KVM Planes + SEV-SNP Support

[PATCH 00/60] KVM Planes + SEV-SNP Support

Posted by Jörg Rödel 2 weeks, 5 days ago

From: Joerg Roedel <joerg.roedel@amd.com>

Hi,

Here is the updated patch-set implementing support for planes in KVM.
Planes is KVMs name for supporting various privilege separation
features of hardware (AMD SEV-SNP VMPLs, Intel TDX, ARM CCA Planes) or
software (Hyper-V VSM) in KVM.

The code posted here is based on prior work by Tom Lendacky, Roy
Hopkins[1] and Paolo Bonzini[2] as well as the numerous participants
of the KVM Planes BoF at KVM Forum 2024.

The user-space interface has slightly changed compared to the previous
patches posted by Paolo. The Documentation patch has the details.

The changes implement the base-support in KVM and X86 as well as the
parts required for AMD SEV-SNP VMPLs. The patches are based on
v7.1-rc7 and can be used to run an SEV-SNP VM with COCONUT-SVSM[3] in
VMPL0 with a Linux guest in VMPL2. An updated QEMU is needed as well,
the changes for that will be posted separately.

This changes depend on Melodys patches for supporting restricted
injection. As they are required to run COCONUT-SVSM, they are included
here for completeness.

KVM planes support as posted here has a number of known limitations:

	- Using planes requires IRQ-Chip in split mode
	- IRQFD not yet supported
	- Memory attributes are not per-plane yet - this is required
	  for VSM

The patches are also in this git branch:

	https://github.com/joergroedel/linux/tree/kvm-planes-v7.1

And can be used together with this QEMU tree:

	https://github.com/joergroedel/qemu/tree/qemu-planes-linux-v7.1

Please review.

-Joerg

[1] https://lore.kernel.org/all/cover.1726506534.git.roy.hopkins@suse.com/
[2] https://lore.kernel.org/all/20250401161106.790710-1-pbonzini@redhat.com/
[3] https://github.com/coconut-svsm/svsm/

Joerg Roedel (37):
  kvm: Introduce struct kvm_vcpu_common
  kvm: Move vcpu accounting to struct kvm_vcpu_common
  kvm: Add read accessors for kvm_vcpu scheduling state
  kvm: Make kvm_running_vcpus point to struct kvm_vcpu_common
  kvm: Move VCPU scheduling state to struct kvm_vcpu_common
  kvm: Add accessors for kvm_vcpu->mutex
  kvm: Move VCPU locking to struct kvm_vcpu_common
  kvm: Move kvm_vcpu->rcuwait to struct kvm_vcpu_common
  kvm: Introduce accessors for kvm_vcpu->mode
  kvm: Move kvm_vcpu mode and requests field to struct kvm_vcpu_common
  kvm: Introduce per-plane VCPU requests
  kvm: Move kvm_vcpu pid members to struct kvm_vcpu_common
  kvm: Move kvm_vcpu sigset members to struct kvm_vcpu_common
  kvm: Move kvm_vcpu spinloop members to struct kvm_vcpu_common
  kvm: Move kvm_vcpu->dirty_ring to struct kvm_vcpu_common
  kvm: Introduce arch-specific plane state
  kvm: Introduce arch-specific part of struct kvm_vcpu_common
  kvm: Allocate struct kvm_plane in architecture code
  KVM: Implement KVM_CREATE_VCPU ioctl for planes
  kvm: Keep track of plane VCPUs in struct kvm_vcpu_common
  kvm: Add VCPU plane-scheduling state and helpers
  kvm: Add plane_level to kvm_kernel_irq_routing_entry
  kvm: Pass plane_level to kvm_set_routing_entry()
  kvm: Make KVM_SET_GSI_ROUTING per plane
  kvm: x86: Handle IOAPIC EOIs per plane
  kvm: x86: Move CPUID state to struct kvm_vcpu_arch_common
  kvm: x86: Move cpu_caps to struct kvm_vcpu_arch_common
  kvm: x86: Update state for all plane VCPUs after CPUID update
  kvm: x86: Share MTRR state across planes
  kvm: x86: Select a plane to run
  kvm: x86: Make event injection VCPU requests per-plane
  kvm: x86: Allow hardware backend to overwrite struct kvm_plane
    allocation
  kvm: x86: Make KVM_REQ_UPDATE_PROTECTED_GUEST_STATE per plane
  kvm: x86: Share pio_data across planes
  kvm: x86: Switch to plane0 if it has events
  kvm: x86: Restrict KVM planes support to KVM_IRQCHIP_SPLIT
  kvm: svm: Track vmsa_features per plane

