From: Tom Lendacky
CC: Paolo Bonzini, Sean Christopherson, Borislav Petkov, Dave Hansen, Ingo Molnar, "Thomas Gleixner", Michael Roth, "Ashish Kalra", Herbert Xu, "David Miller"
Subject: [RFC PATCH 1/4] KVM: SEV: Publish supported SEV-SNP policy bits
Date: Fri, 22 Aug 2025 16:25:31 -0500
X-Mailing-List: linux-kernel@vger.kernel.org

Define the set of policy
bits that KVM currently knows as not requiring any implementation support within KVM. Provide this value to userspace via the KVM_GET_DEVICE_ATTR ioctl. Signed-off-by: Tom Lendacky --- arch/x86/include/uapi/asm/kvm.h | 1 + arch/x86/kvm/svm/sev.c | 11 ++++++++++- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/arch/x86/include/uapi/asm/kvm.h b/arch/x86/include/uapi/asm/kv= m.h index 0f15d683817d..90e9c4551fa6 100644 --- a/arch/x86/include/uapi/asm/kvm.h +++ b/arch/x86/include/uapi/asm/kvm.h @@ -468,6 +468,7 @@ struct kvm_sync_regs { /* vendor-specific groups and attributes for system fd */ #define KVM_X86_GRP_SEV 1 # define KVM_X86_SEV_VMSA_FEATURES 0 +# define KVM_X86_SNP_POLICY_BITS 1 =20 struct kvm_vmx_nested_state_data { __u8 vmcs12[KVM_STATE_NESTED_VMX_VMCS_SIZE]; diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index 2fbdebf79fbb..7e6ce092628a 100644 --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c @@ -78,6 +78,8 @@ static u64 sev_supported_vmsa_features; SNP_POLICY_MASK_DEBUG | \ SNP_POLICY_MASK_SINGLE_SOCKET) =20 +static u64 snp_supported_policy_bits; + #define INITIAL_VMSA_GPA 0xFFFFFFFFF000 =20 static u8 sev_enc_bit; @@ -2113,6 +2115,10 @@ int sev_dev_get_attr(u32 group, u64 attr, u64 *val) *val =3D sev_supported_vmsa_features; return 0; =20 + case KVM_X86_SNP_POLICY_BITS: + *val =3D snp_supported_policy_bits; + return 0; + default: return -ENXIO; } @@ -2177,7 +2183,7 @@ static int snp_launch_start(struct kvm *kvm, struct k= vm_sev_cmd *argp) if (params.flags) return -EINVAL; =20 - if (params.policy & ~SNP_POLICY_MASK_VALID) + if (params.policy & ~snp_supported_policy_bits) return -EINVAL; =20 /* Check for policy bits that must be set */ 
@@ -3054,6 +3060,9 @@ void __init sev_hardware_setup(void) sev_supported =3D sev_es_supported =3D sev_snp_supported =3D false; else if (sev_snp_supported) sev_snp_supported =3D is_sev_snp_initialized(); + + if (sev_snp_supported) + snp_supported_policy_bits =3D SNP_POLICY_MASK_VALID; } =20 if (boot_cpu_has(X86_FEATURE_SEV)) --=20 2.46.2
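Review bot: the `KVM_X86_SNP_POLICY_BITS` define added to uapi/asm/kvm.h is new userspace ABI, but the diffstat touches only kvm.h and sev.c, so the attribute ships undocumented. Please document it next to `KVM_X86_SEV_VMSA_FEATURES`, stating that the value is the mask `snp_launch_start()` applies to `params.policy`, and that it reads as 0 when SNP is not supported, since the variable is only assigned under `if (sev_snp_supported)`.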
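Review bot: `static u64 snp_supported_policy_bits;` in sev.c is written, in the hunks shown, only from `sev_hardware_setup()`, which is `__init`, yet it now decides which guest policies are accepted through `params.policy & ~snp_supported_policy_bits`. Marking it `__ro_after_init` would keep the accepted-policy mask from changing after setup; if a later patch needs to update it at runtime, a comment saying so would help.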
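A userspace consumer of the attribute this patch proposes, as an added example that is not part of the series: it reads the mask from `/dev/kvm` with `KVM_GET_DEVICE_ATTR` and pre-checks a launch policy against it. The helper names (`snp_query_policy_bits`, `snp_policy_check`, `snp_policy_names`) and the sample policy are constructed here, and the must-be-one test on bit 17 is an assumption taken from the bit's name.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <linux/kvm.h>

/* Attribute ids as proposed in patch 1/4, for headers that predate it. */
#ifndef KVM_X86_GRP_SEV
#define KVM_X86_GRP_SEV 1
#endif
#ifndef KVM_X86_SNP_POLICY_BITS
#define KVM_X86_SNP_POLICY_BITS 1
#endif

/* SNP guest policy flags, same positions as the psp-sev.h hunk in patch 2/4.
 * Bits 15:0 carry the API version and are not flags. */
#define SNP_POLICY_MASK_SMT           (1ULL << 16)
#define SNP_POLICY_MASK_RSVD_MBO      (1ULL << 17)
#define SNP_POLICY_MASK_MIGRATE_MA    (1ULL << 18)
#define SNP_POLICY_MASK_DEBUG         (1ULL << 19)
#define SNP_POLICY_MASK_SINGLE_SOCKET (1ULL << 20)

static const struct { uint64_t bit; const char *name; } snp_flags[] = {
	{ SNP_POLICY_MASK_SMT, "SMT" },
	{ SNP_POLICY_MASK_RSVD_MBO, "RSVD_MBO" },
	{ SNP_POLICY_MASK_MIGRATE_MA, "MIGRATE_MA" },
	{ SNP_POLICY_MASK_DEBUG, "DEBUG" },
	{ SNP_POLICY_MASK_SINGLE_SOCKET, "SINGLE_SOCKET" },
};

/* Read the supported-policy mask from the /dev/kvm system fd.
 * Returns 0 on success or a negative errno value. */
int snp_query_policy_bits(uint64_t *mask)
{
	struct kvm_device_attr attr = {
		.group = KVM_X86_GRP_SEV,
		.attr = KVM_X86_SNP_POLICY_BITS,
		.addr = (uint64_t)(uintptr_t)mask,
	};
	int fd = open("/dev/kvm", O_RDWR);
	int ret;

	if (fd < 0)
		return -errno;
	ret = ioctl(fd, KVM_GET_DEVICE_ATTR, &attr) < 0 ? -errno : 0;
	close(fd);
	return ret;
}

/* Apply the same test as snp_launch_start(): any bit outside the published
 * mask is refused. *rejected receives the offending bits; it is 0 when the
 * only problem is the missing must-be-one bit (assumed rule, see lead-in). */
int snp_policy_check(uint64_t policy, uint64_t supported, uint64_t *rejected)
{
	*rejected = policy & ~supported;
	if (*rejected)
		return -EINVAL;
	if (!(policy & SNP_POLICY_MASK_RSVD_MBO))
		return -EINVAL;
	return 0;
}

/* Render the known flags set in `bits` as "A|B"; returns the string length. */
size_t snp_policy_names(uint64_t bits, char *buf, size_t len)
{
	size_t used = 0;

	if (len)
		buf[0] = '\0';
	for (size_t i = 0; i < sizeof(snp_flags) / sizeof(snp_flags[0]); i++) {
		int n;

		if (!(bits & snp_flags[i].bit))
			continue;
		n = snprintf(buf + used, len - used, "%s%s",
			     used ? "|" : "", snp_flags[i].name);
		if (n < 0 || (size_t)n >= len - used)
			break;	/* out of room: keep what fits */
		used += (size_t)n;
	}
	return used;
}

int main(void)
{
	/* Constructed sample policy: SMT allowed, migration agent allowed. */
	uint64_t want = SNP_POLICY_MASK_SMT | SNP_POLICY_MASK_RSVD_MBO |
			SNP_POLICY_MASK_MIGRATE_MA;
	uint64_t supported = 0, rejected;
	char names[128];
	int ret = snp_query_policy_bits(&supported);

	if (ret) {
		fprintf(stderr, "KVM_X86_SNP_POLICY_BITS: %s\n", strerror(-ret));
		return 1;
	}
	printf("supported mask: %#llx\n", (unsigned long long)supported);
	if (snp_policy_check(want, supported, &rejected)) {
		snp_policy_names(rejected, names, sizeof(names));
		printf("policy %#llx refused, unsupported bits %#llx (%s)\n",
		       (unsigned long long)want, (unsigned long long)rejected, names);
		return 1;
	}
	return 0;
}
```

A mask of 0, which is what the attribute returns when SNP is not supported, makes the check refuse every non-zero policy, so a VMM can report the unsupported bits itself instead of relaying a bare `-EINVAL` from the launch command.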
From: Tom Lendacky
Subject: [RFC PATCH 2/4] KVM: SEV: Consolidate the SEV policy bits in a single header file
Date: Fri, 22 Aug 2025 16:25:32 -0500

Consolidate SEV policy bit
definitions into a single file. Use include/linux/psp-sev.h to hold the definitions and remove the current definitions from the arch/x86/kvm/svm/sev.c and arch/x86/include/svm.h files. No functional change intended. Signed-off-by: Tom Lendacky --- arch/x86/kvm/svm/sev.c | 16 ++++------------ arch/x86/kvm/svm/svm.h | 3 --- include/linux/psp-sev.h | 19 +++++++++++++++++++ 3 files changed, 23 insertions(+), 15 deletions(-) diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index 7e6ce092628a..b21376e83ca7 100644 --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c @@ -63,15 +63,7 @@ static u64 sev_supported_vmsa_features; #define AP_RESET_HOLD_NAE_EVENT 1 #define AP_RESET_HOLD_MSR_PROTO 2 =20 -/* As defined by SEV-SNP Firmware ABI, under "Guest Policy". */ -#define SNP_POLICY_MASK_API_MINOR GENMASK_ULL(7, 0) -#define SNP_POLICY_MASK_API_MAJOR GENMASK_ULL(15, 8) -#define SNP_POLICY_MASK_SMT BIT_ULL(16) -#define SNP_POLICY_MASK_RSVD_MBO BIT_ULL(17) -#define SNP_POLICY_MASK_DEBUG BIT_ULL(19) -#define SNP_POLICY_MASK_SINGLE_SOCKET BIT_ULL(20) - -#define SNP_POLICY_MASK_VALID (SNP_POLICY_MASK_API_MINOR | \ +#define KVM_SNP_POLICY_MASK_VALID (SNP_POLICY_MASK_API_MINOR | \ SNP_POLICY_MASK_API_MAJOR | \ SNP_POLICY_MASK_SMT | \ SNP_POLICY_MASK_RSVD_MBO | \ @@ -3062,7 +3054,7 @@ void __init sev_hardware_setup(void) sev_snp_supported =3D is_sev_snp_initialized(); =20 if (sev_snp_supported) - snp_supported_policy_bits =3D SNP_POLICY_MASK_VALID; + snp_supported_policy_bits =3D KVM_SNP_POLICY_MASK_VALID; } =20 if (boot_cpu_has(X86_FEATURE_SEV)) @@ -4993,10 +4985,10 @@ struct vmcb_save_area *sev_decrypt_vmsa(struct kvm_= vcpu *vcpu) =20 /* Check if the SEV policy allows debugging */ if (sev_snp_guest(vcpu->kvm)) { - if (!(sev->policy & SNP_POLICY_DEBUG)) + if (!(sev->policy & SNP_POLICY_MASK_DEBUG)) return NULL; } else { - if (sev->policy & SEV_POLICY_NODBG) + if (sev->policy & SEV_POLICY_MASK_NODBG) return NULL; } =20 
diff --git a/arch/x86/kvm/svm/svm.h b/arch/x86/kvm/svm/svm.h index 58b9d168e0c8..61911a2b78c3 100644 --- a/arch/x86/kvm/svm/svm.h +++ b/arch/x86/kvm/svm/svm.h @@ -113,9 +113,6 @@ struct kvm_sev_info { cpumask_var_t have_run_cpus; /* CPUs that have done VMRUN for this VM. */ }; =20 -#define SEV_POLICY_NODBG BIT_ULL(0) -#define SNP_POLICY_DEBUG BIT_ULL(19) - struct kvm_svm { struct kvm kvm; =20 diff --git a/include/linux/psp-sev.h b/include/linux/psp-sev.h index e0dbcb4b4fd9..27c92543bf38 100644 --- a/include/linux/psp-sev.h +++ b/include/linux/psp-sev.h 
@@ -14,6 +14,25 @@ =20 #include =20 +/* As defined by SEV API, under "Guest Policy". */ +#define SEV_POLICY_MASK_NODBG BIT(0) +#define SEV_POLICY_MASK_NOKS BIT(1) +#define SEV_POLICY_MASK_ES BIT(2) +#define SEV_POLICY_MASK_NOSEND BIT(3) +#define SEV_POLICY_MASK_DOMAIN BIT(4) +#define SEV_POLICY_MASK_SEV BIT(5) +#define SEV_POLICY_MASK_API_MAJOR GENMASK(23, 16) +#define SEV_POLICY_MASK_API_MINOR GENMASK(31, 24) + +/* As defined by SEV-SNP Firmware ABI, under "Guest Policy". */ +#define SNP_POLICY_MASK_API_MINOR GENMASK_ULL(7, 0) +#define SNP_POLICY_MASK_API_MAJOR GENMASK_ULL(15, 8) +#define SNP_POLICY_MASK_SMT BIT_ULL(16) +#define SNP_POLICY_MASK_RSVD_MBO BIT_ULL(17) +#define SNP_POLICY_MASK_MIGRATE_MA BIT_ULL(18) +#define SNP_POLICY_MASK_DEBUG BIT_ULL(19) +#define SNP_POLICY_MASK_SINGLE_SOCKET BIT_ULL(20) + #define SEV_FW_BLOB_MAX_SIZE 0x4000 /* 16KB */ =20 /** --=20 2.46.2
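Review bot: in the svm.h hunk the removed `SEV_POLICY_NODBG` was `BIT_ULL(0)`, while its replacement `SEV_POLICY_MASK_NODBG` in psp-sev.h is `BIT(0)`, so the constant tested against `sev->policy` in `sev_decrypt_vmsa()` changes from unsigned long long to unsigned long. Since the message says no functional change is intended, either keep the `_ULL` form or say why the change of type is harmless there. The message also names arch/x86/include/svm.h as a file that loses definitions, while the diff touches arch/x86/kvm/svm/svm.h.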
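Review bot: the psp-sev.h hunk adds `SNP_POLICY_MASK_MIGRATE_MA` and every SEV_POLICY_MASK_* value other than NODBG, none of which appear among the definitions removed from sev.c and svm.h, so the patch is more than a consolidation. Please mention the new definitions in the message, and note that `KVM_SNP_POLICY_MASK_VALID` as shown in the sev.c hunks still leaves bit 18 out, so a guest policy with MIGRATE_MA set keeps being rejected.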
From: Tom Lendacky
Subject: [RFC PATCH 3/4] crypto: ccp - Add an API to return the supported SEV-SNP policy bits
Date: Fri, 22 Aug 2025 16:25:33 -0500

Supported policy bits are
dependent on the level of SEV firmware that is currently running. Create an API to return the supported policy bits for a given level of firmware. KVM will AND that value with the KVM supported policy bits to generate the actual supported policy bits. Signed-off-by: Tom Lendacky --- arch/x86/kvm/svm/sev.c | 6 ++++-- drivers/crypto/ccp/sev-dev.c | 37 ++++++++++++++++++++++++++++++++++++ include/linux/psp-sev.h | 20 +++++++++++++++++++ 3 files changed, 61 insertions(+), 2 deletions(-) diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index b21376e83ca7..acdea463dd4f 100644 --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c @@ -3053,8 +3053,10 @@ void __init sev_hardware_setup(void) else if (sev_snp_supported) sev_snp_supported =3D is_sev_snp_initialized(); =20 - if (sev_snp_supported) - snp_supported_policy_bits =3D KVM_SNP_POLICY_MASK_VALID; + if (sev_snp_supported) { + snp_supported_policy_bits =3D sev_get_snp_policy_bits(); + snp_supported_policy_bits &=3D KVM_SNP_POLICY_MASK_VALID; + } } =20 if (boot_cpu_has(X86_FEATURE_SEV)) diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c index c3bced655568..b66244d6b10f 100644 --- a/drivers/crypto/ccp/sev-dev.c +++ b/drivers/crypto/ccp/sev-dev.c 
@@ -2575,6 +2575,43 @@ void sev_platform_shutdown(void) } EXPORT_SYMBOL_GPL(sev_platform_shutdown); =20 +u64 sev_get_snp_policy_bits(void) +{ + struct psp_device *psp =3D psp_master; + struct sev_device *sev; + u64 policy_bits; + + if (!cc_platform_has(CC_ATTR_HOST_SEV_SNP)) + return 0; + + if (!psp || !psp->sev_data) + return 0; + + sev =3D psp->sev_data; + + policy_bits =3D SNP_POLICY_MASK_BASE; + + if (sev->snp_plat_status.feature_info) { + if (sev->snp_feat_info_0.ecx & SNP_RAPL_DISABLE_SUPPORTED) + policy_bits |=3D SNP_POLICY_MASK_RAPL_DIS; + + if (sev->snp_feat_info_0.ecx & SNP_CIPHER_TEXT_HIDING_SUPPORTED) + policy_bits |=3D SNP_POLICY_MASK_CIPHERTEXT_HIDING_DRAM; + + if (sev->snp_feat_info_0.ecx & SNP_AES_256_XTS_POLICY_SUPPORTED) + policy_bits |=3D SNP_POLICY_MASK_MEM_AES_256_XTS; + + if (sev->snp_feat_info_0.ecx & SNP_CXL_ALLOW_POLICY_SUPPORTED) + policy_bits |=3D SNP_POLICY_MASK_CXL_ALLOW; + + if (sev_version_greater_or_equal(1, 58)) + policy_bits |=3D SNP_POLICY_MASK_PAGE_SWAP_DISABLE; + } + + return policy_bits; +} +EXPORT_SYMBOL_GPL(sev_get_snp_policy_bits); + void sev_dev_destroy(struct psp_device *psp) { struct sev_device *sev =3D psp->sev_data; diff --git a/include/linux/psp-sev.h b/include/linux/psp-sev.h index 27c92543bf38..1b4c68ec5c65 100644 --- a/include/linux/psp-sev.h +++ b/include/linux/psp-sev.h 
@@ -32,6 +32,20 @@ #define SNP_POLICY_MASK_MIGRATE_MA BIT_ULL(18) #define SNP_POLICY_MASK_DEBUG BIT_ULL(19) #define SNP_POLICY_MASK_SINGLE_SOCKET BIT_ULL(20) +#define SNP_POLICY_MASK_CXL_ALLOW BIT_ULL(21) +#define SNP_POLICY_MASK_MEM_AES_256_XTS BIT_ULL(22) +#define SNP_POLICY_MASK_RAPL_DIS BIT_ULL(23) +#define SNP_POLICY_MASK_CIPHERTEXT_HIDING_DRAM BIT_ULL(24) +#define SNP_POLICY_MASK_PAGE_SWAP_DISABLE BIT_ULL(25) + +/* Base SEV-SNP policy bitmask for minimum supported SEV firmware version = */ +#define SNP_POLICY_MASK_BASE (SNP_POLICY_MASK_API_MINOR | \ + SNP_POLICY_MASK_API_MAJOR | \ + SNP_POLICY_MASK_SMT | \ + SNP_POLICY_MASK_RSVD_MBO | \ + SNP_POLICY_MASK_MIGRATE_MA | \ + SNP_POLICY_MASK_DEBUG | \ + SNP_POLICY_MASK_SINGLE_SOCKET) =20 #define SEV_FW_BLOB_MAX_SIZE 0x4000 /* 16KB */ =20 @@ -868,7 +882,10 @@ struct snp_feature_info { u32 edx; } __packed; =20 +#define SNP_RAPL_DISABLE_SUPPORTED BIT(2) #define SNP_CIPHER_TEXT_HIDING_SUPPORTED BIT(3) +#define SNP_AES_256_XTS_POLICY_SUPPORTED BIT(4) +#define SNP_CXL_ALLOW_POLICY_SUPPORTED BIT(5) =20 #ifdef CONFIG_CRYPTO_DEV_SP_PSP =20 @@ -1014,6 +1031,7 @@ void *snp_alloc_firmware_page(gfp_t mask); void snp_free_firmware_page(void *addr); void sev_platform_shutdown(void); bool sev_is_snp_ciphertext_hiding_supported(void); +u64 sev_get_snp_policy_bits(void); =20 #else /* !CONFIG_CRYPTO_DEV_SP_PSP */ =20 
@@ -1052,6 +1070,8 @@ static inline void sev_platform_shutdown(void) { } =20 static inline bool sev_is_snp_ciphertext_hiding_supported(void) { return f= alse; } =20 +static inline u64 sev_get_snp_policy_bits(void) { return 0; } + #endif /* CONFIG_CRYPTO_DEV_SP_PSP */ =20 #endif /* __PSP_SEV_H__ */ --=20 2.46.2
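Review bot: In the sev_hardware_setup() hunk of arch/x86/kvm/svm/sev.c, the return value of sev_get_snp_policy_bits() is used unchecked, and that helper returns 0 when CC_ATTR_HOST_SEV_SNP is absent or when psp_master or psp->sev_data is NULL. In that case snp_supported_policy_bits ends up 0 while sev_snp_supported stays true, so consider clearing sev_snp_supported or warning when the result is 0. The two assignments can also be folded into one statement, snp_supported_policy_bits = sev_get_snp_policy_bits() & KVM_SNP_POLICY_MASK_VALID;, which makes the added braces unnecessary.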
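Review bot: In sev_get_snp_policy_bits() in drivers/crypto/ccp/sev-dev.c, the sev_version_greater_or_equal(1, 58) test for SNP_POLICY_MASK_PAGE_SWAP_DISABLE sits inside the if (sev->snp_plat_status.feature_info) block even though it is a firmware version check and reads nothing from snp_feat_info_0. If the nesting is intentional, a comment should say why; otherwise move the check out of the block so the bit is not dropped when feature_info is clear. The function is exported with EXPORT_SYMBOL_GPL but carries no comment describing its return value, in particular that 0 is returned when SNP or the PSP device is unavailable.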
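Review bot: In include/linux/psp-sev.h, the comment on SNP_POLICY_MASK_BASE refers to the "minimum supported SEV firmware version" without naming it, while the sev-dev.c hunk hard-codes 1.58 for PAGE_SWAP_DISABLE; stating the base version in the comment would make the two easier to check against each other. SNP_POLICY_MASK_BASE also includes SNP_POLICY_MASK_MIGRATE_MA, which KVM_SNP_POLICY_MASK_VALID leaves out, so the commit message should note that the AND in sev_hardware_setup() is what keeps that bit unsupported in KVM. The new SNP_*_SUPPORTED defines (BIT(2), BIT(4), BIT(5)) would benefit from a comment that they are ECX bits of struct snp_feature_info, since the code tests them against snp_feat_info_0.ecx.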
From: Tom Lendacky
CC: Paolo Bonzini, Sean Christopherson, Borislav Petkov, Dave Hansen, Ingo Molnar, "Thomas Gleixner", Michael Roth, "Ashish Kalra", Herbert Xu, "David Miller"
Subject: [RFC PATCH 4/4] KVM: SEV: Add known supported SEV-SNP policy bits
Date: Fri, 22 Aug 2025 16:25:34 -0500
Message-ID: <7ce170febab3eeb2a591ff9e71fac8871f1aff60.1755897933.git.thomas.lendacky@amd.com>
X-Mailer: git-send-email 2.46.2
X-Mailing-List: linux-kernel@vger.kernel.org
Add to the known supported SEV-SNP policy bits that don't require any implementation support from KVM in order to successfully use them.

At this time, this includes:
  - CXL_ALLOW
  - MEM_AES_256_XTS
  - RAPL_DIS
  - CIPHERTEXT_HIDING_DRAM
  - PAGE_SWAP_DISABLE

Arguably, RAPL_DIS and CIPHERTEXT_HIDING_DRAM require KVM and the CCP driver to enable these features in order for the setting of the policy bits to be successfully handled. But, a guest owner may not wish their guest to run on a system that doesn't provide support for those features, so allowing the specification of these bits accomplishes that. Whether or not the bit is supported by SEV firmware, a system that doesn't support these features will either fail during the KVM validation of supported policy bits before issuing the LAUNCH_START or fail during the LAUNCH_START.

Signed-off-by: Tom Lendacky
--- arch/x86/kvm/svm/sev.c | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index acdea463dd4f..4f1564a52feb 100644 --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c
@@ -63,12 +63,22 @@ static u64 sev_supported_vmsa_features; #define AP_RESET_HOLD_NAE_EVENT 1 #define AP_RESET_HOLD_MSR_PROTO 2 =20 -#define KVM_SNP_POLICY_MASK_VALID (SNP_POLICY_MASK_API_MINOR | \ - SNP_POLICY_MASK_API_MAJOR | \ - SNP_POLICY_MASK_SMT | \ - SNP_POLICY_MASK_RSVD_MBO | \ - SNP_POLICY_MASK_DEBUG | \ - SNP_POLICY_MASK_SINGLE_SOCKET) +/* + * SEV-SNP policy bits that can be supported by KVM. These include policy = bits + * that have implementation support within KVM or policy bits that do not = rely + * on any implementation support within KVM. + */ +#define KVM_SNP_POLICY_MASK_VALID (SNP_POLICY_MASK_API_MINOR | \ + SNP_POLICY_MASK_API_MAJOR | \ + SNP_POLICY_MASK_SMT | \ + SNP_POLICY_MASK_RSVD_MBO | \ + SNP_POLICY_MASK_DEBUG | \ + SNP_POLICY_MASK_SINGLE_SOCKET | \ + SNP_POLICY_MASK_CXL_ALLOW | \ + SNP_POLICY_MASK_MEM_AES_256_XTS | \ + SNP_POLICY_MASK_RAPL_DIS | \ + SNP_POLICY_MASK_CIPHERTEXT_HIDING_DRAM | \ + SNP_POLICY_MASK_PAGE_SWAP_DISABLE) =20 static u64 snp_supported_policy_bits; =20 --=20 2.46.2
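Review bot: The new comment above KVM_SNP_POLICY_MASK_VALID says the mask holds bits that either have KVM implementation support or do not rely on any, but the commit message concedes that RAPL_DIS and CIPHERTEXT_HIDING_DRAM do depend on KVM and the CCP driver enabling the feature. The comment should state that third case explicitly: these bits are accepted so that a launch fails, at KVM policy validation or at LAUNCH_START, on a host that lacks the feature. Since patch 3/4 ANDs this mask with sev_get_snp_policy_bits(), the comment should also say that the mask is an upper bound and not the value KVM ends up treating as supported.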