 +899,42 @@ struct snp_feature_info {
 /* Feature bits in EBX */
 #define SNP_SEV_TIO_SUPPORTED			BIT(1)
=20
+/**
+ * struct sev_snp_tcb_version_genoa_milan
+ *
+ * @boot_loader: SVN of PSP bootloader
+ * @tee: SVN of PSP operating system
+ * @reserved: reserved
+ * @snp: SVN of SNP firmware
+ * @microcode: Lowest current patch level of all cores
+ */
+struct sev_snp_tcb_version_genoa_milan {
+	u8 boot_loader;
+	u8 tee;
+	u8 reserved[4];
+	u8 snp;
+	u8 microcode;
+};
+
+/**
+ * struct sev_snp_tcb_version_turin
+ *
+ * @fmc: SVN of FMC firmware
+ * @boot_loader: SVN of PSP bootloader
+ * @tee: SVN of PSP operating system
+ * @snp: SVN of SNP firmware
+ * @reserved: reserved
+ * @microcode: Lowest current patch level of all cores
+ */
+struct sev_snp_tcb_version_turin {
+	u8 fmc;
+	u8 boot_loader;
+	u8 tee;
+	u8 snp;
+	u8 reserved[3];
+	u8 microcode;
+};
+
 #ifdef CONFIG_CRYPTO_DEV_SP_PSP
=20
 /**
@@ -1045,6 +1081,7 @@ void snp_free_firmware_page(void *addr);
 void sev_platform_shutdown(void);
 bool sev_is_snp_ciphertext_hiding_supported(void);
 u64 sev_get_snp_policy_bits(void);
+int sev_firmware_supported_vm_types(void);
=20
 #else	/* !CONFIG_CRYPTO_DEV_SP_PSP */
=20
--=20
2.54.0.rc1.513.gad8abe7a5a-goog
From nobody Tue Jun 16 06:26:32 2026
Received: from mail-pg1-f201.google.com (mail-pg1-f201.google.com
 [209.85.215.201])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 4DB483A257C
	for <linux-kernel@vger.kernel.org>; Thu, 16 Apr 2026 23:23:44 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.215.201
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1776381826; cv=none;
 b=Qu258/7B1Ra9+w8vUHaCX+fOqVfUlnWSsxHGacQRGNK0MxcY+Aq/jeZA0WAFHRa+3JaI+1p6KsxOeErL2PWcSU0/KhCN4qmi7Uw64/QYV7g7Wva20QoK8xO3YqLi7fmL3JdCbJ/nTAp+MXt+hJba/R7bNNz1jDe0IFE6K7yc684=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1776381826; c=relaxed/simple;
	bh=jxXG1p7zC04tYFTfJPIVEx/ypGFjINDEhD2100oJ18Q=;
	h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From:
	 To:Cc:Content-Type;
 b=dXiA1rbi0EefIDmxvw82vacNVAca5Pcl0WmXWo6kpRYdwv9sASLjSm18yesfpGoZ1dIHz8wJZf2MoKxGvQnbhuGXz5bt7bmQ3EcN1NxJXt2PXGKDNZAoHcYDz5/F4HsN0kXbJHPt/Qy8KlflrEn5jlmtAFEvkr+IgRHpl2eiUms=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=google.com;
 spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com;
 dkim=pass (2048-bit key) header.d=google.com header.i=@google.com
 header.b=llbPAxo8; arc=none smtp.client-ip=209.85.215.201
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=google.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=google.com header.i=@google.com
 header.b="llbPAxo8"
Received: by mail-pg1-f201.google.com with SMTP id
 41be03b00d2f7-c6e24ee93a6so647433a12.0
        for <linux-kernel@vger.kernel.org>;
 Thu, 16 Apr 2026 16:23:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20251104; t=1776381823; x=1776986623;
 darn=vger.kernel.org;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:reply-to:from:to:cc:subject:date:message-id:reply-to;
        bh=s+DOdHTafr7BremJNOxlZjtkuJmIgjyz+aBnTy0imDs=;
        b=llbPAxo8QE5Iq5sD0NBopoHqTHST0ohLT32dTMypQEDaar8DnBZTIsBd8pU+95hW5a
         GslF38zKjjP0locuDJdzAe7Bny1UC4R3wAPaO7mc1dECVz5n1gzbxlhfiQ3t4q3xzd0b
         NXCC+SnYV6gUYWIRsYvYGjcX/SFHnqkJdB3EriT8A41F7IvCmjwBmdFF/qIlTaE52Inf
         BdAsaF1NzGXLZNW9Q73szUY3n+amA3CWe/8VA95dv1mSm3REdt1Qr0N5Hq+1Wbtufk3x
         D1+pG1Ta7YrYIVgxEJCJOFj6DAIERdKoowSE3pxiwqr7JCHlteVJ3KlD7AcSY1l1QucD
         Bzrw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1776381823; x=1776986623;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:reply-to:x-gm-message-state:from:to:cc:subject:date:message-id
         :reply-to;
        bh=s+DOdHTafr7BremJNOxlZjtkuJmIgjyz+aBnTy0imDs=;
        b=WPJWMA1kZIGhnexwJbODHVapIxxdaXR7dgAxi+ucz6ienO2yRGAa2mZGGg/Ho0QoOu
         XRazl2M1fMRcCr2qfZ0NEQyZD4+cctdGz3iwWD8BvosGKIJILpA4dymvtxm66rNBP/jA
         fttQiIn2Ikf5ZaM355Xz5Zfr01SsZ/9aeTVqoPks+BRFipspJj6zcjrJODOaMh8klbvo
         9tO5hxr9gnXZoFMDIepe89HYArqBfeax82+IJ2wUAe357AZUkZUQU8lzw4clxV5Jlcad
         bliAiwrHZ1FiiM1YOm7eB42UsToKpdwhLFk7eaXe9Epdf/zlIoGP0D/7cJXStj353w3V
         YH3g==
X-Forwarded-Encrypted: i=1;
 AFNElJ9Owk29M4KB4C5AP1P8l/pfcHZHY6u0bZrHQoO26mhK/Or4NA1lBDQDCJr2Lfxpr41MZ9r///LW3vp5vN0=@vger.kernel.org
X-Gm-Message-State: AOJu0YwPLHWszEGywJePYZODzfNqV7aJYTwHOmy/cRXKnHB5OVoYd4bH
	HKm7zkfdFuqEAvmreZdrAzsvf63NuyAs0K8yt0zJrFSctG2HYBS9igiCfPg4vZM8uH37orKQzQH
	l4rVbWQ==
X-Received: from pfaz1.prod.google.com ([2002:aa7:91c1:0:b0:82f:2efd:4159])
 (user=seanjc job=prod-delivery.src-stubby-dispatcher) by
 2002:a05:6a20:9389:b0:398:7daf:6d7e
 with SMTP id adf61e73a8af0-3a08ca74edbmr302078637.17.1776381823334; Thu, 16
 Apr 2026 16:23:43 -0700 (PDT)
Reply-To: Sean Christopherson <seanjc@google.com>
Date: Thu, 16 Apr 2026 16:23:25 -0700
In-Reply-To: <20260416232329.3408497-1-seanjc@google.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
Mime-Version: 1.0
References: <20260416232329.3408497-1-seanjc@google.com>
X-Mailer: git-send-email 2.54.0.rc1.513.gad8abe7a5a-goog
Message-ID: <20260416232329.3408497-4-seanjc@google.com>
Subject: [PATCH v3 3/7] KVM: SEV: Set supported SEV+ VM types during
 sev_hardware_setup()
From: Sean Christopherson <seanjc@google.com>
To: Sean Christopherson <seanjc@google.com>,
 Paolo Bonzini <pbonzini@redhat.com>,
	Ashish Kalra <ashish.kalra@amd.com>, Tom Lendacky <thomas.lendacky@amd.com>,
	John Allen <john.allen@amd.com>
Cc: kvm@vger.kernel.org, linux-crypto@vger.kernel.org,
	linux-kernel@vger.kernel.org, Herbert Xu <herbert@gondor.apana.org.au>,
	Tycho Andersen <tycho@kernel.org>
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Set the supported SEV+ VM types during sev_hardware_setup() instead of
waiting until sev_set_cpu_caps().  This will using the set of *fully*
supported VM types to print the enabled/unusable/disabled messaged.