Melody Wang (7):
  x86/sev: Define the #HV doorbell page structure
  KVM: SVM: Add support for the SEV-SNP #HV doorbell page NAE event
  KVM: SVM: Inject #HV when Restricted Injection is active
  KVM: SVM: Inject NMIs when Restricted Injection is active
  KVM: SVM: Inject MCEs when Restricted Injection is active
  KVM: SVM: Enable Restricted Injection for an SEV-SNP guest
  KVM: SVM: Add support for the SEV-SNP #HV IPI NAE event

Paolo Bonzini (11):
  Documentation: kvm: introduce "VM plane" concept
  kvm: Introduce struct kvm_plane
  kvm: Move vcpu_array to struct kvm_plane
  kvm: Implement KVM_CAP_PLANES
  kvm: Implement KVM_CREATE_PLANE ioctl
  kvm: Add KVM_EXIT_PLANE_EVENT
  kvm: Allocate struct kvm_run only for struct kvm_vcpu_common
  kvm: Make KVM_SIGNAL_MSI per plane
  kvm: x86: Make apic_map per plane
  kvm: x86: Make local APIC code aware of planes
  kvm: x86: Introduce max_planes x86-op

Tom Lendacky (5):
  kvm: svm: Implement GET_AP_APIC_IDS NAE event
  kvm: sev: Allow for VMPL level specification in AP create
  kvm: svm: Invoke a specified VMPL level VMSA for the vCPU
  kvm: svm: Implement max_planes x86 operation
  kvm: svm: Advertise full multi-VMPL support to the SNP guest

