From: Tom Lendacky
CC: Paolo Bonzini, Sean Christopherson, Borislav Petkov, Dave Hansen, Ingo Molnar, Thomas Gleixner, Michael Roth, Ashish Kalra, Herbert Xu, David Miller
Subject: [PATCH v3 1/4] KVM: SEV: Publish supported SEV-SNP policy bits
Date: Wed, 22 Oct 2025 12:37:21 -0500
X-Mailing-List: linux-kernel@vger.kernel.org

Define the set of policy bits that KVM currently knows as not requiring any implementation support within KVM. Provide this value to userspace via the KVM_GET_DEVICE_ATTR ioctl.

Signed-off-by: Tom Lendacky

--- arch/x86/include/uapi/asm/kvm.h | 1 + arch/x86/kvm/svm/sev.c | 12 ++++++++++-- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/arch/x86/include/uapi/asm/kvm.h b/arch/x86/include/uapi/asm/kv= m.h index d420c9c066d4..7ceff6583652 100644 --- a/arch/x86/include/uapi/asm/kvm.h +++ b/arch/x86/include/uapi/asm/kvm.h @@ -502,6 +502,7 @@ struct kvm_sync_regs { /* vendor-specific groups and attributes for system fd */ #define KVM_X86_GRP_SEV 1 # define KVM_X86_SEV_VMSA_FEATURES 0 +# define KVM_X86_SNP_POLICY_BITS 1 =20 struct kvm_vmx_nested_state_data { __u8 vmcs12[KVM_STATE_NESTED_VMX_VMCS_SIZE]; diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index 0835c664fbfd..72cc7cc8c9b8 100644 --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c @@ -80,6 +80,8 @@ module_param_named(ciphertext_hiding_asids, nr_ciphertext= _hiding_asids, uint, 04 SNP_POLICY_MASK_DEBUG | \ SNP_POLICY_MASK_SINGLE_SOCKET) =20 +static u64 snp_supported_policy_bits __ro_after_init; + #define INITIAL_VMSA_GPA 0xFFFFFFFFF000 =20 static u8 sev_enc_bit; @@ -2143,6 +2145,10 @@ int sev_dev_get_attr(u32 group, u64 attr, u64 *val) *val =3D sev_supported_vmsa_features; return 0; =20 + case KVM_X86_SNP_POLICY_BITS: + *val =3D snp_supported_policy_bits; + return 0; + default: return -ENXIO; } @@ -2207,7 +2213,7 @@ static int snp_launch_start(struct kvm *kvm, struct k= vm_sev_cmd *argp) if (params.flags) return -EINVAL; =20 - if (params.policy & ~SNP_POLICY_MASK_VALID) + if (params.policy & ~snp_supported_policy_bits) return -EINVAL; =20 /* Check for policy bits that must be set */ 
@@ -3100,8 +3106,10 @@ void __init sev_hardware_setup(void) else if (sev_snp_supported) sev_snp_supported =3D is_sev_snp_initialized(); =20 - if (sev_snp_supported) + if (sev_snp_supported) { + snp_supported_policy_bits =3D SNP_POLICY_MASK_VALID; nr_ciphertext_hiding_asids =3D init_args.max_snp_asid; + } =20 /* * If ciphertext hiding is enabled, the joint SEV-ES/SEV-SNP --=20 2.51.1
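Review bot: The new uapi attribute `KVM_X86_SNP_POLICY_BITS` in the arch/x86/include/uapi/asm/kvm.h hunk is added without any description of what the returned u64 means. The diffstat covers only kvm.h and sev.c, so nothing tells userspace that the value is the mask of SNP guest policy bits that snp_launch_start() will accept. Suggest documenting it next to the existing KVM_X86_GRP_SEV / KVM_X86_SEV_VMSA_FEATURES attribute in this patch, or naming in the changelog the later patch that does.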
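Review bot: In the sev_dev_get_attr() hunk, the new `case KVM_X86_SNP_POLICY_BITS:` returns 0 with `*val` set even when SNP was never initialized, because snp_supported_policy_bits is only assigned inside `if (sev_snp_supported) {` in sev_hardware_setup(). Userspace is left to infer "SNP unavailable" from a zero mask. Consider returning -ENXIO when sev_snp_supported is false, or state in the changelog that a zero value is the intended way to report that no SNP launch is possible.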

From: Tom Lendacky
CC: Paolo Bonzini, Sean Christopherson, Borislav Petkov, Dave Hansen, Ingo Molnar, Thomas Gleixner, Michael Roth, Ashish Kalra, Herbert Xu, David Miller
Subject: [PATCH v3 2/4] KVM: SEV: Consolidate the SEV policy bits in a single header file
Date: Wed, 22 Oct 2025 12:37:22 -0500
Message-ID: <68f3807f80245fd5f5f1bd02645bea387b65d6cb.1761154644.git.thomas.lendacky@amd.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Consolidate SEV policy bit definitions into a single file. Use include/linux/psp-sev.h to hold the definitions and remove the current definitions from the arch/x86/kvm/svm/sev.c and arch/x86/include/svm.h files.

No functional change intended.

Signed-off-by: Tom Lendacky

--- arch/x86/kvm/svm/sev.c | 16 ++++------------ arch/x86/kvm/svm/svm.h | 3 --- include/linux/psp-sev.h | 19 +++++++++++++++++++ 3 files changed, 23 insertions(+), 15 deletions(-) diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index 72cc7cc8c9b8..45e87d756e15 100644 --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c @@ -65,15 +65,7 @@ module_param_named(ciphertext_hiding_asids, nr_ciphertex= t_hiding_asids, uint, 04 #define AP_RESET_HOLD_NAE_EVENT 1 #define AP_RESET_HOLD_MSR_PROTO 2 =20 -/* As defined by SEV-SNP Firmware ABI, under "Guest Policy". */ -#define SNP_POLICY_MASK_API_MINOR GENMASK_ULL(7, 0) -#define SNP_POLICY_MASK_API_MAJOR GENMASK_ULL(15, 8) -#define SNP_POLICY_MASK_SMT BIT_ULL(16) -#define SNP_POLICY_MASK_RSVD_MBO BIT_ULL(17) -#define SNP_POLICY_MASK_DEBUG BIT_ULL(19) -#define SNP_POLICY_MASK_SINGLE_SOCKET BIT_ULL(20) - -#define SNP_POLICY_MASK_VALID (SNP_POLICY_MASK_API_MINOR | \ +#define KVM_SNP_POLICY_MASK_VALID (SNP_POLICY_MASK_API_MINOR | \ SNP_POLICY_MASK_API_MAJOR | \ SNP_POLICY_MASK_SMT | \ SNP_POLICY_MASK_RSVD_MBO | \ @@ -3107,7 +3099,7 @@ void __init sev_hardware_setup(void) sev_snp_supported =3D is_sev_snp_initialized(); =20 if (sev_snp_supported) { - snp_supported_policy_bits =3D SNP_POLICY_MASK_VALID; + snp_supported_policy_bits =3D KVM_SNP_POLICY_MASK_VALID; nr_ciphertext_hiding_asids =3D init_args.max_snp_asid; } =20 
@@ -5093,10 +5085,10 @@ struct vmcb_save_area *sev_decrypt_vmsa(struct kvm_= vcpu *vcpu) =20 /* Check if the SEV policy allows debugging */ if (sev_snp_guest(vcpu->kvm)) { - if (!(sev->policy & SNP_POLICY_DEBUG)) + if (!(sev->policy & SNP_POLICY_MASK_DEBUG)) return NULL; } else { - if (sev->policy & SEV_POLICY_NODBG) + if (sev->policy & SEV_POLICY_MASK_NODBG) return NULL; } =20 diff --git a/arch/x86/kvm/svm/svm.h b/arch/x86/kvm/svm/svm.h index e4b04f435b3d..379e14ad30e5 100644 --- a/arch/x86/kvm/svm/svm.h +++ b/arch/x86/kvm/svm/svm.h @@ -117,9 +117,6 @@ struct kvm_sev_info { cpumask_var_t have_run_cpus; /* CPUs that have done VMRUN for this VM. */ }; =20 -#define SEV_POLICY_NODBG BIT_ULL(0) -#define SNP_POLICY_DEBUG BIT_ULL(19) - struct kvm_svm { struct kvm kvm; =20 diff --git a/include/linux/psp-sev.h b/include/linux/psp-sev.h index e0dbcb4b4fd9..27c92543bf38 100644 --- a/include/linux/psp-sev.h +++ b/include/linux/psp-sev.h 
@@ -14,6 +14,25 @@ =20 #include =20 +/* As defined by SEV API, under "Guest Policy". */ +#define SEV_POLICY_MASK_NODBG BIT(0) +#define SEV_POLICY_MASK_NOKS BIT(1) +#define SEV_POLICY_MASK_ES BIT(2) +#define SEV_POLICY_MASK_NOSEND BIT(3) +#define SEV_POLICY_MASK_DOMAIN BIT(4) +#define SEV_POLICY_MASK_SEV BIT(5) +#define SEV_POLICY_MASK_API_MAJOR GENMASK(23, 16) +#define SEV_POLICY_MASK_API_MINOR GENMASK(31, 24) + +/* As defined by SEV-SNP Firmware ABI, under "Guest Policy". */ +#define SNP_POLICY_MASK_API_MINOR GENMASK_ULL(7, 0) +#define SNP_POLICY_MASK_API_MAJOR GENMASK_ULL(15, 8) +#define SNP_POLICY_MASK_SMT BIT_ULL(16) +#define SNP_POLICY_MASK_RSVD_MBO BIT_ULL(17) +#define SNP_POLICY_MASK_MIGRATE_MA BIT_ULL(18) +#define SNP_POLICY_MASK_DEBUG BIT_ULL(19) +#define SNP_POLICY_MASK_SINGLE_SOCKET BIT_ULL(20) + #define SEV_FW_BLOB_MAX_SIZE 0x4000 /* 16KB */ =20 /** --=20 2.51.1
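Review bot: The changelog names the wrong file for the svm.h hunk: `SEV_POLICY_NODBG` and `SNP_POLICY_DEBUG` are removed from arch/x86/kvm/svm/svm.h, while the commit message says the definitions come out of arch/x86/include/svm.h. Correct the path in the changelog so it matches the diffstat.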
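Review bot: The include/linux/psp-sev.h hunk is more than a move, and the changelog should say so. `SEV_POLICY_MASK_NOKS` through `SEV_POLICY_MASK_API_MINOR` and `SNP_POLICY_MASK_MIGRATE_MA` (BIT_ULL(18)) have no counterpart in the lines removed from sev.c and svm.h, and `SEV_POLICY_MASK_NODBG` is now `BIT(0)` where `SEV_POLICY_NODBG` was `BIT_ULL(0)`. KVM_SNP_POLICY_MASK_VALID does not include MIGRATE_MA, so "No functional change intended" still holds for the launch check, but please mention the added definitions and either keep the _ULL forms for the SEV masks or note why the narrower BIT()/GENMASK() types are fine in a header under include/linux.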

From: Tom Lendacky
CC: Paolo Bonzini, Sean Christopherson, Borislav Petkov, Dave Hansen, Ingo Molnar, Thomas Gleixner, Michael Roth, Ashish Kalra, Herbert Xu, David Miller
Subject: [PATCH v3 3/4] crypto: ccp - Add an API to return the supported SEV-SNP policy bits
Date: Wed, 22 Oct 2025 12:37:23 -0500
Message-ID: <3a86b3678a78a8b720d3818f4121972f67e2d0a8.1761154644.git.thomas.lendacky@amd.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Supported policy bits are dependent on the level of SEV firmware that is currently running. Create an API to return the supported policy bits for a given level of firmware. KVM will AND that value with the KVM supported policy bits to generate the actual supported policy bits.

Signed-off-by: Tom Lendacky

--- arch/x86/kvm/svm/sev.c | 3 ++- drivers/crypto/ccp/sev-dev.c | 37 ++++++++++++++++++++++++++++++++++++ include/linux/psp-sev.h | 20 +++++++++++++++++++ 3 files changed, 59 insertions(+), 1 deletion(-) diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index 45e87d756e15..24167178bf05 100644 --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c @@ -3099,7 +3099,8 @@ void __init sev_hardware_setup(void) sev_snp_supported =3D is_sev_snp_initialized(); =20 if (sev_snp_supported) { - snp_supported_policy_bits =3D KVM_SNP_POLICY_MASK_VALID; + snp_supported_policy_bits =3D sev_get_snp_policy_bits(); + snp_supported_policy_bits &=3D KVM_SNP_POLICY_MASK_VALID; nr_ciphertext_hiding_asids =3D init_args.max_snp_asid; } =20 diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c index 0d13d47c164b..db7c7c50cebc 100644 --- a/drivers/crypto/ccp/sev-dev.c +++ b/drivers/crypto/ccp/sev-dev.c 
@@ -2777,6 +2777,43 @@ void sev_platform_shutdown(void) } EXPORT_SYMBOL_GPL(sev_platform_shutdown); =20 +u64 sev_get_snp_policy_bits(void) +{ + struct psp_device *psp =3D psp_master; + struct sev_device *sev; + u64 policy_bits; + + if (!cc_platform_has(CC_ATTR_HOST_SEV_SNP)) + return 0; + + if (!psp || !psp->sev_data) + return 0; + + sev =3D psp->sev_data; + + policy_bits =3D SNP_POLICY_MASK_BASE; + + if (sev->snp_plat_status.feature_info) { + if (sev->snp_feat_info_0.ecx & SNP_RAPL_DISABLE_SUPPORTED) + policy_bits |=3D SNP_POLICY_MASK_RAPL_DIS; + + if (sev->snp_feat_info_0.ecx & SNP_CIPHER_TEXT_HIDING_SUPPORTED) + policy_bits |=3D SNP_POLICY_MASK_CIPHERTEXT_HIDING_DRAM; + + if (sev->snp_feat_info_0.ecx & SNP_AES_256_XTS_POLICY_SUPPORTED) + policy_bits |=3D SNP_POLICY_MASK_MEM_AES_256_XTS; + + if (sev->snp_feat_info_0.ecx & SNP_CXL_ALLOW_POLICY_SUPPORTED) + policy_bits |=3D SNP_POLICY_MASK_CXL_ALLOW; + + if (sev_version_greater_or_equal(1, 58)) + policy_bits |=3D SNP_POLICY_MASK_PAGE_SWAP_DISABLE; + } + + return policy_bits; +} +EXPORT_SYMBOL_GPL(sev_get_snp_policy_bits); + void sev_dev_destroy(struct psp_device *psp) { struct sev_device *sev =3D psp->sev_data; diff --git a/include/linux/psp-sev.h b/include/linux/psp-sev.h index 27c92543bf38..1b4c68ec5c65 100644 --- a/include/linux/psp-sev.h +++ b/include/linux/psp-sev.h 
@@ -32,6 +32,20 @@ #define SNP_POLICY_MASK_MIGRATE_MA BIT_ULL(18) #define SNP_POLICY_MASK_DEBUG BIT_ULL(19) #define SNP_POLICY_MASK_SINGLE_SOCKET BIT_ULL(20) +#define SNP_POLICY_MASK_CXL_ALLOW BIT_ULL(21) +#define SNP_POLICY_MASK_MEM_AES_256_XTS BIT_ULL(22) +#define SNP_POLICY_MASK_RAPL_DIS BIT_ULL(23) +#define SNP_POLICY_MASK_CIPHERTEXT_HIDING_DRAM BIT_ULL(24) +#define SNP_POLICY_MASK_PAGE_SWAP_DISABLE BIT_ULL(25) + +/* Base SEV-SNP policy bitmask for minimum supported SEV firmware version = */ +#define SNP_POLICY_MASK_BASE (SNP_POLICY_MASK_API_MINOR | \ + SNP_POLICY_MASK_API_MAJOR | \ + SNP_POLICY_MASK_SMT | \ + SNP_POLICY_MASK_RSVD_MBO | \ + SNP_POLICY_MASK_MIGRATE_MA | \ + SNP_POLICY_MASK_DEBUG | \ + SNP_POLICY_MASK_SINGLE_SOCKET) =20 #define SEV_FW_BLOB_MAX_SIZE 0x4000 /* 16KB */ =20 @@ -868,7 +882,10 @@ struct snp_feature_info { u32 edx; } __packed; =20 +#define SNP_RAPL_DISABLE_SUPPORTED BIT(2) #define SNP_CIPHER_TEXT_HIDING_SUPPORTED BIT(3) +#define SNP_AES_256_XTS_POLICY_SUPPORTED BIT(4) +#define SNP_CXL_ALLOW_POLICY_SUPPORTED BIT(5) =20 #ifdef CONFIG_CRYPTO_DEV_SP_PSP =20 @@ -1014,6 +1031,7 @@ void *snp_alloc_firmware_page(gfp_t mask); void snp_free_firmware_page(void *addr); void sev_platform_shutdown(void); bool sev_is_snp_ciphertext_hiding_supported(void); +u64 sev_get_snp_policy_bits(void); =20 #else /* !CONFIG_CRYPTO_DEV_SP_PSP */ =20 
@@ -1052,6 +1070,8 @@ static inline void sev_platform_shutdown(void) { } =20 static inline bool sev_is_snp_ciphertext_hiding_supported(void) { return f= alse; } =20 +static inline u64 sev_get_snp_policy_bits(void) { return 0; } + #endif /* CONFIG_CRYPTO_DEV_SP_PSP */ =20 #endif /* __PSP_SEV_H__ */ --=20 2.51.1
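Review bot: In the sev_hardware_setup() hunk, sev_get_snp_policy_bits() returns 0 on each of its early-exit paths (no CC_ATTR_HOST_SEV_SNP, or psp_master / psp->sev_data being NULL), so after the AND snp_supported_policy_bits is 0 while sev_snp_supported is still true. An empty mask errs on the safe side, since no policy bit is then advertised as supported, but nothing reports it. Consider a WARN_ON_ONCE when the returned value is 0, or a comment stating that a zero return cannot happen once is_sev_snp_initialized() is true. The two statements can also be folded into one assignment: snp_supported_policy_bits = sev_get_snp_policy_bits() & KVM_SNP_POLICY_MASK_VALID;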
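Review bot: In sev_get_snp_policy_bits(), the sev_version_greater_or_equal(1, 58) test that enables SNP_POLICY_MASK_PAGE_SWAP_DISABLE is nested inside the if (sev->snp_plat_status.feature_info) block, although it reads nothing from snp_feat_info_0. Is the nesting intended? If it is, a one-line comment saying why the version check depends on feature_info would help; if not, move it out of the block so the bit is not dropped on firmware that meets the version but does not report feature_info. The function is exported without any comment: please document the return value, including that 0 means SNP is unavailable and that callers are expected to AND the result with their own mask.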
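Review bot: The comment on SNP_POLICY_MASK_BASE in include/linux/psp-sev.h says "minimum supported SEV firmware version" without naming that version, so the mask cannot be checked against the firmware ABI from the header alone. Please state the version in the comment, in the same major/minor form that sev_version_greater_or_equal(1, 58) uses for the PAGE_SWAP_DISABLE bit.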
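Review bot: In the defines added after struct snp_feature_info, the naming is inconsistent: SNP_AES_256_XTS_POLICY_SUPPORTED and SNP_CXL_ALLOW_POLICY_SUPPORTED carry a _POLICY_ infix that SNP_RAPL_DISABLE_SUPPORTED and the existing SNP_CIPHER_TEXT_HIDING_SUPPORTED do not. None of the names or the surrounding lines say which register the bits belong to, while sev_get_snp_policy_bits() tests all four against snp_feat_info_0.ecx. Pick one naming scheme and add a short comment that these are ECX bits of the feature info.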
From: Tom Lendacky To: , , , CC: Paolo Bonzini , Sean Christopherson , Borislav Petkov , Dave Hansen , Ingo Molnar , "Thomas Gleixner" , Michael Roth , "Ashish Kalra" , Herbert Xu , "David Miller" Subject: [PATCH v3 4/4] KVM: SEV: Add known supported SEV-SNP policy bits Date: Wed, 22 Oct 2025 12:37:24 -0500 Message-ID: <93045a3b8941e5b58f03a4d27945b523f5a9b8a2.1761154644.git.thomas.lendacky@amd.com>
Add to the known supported SEV-SNP policy bits that don't require any implementation support from KVM in order to successfully use them. At this time, this includes: - CXL_ALLOW - MEM_AES_256_XTS - RAPL_DIS - CIPHERTEXT_HIDING_DRAM - PAGE_SWAP_DISABLE Arguably, RAPL_DIS and CIPHERTEXT_HIDING_DRAM require KVM and the CCP driver to enable these features in order for the setting of the policy bits to be successfully handled. But, a guest owner may not wish their guest to run on a system that doesn't provide support for those features, so allowing the specification of these bits accomplishes that. Whether or not the bit is supported by SEV firmware, a system that doesn't support these features will either fail during the KVM validation of supported policy bits before issuing the LAUNCH_START or fail during the LAUNCH_START. Signed-off-by: Tom Lendacky --- arch/x86/kvm/svm/sev.c | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index 24167178bf05..83beddc52715 100644 --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c 
@@ -65,12 +65,22 @@ module_param_named(ciphertext_hiding_asids, nr_cipherte= xt_hiding_asids, uint, 04 #define AP_RESET_HOLD_NAE_EVENT 1 #define AP_RESET_HOLD_MSR_PROTO 2 =20 -#define KVM_SNP_POLICY_MASK_VALID (SNP_POLICY_MASK_API_MINOR | \ - SNP_POLICY_MASK_API_MAJOR | \ - SNP_POLICY_MASK_SMT | \ - SNP_POLICY_MASK_RSVD_MBO | \ - SNP_POLICY_MASK_DEBUG | \ - SNP_POLICY_MASK_SINGLE_SOCKET) +/* + * SEV-SNP policy bits that can be supported by KVM. These include policy = bits + * that have implementation support within KVM or policy bits that do not = rely + * on any implementation support within KVM. + */ +#define KVM_SNP_POLICY_MASK_VALID (SNP_POLICY_MASK_API_MINOR | \ + SNP_POLICY_MASK_API_MAJOR | \ + SNP_POLICY_MASK_SMT | \ + SNP_POLICY_MASK_RSVD_MBO | \ + SNP_POLICY_MASK_DEBUG | \ + SNP_POLICY_MASK_SINGLE_SOCKET | \ + SNP_POLICY_MASK_CXL_ALLOW | \ + SNP_POLICY_MASK_MEM_AES_256_XTS | \ + SNP_POLICY_MASK_RAPL_DIS | \ + SNP_POLICY_MASK_CIPHERTEXT_HIDING_DRAM | \ + SNP_POLICY_MASK_PAGE_SWAP_DISABLE) =20 static u64 snp_supported_policy_bits __ro_after_init; =20 --=20 2.51.1
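Review bot: The new comment above KVM_SNP_POLICY_MASK_VALID names only two categories (bits KVM implements, and bits that need no KVM support), but the commit message says RAPL_DIS and CIPHERTEXT_HIDING_DRAM arguably do depend on KVM and the CCP driver enabling the feature. Please carry that caveat into the comment: these two bits are accepted so that a guest owner can require the feature, and a launch on a system without it fails either in the KVM validation of supported policy bits or at LAUNCH_START. It would also help to say why SNP_POLICY_MASK_MIGRATE_MA, which is part of SNP_POLICY_MASK_BASE in include/linux/psp-sev.h, stays out of this mask, so a later reader does not add it by analogy.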