For all intents and purposes, no functional change intended.

Signed-off-by: Sean Christopherson <seanjc@google.com>
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Tested-by: Tycho Andersen (AMD) <tycho@kernel.org>
---
 arch/x86/kvm/svm/sev.c | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
index c2126b3c3072..ea4ce371d5f3 100644
--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -3013,18 +3013,14 @@ void sev_vm_destroy(struct kvm *kvm)
=20
 void __init sev_set_cpu_caps(void)
 {
-	if (sev_enabled) {
+	if (sev_enabled)
 		kvm_cpu_cap_set(X86_FEATURE_SEV);
-		kvm_caps.supported_vm_types |=3D BIT(KVM_X86_SEV_VM);
-	}
-	if (sev_es_enabled) {
+
+	if (sev_es_enabled)
 		kvm_cpu_cap_set(X86_FEATURE_SEV_ES);
-		kvm_caps.supported_vm_types |=3D BIT(KVM_X86_SEV_ES_VM);
-	}
-	if (sev_snp_enabled) {
+
+	if (sev_snp_enabled)
 		kvm_cpu_cap_set(X86_FEATURE_SEV_SNP);
-		kvm_caps.supported_vm_types |=3D BIT(KVM_X86_SNP_VM);
-	}
 }
=20
 static bool is_sev_snp_initialized(void)
@@ -3194,6 +3190,13 @@ void __init sev_hardware_setup(void)
 		}
 	}
=20
+	if (sev_supported)
+		kvm_caps.supported_vm_types |=3D BIT(KVM_X86_SEV_VM);
+	if (sev_es_supported)
+		kvm_caps.supported_vm_types |=3D BIT(KVM_X86_SEV_ES_VM);
+	if (sev_snp_supported)
+		kvm_caps.supported_vm_types |=3D BIT(KVM_X86_SNP_VM);
+
 	if (boot_cpu_has(X86_FEATURE_SEV))
 		pr_info("SEV %s (ASIDs %u - %u)\n",
 			sev_supported ? min_sev_asid <=3D max_sev_asid ? "enabled" :
--=20
2.54.0.rc1.513.gad8abe7a5a-goog
From nobody Tue Jun 16 06:26:32 2026
Received: from mail-pj1-f74.google.com (mail-pj1-f74.google.com
 [209.85.216.74])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 231A83A1E9F
	for <linux-kernel@vger.kernel.org>; Thu, 16 Apr 2026 23:23:45 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.216.74
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1776381829; cv=none;
 b=BNqI2FG6dIZTUWFJc9dAeRi9AaWcWUbfPGZjLVd8JnbdefPWf+bzSvBrEqJHUdGZ2oF1dzhsgGPMJwuWWLH8MyM9PmnB2uL8GvUfnq+CMqlEfvHrGfGcCZ0lJqi67OXblLStgvsmGZjfinSTXBnxwbJ4p5s53Rh4gcbJJQ4pIzs=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1776381829; c=relaxed/simple;
	bh=o/KPCcv0d3ZIO//tblY3V4eqnr+bbXLhDZG9zf54a2g=;
	h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From:
	 To:Cc:Content-Type;
 b=DkVq7dL3waW6IqIQaJ6NZjKvbeJv+CJM0ZPY8lpsn62uTtCjZOlCS20zT0lfEe4fuUxCMo5LwAkq3y7f9pwdk/ZdzUMz5ne9inHBlPBlqIJ0jxA8eHuSV45qiBvQqerD+jh1btSAyNH0NxbdVoxlAumJZe0MbH3QC4NvbOupq5g=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=google.com;
 spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com;
 dkim=pass (2048-bit key) header.d=google.com header.i=@google.com
 header.b=QrA5+Jhs; arc=none smtp.client-ip=209.85.216.74
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=google.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=google.com header.i=@google.com
 header.b="QrA5+Jhs"
Received: by mail-pj1-f74.google.com with SMTP id
 98e67ed59e1d1-35d9e67f6dcso394999a91.1
        for <linux-kernel@vger.kernel.org>;
 Thu, 16 Apr 2026 16:23:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20251104; t=1776381825; x=1776986625;
 darn=vger.kernel.org;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:reply-to:from:to:cc:subject:date:message-id:reply-to;
        bh=e3Dmu6K5niFFPRiSYNEdPEZTFH/H4F7a2yY+viQuAo0=;
        b=QrA5+JhssQGYrUNyT548L3KGgUM0TyTJ9dz7SBXp3+DtjJrCFn05MIn0ODXSq0QSMR
         PVz/02/lrTxD5gwuOZsTbqEi5bgx847+JCOMJo8xjTMHZnwJDDL/lkNq9TLYWqeUXTnO
         yASXxbbibh8nO6WybmCGP1OO9S2V2H0jjcOB8/k9/899jsOQ8k6sH+MQKy/vN3o0TrT9
         KYT8UjISJz7DEqdjIOXzft9SaqO7ssSHT7A0IdKquJ/P+KGdWBtk/gPK4g8o+fKLgioH
         P382XiYaHSuccz92292cmd9yCl9WK2FJKDCD3ScsRuI1ln2tEKzN4VkpbyR+WvbpRosY
         Wqcw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1776381825; x=1776986625;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:reply-to:x-gm-message-state:from:to:cc:subject:date:message-id
         :reply-to;
        bh=e3Dmu6K5niFFPRiSYNEdPEZTFH/H4F7a2yY+viQuAo0=;
        b=k6UrSGU4hOfcA8d1J49s4yLikZgSd9OnQ/XL3Rfpnoohak4SFV23q+tuFIqajzBXc9
         7G9lvLx+TRIGYPQRUokfhnbpRM1kppJnLzTgrDEPcerivS2eWif3jSahZlbyfdSXyFpO
         vtVh6yAb7U0M9VuDxa84uv67XvEi4S5ZEJjzcLqDlPIy5Z8VAksdhwJhhVrVXWAL1pRM
         dCAPyFkR1V2pTlA3AHbTSRezru447wGKW5zT7y8FyPADXeJmNK/MvZLf1tsBjtUGGiNz
         BuhVAthnkLMHXGEyibOyteTVJ+C3I3MS3KbEulPOUwxqJChUZTMYSXu6UEXqrF8rmWTj
         B6ag==
X-Forwarded-Encrypted: i=1;
 AFNElJ91Sut1alCjI4armTOLNk9AMJF/Yzi2KeshgOxZOfX+Wh/qmJObq7ChdEV/zXWGId1QSirs4Uq+dJ2rc8k=@vger.kernel.org
X-Gm-Message-State: AOJu0Yw0EGEvfEhrCh/qlgk0qyONU/CAFn9FHrMegrx6bIOFbx2ih2UR
	Gu/plWlARyV/TxC+Pj28fcl3YVppUFakBIid5l2h2Cr8+yMMbFkQDnYdb/F1auBgMJEYm20Hg/H
	/DXQzAw==
X-Received: from pgac11.prod.google.com
 ([2002:a05:6a02:294b:b0:c63:55bd:18f0])
 (user=seanjc job=prod-delivery.src-stubby-dispatcher) by
 2002:a05:6a20:7354:b0:398:8002:8033
 with SMTP id adf61e73a8af0-3a08d9362d0mr332172637.49.1776381825229; Thu, 16
 Apr 2026 16:23:45 -0700 (PDT)
Reply-To: Sean Christopherson <seanjc@google.com>
Date: Thu, 16 Apr 2026 16:23:26 -0700
In-Reply-To: <20260416232329.3408497-1-seanjc@google.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
Mime-Version: 1.0
References: <20260416232329.3408497-1-seanjc@google.com>
X-Mailer: git-send-email 2.54.0.rc1.513.gad8abe7a5a-goog
Message-ID: <20260416232329.3408497-5-seanjc@google.com>
Subject: [PATCH v3 4/7] KVM: SEV: Consolidate logic for printing state of
 SEV{,-ES,-SNP} enabling
From: Sean Christopherson <seanjc@google.com>
To: Sean Christopherson <seanjc@google.com>,
 Paolo Bonzini <pbonzini@redhat.com>,
	Ashish Kalra <ashish.kalra@amd.com>, Tom Lendacky <thomas.lendacky@amd.com>,
	John Allen <john.allen@amd.com>
Cc: kvm@vger.kernel.org, linux-crypto@vger.kernel.org,
	linux-kernel@vger.kernel.org, Herbert Xu <herbert@gondor.apana.org.au>,
	Tycho Andersen <tycho@kernel.org>
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Add a helper to print enabled/unusable/disabled for SEV+ VM types in
anticipation of SNP also being subjecting to "unusable" logic.

No functional change intended.