 Documentation/virt/kvm/api.rst        | 102 +++-
 arch/arm64/include/asm/kvm_host.h     |  19 +-
 arch/arm64/kvm/arch_timer.c           |   3 +-
 arch/arm64/kvm/arm.c                  |  37 +-
 arch/arm64/kvm/inject_fault.c         |   4 +-
 arch/arm64/kvm/nested.c               |   2 +-
 arch/arm64/kvm/vgic/vgic-init.c       |   3 +-
 arch/arm64/kvm/vgic/vgic-irqfd.c      |   7 +-
 arch/loongarch/include/asm/kvm_host.h |  17 +
 arch/loongarch/kvm/intc/pch_pic.c     |   2 +-
 arch/loongarch/kvm/irqfd.c            |   5 +-
 arch/loongarch/kvm/timer.c            |   2 +-
 arch/loongarch/kvm/vcpu.c             |  16 +-
 arch/loongarch/kvm/vm.c               |  18 +
 arch/mips/include/asm/kvm_host.h      |  17 +
 arch/mips/kvm/mips.c                  |  35 +-
 arch/powerpc/include/asm/kvm_host.h   |  17 +
 arch/powerpc/kvm/book3s_pr.c          |   2 +-
 arch/powerpc/kvm/book3s_xics.c        |   4 +-
 arch/powerpc/kvm/book3s_xive.c        |   4 +-
 arch/powerpc/kvm/book3s_xive_native.c |   4 +-
 arch/powerpc/kvm/booke.c              |   2 +-
 arch/powerpc/kvm/mpic.c               |   6 +-
 arch/powerpc/kvm/powerpc.c            |  27 +-
 arch/powerpc/kvm/trace.h              |   2 +-
 arch/riscv/include/asm/kvm_host.h     |  17 +
 arch/riscv/kvm/aia_device.c           |   4 +-
 arch/riscv/kvm/main.c                 |  18 +
 arch/riscv/kvm/vcpu.c                 |  13 +-
 arch/riscv/kvm/vm.c                   |   6 +-
 arch/s390/include/asm/kvm_host.h      |  17 +
 arch/s390/kvm/interrupt.c             |  11 +-
 arch/s390/kvm/kvm-s390.c              |  33 +-
 arch/s390/kvm/pv.c                    |   2 +-
 arch/x86/include/asm/cpufeatures.h    |   1 +
 arch/x86/include/asm/kvm-x86-ops.h    |   4 +
 arch/x86/include/asm/kvm_host.h       |  96 ++--
 arch/x86/include/asm/sev-common.h     |   8 +
 arch/x86/include/asm/svm.h            |  42 ++
 arch/x86/include/uapi/asm/svm.h       |   9 +
 arch/x86/kvm/cpuid.c                  |  70 ++-
 arch/x86/kvm/cpuid.h                  |  31 +-
 arch/x86/kvm/hyperv.c                 |   2 +-
 arch/x86/kvm/i8254.c                  |   2 +-
 arch/x86/kvm/ioapic.c                 |   8 +-
 arch/x86/kvm/irq.c                    |  19 +-
 arch/x86/kvm/lapic.c                  | 144 +++--
 arch/x86/kvm/lapic.h                  |  14 +-
 arch/x86/kvm/mmu/mmu.c                |   4 +-
 arch/x86/kvm/mtrr.c                   |  12 +-
 arch/x86/kvm/smm.c                    |   2 +-
 arch/x86/kvm/svm/sev.c                | 644 ++++++++++++++++++++--
 arch/x86/kvm/svm/svm.c                |  85 ++-
 arch/x86/kvm/svm/svm.h                |  52 +-
 arch/x86/kvm/trace.h                  |   2 +-
 arch/x86/kvm/vmx/common.h             |   2 +-
 arch/x86/kvm/vmx/main.c               |  16 +-
 arch/x86/kvm/vmx/nested.h             |   4 +-
 arch/x86/kvm/vmx/posted_intr.c        |   2 +-
 arch/x86/kvm/vmx/vmx.c                |  11 +-
 arch/x86/kvm/vmx/x86_ops.h            |   1 +
 arch/x86/kvm/x86.c                    | 237 ++++++--
 arch/x86/kvm/x86.h                    |   5 +
 arch/x86/kvm/xen.c                    |   2 +-
 arch/x86/kvm/xen.h                    |   2 +-
 include/linux/kvm_host.h              | 278 ++++++++--
 include/linux/kvm_types.h             |   2 +
 include/uapi/linux/kvm.h              |  18 +
 virt/kvm/dirty_ring.c                 |   4 +-
 virt/kvm/irqchip.c                    |  13 +-
 virt/kvm/kvm_main.c                   | 764 +++++++++++++++++++-------
 71 files changed, 2460 insertions(+), 630 deletions(-)

-- 
2.53.0

Re: [PATCH 00/60] KVM Planes + SEV-SNP Support

Posted by Melody Wang 2 weeks, 2 days ago

Hi,

On 6/8/26 7:41 AM, Jörg Rödel wrote:
> From: Joerg Roedel <joerg.roedel@amd.com>
 > ...
> This changes depend on Melodys patches for supporting restricted
> injection. As they are required to run COCONUT-SVSM, they are included
> here for completeness.

Btw, I am fixing up the restricted injection patches based on AI 
reviews, will send the new version out upstream soon. So you dont need 
to review the current version.

