This series removes some guest policy checks that can be better controlled
by the SEV firmware.

- Remove the check for the SMT policy bit. Currently, a check is made to
  ensure the SMT policy bit is set to 1. However, there is no reason for
  KVM to do this. The SMT policy bit, when 0, is used to ensure that SMT
  has been disabled *in the BIOS.* As this does not require any special
  support within KVM, the check can be safely removed to allow the SEV
  firmware to determine whether the system meets the policy.

- Remove the check for the SINGLE_SOCKET policy bit. Currently, a check is
  made to ensure the SINGLE_SOCKET policy bit is set to 0. However, there
  is no reason for KVM to do this. The SINGLE_SOCKET policy bit, when 1, is
  used to ensure that an SNP guest is only run on a single socket. When the
  system only consists of a single socket, the SEV firmware allows guest
  activation to succeed. However, if the system has more than one socket,
  the SEV firmware will fail guest activation when the SNP_ACTIVATE command
  is used (which is the activation command used by KVM).

The SMT policy patch should not be controversial.

The SINGLE_SOCKET policy patch could be a bit controversial, since, when
you have the SINGLE_SOCKET policy bit set, you can have a guest that can
run without issue on a single socket system, but suddenly fail when
attempted to be started on a system with more than one socket. But, as
this is opt-in behavior from userspace, this could be viewed as providing
the protection that the guest owner desires. In order to support use of
the SINGLE_SOCKET policy bit on a system with more than one socket, the
SNP_ACTIVATE_EX command must be used and proper scheduling support
performed.

The series is based off of:
  https://github.com/kvm-x86/linux.git next

Tom Lendacky (2):
  KVM: SVM: Allow SNP guest policy disallow running with SMT enabled
  KVM: SVM: Allow SNP guest policy to specify SINGLE_SOCKET

 arch/x86/kvm/svm/sev.c | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)


base-commit: 3f7b307757ecffc1c18ede9ee3cf9ce8101f3cc9
-- 
2.46.2
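To make the behaviour change concrete, here is a small C model (added for this write-up, not code from the series or from KVM) that contrasts KVM's pre-series rejection of SMT=0 / SINGLE_SOCKET=1 policies with the post-series outcome, where only the firmware's SNP_ACTIVATE decision matters. The bit positions are taken from the SEV-SNP firmware ABI's GUEST_POLICY layout and the firmware behaviour is a simplified model; both are assumptions, not text from the thread.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* SNP GUEST_POLICY bit positions from the SEV-SNP firmware ABI (assumed; the thread names only the bits). */
#define SNP_POLICY_SMT           (1ULL << 16)  /* 0 = SMT must be disabled in the BIOS */
#define SNP_POLICY_RSVD_MBO      (1ULL << 17)  /* reserved, must be one */
#define SNP_POLICY_SINGLE_SOCKET (1ULL << 20)  /* 1 = guest may run on a single socket only */

/* KVM's pre-series filter on the userspace-supplied policy: SMT=0 or SINGLE_SOCKET=1 is rejected. */
bool kvm_policy_ok_before(uint64_t policy)
{
    if (!(policy & SNP_POLICY_SMT))
        return false;
    if (policy & SNP_POLICY_SINGLE_SOCKET)
        return false;
    return true;
}

/* Constructed model of the firmware's SNP_ACTIVATE policy enforcement (not firmware code):
 * SMT=0 requires SMT disabled in the BIOS; SINGLE_SOCKET=1 requires a one-socket system. */
bool fw_activate_ok(uint64_t policy, bool host_smt_enabled, int host_sockets)
{
    if (!(policy & SNP_POLICY_RSVD_MBO))
        return false;
    if (!(policy & SNP_POLICY_SMT) && host_smt_enabled)
        return false;
    if ((policy & SNP_POLICY_SINGLE_SOCKET) && host_sockets > 1)
        return false;
    return true;
}

/* Launch outcome: with the series applied KVM no longer filters these bits, only the firmware decides. */
bool launch_ok(uint64_t policy, bool host_smt_enabled, int host_sockets, bool series_applied)
{
    if (!series_applied && !kvm_policy_ok_before(policy))
        return false;
    return fw_activate_ok(policy, host_smt_enabled, host_sockets);
}

int main(void)
{
    const uint64_t pol = SNP_POLICY_RSVD_MBO | SNP_POLICY_SMT | SNP_POLICY_SINGLE_SOCKET;
    printf("SINGLE_SOCKET guest, 1 socket : before=%d after=%d\n",
           launch_ok(pol, true, 1, false), launch_ok(pol, true, 1, true));
    printf("SINGLE_SOCKET guest, 2 sockets: before=%d after=%d\n",
           launch_ok(pol, true, 2, false), launch_ok(pol, true, 2, true));
    return 0;
}
```

The second line of output shows the case the cover letter flags as potentially controversial: a SINGLE_SOCKET guest that launches on a one-socket host fails activation on a two-socket host once KVM stops filtering the bit.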
On Thu, 29 May 2025 16:17:58 -0500, Tom Lendacky wrote:
> This series removes some guest policy checks that can be better controlled
> by the SEV firmware.
>
> - Remove the check for the SMT policy bit. Currently, a check is made to
> ensure the SMT policy bit is set to 1. However, there is no reason for
> KVM to do this. The SMT policy bit, when 0, is used to ensure that SMT
> has been disabled *in the BIOS.* As this does not require any special
> support within KVM, the check can be safely removed to allow the SEV
> firmware to determine whether the system meets the policy.
>
> [...]
Applied to kvm-x86 svm. FWIW, I'm not entirely sure I love the idea of doing
nothing, e.g. it'd be nice to enumerate support to userspace. But adding a
bunch of code to regurgitate information that's likely available to userspace
(or more likely, the platform admin/orchestrator) doesn't seem worthwhile either.
I'll make sure to flag this for Paolo's eyeballs.
[1/2] KVM: SVM: Allow SNP guest policy disallow running with SMT enabled
https://github.com/kvm-x86/linux/commit/9f4701e05fae
[2/2] KVM: SVM: Allow SNP guest policy to specify SINGLE_SOCKET
https://github.com/kvm-x86/linux/commit/24be2b7956a5
--
https://github.com/kvm-x86/kvm-unit-tests/tree/next
On 6/24/25 14:38, Sean Christopherson wrote:
> On Thu, 29 May 2025 16:17:58 -0500, Tom Lendacky wrote:
>> This series removes some guest policy checks that can be better controlled
>> by the SEV firmware.
>>
>> - Remove the check for the SMT policy bit. Currently, a check is made to
>> ensure the SMT policy bit is set to 1. However, there is no reason for
>> KVM to do this. The SMT policy bit, when 0, is used to ensure that SMT
>> has been disabled *in the BIOS.* As this does not require any special
>> support within KVM, the check can be safely removed to allow the SEV
>> firmware to determine whether the system meets the policy.
>>
>> [...]
>
> Applied to kvm-x86 svm. FWIW, I'm not entirely sure I love the idea of doing
> nothing, e.g. it'd be nice to enumerate support to userspace. But adding a
> bunch of code to regurgitate information that's likely available to userspace
> (or more likely, the platform admin/orchestrator) doesn't seem worthwhile either.
>
> I'll make sure to flag this for Paolo's eyeballs.

Sounds good, thanks Sean!

Tom

>
> [1/2] KVM: SVM: Allow SNP guest policy disallow running with SMT enabled
> https://github.com/kvm-x86/linux/commit/9f4701e05fae
> [2/2] KVM: SVM: Allow SNP guest policy to specify SINGLE_SOCKET
> https://github.com/kvm-x86/linux/commit/24be2b7956a5
>
> --
> https://github.com/kvm-x86/kvm-unit-tests/tree/next