Signed-off-by: Sean Christopherson <seanjc@google.com>
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Tested-by: Tycho Andersen (AMD) <tycho@kernel.org>
---
 arch/x86/kvm/svm/sev.c | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
index ea4ce371d5f3..dfeb660b8f5d 100644
--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -3050,6 +3050,11 @@ static bool is_sev_snp_initialized(void)
 	return initialized;
 }
=20
+static const char * __init sev_str_feature_state(bool is_supported, bool i=
s_usable)
+{
+	return is_supported ? is_usable ? "enabled" : "unusable" : "disabled";
+}
+
 void __init sev_hardware_setup(void)
 {
 	unsigned int eax, ebx, ecx, edx, sev_asid_count, sev_es_asid_count;
@@ -3199,19 +3204,15 @@ void __init sev_hardware_setup(void)
=20
 	if (boot_cpu_has(X86_FEATURE_SEV))
 		pr_info("SEV %s (ASIDs %u - %u)\n",
-			sev_supported ? min_sev_asid <=3D max_sev_asid ? "enabled" :
-								       "unusable" :
-								       "disabled",
+			sev_str_feature_state(sev_supported, min_sev_asid <=3D max_sev_asid),
 			min_sev_asid, max_sev_asid);
 	if (boot_cpu_has(X86_FEATURE_SEV_ES))
 		pr_info("SEV-ES %s (ASIDs %u - %u)\n",
-			sev_es_supported ? min_sev_es_asid <=3D max_sev_es_asid ? "enabled" :
-										"unusable" :
-										"disabled",
+			sev_str_feature_state(sev_es_supported, min_sev_es_asid <=3D max_sev_es=
_asid),
 			min_sev_es_asid, max_sev_es_asid);
 	if (boot_cpu_has(X86_FEATURE_SEV_SNP))
 		pr_info("SEV-SNP %s (ASIDs %u - %u)\n",
-			str_enabled_disabled(sev_snp_supported),
+			sev_str_feature_state(sev_snp_supported, true),
 			min_snp_asid, max_snp_asid);
=20
 	sev_enabled =3D sev_supported;
--=20
2.54.0.rc1.513.gad8abe7a5a-goog
From nobody Tue Jun 16 06:26:32 2026
Received: from mail-pj1-f73.google.com (mail-pj1-f73.google.com
 [209.85.216.73])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 272EE3A2576
	for <linux-kernel@vger.kernel.org>; Thu, 16 Apr 2026 23:23:48 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.216.73
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1776381829; cv=none;
 b=abCQg7CFOliURufzPKOyDM5Z29Zl3v9FV9DrKHE3feOBya2zh6Pp2KZ9dxpW9F9ybQSf0QIfHg2x1kUg8q3vId+7RBAwKMMA5Pa++u5NghMCMLALuXjVqswaWTWgq6qGaLH2JyuGjJvEzuU3v0ULWdRFtOYga+kBl5DNZuW6j6I=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1776381829; c=relaxed/simple;
	bh=zKm4jq2+Ev4Sd7cYDHKHfbI/oMMYXorfvBJC06pU4MY=;
	h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From:
	 To:Cc:Content-Type;
 b=iuOBIoFvIzASHMXZ+3c1nEE+bjfzBd3+x/Y7tStlhYWUqxf9azfAwzz1M5jImbYGupHUdisT7LfUVr7Nf15E2cNM4c5nyZ88oEn6k4sOl8VZ3a6sdOM5NAvsBIQDb+KjQma4J0wiotVh/GFuHH/Q/crn0Gxnvx1xF/0byQkeoKo=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=google.com;
 spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com;
 dkim=pass (2048-bit key) header.d=google.com header.i=@google.com
 header.b=wNgtltwl; arc=none smtp.client-ip=209.85.216.73
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=google.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=google.com header.i=@google.com
 header.b="wNgtltwl"
Received: by mail-pj1-f73.google.com with SMTP id
