git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Tycho Andersen <tycho@kernel.org>
	Thu, 16 Apr 2026 23:23:24 +0000 (16:23 -0700)
committer	Sean Christopherson <seanjc@google.com>
	Wed, 13 May 2026 16:55:53 +0000 (09:55 -0700)
commit	4b28f0846ef6521b47ee95ea7d77c9d40a7baf29
tree	9a5d9284b60c6ddaab42d56e596fb144482cc3bd	tree \| snapshot
parent	acf4d11a35d8bb546e205fe05349f60cfefbff76	commit \| diff

crypto/ccp: export firmware supported vm types

In some configurations, the firmware does not support all VM types. The SEV
firmware has an entry in the TCB_VERSION structure referred to as the
Security Version Number in the SEV-SNP firmware specification and referred
to as the "SPL" in SEV firmware release notes. The SEV firmware release
notes say:

    On every SEV firmware release where a security mitigation has been
    added, the SNP SPL gets increased by 1. This is to let users know that
    it is important to update to this version.

The SEV firmware release that fixed CVE-2025-48514 by disabling SEV-ES
support on vulnerable platforms has this SVN increased to reflect the fix.
The SVN is platform-specific, as is the structure of TCB_VERSION.

Check CURRENT_TCB instead of REPORTED_TCB, since the firmware behaves with
the CURRENT_TCB SVN level and will reject SEV-ES VMs accordingly.

Parse the SVN, and mask off the SEV_ES supported VM type from the list of
supported types if it is above the per-platform threshold for the relevant
platforms.

Signed-off-by: Tycho Andersen (AMD) <tycho@kernel.org>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Tested-by: Tycho Andersen (AMD) <tycho@kernel.org>
Link: https://patch.msgid.link/20260416232329.3408497-3-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>

drivers/crypto/ccp/sev-dev.c		diff \| blob \| blame \| history
include/linux/psp-sev.h		diff \| blob \| blame \| history