-- 
Thanks,
Melody

[syzbot ci] Re: KVM Planes + SEV-SNP Support

Posted by syzbot ci 2 weeks, 4 days ago

syzbot ci has tested the following series

[v1] KVM Planes + SEV-SNP Support
https://lore.kernel.org/all/20260608144252.351443-1-joro@8bytes.org
* [PATCH 01/60] x86/sev: Define the #HV doorbell page structure
* [PATCH 02/60] KVM: SVM: Add support for the SEV-SNP #HV doorbell page NAE event
* [PATCH 03/60] KVM: SVM: Inject #HV when Restricted Injection is active
* [PATCH 04/60] KVM: SVM: Inject NMIs when Restricted Injection is active
* [PATCH 05/60] KVM: SVM: Inject MCEs when Restricted Injection is active
* [PATCH 06/60] KVM: SVM: Enable Restricted Injection for an SEV-SNP guest
* [PATCH 07/60] KVM: SVM: Add support for the SEV-SNP #HV IPI NAE event
* [PATCH 08/60] Documentation: kvm: introduce "VM plane" concept
* [PATCH 09/60] kvm: Introduce struct kvm_plane
* [PATCH 10/60] kvm: Move vcpu_array to struct kvm_plane
* [PATCH 11/60] kvm: Introduce struct kvm_vcpu_common
* [PATCH 12/60] kvm: Move vcpu accounting to struct kvm_vcpu_common
* [PATCH 13/60] kvm: Add read accessors for kvm_vcpu scheduling state
* [PATCH 14/60] kvm: Make kvm_running_vcpus point to struct kvm_vcpu_common
* [PATCH 15/60] kvm: Move VCPU scheduling state to struct kvm_vcpu_common
* [PATCH 16/60] kvm: Add accessors for kvm_vcpu->mutex
* [PATCH 17/60] kvm: Move VCPU locking to struct kvm_vcpu_common
* [PATCH 18/60] kvm: Move kvm_vcpu->rcuwait to struct kvm_vcpu_common
* [PATCH 19/60] kvm: Introduce accessors for kvm_vcpu->mode
* [PATCH 20/60] kvm: Move kvm_vcpu mode and requests field to struct kvm_vcpu_common
* [PATCH 21/60] kvm: Introduce per-plane VCPU requests
* [PATCH 22/60] kvm: Move kvm_vcpu pid members to struct kvm_vcpu_common
* [PATCH 23/60] kvm: Move kvm_vcpu sigset members to struct kvm_vcpu_common
* [PATCH 24/60] kvm: Move kvm_vcpu spinloop members to struct kvm_vcpu_common
* [PATCH 25/60] kvm: Move kvm_vcpu->dirty_ring to struct kvm_vcpu_common
* [PATCH 26/60] kvm: Introduce arch-specific plane state
* [PATCH 27/60] kvm: Introduce arch-specific part of struct kvm_vcpu_common
* [PATCH 28/60] kvm: Implement KVM_CAP_PLANES
* [PATCH 29/60] kvm: Implement KVM_CREATE_PLANE ioctl
* [PATCH 30/60] kvm: Add KVM_EXIT_PLANE_EVENT
* [PATCH 31/60] kvm: Allocate struct kvm_plane in architecture code
* [PATCH 32/60] kvm: Allocate struct kvm_run only for struct kvm_vcpu_common
* [PATCH 33/60] KVM: Implement KVM_CREATE_VCPU ioctl for planes
* [PATCH 34/60] kvm: Keep track of plane VCPUs in struct kvm_vcpu_common
* [PATCH 35/60] kvm: Add VCPU plane-scheduling state and helpers
* [PATCH 36/60] kvm: Add plane_level to kvm_kernel_irq_routing_entry
* [PATCH 37/60] kvm: Pass plane_level to kvm_set_routing_entry()
* [PATCH 38/60] kvm: Make KVM_SIGNAL_MSI per plane
* [PATCH 39/60] kvm: Make KVM_SET_GSI_ROUTING per plane
* [PATCH 40/60] kvm: x86: Handle IOAPIC EOIs per plane
* [PATCH 41/60] kvm: x86: Make apic_map per plane
* [PATCH 42/60] kvm: x86: Make local APIC code aware of planes
* [PATCH 43/60] kvm: x86: Move CPUID state to struct kvm_vcpu_arch_common
* [PATCH 44/60] kvm: x86: Move cpu_caps to struct kvm_vcpu_arch_common
* [PATCH 45/60] kvm: x86: Update state for all plane VCPUs after CPUID update
* [PATCH 46/60] kvm: x86: Share MTRR state across planes
* [PATCH 47/60] kvm: x86: Select a plane to run
* [PATCH 48/60] kvm: x86: Make event injection VCPU requests per-plane
* [PATCH 49/60] kvm: x86: Allow hardware backend to overwrite struct kvm_plane allocation
* [PATCH 50/60] kvm: x86: Make KVM_REQ_UPDATE_PROTECTED_GUEST_STATE per plane
* [PATCH 51/60] kvm: x86: Share pio_data across planes
* [PATCH 52/60] kvm: x86: Switch to plane0 if it has events
* [PATCH 53/60] kvm: x86: Introduce max_planes x86-op
* [PATCH 54/60] kvm: x86: Restrict KVM planes support to KVM_IRQCHIP_SPLIT
* [PATCH 55/60] kvm: svm: Track vmsa_features per plane
* [PATCH 56/60] kvm: svm: Implement GET_AP_APIC_IDS NAE event
* [PATCH 57/60] kvm: sev: Allow for VMPL level specification in AP create
* [PATCH 58/60] kvm: svm: Invoke a specified VMPL level VMSA for the vCPU
* [PATCH 59/60] kvm: svm: Implement max_planes x86 operation
* [PATCH 60/60] kvm: svm: Advertise full multi-VMPL support to the SNP guest