 98e67ed59e1d1-35d9e67f6dcso395089a91.1
        for <linux-kernel@vger.kernel.org>;
 Thu, 16 Apr 2026 16:23:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20251104; t=1776381827; x=1776986627;
 darn=vger.kernel.org;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:reply-to:from:to:cc:subject:date:message-id:reply-to;
        bh=jdKPTqMov8cbfemJo4nynbMk23/qpGeXeEBr2ivwq2M=;
        b=wNgtltwlPHR7ofdEbgL01zPz7+zQKZKEEgGED+irQdlbrazUeZ/pd1nHYdKmAKd5bS
         5DluXPgk+t0eSKC8TqsOQFTNLrT9uxzZ3nSIKHf69Se/0ZNwcfswo4ezhbMAnG8qBvV7
         wYM9kfyHBuVoiwkGMmgFgl6ux61yYs3WoAl5QmhWw4/jHwkN/2tNkP1clgsAhWzgMJ85
         9ASswKIyo+2QeSAIousThIWFrBtH7kHgNBXVE0aj1wjdwhl+irV+T/nxKwecNO0y8eKu
         Fz0A/xp3LzfntpXRPuv8RkNK1E4F01GUrzCSXAy01XFdxgYvwJmWQle9w1X4I6O2O+YC
         1cmg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1776381827; x=1776986627;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:reply-to:x-gm-message-state:from:to:cc:subject:date:message-id
         :reply-to;
        bh=jdKPTqMov8cbfemJo4nynbMk23/qpGeXeEBr2ivwq2M=;
        b=gQQ9jZFDCHIYiVcBHXuOqsvfVJNfiG946S82eo/4RfahT5ef6ypsyGE9KMCndeZbeS
         3UQeuZmrWSyUtpSNcnDVvz/fkx/J6PxrkYByIPZsSz1nxABqI6l4UtySpafYDe52c3n8
         KAOytlnnWI1ypH7HDKPAMN9ulpvP6+K6aBvZdR+bTgTd4JcBNZpCjfJI4ooQiKmV3Gtn
         t0phdxT0Gi9k+NIIn7rs4KM8BFjiQmHC/CYXATuwc70PK6U1V0DlD1UI7LMFIMoNPMa1
         /9KHJoKHlqe2gANcweVFg3WV5fqxswxh3qx04ETAeckEqZpWD95tVQ9vAWFd/RpOCX9Z
         Ut5g==
X-Forwarded-Encrypted: i=1;
 AFNElJ/hHLayxS8h9aA+RaycLDWHNlXI4OhFL2RUPvCYTWHNfHJtFG8VJQmQCz/HxF9+qP1Aiw88/lSLHGDmTdM=@vger.kernel.org
X-Gm-Message-State: AOJu0YyAqPgveVNV/1oYjVpFtSKYyXGBQnyU1ExkKk7VYfQMTaftTdYj
	D6MYkXBECePc2YOaHusTiV7w3/wcuX6u+uTSIzJLN66M9EbdVi3n2hTya7zrMooPdFSqRy+NFZd
	9E9jhJw==
X-Received: from pgac12.prod.google.com
 ([2002:a05:6a02:294c:b0:c76:8acb:773d])
 (user=seanjc job=prod-delivery.src-stubby-dispatcher) by
 2002:a17:90b:5288:b0:359:fe72:3559
 with SMTP id 98e67ed59e1d1-3614048b1aemr440448a91.21.1776381827205; Thu, 16
 Apr 2026 16:23:47 -0700 (PDT)
Reply-To: Sean Christopherson <seanjc@google.com>
Date: Thu, 16 Apr 2026 16:23:27 -0700
In-Reply-To: <20260416232329.3408497-1-seanjc@google.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
Mime-Version: 1.0
References: <20260416232329.3408497-1-seanjc@google.com>
X-Mailer: git-send-email 2.54.0.rc1.513.gad8abe7a5a-goog
Message-ID: <20260416232329.3408497-6-seanjc@google.com>
Subject: [PATCH v3 5/7] KVM: SEV: Don't advertise support for unusable VM
 types
From: Sean Christopherson <seanjc@google.com>
To: Sean Christopherson <seanjc@google.com>,
 Paolo Bonzini <pbonzini@redhat.com>,
	Ashish Kalra <ashish.kalra@amd.com>, Tom Lendacky <thomas.lendacky@amd.com>,
	John Allen <john.allen@amd.com>
Cc: kvm@vger.kernel.org, linux-crypto@vger.kernel.org,
	linux-kernel@vger.kernel.org, Herbert Xu <herbert@gondor.apana.org.au>,
	Tycho Andersen <tycho@kernel.org>
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Commit 0aa6b90ef9d7 ("KVM: SVM: Add support for allowing zero SEV ASIDs")
made it possible to make it impossible to use SEV VMs by not allocating
them any ASIDs.

