git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Sean Christopherson <seanjc@google.com>
	Tue, 10 Mar 2026 23:48:12 +0000 (16:48 -0700)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Wed, 22 Apr 2026 11:30:49 +0000 (13:30 +0200)
commit	e00ef00eb7f9b2be18516fa3732377ffe3ecaf6d
tree	a9af7ec3bee72d29c17af81fbfe1f49179672001	tree \| snapshot
parent	ab725ac3022469ecd4d7aa7d5646712e98b249d8	commit \| diff

KVM: SEV: Disallow LAUNCH_FINISH if vCPUs are actively being created

commit 624bf3440d7214b62c22d698a0a294323f331d5d upstream.

Reject LAUNCH_FINISH for SEV-ES and SNP VMs if KVM is actively creating
one or more vCPUs, as KVM needs to process and encrypt each vCPU's VMSA.
Letting userspace create vCPUs while LAUNCH_FINISH is in-progress is
"fine", at least in the current code base, as kvm_for_each_vcpu() operates
on online_vcpus, LAUNCH_FINISH (all SEV+ sub-ioctls) holds kvm->mutex, and
fully onlining a vCPU in kvm_vm_ioctl_create_vcpu() is done under
kvm->mutex. I.e. there's no difference between an in-progress vCPU and a
vCPU that is created entirely after LAUNCH_FINISH.

However, given that concurrent LAUNCH_FINISH and vCPU creation can't
possibly work (for any reasonable definition of "work"), since userspace
can't guarantee whether a particular vCPU will be encrypted or not,
disallow the combination as a hardening measure, to reduce the probability
of introducing bugs in the future, and to avoid having to reason about the
safety of future changes related to LAUNCH_FINISH.

Cc: Jethro Beekman <jethro@fortanix.com>
Closes: https://lore.kernel.org/all/b31f7c6e-2807-4662-bcdd-eea2c1e132fa@fortanix.com
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260310234829.2608037-5-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

arch/x86/kvm/svm/sev.c		diff \| blob \| blame \| history
include/linux/kvm_host.h		diff \| blob \| blame \| history