KVM: SEV: Add known supported SEV-SNP policy bits
authorTom Lendacky <thomas.lendacky@amd.com>
Mon, 27 Oct 2025 19:33:52 +0000 (14:33 -0500)
committerSean Christopherson <seanjc@google.com>
Fri, 14 Nov 2025 18:30:12 +0000 (10:30 -0800)
Add to the known supported SEV-SNP policy bits those that don't require any
implementation support from KVM in order to be used successfully.

At this time, this includes:
  - CXL_ALLOW
  - MEM_AES_256_XTS
  - RAPL_DIS
  - CIPHERTEXT_HIDING_DRAM
  - PAGE_SWAP_DISABLE

Arguably, RAPL_DIS and CIPHERTEXT_HIDING_DRAM require KVM and the CCP
driver to enable these features in order for the setting of the policy
bits to be successfully handled. But, a guest owner may not wish their
guest to run on a system that doesn't provide support for those features,
so allowing the specification of these bits accomplishes that. Whether
or not the bit is supported by SEV firmware, a system that doesn't support
these features will either fail during the KVM validation of supported
policy bits before issuing the LAUNCH_START or fail during the
LAUNCH_START.

Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
Link: https://patch.msgid.link/ec040de9864099cf592a97c201dc4cc110b2b0cf.1761593632.git.thomas.lendacky@amd.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
arch/x86/kvm/svm/sev.c

index a425674fe993169f3293653a19e75b26bfe3c026..f59c65abe3cfade5f774e910247222eec7ce3722 100644 (file)
@@ -65,12 +65,22 @@ module_param_named(ciphertext_hiding_asids, nr_ciphertext_hiding_asids, uint, 04
 #define AP_RESET_HOLD_NAE_EVENT                1
 #define AP_RESET_HOLD_MSR_PROTO                2
 
-#define KVM_SNP_POLICY_MASK_VALID      (SNP_POLICY_MASK_API_MINOR      | \
-                                        SNP_POLICY_MASK_API_MAJOR      | \
-                                        SNP_POLICY_MASK_SMT            | \
-                                        SNP_POLICY_MASK_RSVD_MBO       | \
-                                        SNP_POLICY_MASK_DEBUG          | \
-                                        SNP_POLICY_MASK_SINGLE_SOCKET)
+/*
+ * SEV-SNP policy bits that can be supported by KVM. These include policy bits
+ * that have implementation support within KVM or policy bits that do not
+ * require implementation support within KVM to enforce the policy.
+ */
+#define KVM_SNP_POLICY_MASK_VALID      (SNP_POLICY_MASK_API_MINOR              | \
+                                        SNP_POLICY_MASK_API_MAJOR              | \
+                                        SNP_POLICY_MASK_SMT                    | \
+                                        SNP_POLICY_MASK_RSVD_MBO               | \
+                                        SNP_POLICY_MASK_DEBUG                  | \
+                                        SNP_POLICY_MASK_SINGLE_SOCKET          | \
+                                        SNP_POLICY_MASK_CXL_ALLOW              | \
+                                        SNP_POLICY_MASK_MEM_AES_256_XTS        | \
+                                        SNP_POLICY_MASK_RAPL_DIS               | \
+                                        SNP_POLICY_MASK_CIPHERTEXT_HIDING_DRAM | \
+                                        SNP_POLICY_MASK_PAGE_SWAP_DISABLE)
 
 static u64 snp_supported_policy_bits __ro_after_init;