Commit 6c7c620585c6 ("KVM: SEV: Add SEV-SNP CipherTextHiding support") did
the same thing for SEV-ES.

Do not export KVM_X86_SEV(_ES)_VM as supported types if in either of these
situations, so that userspace can use them to determine what is actually
supported by the current kernel configuration.

Also move the buildup to a local variable so it is easier to add additional
masking in future patches.

Link: https://lore.kernel.org/all/aZyLIWtffvEnmtYh@google.com/
Suggested-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Tycho Andersen (AMD) <tycho@kernel.org>
[sean: land code in sev_hardware_setup()]
Signed-off-by: Sean Christopherson <seanjc@google.com>
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Tested-by: Tycho Andersen (AMD) <tycho@kernel.org>
---
 arch/x86/kvm/svm/sev.c | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
index dfeb660b8f5d..0971cf652b0b 100644
--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -3062,6 +3062,7 @@ void __init sev_hardware_setup(void)
 	bool sev_snp_supported =3D false;
 	bool sev_es_supported =3D false;
 	bool sev_supported =3D false;
+	u32 vm_types =3D 0;
=20
 	if (!sev_enabled || !npt_enabled || !nrips)
 		goto out;
@@ -3195,24 +3196,26 @@ void __init sev_hardware_setup(void)
 		}
 	}
=20
-	if (sev_supported)
-		kvm_caps.supported_vm_types |=3D BIT(KVM_X86_SEV_VM);
-	if (sev_es_supported)
-		kvm_caps.supported_vm_types |=3D BIT(KVM_X86_SEV_ES_VM);
+	if (sev_supported && min_sev_asid <=3D max_sev_asid)
+		vm_types |=3D BIT(KVM_X86_SEV_VM);
+	if (sev_es_supported && min_sev_es_asid <=3D max_sev_es_asid)
+		vm_types |=3D BIT(KVM_X86_SEV_ES_VM);
 	if (sev_snp_supported)
-		kvm_caps.supported_vm_types |=3D BIT(KVM_X86_SNP_VM);
+		vm_types |=3D BIT(KVM_X86_SNP_VM);
+
+	kvm_caps.supported_vm_types |=3D vm_types;
=20
 	if (boot_cpu_has(X86_FEATURE_SEV))
 		pr_info("SEV %s (ASIDs %u - %u)\n",
-			sev_str_feature_state(sev_supported, min_sev_asid <=3D max_sev_asid),
+			sev_str_feature_state(sev_supported, vm_types & BIT(KVM_X86_SEV_VM)),
 			min_sev_asid, max_sev_asid);
 	if (boot_cpu_has(X86_FEATURE_SEV_ES))
 		pr_info("SEV-ES %s (ASIDs %u - %u)\n",
-			sev_str_feature_state(sev_es_supported, min_sev_es_asid <=3D max_sev_es=
_asid),
+			sev_str_feature_state(sev_es_supported, vm_types & BIT(KVM_X86_SEV_ES_V=
M)),
 			min_sev_es_asid, max_sev_es_asid);
 	if (boot_cpu_has(X86_FEATURE_SEV_SNP))
 		pr_info("SEV-SNP %s (ASIDs %u - %u)\n",
-			sev_str_feature_state(sev_snp_supported, true),
+			sev_str_feature_state(sev_snp_supported, vm_types & BIT(KVM_X86_SNP_VM)=
),
 			min_snp_asid, max_snp_asid);
=20
 	sev_enabled =3D sev_supported;
--=20
2.54.0.rc1.513.gad8abe7a5a-goog
From nobody Tue Jun 16 06:26:32 2026
Received: from mail-pf1-f201.google.com (mail-pf1-f201.google.com
 [209.85.210.201])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id CE24D3A257C
	for <linux-kernel@vger.kernel.org>; Thu, 16 Apr 2026 23:23:49 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.210.201
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1776381836; cv=none;
 b=c1/cVnqH8TTJTtUcS/r5AZgQO2y6jGpKDj8a+0X/3m4NtTnBOOkWH+Ds3Y3L1uZfwY5vktCeKbtVKC8bc1tCITjYy621DmnT2SWa8Wh029qdgJB6XPnypNGvT75vVBxWS+YtAvDg0mg+gfEf7hyOv7Wf6V/hSSVBP4SRdwx80wk=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1776381836; c=relaxed/simple;
	bh=5y9MQzmnNdA8fG73zq4cTMXDW78U5CKZAEWBePI7SwQ=;
	h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From:
	 To:Cc:Content-Type;
 b=gXkwmLW28FUw2HvnUUHgnatogka0o2lV2E7DwVtHh1PG1XWnEyJLdMUKeoZtDMYsf3gSoGVJS/zee9iYwXxF/IO/k3Cuacpxx/wpgUzrfXLgdtkuaeyQWRUAIE3+Xp2jX8sDAQQ6AUkXEQNatOQlzyvYNsaQtbJdPITS28aRZEU=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=google.com;
 spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com;
 dkim=pass (2048-bit key) header.d=google.com header.i=@google.com
 header.b=PzwauzUp; arc=none smtp.client-ip=209.85.210.201
