KVM: SEV: Configure "ALLOWED_SEV_FEATURES" VMCB Field
author    Kim Phillips <kim.phillips@amd.com>  Mon, 10 Mar 2025 20:16:03 +0000 (15:16 -0500)
committer Sean Christopherson <seanjc@google.com>  Fri, 25 Apr 2025 23:19:55 +0000 (16:19 -0700)
commit    b6bc164f41dbee11a4f2913f8fda22066689aa95
tree      43ccc4e94c17a13deda571a46f03449445e9d2cf
parent    f9f27c4a377a8b45d6ece79279846b4fb3e27c96

AMD EPYC 5th generation processors have introduced a feature that allows
the hypervisor to control the SEV_FEATURES that are set for, or by, a
guest [1].  ALLOWED_SEV_FEATURES can be used by the hypervisor to enforce
that SEV-ES and SEV-SNP guests cannot enable features that the
hypervisor does not want to be enabled.

Always enable ALLOWED_SEV_FEATURES.  A VMRUN will fail if any
non-reserved bits are 1 in SEV_FEATURES but are 0 in
ALLOWED_SEV_FEATURES.

Some SEV_FEATURES - currently PmcVirtualization and SecureAvic
(see Appendix B, Table B-4) - require an opt-in via ALLOWED_SEV_FEATURES,
i.e. are off-by-default, whereas all other features are effectively
on-by-default, but still honor ALLOWED_SEV_FEATURES.

[1] Section 15.36.20 "Allowed SEV Features", AMD64 Architecture
    Programmer's Manual, Pub. 24593 Rev. 3.42 - March 2024:
    https://bugzilla.kernel.org/attachment.cgi?id=306250

Co-developed-by: Kishon Vijay Abraham I <kvijayab@amd.com>
Signed-off-by: Kishon Vijay Abraham I <kvijayab@amd.com>
Reviewed-by: Pankaj Gupta <pankaj.gupta@amd.com>
Signed-off-by: Kim Phillips <kim.phillips@amd.com>
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Link: https://lore.kernel.org/r/20250310201603.1217954-3-kim.phillips@amd.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
arch/x86/include/asm/svm.h
arch/x86/kvm/svm/sev.c
arch/x86/kvm/svm/svm.c