git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Paolo Bonzini <pbonzini@redhat.com>
	Sat, 9 Mar 2024 16:24:58 +0000 (11:24 -0500)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Wed, 3 Apr 2024 13:28:41 +0000 (15:28 +0200)
commit	4577036353fad3380774f8bdf68f5204d685b9c8
tree	c66e3f250026aebac2915c56f5d770ef030bc318	tree
parent	12f8e32a5a389a5d58afc67728c76e61beee1ad4	commit \| diff

SEV: disable SEV-ES DebugSwap by default

commit 5abf6dceb066f2b02b225fd561440c98a8062681 upstream.

The DebugSwap feature of SEV-ES provides a way for confidential guests to use
data breakpoints.  However, because the status of the DebugSwap feature is
recorded in the VMSA, enabling it by default invalidates the attestation
signatures.  In 6.10 we will introduce a new API to create SEV VMs that
will allow enabling DebugSwap based on what the user tells KVM to do.
Contextually, we will change the legacy KVM_SEV_ES_INIT API to never
enable DebugSwap.

For compatibility with kernels that pre-date the introduction of DebugSwap,
as well as with those where KVM_SEV_ES_INIT will never enable it, do not enable
the feature by default.  If anybody wants to use it, for now they can enable
the sev_es_debug_swap_enabled module parameter, but this will result in a
warning.

Fixes: d1f85fbe836e ("KVM: SEV: Enable data breakpoints in SEV-ES")
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>