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=google.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=google.com header.i=@google.com
 header.b="PzwauzUp"
Received: by mail-pf1-f201.google.com with SMTP id
 d2e1a72fcca58-82f6610a6c8so55153b3a.2
        for <linux-kernel@vger.kernel.org>;
 Thu, 16 Apr 2026 16:23:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20251104; t=1776381829; x=1776986629;
 darn=vger.kernel.org;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:reply-to:from:to:cc:subject:date:message-id:reply-to;
        bh=I8i9cxkTxORgkUnwzKhG1n+FrAvtgU2d9BkG0Hg1zPQ=;
        b=PzwauzUpASwgA6Rj6RSH/q/ggEzXA3HKTbyVkWG1uAoF3sCfi5COqAqDYQLeCpn8GT
         NLwfGNqeffYtBy0zYjeWImLvN9NxX54tQNlmwiO/OTfwi3SDKtCaQnc6a8UlQqS+wTsS
         NVuxPsev8iFHCre7Z3bnpSpLY2Ch+GfV616PsqcIVojJPkI9dVlQpIJBgSJz91GOvwIs
         67AZbA+PcbdOZ1q0E0mGZL27mjX/AioEbWFK0zOrYJAoSBrck4SK8F5pljwHnlitY1LZ
         S81Mu3d3ToOI+eiXviqP8b6v9LLYUyWwWJqzrpiqDiDpPVES+JMxJ0iuG7hG1aImBmwi
         ZNrw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1776381829; x=1776986629;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:reply-to:x-gm-message-state:from:to:cc:subject:date:message-id
         :reply-to;
        bh=I8i9cxkTxORgkUnwzKhG1n+FrAvtgU2d9BkG0Hg1zPQ=;
        b=mUOTr2F0ofbhp9q6P/qJgmJdpHaiEdO6Wl1tR3LWgHryUgsg35/oeMW9vWUe/UFaKj
         rGgJDOmgueZeh9s97phaCurwis91w4CiKIjyhtrCR78Z0MZajTOC53UumT3nPJwY7r3+
         Rjo9uo9o3ruRWzZns+Mt1xBBIqHJZj1DNCbikOBv1pmuoPL4LoTaONLWus5+Wxo/8rED
         z3owXuvnkWGzxPSPHCiG8uOJbYDqE6ELvCUwjyjFdehB+ZgRFz67ChFd7Aso/XZS7C00
         rSQeu7kZzQ9zZBsBqDvfCy7Tl1S/c7zeRuKskofOPYlwQwrBAYxeRk2zS9VRmRm0u+My
         sCqw==
X-Forwarded-Encrypted: i=1;
 AFNElJ/O2dmGhwNAS4bOB+RBgb5RFP6QrMaf0oaxt5DLQhpws8haK3q6d27TMXQvsTlk5U2bFrW0U9HzJBGvCYI=@vger.kernel.org
X-Gm-Message-State: AOJu0Yx2LxVx2XAJIxKHbu21eYLDLDy/XK1iUkWvNmDJwflp/OG1+v66
	ax5xb5nxVTC6/jAQCaB1Rnqmw+Hgy/knbtELtSXBT+7xnUnMoyxzoFWjQ0BnAzPsmLqH+/YFUdL
	6+S5KJQ==
X-Received: from pfbdo20.prod.google.com
 ([2002:a05:6a00:4a14:b0:82f:120:fd71])
 (user=seanjc job=prod-delivery.src-stubby-dispatcher) by
 2002:a05:6a00:928b:b0:82c:212a:a9b5
 with SMTP id d2e1a72fcca58-82f8c8df69fmr245291b3a.36.1776381829092; Thu, 16
 Apr 2026 16:23:49 -0700 (PDT)
Reply-To: Sean Christopherson <seanjc@google.com>
Date: Thu, 16 Apr 2026 16:23:28 -0700
In-Reply-To: <20260416232329.3408497-1-seanjc@google.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
Mime-Version: 1.0
References: <20260416232329.3408497-1-seanjc@google.com>
X-Mailer: git-send-email 2.54.0.rc1.513.gad8abe7a5a-goog
Message-ID: <20260416232329.3408497-7-seanjc@google.com>
Subject: [PATCH v3 6/7] KVM: SEV: Don't advertise VM types that are disabled
 by firmware
From: Sean Christopherson <seanjc@google.com>
To: Sean Christopherson <seanjc@google.com>,
 Paolo Bonzini <pbonzini@redhat.com>,
	Ashish Kalra <ashish.kalra@amd.com>, Tom Lendacky <thomas.lendacky@amd.com>,
	John Allen <john.allen@amd.com>
Cc: kvm@vger.kernel.org, linux-crypto@vger.kernel.org,
	linux-kernel@vger.kernel.org, Herbert Xu <herbert@gondor.apana.org.au>,
	Tycho Andersen <tycho@kernel.org>
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Tycho Andersen <tycho@kernel.org>

As called out in a footnote for a recent SNP vulnerability[1], it is
possible for a specific flavor of SEV+ to be disabled by the firmware even
when the flavor is fully supported by the CPU and platform:

  Applying mitigation CVE-2025-48514 will result in disabling SEV-ES when
  SEV-SNP is enabled.

Restrict KVM's set of supported VM types based on the VM types that are
fully supported by firmware to avoid over-reporting what KVM can actually
support.  Like KVM's handling of ASID space exhaustion, don't modify KVM's
CPUID capabilities, as the CPU/platform still supports the underlying
technology and clearing e.g. SEV_ES while advertising SEV_SNP would confuse
KVM and userspace.