and found the following issue:
WARNING in __kvm_plane_ioctl

Full report is available here:
https://ci.syzbot.org/series/7426b4e7-e1df-4f2e-8464-acda36316e29

***

WARNING in __kvm_plane_ioctl

tree:      torvalds
URL:       https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux
base:      2d3090a8aeb596a26935db0955d46c9a5db5c6ce
arch:      amd64
compiler:  Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
config:    https://ci.syzbot.org/builds/f9f7af87-a544-413f-b7e0-662f92794f11/config
syz repro: https://ci.syzbot.org/findings/751865bf-494c-4000-9b11-d8aa15f03893/syz_repro

------------[ cut here ]------------
r == -EBUSY
WARNING: arch/x86/kvm/../../../virt/kvm/kvm_main.c:4412 at kvm_plane_ioctl_create_vcpu virt/kvm/kvm_main.c:4412 [inline], CPU#1: syz.2.19/5809
WARNING: arch/x86/kvm/../../../virt/kvm/kvm_main.c:4412 at __kvm_plane_ioctl+0x8bd/0xa70 virt/kvm/kvm_main.c:4908, CPU#1: syz.2.19/5809
Modules linked in:
CPU: 1 UID: 0 PID: 5809 Comm: syz.2.19 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:kvm_plane_ioctl_create_vcpu virt/kvm/kvm_main.c:4412 [inline]
RIP: 0010:__kvm_plane_ioctl+0x8bd/0xa70 virt/kvm/kvm_main.c:4908
Code: e8 c8 0a 09 00 4c 89 f7 e8 80 a3 ff ff 48 8b 3d a9 a8 fd 11 4c 89 f6 e8 c1 35 e7 00 49 63 c7 e9 8c fc ff ff e8 94 2f 87 00 90 <0f> 0b 90 41 bf f0 ff ff ff eb bc e8 e3 eb 68 0a 89 f9 80 e1 07 80
RSP: 0018:ffffc9000318f940 EFLAGS: 00010293
RAX: ffffffff813f480c RBX: ffff8881ba113410 RCX: ffff88810d4f4a80
RDX: 0000000000000000 RSI: ffffffff8e6fa0b0 RDI: 00000000fffffff0
RBP: ffffc9000318fa70 R08: ffff88810d4f4a80 R09: 0000000000000002
R10: 00000000fffffff0 R11: 0000000000000000 R12: 1ffff92000631f34
R13: dffffc0000000000 R14: ffff8881b446cb18 R15: 00000000fffffff0
FS:  00007f13e64ad6c0(0000) GS:ffff8882a929c000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f13e64acff8 CR3: 00000001a6053000 CR4: 0000000000352ef0
Call Trace:
 <TASK>
 kvm_vm_ioctl+0x88e/0xbf0 virt/kvm/kvm_main.c:5546
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:597 [inline]
 __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f13e559ce59
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f13e64ad028 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f13e5816090 RCX: 00007f13e559ce59
RDX: 0000000000000000 RSI: 000000000000ae41 RDI: 0000000000000004
RBP: 00007f13e5632d6f R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f13e5816128 R14: 00007f13e5816090 R15: 00007fff90c39748
 </TASK>


***

If these findings have caused you to resend the series or submit a
separate fix, please add the following tag to your commit message:
  Tested-by: syzbot@syzkaller.appspotmail.com

---
This report is generated by a bot. It may contain errors.
syzbot ci engineers can be reached at syzkaller@googlegroups.com.

To test a patch for this bug, please reply with `#syz test`
(should be on a separate line).

The patch should be attached to the email.
Note: arguments like custom git repos and branches are not supported.