From: Tom Lendacky
CC: Paolo Bonzini, Sean Christopherson, Borislav Petkov, Dave Hansen, Ingo Molnar, "Thomas Gleixner", Michael Roth, "Ashish Kalra", Herbert Xu, "David Miller"
Subject: [RFC PATCH v2 1/4] KVM: SEV: Publish supported SEV-SNP policy bits
Date: Fri, 19 Sep 2025 14:00:05 -0500
X-Mailing-List: linux-kernel@vger.kernel.org

Define the set of policy bits that KVM currently knows as not requiring any
implementation support within KVM. Provide this value to userspace via the KVM_GET_DEVICE_ATTR ioctl. Signed-off-by: Tom Lendacky --- arch/x86/include/uapi/asm/kvm.h | 1 + arch/x86/kvm/svm/sev.c | 12 ++++++++++-- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/arch/x86/include/uapi/asm/kvm.h b/arch/x86/include/uapi/asm/kv= m.h index 0f15d683817d..90e9c4551fa6 100644 --- a/arch/x86/include/uapi/asm/kvm.h +++ b/arch/x86/include/uapi/asm/kvm.h @@ -468,6 +468,7 @@ struct kvm_sync_regs { /* vendor-specific groups and attributes for system fd */ #define KVM_X86_GRP_SEV 1 # define KVM_X86_SEV_VMSA_FEATURES 0 +# define KVM_X86_SNP_POLICY_BITS 1 =20 struct kvm_vmx_nested_state_data { __u8 vmcs12[KVM_STATE_NESTED_VMX_VMCS_SIZE]; diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index 01345b73f879..65bb2515ffb7 100644 --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c @@ -81,6 +81,8 @@ module_param_named(ciphertext_hiding_asids, nr_ciphertext= _hiding_asids, uint, 04 SNP_POLICY_MASK_DEBUG | \ SNP_POLICY_MASK_SINGLE_SOCKET) =20 +static u64 snp_supported_policy_bits __ro_after_init; + #define INITIAL_VMSA_GPA 0xFFFFFFFFF000 =20 static u8 sev_enc_bit; @@ -2134,6 +2136,10 @@ int sev_dev_get_attr(u32 group, u64 attr, u64 *val) *val =3D sev_supported_vmsa_features; return 0; =20 + case KVM_X86_SNP_POLICY_BITS: + *val =3D snp_supported_policy_bits; + return 0; + default: return -ENXIO; } @@ -2198,7 +2204,7 @@ static int snp_launch_start(struct kvm *kvm, struct k= vm_sev_cmd *argp) if (params.flags) return -EINVAL; =20 - if (params.policy & ~SNP_POLICY_MASK_VALID) + if (params.policy & ~snp_supported_policy_bits) return -EINVAL; =20 /* Check for policy bits that must be set */ 
@@ -3084,8 +3090,10 @@ void __init sev_hardware_setup(void) else if (sev_snp_supported) sev_snp_supported =3D is_sev_snp_initialized(); =20 - if (sev_snp_supported) + if (sev_snp_supported) { + snp_supported_policy_bits =3D SNP_POLICY_MASK_VALID; nr_ciphertext_hiding_asids =3D init_args.max_snp_asid; + } =20 /* * If ciphertext hiding is enabled, the joint SEV-ES/SEV-SNP --=20 2.46.2
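Review bot: Missing documentation for the new uapi attribute in the arch/x86/include/uapi/asm/kvm.h hunk of patch 1/4: KVM_X86_SNP_POLICY_BITS is added to the KVM_X86_GRP_SEV group, but the diffstat lists only kvm.h and sev.c, so nothing tells userspace how to interpret the returned u64. Please document, next to the description of KVM_X86_SEV_VMSA_FEATURES, that the value is the mask of SNP guest policy bits that snp_launch_start() will accept, so a VMM can validate a tenant-supplied policy before launch instead of discovering -EINVAL afterwards.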
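Review bot: In the sev_dev_get_attr() hunk of patch 1/4, the new KVM_X86_SNP_POLICY_BITS case returns success with a value of 0 when SNP is not available, because snp_supported_policy_bits is only assigned inside the "if (sev_snp_supported) {" block in sev_hardware_setup(). A caller cannot tell "SNP unsupported" from "attribute present, no bits allowed". Either return -ENXIO from this case when SNP is not supported, or state in the commit message and documentation that a zero mask means SNP launch is unavailable.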
From: Tom Lendacky
CC: Paolo Bonzini, Sean Christopherson, Borislav Petkov, Dave Hansen, Ingo Molnar, "Thomas Gleixner", Michael Roth, "Ashish Kalra", Herbert Xu, "David Miller"
Subject: [RFC PATCH v2 2/4] KVM: SEV: Consolidate the SEV policy bits in a single header file
Date: Fri, 19 Sep 2025 14:00:06 -0500
Message-ID: <0b8321ece36d946fb348ab38332eeaa9982375fd.1758308408.git.thomas.lendacky@amd.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Consolidate SEV policy bit definitions into a single file. Use include/linux/psp-sev.h to hold the definitions and remove the current definitions from the arch/x86/kvm/svm/sev.c and arch/x86/include/svm.h files. No functional change intended. Signed-off-by: Tom Lendacky --- arch/x86/kvm/svm/sev.c | 16 ++++------------ arch/x86/kvm/svm/svm.h | 3 --- include/linux/psp-sev.h | 19 +++++++++++++++++++ 3 files changed, 23 insertions(+), 15 deletions(-) diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index 65bb2515ffb7..e63f2ee57204 100644 --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c @@ -66,15 +66,7 @@ module_param_named(ciphertext_hiding_asids, nr_ciphertex= t_hiding_asids, uint, 04 #define AP_RESET_HOLD_NAE_EVENT 1 #define AP_RESET_HOLD_MSR_PROTO 2 =20 -/* As defined by SEV-SNP Firmware ABI, under "Guest Policy". */ -#define SNP_POLICY_MASK_API_MINOR GENMASK_ULL(7, 0) -#define SNP_POLICY_MASK_API_MAJOR GENMASK_ULL(15, 8) -#define SNP_POLICY_MASK_SMT BIT_ULL(16) -#define SNP_POLICY_MASK_RSVD_MBO BIT_ULL(17) -#define SNP_POLICY_MASK_DEBUG BIT_ULL(19) -#define SNP_POLICY_MASK_SINGLE_SOCKET BIT_ULL(20) - -#define SNP_POLICY_MASK_VALID (SNP_POLICY_MASK_API_MINOR | \ +#define KVM_SNP_POLICY_MASK_VALID (SNP_POLICY_MASK_API_MINOR | \ SNP_POLICY_MASK_API_MAJOR | \ SNP_POLICY_MASK_SMT | \ SNP_POLICY_MASK_RSVD_MBO | \ @@ -3091,7 +3083,7 @@ void __init sev_hardware_setup(void) sev_snp_supported =3D is_sev_snp_initialized(); =20 if (sev_snp_supported) { - snp_supported_policy_bits =3D SNP_POLICY_MASK_VALID; + snp_supported_policy_bits =3D KVM_SNP_POLICY_MASK_VALID; nr_ciphertext_hiding_asids =3D init_args.max_snp_asid; } =20 
@@ -5040,10 +5032,10 @@ struct vmcb_save_area *sev_decrypt_vmsa(struct kvm_= vcpu *vcpu) =20 /* Check if the SEV policy allows debugging */ if (sev_snp_guest(vcpu->kvm)) { - if (!(sev->policy & SNP_POLICY_DEBUG)) + if (!(sev->policy & SNP_POLICY_MASK_DEBUG)) return NULL; } else { - if (sev->policy & SEV_POLICY_NODBG) + if (sev->policy & SEV_POLICY_MASK_NODBG) return NULL; } =20 diff --git a/arch/x86/kvm/svm/svm.h b/arch/x86/kvm/svm/svm.h index 58b9d168e0c8..61911a2b78c3 100644 --- a/arch/x86/kvm/svm/svm.h +++ b/arch/x86/kvm/svm/svm.h @@ -113,9 +113,6 @@ struct kvm_sev_info { cpumask_var_t have_run_cpus; /* CPUs that have done VMRUN for this VM. */ }; =20 -#define SEV_POLICY_NODBG BIT_ULL(0) -#define SNP_POLICY_DEBUG BIT_ULL(19) - struct kvm_svm { struct kvm kvm; =20 diff --git a/include/linux/psp-sev.h b/include/linux/psp-sev.h index e0dbcb4b4fd9..27c92543bf38 100644 --- a/include/linux/psp-sev.h +++ b/include/linux/psp-sev.h 
@@ -14,6 +14,25 @@ =20 #include =20 +/* As defined by SEV API, under "Guest Policy". */ +#define SEV_POLICY_MASK_NODBG BIT(0) +#define SEV_POLICY_MASK_NOKS BIT(1) +#define SEV_POLICY_MASK_ES BIT(2) +#define SEV_POLICY_MASK_NOSEND BIT(3) +#define SEV_POLICY_MASK_DOMAIN BIT(4) +#define SEV_POLICY_MASK_SEV BIT(5) +#define SEV_POLICY_MASK_API_MAJOR GENMASK(23, 16) +#define SEV_POLICY_MASK_API_MINOR GENMASK(31, 24) + +/* As defined by SEV-SNP Firmware ABI, under "Guest Policy". */ +#define SNP_POLICY_MASK_API_MINOR GENMASK_ULL(7, 0) +#define SNP_POLICY_MASK_API_MAJOR GENMASK_ULL(15, 8) +#define SNP_POLICY_MASK_SMT BIT_ULL(16) +#define SNP_POLICY_MASK_RSVD_MBO BIT_ULL(17) +#define SNP_POLICY_MASK_MIGRATE_MA BIT_ULL(18) +#define SNP_POLICY_MASK_DEBUG BIT_ULL(19) +#define SNP_POLICY_MASK_SINGLE_SOCKET BIT_ULL(20) + #define SEV_FW_BLOB_MAX_SIZE 0x4000 /* 16KB */ =20 /** --=20 2.46.2
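Review bot: The commit message of patch 2/4 names the wrong file: it says definitions are removed from arch/x86/include/svm.h, while the diffstat and the third diff remove SEV_POLICY_NODBG and SNP_POLICY_DEBUG from arch/x86/kvm/svm/svm.h. Please correct the path in the message so the log matches the change.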
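Review bot: In the include/linux/psp-sev.h hunk of patch 2/4, the legacy SEV masks are defined with BIT() and GENMASK(), whereas the SEV_POLICY_NODBG definition removed from svm.h was BIT_ULL(0) and the SNP masks in the same block use the _ULL variants. The debug check in sev_decrypt_vmsa() now tests sev->policy against an unsigned long constant rather than an unsigned long long one. That is equivalent on 64-bit builds, but since this header is shared outside arch/x86 it would be safer to use BIT_ULL()/GENMASK_ULL() throughout, or to say in the commit message why the narrower type is intended. The message should also mention that the move adds definitions that did not exist before (for example SNP_POLICY_MASK_MIGRATE_MA and the SEV_POLICY_MASK_NOKS to SEV_POLICY_MASK_API_MINOR group), so "consolidate" is not the whole story.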
From: Tom Lendacky To: , , , CC: Paolo Bonzini , Sean Christopherson , Borislav Petkov , Dave Hansen , Ingo Molnar , "Thomas Gleixner" , Michael Roth , "Ashish Kalra" , Herbert Xu , "David Miller" Subject: [RFC PATCH v2 3/4] crypto: ccp - Add an API to return the supported SEV-SNP policy bits Date: Fri, 19 Sep 2025 14:00:07 -0500 Message-ID: <27988b066cdf271711c4e7a99dff0f07cb745090.1758308408.git.thomas.lendacky@amd.com> X-Mailer: git-send-email 2.46.2 In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-ClientProxiedBy: satlexmb08.amd.com (10.181.42.217) To satlexmb07.amd.com (10.181.42.216) X-EOPAttributedMessage: 0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: CO1PEPF000044FD:EE_|DM4PR12MB6472:EE_ X-MS-Office365-Filtering-Correlation-Id: ec1e389c-f151-4997-c8be-08ddf7aeddd3 X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040|7416014|376014|36860700013|1800799024|82310400026; X-Microsoft-Antispam-Message-Info: =?us-ascii?Q?/oPL/i1bVk+W/H3GLEdu213v1KiJiRamSHRMf/e+RPcJEFpsSz5Wiae0/8Go?= =?us-ascii?Q?JbUmVu2WcXXxXP81QFVyTrX/6/N3NAUMaimDKrdirVNidy6xNaQf8Hfng5PP?= =?us-ascii?Q?4/kXyKgaXjdqn3gj9C5uTulw8N7DYE4uCbqIHeqWEvO75+F4dKMF6LJRPw+R?= =?us-ascii?Q?+Q9pJlfTWWfqzvxhRI5qKJ4E7Ahd5VUNU9xzlPj+uIM6N/h9LFqUj+60cUmI?= =?us-ascii?Q?nIvTjeGB7M5+El3VyFVQb10y+Ecbszg7s1WYxh7EyjhvK3kk+wDDJg9sIaD4?= =?us-ascii?Q?2hxlClx/vnKqkrEBiEh5tZH4AjZ6CUmkY1gwE3Ni0olHPdSnnTwmuiPhSQZR?= =?us-ascii?Q?hm4/t40e1miUjnjAZYMY7MMA/0QExZS/JAu1qK/YxNIlfkXebrgH1UOwQM3M?= =?us-ascii?Q?OBFpaGo2oXQcTkKwfS0EST37WNT6UsAePUksFgkGisLNGEJ74IK8pIHzEvHz?= =?us-ascii?Q?QfCYMU5ub91Tr6XQTGx/sEOlQYP48FY8k+OuPNS0Z5yrqwPaK2xLFmUfX5z3?= =?us-ascii?Q?9MG4GPjrUWD2FSKHuLIm7pmj04RfvsOCPd0Ne5IL0Zpvi6BQfxq3N8w3RF/s?= =?us-ascii?Q?+usdiPWVgzdsqoa9LFs1uFpEAdjFNFZ59KIcYO/cdOU/i2B/4ymKCn4TWmP6?= 
=?us-ascii?Q?p+KenKLa9SkDOYfT8wWyrYrVzeu4uUpFxTelMkqAPwjGArbGt1C1cBDwXwPy?= =?us-ascii?Q?pcRwsa1ixnJ9pT63Dh1E9zFo1hoNcSGWif3neffhGVjr12GQbbyLg1IndmMm?= =?us-ascii?Q?e0n2EYR9nwJi0yeYCOx1kaepW3KNd6+L1fNBCjge9cnzyLEp6WxKpvjUd10h?= =?us-ascii?Q?Pkox10oe3ZYB2jh9gVlGuz8WHnjNtAVFtfvWy+RxXjPsl3RCPbaP9Z8ij2xT?= =?us-ascii?Q?iSshPLUY+yP+yAFY/B++PPpoG7phv+H1GXKTQQPXKWvlG4izWFp64YTsKIWg?= =?us-ascii?Q?cbHETuRS7jQupRVBcqltfYROAjARuaxyWthr2SW8RGUOXNjgRtZ/S9HNeqKg?= =?us-ascii?Q?2c77qLdogZKrZR3wBFmIi+vcBwqt1pVXU5jlYc3CChc/3v7q8ido4QPBCZAF?= =?us-ascii?Q?C+gSZuPqPpXVHtF1FLjkKePtU/fL8PHNdyvSLxu8z6/+XUQbSbbbkzjoLpJN?= =?us-ascii?Q?tH5VS8D67OPsNLWDc+6q3b8j+rPJWISkzqcn6gq7GlmSVRFnO26qQvkPWODK?= =?us-ascii?Q?leMUpIv6cOnaT63sJs9QaPr1WgdmsXA/ym6x0p0Vzi6tE0aR3qnVSQ9x7UwV?= =?us-ascii?Q?PClgIL8LGZ9itK8ulzQkUQcPca5MdliRrpP0IUbuP/YmEsmXcJ6L496r4rPX?= =?us-ascii?Q?22FJHSb3FjOdQ1rm9XdOnAYBh/78O+USg5gNG2YgheshPDnLn6i6cvmWMF+6?= =?us-ascii?Q?jxUBuTtuoaAZad1yLWZ9K33LrZES1RHXJ8pidYv04sfcQXVFKmZPSrUwu8v+?= =?us-ascii?Q?PZN2KLMcq6N602kNF9zSfoFdk1mAKQHf9Vt3DiPlGq9SvGYdZIzHUA+Pt4Ka?= =?us-ascii?Q?+pFRGBarnW5+dw1HCQSZVYepxViwjj2JBhey?= X-Forefront-Antispam-Report: CIP:165.204.84.17;CTRY:US;LANG:en;SCL:1;SRV:;IPV:CAL;SFV:NSPM;H:satlexmb07.amd.com;PTR:InfoDomainNonexistent;CAT:NONE;SFS:(13230040)(7416014)(376014)(36860700013)(1800799024)(82310400026);DIR:OUT;SFP:1101; X-OriginatorOrg: amd.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 19 Sep 2025 19:00:57.2200 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: ec1e389c-f151-4997-c8be-08ddf7aeddd3 X-MS-Exchange-CrossTenant-Id: 3dd8961f-e488-4e60-8e11-a82d994e183d X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=3dd8961f-e488-4e60-8e11-a82d994e183d;Ip=[165.204.84.17];Helo=[satlexmb07.amd.com] X-MS-Exchange-CrossTenant-AuthSource: CO1PEPF000044FD.namprd21.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: 

Supported policy bits are dependent on the level of SEV firmware that is currently running. Create an API to return the supported policy bits for a given level of firmware. KVM will AND that value with the KVM supported policy bits to generate the actual supported policy bits.

Signed-off-by: Tom Lendacky
--- arch/x86/kvm/svm/sev.c | 3 ++- drivers/crypto/ccp/sev-dev.c | 37 ++++++++++++++++++++++++++++++++++++ include/linux/psp-sev.h | 20 +++++++++++++++++++ 3 files changed, 59 insertions(+), 1 deletion(-) diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index e63f2ee57204..f77da22200fb 100644 --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c @@ -3083,7 +3083,8 @@ void __init sev_hardware_setup(void) sev_snp_supported =3D is_sev_snp_initialized(); =20 if (sev_snp_supported) { - snp_supported_policy_bits =3D KVM_SNP_POLICY_MASK_VALID; + snp_supported_policy_bits =3D sev_get_snp_policy_bits(); + snp_supported_policy_bits &=3D KVM_SNP_POLICY_MASK_VALID; nr_ciphertext_hiding_asids =3D init_args.max_snp_asid; } =20 diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c index 334405461657..d4159cec12a0 100644 --- a/drivers/crypto/ccp/sev-dev.c +++ b/drivers/crypto/ccp/sev-dev.c
@@ -2583,6 +2583,43 @@ void sev_platform_shutdown(void) } EXPORT_SYMBOL_GPL(sev_platform_shutdown); =20 +u64 sev_get_snp_policy_bits(void) +{ + struct psp_device *psp =3D psp_master; + struct sev_device *sev; + u64 policy_bits; + + if (!cc_platform_has(CC_ATTR_HOST_SEV_SNP)) + return 0; + + if (!psp || !psp->sev_data) + return 0; + + sev =3D psp->sev_data; + + policy_bits =3D SNP_POLICY_MASK_BASE; + + if (sev->snp_plat_status.feature_info) { + if (sev->snp_feat_info_0.ecx & SNP_RAPL_DISABLE_SUPPORTED) + policy_bits |=3D SNP_POLICY_MASK_RAPL_DIS; + + if (sev->snp_feat_info_0.ecx & SNP_CIPHER_TEXT_HIDING_SUPPORTED) + policy_bits |=3D SNP_POLICY_MASK_CIPHERTEXT_HIDING_DRAM; + + if (sev->snp_feat_info_0.ecx & SNP_AES_256_XTS_POLICY_SUPPORTED) + policy_bits |=3D SNP_POLICY_MASK_MEM_AES_256_XTS; + + if (sev->snp_feat_info_0.ecx & SNP_CXL_ALLOW_POLICY_SUPPORTED) + policy_bits |=3D SNP_POLICY_MASK_CXL_ALLOW; + + if (sev_version_greater_or_equal(1, 58)) + policy_bits |=3D SNP_POLICY_MASK_PAGE_SWAP_DISABLE; + } + + return policy_bits; +} +EXPORT_SYMBOL_GPL(sev_get_snp_policy_bits); + void sev_dev_destroy(struct psp_device *psp) { struct sev_device *sev =3D psp->sev_data; diff --git a/include/linux/psp-sev.h b/include/linux/psp-sev.h index 27c92543bf38..1b4c68ec5c65 100644 --- a/include/linux/psp-sev.h +++ b/include/linux/psp-sev.h 
@@ -32,6 +32,20 @@ #define SNP_POLICY_MASK_MIGRATE_MA BIT_ULL(18) #define SNP_POLICY_MASK_DEBUG BIT_ULL(19) #define SNP_POLICY_MASK_SINGLE_SOCKET BIT_ULL(20) +#define SNP_POLICY_MASK_CXL_ALLOW BIT_ULL(21) +#define SNP_POLICY_MASK_MEM_AES_256_XTS BIT_ULL(22) +#define SNP_POLICY_MASK_RAPL_DIS BIT_ULL(23) +#define SNP_POLICY_MASK_CIPHERTEXT_HIDING_DRAM BIT_ULL(24) +#define SNP_POLICY_MASK_PAGE_SWAP_DISABLE BIT_ULL(25) + +/* Base SEV-SNP policy bitmask for minimum supported SEV firmware version = */ +#define SNP_POLICY_MASK_BASE (SNP_POLICY_MASK_API_MINOR | \ + SNP_POLICY_MASK_API_MAJOR | \ + SNP_POLICY_MASK_SMT | \ + SNP_POLICY_MASK_RSVD_MBO | \ + SNP_POLICY_MASK_MIGRATE_MA | \ + SNP_POLICY_MASK_DEBUG | \ + SNP_POLICY_MASK_SINGLE_SOCKET) =20 #define SEV_FW_BLOB_MAX_SIZE 0x4000 /* 16KB */ =20 @@ -868,7 +882,10 @@ struct snp_feature_info { u32 edx; } __packed; =20 +#define SNP_RAPL_DISABLE_SUPPORTED BIT(2) #define SNP_CIPHER_TEXT_HIDING_SUPPORTED BIT(3) +#define SNP_AES_256_XTS_POLICY_SUPPORTED BIT(4) +#define SNP_CXL_ALLOW_POLICY_SUPPORTED BIT(5) =20 #ifdef CONFIG_CRYPTO_DEV_SP_PSP =20 @@ -1014,6 +1031,7 @@ void *snp_alloc_firmware_page(gfp_t mask); void snp_free_firmware_page(void *addr); void sev_platform_shutdown(void); bool sev_is_snp_ciphertext_hiding_supported(void); +u64 sev_get_snp_policy_bits(void); =20 #else /* !CONFIG_CRYPTO_DEV_SP_PSP */ =20 
@@ -1052,6 +1070,8 @@ static inline void sev_platform_shutdown(void) { } =20 static inline bool sev_is_snp_ciphertext_hiding_supported(void) { return f= alse; } =20 +static inline u64 sev_get_snp_policy_bits(void) { return 0; } + #endif /* CONFIG_CRYPTO_DEV_SP_PSP */ =20 #endif /* __PSP_SEV_H__ */ --=20 2.46.2
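
Review bot: In the arch/x86/kvm/svm/sev.c hunk (sev_hardware_setup), a 0 return from sev_get_snp_policy_bits() is not handled. The helper returns 0 when psp_master or psp->sev_data is missing, and after the AND with KVM_SNP_POLICY_MASK_VALID snp_supported_policy_bits is then 0 while sev_snp_supported stays true, so any later policy check against this mask would fail with nothing in the log to say why. Consider a WARN_ON_ONCE() on a zero result, or clearing sev_snp_supported in that case.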
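
Review bot: In sev_get_snp_policy_bits() (drivers/crypto/ccp/sev-dev.c hunk), the sev_version_greater_or_equal(1, 58) test for SNP_POLICY_MASK_PAGE_SWAP_DISABLE sits inside the if (sev->snp_plat_status.feature_info) block although, unlike the four checks before it, it does not read snp_feat_info_0. If that nesting is intentional, a one-line comment saying why would help; if not, move the check out of the block so the bit depends on the firmware version only. The exported function also has no kernel-doc: a short comment stating that the return value is the firmware-supported policy mask, and that 0 means SNP or the PSP device is unavailable, would help callers.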
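
Review bot: In the first include/linux/psp-sev.h hunk, the comment above SNP_POLICY_MASK_BASE refers to the "minimum supported SEV firmware version" without naming it; please state the version so the base set can be checked against the firmware documentation. SNP_POLICY_MASK_BASE also includes SNP_POLICY_MASK_MIGRATE_MA, which KVM_SNP_POLICY_MASK_VALID does not; that is harmless after the AND in sev_hardware_setup(), but a remark that the base mask describes firmware support rather than KVM support would avoid confusion.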
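
Review bot: In the include/linux/psp-sev.h hunk after struct snp_feature_info, the new SNP_*_SUPPORTED defines do not say which register they describe. sev_get_snp_policy_bits() tests them against snp_feat_info_0.ecx, so a comment above the block stating that would document the intended use. The naming is also inconsistent: SNP_AES_256_XTS_POLICY_SUPPORTED and SNP_CXL_ALLOW_POLICY_SUPPORTED carry _POLICY_ while SNP_RAPL_DISABLE_SUPPORTED and the existing SNP_CIPHER_TEXT_HIDING_SUPPORTED do not.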
From: Tom Lendacky
CC: Paolo Bonzini, Sean Christopherson, Borislav Petkov, Dave Hansen, Ingo Molnar, "Thomas Gleixner", Michael Roth, "Ashish Kalra", Herbert Xu, "David Miller"
Subject: [RFC PATCH v2 4/4] KVM: SEV: Add known supported SEV-SNP policy bits
Date: Fri, 19 Sep 2025 14:00:08 -0500
Message-ID: <27e833d0e988533153a5f786faa92fc6843e5c73.1758308408.git.thomas.lendacky@amd.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Add to the known supported SEV-SNP policy bits that don't require any implementation support from KVM in order to successfully use them.

At this time, this includes:
  - CXL_ALLOW
  - MEM_AES_256_XTS
  - RAPL_DIS
  - CIPHERTEXT_HIDING_DRAM
  - PAGE_SWAP_DISABLE

Arguably, RAPL_DIS and CIPHERTEXT_HIDING_DRAM require KVM and the CCP driver to enable these features in order for the setting of the policy bits to be successfully handled. But, a guest owner may not wish their guest to run on a system that doesn't provide support for those features, so allowing the specification of these bits accomplishes that. Whether or not the bit is supported by SEV firmware, a system that doesn't support these features will either fail during the KVM validation of supported policy bits before issuing the LAUNCH_START or fail during the LAUNCH_START.

Signed-off-by: Tom Lendacky
--- arch/x86/kvm/svm/sev.c | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index f77da22200fb..2385c9a0befe 100644 --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c
@@ -66,12 +66,22 @@ module_param_named(ciphertext_hiding_asids, nr_cipherte= xt_hiding_asids, uint, 04 #define AP_RESET_HOLD_NAE_EVENT 1 #define AP_RESET_HOLD_MSR_PROTO 2 =20 -#define KVM_SNP_POLICY_MASK_VALID (SNP_POLICY_MASK_API_MINOR | \ - SNP_POLICY_MASK_API_MAJOR | \ - SNP_POLICY_MASK_SMT | \ - SNP_POLICY_MASK_RSVD_MBO | \ - SNP_POLICY_MASK_DEBUG | \ - SNP_POLICY_MASK_SINGLE_SOCKET) +/* + * SEV-SNP policy bits that can be supported by KVM. These include policy = bits + * that have implementation support within KVM or policy bits that do not = rely + * on any implementation support within KVM. + */ +#define KVM_SNP_POLICY_MASK_VALID (SNP_POLICY_MASK_API_MINOR | \ + SNP_POLICY_MASK_API_MAJOR | \ + SNP_POLICY_MASK_SMT | \ + SNP_POLICY_MASK_RSVD_MBO | \ + SNP_POLICY_MASK_DEBUG | \ + SNP_POLICY_MASK_SINGLE_SOCKET | \ + SNP_POLICY_MASK_CXL_ALLOW | \ + SNP_POLICY_MASK_MEM_AES_256_XTS | \ + SNP_POLICY_MASK_RAPL_DIS | \ + SNP_POLICY_MASK_CIPHERTEXT_HIDING_DRAM | \ + SNP_POLICY_MASK_PAGE_SWAP_DISABLE) =20 static u64 snp_supported_policy_bits __ro_after_init; =20 --=20 2.46.2
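
Review bot: The new comment above KVM_SNP_POLICY_MASK_VALID says the mask covers bits that "do not rely on any implementation support within KVM", but the commit message concedes that RAPL_DIS and CIPHERTEXT_HIDING_DRAM arguably do need KVM and the CCP driver to enable the feature, with failure deferred to KVM policy validation or LAUNCH_START. Please carry that caveat into the comment so the mask is not read as a guarantee that the feature is active on the host. The re-indentation of the six existing lines also makes the hunk larger than the five added bits need; keeping the original alignment, or splitting out the whitespace change, would make it easier to review.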