Link: https://www.amd.com/en/resources/product-security/bulletin/amd-sb-302=
3.html [1]
Link: https://lore.kernel.org/all/aZyLIWtffvEnmtYh@google.com
Suggested-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Tycho Andersen (AMD) <tycho@kernel.org>
[sean: rewrite changelog to provide details on why/how this can happen]
Signed-off-by: Sean Christopherson <seanjc@google.com>
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Tested-by: Tycho Andersen (AMD) <tycho@kernel.org>
---
 arch/x86/kvm/svm/sev.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
index 0971cf652b0b..ab386aa0c284 100644
--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -3202,6 +3202,7 @@ void __init sev_hardware_setup(void)
 		vm_types |=3D BIT(KVM_X86_SEV_ES_VM);
 	if (sev_snp_supported)
 		vm_types |=3D BIT(KVM_X86_SNP_VM);
+	vm_types &=3D sev_firmware_supported_vm_types();
=20
 	kvm_caps.supported_vm_types |=3D vm_types;
=20
--=20
2.54.0.rc1.513.gad8abe7a5a-goog
From nobody Tue Jun 16 06:26:32 2026
Received: from mail-pf1-f201.google.com (mail-pf1-f201.google.com
 [209.85.210.201])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id E17CB3A16B6
	for <linux-kernel@vger.kernel.org>; Thu, 16 Apr 2026 23:23:51 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.210.201
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1776381835; cv=none;
 b=mwx4kvQ8MlccEn0giONj/pcqRyQJgUsdqYNk+iFvV7c8Dyiz8sW+DOjvWYblhIR8r0pIgY/unMLyvhSDes11PUKy/+MP4cARaeD/UCNwWtmUHLakz8p0HPrjJtEBaTMYoITsGx4dQPakxwiGsb2EBeI7a070sTK/U6nKv5mpIFY=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1776381835; c=relaxed/simple;
	bh=z9lIX9DuyErNsdEarWQrJGrRTnr2frPfAGsuiIhhPJ8=;
	h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From:
	 To:Cc:Content-Type;
 b=Sp/uMupHS4zXpm8PAB6HvChzPiBTtoz0ZjlwGrF/RV2V2K9tDr0a4KvOW6HETtO4AxU6/KHoHnBNxMcJrQCJNTWSW2NMb6MRFrvkAgC5AM0ppKiZ0+2EFdqlZgzVbeRrPVHahy+w8VFRw6H9bbuRud0MNkkUG87keIcVOeiOr3c=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=google.com;
 spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com;
 dkim=pass (2048-bit key) header.d=google.com header.i=@google.com
 header.b=Y3lUCtue; arc=none smtp.client-ip=209.85.210.201
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=google.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=google.com header.i=@google.com
 header.b="Y3lUCtue"
Received: by mail-pf1-f201.google.com with SMTP id
 d2e1a72fcca58-82f756ebd0dso72145b3a.1
        for <linux-kernel@vger.kernel.org>;
 Thu, 16 Apr 2026 16:23:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20251104; t=1776381831; x=1776986631;
 darn=vger.kernel.org;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:reply-to:from:to:cc:subject:date:message-id:reply-to;
        bh=zAK6S4K1O30Zc7+4RITzFic55CfupiQzind/IcIwTPU=;
        b=Y3lUCtueEg9o845zn/Z2+HHYEBQ8uEUQg1ZnM+doXc6i4fXP2GR+Xyt4a3Vv/6DtBz
         aJ0rjAJE1w7mZiPGyqtu4wv25rb5bZsa2aXXCs9SdV9Av7BrXVuaAsWN34uY+dDD841g
         4LnoNvbe5y4wwKlGmRJgbRB/Tu9H1fI7CJ/XWXfTU6GWRwYrNhSSSBjzU7JKuahV/+LU
         g7hFOMnwGAHeFXnbKJISS9lGc6xHml43ivWwmQapSI3NSpW/MvKjQYE6YuCHGllYgEKx
         UrNhLfWCfl8hgeyropwG4Oeu7ay7HAaYQJz6obWCDEOwJWp+tAcjitWbGOh9opM+Cj5O
         RGRQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1776381831; x=1776986631;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:reply-to:x-gm-message-state:from:to:cc:subject:date:message-id
         :reply-to;
        bh=zAK6S4K1O30Zc7+4RITzFic55CfupiQzind/IcIwTPU=;
        b=ZyWjaAAhF2XwIrgZzBsPT6zuoFIA7QIEigK37SfgZ1f5KFtx128sbQNlXOYrVKARmi
         6MKXSii9wT1Z1nxPUWlmE6vg1Bv6xDKbJIws1hJM7vJnlucx3tZGg1V629YEwl19jWal
         x+cwu/TTVjn5GaVTNqOwNpfLjLbvM+8XGJjYxARq4r4+UyanufoLKb7a5OzGSYG8y1JS
         D6mstLpOODG838uE9nZW3w6olQvYiApT1ggXnxVCCX+m29ZNansTBYV0okxC5U2Ct7Ry
         GhG05CHTr9AQEKKqC5JlrDIUmasU7HZLR1ymEgHIvAjjUHgId5KfjCMNQgyWn93sy9Yd
         HHiA==
X-Forwarded-Encrypted: i=1;
 AFNElJ9SS7yxp2JRPdkDH48D6ee5+7tSHm4vFbGTYCKkXtkGOki093IsYUhDuAWh9PzVg1Sjoa2fzkBrdJzB8ec=@vger.kernel.org
X-Gm-Message-State: AOJu0YyKw6FN/rY8COOHluhxs86v2/yfQH2tPJfI1Cc+CKlga4G9OCO1
	MUKRDQFHIsAI3vvNWRpOfOZIIfDMaaF8czUfo0ZFxTTLJMHPKwxXJnZpxH0G/0yH6bKLRXP4UzP
	JmlHOQw==
X-Received: from pfbmb8.prod.google.com
 ([2002:a05:6a00:7608:b0:82f:60a5:8a3d])
 (user=seanjc job=prod-delivery.src-stubby-dispatcher) by
 2002:a05:6a00:18aa:b0:82c:eb46:acb9
 with SMTP id d2e1a72fcca58-82f8c961f8amr240636b3a.24.1776381831072; Thu, 16
 Apr 2026 16:23:51 -0700 (PDT)
Reply-To: Sean Christopherson <seanjc@google.com>
Date: Thu, 16 Apr 2026 16:23:29 -0700
In-Reply-To: <20260416232329.3408497-1-seanjc@google.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
Mime-Version: 1.0
References: <20260416232329.3408497-1-seanjc@google.com>
X-Mailer: git-send-email 2.54.0.rc1.513.gad8abe7a5a-goog
Message-ID: <20260416232329.3408497-8-seanjc@google.com>
Subject: [PATCH v3 7/7] KVM: selftests: Teach sev_*_test about revoking VM
 types
From: Sean Christopherson <seanjc@google.com>
To: Sean Christopherson <seanjc@google.com>,
 Paolo Bonzini <pbonzini@redhat.com>,
	Ashish Kalra <ashish.kalra@amd.com>, Tom Lendacky <thomas.lendacky@amd.com>,
	John Allen <john.allen@amd.com>
Cc: kvm@vger.kernel.org, linux-crypto@vger.kernel.org,
	linux-kernel@vger.kernel.org, Herbert Xu <herbert@gondor.apana.org.au>,
	Tycho Andersen <tycho@kernel.org>
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Tycho Andersen <tycho@kernel.org>

Instead of using CPUID, use the VM type bit to determine support, since
those now reflect the correct status of support by the kernel and firmware
configurations.

