[PATCH v4 2/4] crypto: ccp - Add an API to return the supported SEV-SNP policy bits

Tom Lendacky posted 4 patches 1 month, 2 weeks ago
[PATCH v4 2/4] crypto: ccp - Add an API to return the supported SEV-SNP policy bits
Posted by Tom Lendacky 1 month, 2 weeks ago
Supported policy bits are dependent on the level of SEV firmware that is
currently running. Create an API to return the supported policy bits for
the current level of firmware.

Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
---
 drivers/crypto/ccp/sev-dev.c | 37 ++++++++++++++++++++++++++++++++++++
 include/linux/psp-sev.h      | 20 +++++++++++++++++++
 2 files changed, 57 insertions(+)

diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c
index 0d13d47c164b..db7c7c50cebc 100644
--- a/drivers/crypto/ccp/sev-dev.c
+++ b/drivers/crypto/ccp/sev-dev.c
@@ -2777,6 +2777,43 @@ void sev_platform_shutdown(void)
 }
 EXPORT_SYMBOL_GPL(sev_platform_shutdown);
 
+u64 sev_get_snp_policy_bits(void)
+{
+	struct psp_device *psp = psp_master;
+	struct sev_device *sev;
+	u64 policy_bits;
+
+	if (!cc_platform_has(CC_ATTR_HOST_SEV_SNP))
+		return 0;
+
+	if (!psp || !psp->sev_data)
+		return 0;
+
+	sev = psp->sev_data;
+
+	policy_bits = SNP_POLICY_MASK_BASE;
+
+	if (sev->snp_plat_status.feature_info) {
+		if (sev->snp_feat_info_0.ecx & SNP_RAPL_DISABLE_SUPPORTED)
+			policy_bits |= SNP_POLICY_MASK_RAPL_DIS;
+
+		if (sev->snp_feat_info_0.ecx & SNP_CIPHER_TEXT_HIDING_SUPPORTED)
+			policy_bits |= SNP_POLICY_MASK_CIPHERTEXT_HIDING_DRAM;
+
+		if (sev->snp_feat_info_0.ecx & SNP_AES_256_XTS_POLICY_SUPPORTED)
+			policy_bits |= SNP_POLICY_MASK_MEM_AES_256_XTS;
+
+		if (sev->snp_feat_info_0.ecx & SNP_CXL_ALLOW_POLICY_SUPPORTED)
+			policy_bits |= SNP_POLICY_MASK_CXL_ALLOW;
+
+		if (sev_version_greater_or_equal(1, 58))
+			policy_bits |= SNP_POLICY_MASK_PAGE_SWAP_DISABLE;
+	}
+
+	return policy_bits;
+}
+EXPORT_SYMBOL_GPL(sev_get_snp_policy_bits);
+
 void sev_dev_destroy(struct psp_device *psp)
 {
 	struct sev_device *sev = psp->sev_data;
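Review bot: The `sev_version_greater_or_equal(1, 58)` test sits inside the `if (sev->snp_plat_status.feature_info)` block, so SNP_POLICY_MASK_PAGE_SWAP_DISABLE is silently gated on SNP_FEATURE_INFO being reported as well as on the firmware version, even though only the version is the stated condition; if the coupling is intentional (every 1.58+ firmware is expected to report feature_info) a comment should say so, otherwise move it after the closing brace: `if (sev_version_greater_or_equal(1, 58)) policy_bits |= SNP_POLICY_MASK_PAGE_SWAP_DISABLE;`. The exported function also has no kernel-doc comment; it should state that the returned value is the set of guest policy bits the running firmware will accept, that 0 means SEV-SNP is not usable on this host, and that callers should treat it as an early validation filter rather than a security boundary since the firmware still enforces the policy at launch. psp_master and sev->snp_feat_info_0 are read without any locking here, which presumably matches the other exported helpers in this file (e.g. sev_is_snp_ciphertext_hiding_supported()) but is worth confirming, as is whether snp_feat_info_0 is guaranteed populated whenever feature_info is set.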
diff --git a/include/linux/psp-sev.h b/include/linux/psp-sev.h
index 27c92543bf38..1b4c68ec5c65 100644
--- a/include/linux/psp-sev.h
+++ b/include/linux/psp-sev.h
@@ -32,6 +32,20 @@
 #define SNP_POLICY_MASK_MIGRATE_MA		BIT_ULL(18)
 #define SNP_POLICY_MASK_DEBUG			BIT_ULL(19)
 #define SNP_POLICY_MASK_SINGLE_SOCKET		BIT_ULL(20)
+#define SNP_POLICY_MASK_CXL_ALLOW		BIT_ULL(21)
+#define SNP_POLICY_MASK_MEM_AES_256_XTS		BIT_ULL(22)
+#define SNP_POLICY_MASK_RAPL_DIS		BIT_ULL(23)
+#define SNP_POLICY_MASK_CIPHERTEXT_HIDING_DRAM	BIT_ULL(24)
+#define SNP_POLICY_MASK_PAGE_SWAP_DISABLE	BIT_ULL(25)
+
+/* Base SEV-SNP policy bitmask for minimum supported SEV firmware version */
+#define SNP_POLICY_MASK_BASE	(SNP_POLICY_MASK_API_MINOR		| \
+				 SNP_POLICY_MASK_API_MAJOR		| \
+				 SNP_POLICY_MASK_SMT			| \
+				 SNP_POLICY_MASK_RSVD_MBO		| \
+				 SNP_POLICY_MASK_MIGRATE_MA		| \
+				 SNP_POLICY_MASK_DEBUG			| \
+				 SNP_POLICY_MASK_SINGLE_SOCKET)
 
 #define SEV_FW_BLOB_MAX_SIZE	0x4000	/* 16KB */
 
@@ -868,7 +882,10 @@ struct snp_feature_info {
 	u32 edx;
 } __packed;
 
+#define SNP_RAPL_DISABLE_SUPPORTED		BIT(2)
 #define SNP_CIPHER_TEXT_HIDING_SUPPORTED	BIT(3)
+#define SNP_AES_256_XTS_POLICY_SUPPORTED	BIT(4)
+#define SNP_CXL_ALLOW_POLICY_SUPPORTED		BIT(5)
 
 #ifdef CONFIG_CRYPTO_DEV_SP_PSP
 
@@ -1014,6 +1031,7 @@ void *snp_alloc_firmware_page(gfp_t mask);
 void snp_free_firmware_page(void *addr);
 void sev_platform_shutdown(void);
 bool sev_is_snp_ciphertext_hiding_supported(void);
+u64 sev_get_snp_policy_bits(void);
 
 #else	/* !CONFIG_CRYPTO_DEV_SP_PSP */
 
@@ -1052,6 +1070,8 @@ static inline void sev_platform_shutdown(void) { }
 
 static inline bool sev_is_snp_ciphertext_hiding_supported(void) { return false; }
 
+static inline u64 sev_get_snp_policy_bits(void) { return 0; }
+
 #endif	/* CONFIG_CRYPTO_DEV_SP_PSP */
 
 #endif	/* __PSP_SEV_H__ */
-- 
2.51.1
Re: [PATCH v4 2/4] crypto: ccp - Add an API to return the supported SEV-SNP policy bits
Posted by Herbert Xu 1 month ago
On Mon, Oct 27, 2025 at 02:33:50PM -0500, Tom Lendacky wrote:
> Supported policy bits are dependent on the level of SEV firmware that is
> currently running. Create an API to return the supported policy bits for
> the current level of firmware.
> 
> Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
> ---
>  drivers/crypto/ccp/sev-dev.c | 37 ++++++++++++++++++++++++++++++++++++
>  include/linux/psp-sev.h      | 20 +++++++++++++++++++
>  2 files changed, 57 insertions(+)

Acked-by: Herbert Xu <herbert@gondor.apana.org.au>

Thanks,
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
Re: [PATCH v4 2/4] crypto: ccp - Add an API to return the supported SEV-SNP policy bits
Posted by Sean Christopherson 1 month ago
On Mon, Oct 27, 2025, Tom Lendacky wrote:
> Supported policy bits are dependent on the level of SEV firmware that is
> currently running. Create an API to return the supported policy bits for
> the current level of firmware.
> 
> Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
> ---

...

> @@ -1014,6 +1031,7 @@ void *snp_alloc_firmware_page(gfp_t mask);
>  void snp_free_firmware_page(void *addr);
>  void sev_platform_shutdown(void);
>  bool sev_is_snp_ciphertext_hiding_supported(void);
> +u64 sev_get_snp_policy_bits(void);
>  
>  #else	/* !CONFIG_CRYPTO_DEV_SP_PSP */
>  
> @@ -1052,6 +1070,8 @@ static inline void sev_platform_shutdown(void) { }
>  
>  static inline bool sev_is_snp_ciphertext_hiding_supported(void) { return false; }
>  
> +static inline u64 sev_get_snp_policy_bits(void) { return 0; }

As called out in the RFC[*], this stub is unnecessary.

[*] https://lore.kernel.org/all/aMHP5EO-ucJGdHXz@google.com
Re: [PATCH v4 2/4] crypto: ccp - Add an API to return the supported SEV-SNP policy bits
Posted by Tom Lendacky 1 month ago
On 11/13/25 12:52, Sean Christopherson wrote:
> On Mon, Oct 27, 2025, Tom Lendacky wrote:
>> Supported policy bits are dependent on the level of SEV firmware that is
>> currently running. Create an API to return the supported policy bits for
>> the current level of firmware.
>>
>> Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
>> ---
> 
> ...
> 
>> @@ -1014,6 +1031,7 @@ void *snp_alloc_firmware_page(gfp_t mask);
>>  void snp_free_firmware_page(void *addr);
>>  void sev_platform_shutdown(void);
>>  bool sev_is_snp_ciphertext_hiding_supported(void);
>> +u64 sev_get_snp_policy_bits(void);
>>  
>>  #else	/* !CONFIG_CRYPTO_DEV_SP_PSP */
>>  
>> @@ -1052,6 +1070,8 @@ static inline void sev_platform_shutdown(void) { }
>>  
>>  static inline bool sev_is_snp_ciphertext_hiding_supported(void) { return false; }
>>  
>> +static inline u64 sev_get_snp_policy_bits(void) { return 0; }
> 
> As called out in the RFC[*], this stub is unnecesary.
> 
> [*] https://lore.kernel.org/all/aMHP5EO-ucJGdHXz@google.com

Ah, sorry, missed that one. Do you want a fix up or do you want to handle it?

Thanks,
Tom
Re: [PATCH v4 2/4] crypto: ccp - Add an API to return the supported SEV-SNP policy bits
Posted by Sean Christopherson 1 month ago
On Thu, Nov 13, 2025, Tom Lendacky wrote:
> On 11/13/25 12:52, Sean Christopherson wrote:
> > On Mon, Oct 27, 2025, Tom Lendacky wrote:
> >> @@ -1014,6 +1031,7 @@ void *snp_alloc_firmware_page(gfp_t mask);
> >>  void snp_free_firmware_page(void *addr);
> >>  void sev_platform_shutdown(void);
> >>  bool sev_is_snp_ciphertext_hiding_supported(void);
> >> +u64 sev_get_snp_policy_bits(void);
> >>  
> >>  #else	/* !CONFIG_CRYPTO_DEV_SP_PSP */
> >>  
> >> @@ -1052,6 +1070,8 @@ static inline void sev_platform_shutdown(void) { }
> >>  
> >>  static inline bool sev_is_snp_ciphertext_hiding_supported(void) { return false; }
> >>  
> >> +static inline u64 sev_get_snp_policy_bits(void) { return 0; }
> > 
> > As called out in the RFC[*], this stub is unnecesary.
> > 
> > [*] https://lore.kernel.org/all/aMHP5EO-ucJGdHXz@google.com
> 
> Ah, sorry, missed that one. Do you want a fix up or do you want to handle it?

No fixup necessary, assuming this goes through kvm-x86.