Suggested-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Tycho Andersen (AMD) <tycho@kernel.org>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Tested-by: Tycho Andersen (AMD) <tycho@kernel.org>
---
 tools/testing/selftests/kvm/x86/sev_init2_tests.c  | 14 ++++++--------
 .../testing/selftests/kvm/x86/sev_migrate_tests.c  |  2 +-
 tools/testing/selftests/kvm/x86/sev_smoke_test.c   |  4 ++--
 3 files changed, 9 insertions(+), 11 deletions(-)

diff --git a/tools/testing/selftests/kvm/x86/sev_init2_tests.c b/tools/test=
ing/selftests/kvm/x86/sev_init2_tests.c
index b238615196ad..97bd036b4f1c 100644
--- a/tools/testing/selftests/kvm/x86/sev_init2_tests.c
+++ b/tools/testing/selftests/kvm/x86/sev_init2_tests.c
@@ -136,16 +136,14 @@ int main(int argc, char *argv[])
 		    kvm_check_cap(KVM_CAP_VM_TYPES), 1 << KVM_X86_SEV_VM);
=20
 	TEST_REQUIRE(kvm_check_cap(KVM_CAP_VM_TYPES) & BIT(KVM_X86_SEV_VM));
-	have_sev_es =3D kvm_cpu_has(X86_FEATURE_SEV_ES);
+	have_sev_es =3D kvm_check_cap(KVM_CAP_VM_TYPES) & BIT(KVM_X86_SEV_ES_VM);
=20
-	TEST_ASSERT(have_sev_es =3D=3D !!(kvm_check_cap(KVM_CAP_VM_TYPES) & BIT(K=
VM_X86_SEV_ES_VM)),
-		    "sev-es: KVM_CAP_VM_TYPES (%x) does not match cpuid (checking %x)",
-		    kvm_check_cap(KVM_CAP_VM_TYPES), 1 << KVM_X86_SEV_ES_VM);
+	TEST_ASSERT(!have_sev_es || kvm_cpu_has(X86_FEATURE_SEV_ES),
+		    "sev-es: SEV_ES_VM supported without SEV_ES in CPUID");
=20
-	have_snp =3D kvm_cpu_has(X86_FEATURE_SEV_SNP);
-	TEST_ASSERT(have_snp =3D=3D !!(kvm_check_cap(KVM_CAP_VM_TYPES) & BIT(KVM_=
X86_SNP_VM)),
-		    "sev-snp: KVM_CAP_VM_TYPES (%x) indicates SNP support (bit %d), but =
CPUID does not",
-		    kvm_check_cap(KVM_CAP_VM_TYPES), KVM_X86_SNP_VM);
+	have_snp =3D kvm_check_cap(KVM_CAP_VM_TYPES) & BIT(KVM_X86_SNP_VM);
+	TEST_ASSERT(!have_snp || kvm_cpu_has(X86_FEATURE_SEV_SNP),
+		    "sev-snp: SNP_VM supported without SEV_SNP in CPUID");
=20
 	test_vm_types();
=20
diff --git a/tools/testing/selftests/kvm/x86/sev_migrate_tests.c b/tools/te=
sting/selftests/kvm/x86/sev_migrate_tests.c
index 6b0928e69051..42bc023d5193 100644
--- a/tools/testing/selftests/kvm/x86/sev_migrate_tests.c
+++ b/tools/testing/selftests/kvm/x86/sev_migrate_tests.c
@@ -374,7 +374,7 @@ int main(int argc, char *argv[])
=20
 	TEST_REQUIRE(kvm_cpu_has(X86_FEATURE_SEV));
=20
-	have_sev_es =3D kvm_cpu_has(X86_FEATURE_SEV_ES);
+	have_sev_es =3D kvm_check_cap(KVM_CAP_VM_TYPES) & BIT(KVM_X86_SEV_ES_VM);
=20
 	if (kvm_has_cap(KVM_CAP_VM_MOVE_ENC_CONTEXT_FROM)) {
 		test_sev_migrate_from(/* es=3D */ false);
diff --git a/tools/testing/selftests/kvm/x86/sev_smoke_test.c b/tools/testi=
ng/selftests/kvm/x86/sev_smoke_test.c
index 8bd37a476f15..f3c39335ff39 100644
--- a/tools/testing/selftests/kvm/x86/sev_smoke_test.c
+++ b/tools/testing/selftests/kvm/x86/sev_smoke_test.c
@@ -249,10 +249,10 @@ int main(int argc, char *argv[])
=20
 	test_sev_smoke(guest_sev_code, KVM_X86_SEV_VM, 0);
=20
-	if (kvm_cpu_has(X86_FEATURE_SEV_ES))
+	if (kvm_check_cap(KVM_CAP_VM_TYPES) & BIT(KVM_X86_SEV_ES_VM))
 		test_sev_smoke(guest_sev_es_code, KVM_X86_SEV_ES_VM, SEV_POLICY_ES);
=20
-	if (kvm_cpu_has(X86_FEATURE_SEV_SNP))
+	if (kvm_check_cap(KVM_CAP_VM_TYPES) & BIT(KVM_X86_SNP_VM))
 		test_sev_smoke(guest_snp_code, KVM_X86_SNP_VM, snp_default_policy());
=20
 	return 0;
--=20
2.54.0.rc1.513.gad8abe7a5a-goog