KVM: SEV: Publish supported SEV-SNP policy bits

Define the set of policy bits that KVM currently knows as not requiring
any implementation support within KVM. Provide this value to userspace
via the KVM_GET_DEVICE_ATTR ioctl.

Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
Link: https://patch.msgid.link/c596f7529518f3f826a57970029451d9385949e5.1761593632.git.thomas.lendacky@amd.com
Signed-off-by: Sean Christopherson <seanjc@google.com>

diff --git a/arch/x86/include/uapi/asm/kvm.h b/arch/x86/include/uapi/asm/kvm.h
index d420c9c066d48c9836854a12436e13b4d6aa9d35..7ceff65836525c7490b718d0d9211f2cd4aa57da 100644 (file)
--- a/arch/x86/include/uapi/asm/kvm.h
+++ b/arch/x86/include/uapi/asm/kvm.h
@@ -502,6 +502,7 @@ struct kvm_sync_regs {
 /* vendor-specific groups and attributes for system fd */
 #define KVM_X86_GRP_SEV                        1
 #  define KVM_X86_SEV_VMSA_FEATURES    0
+#  define KVM_X86_SNP_POLICY_BITS      1
 
 struct kvm_vmx_nested_state_data {
        __u8 vmcs12[KVM_STATE_NESTED_VMX_VMCS_SIZE];

diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
index f04589ae76bb5d489bcd631bb3c362e6a4a438ae..a425674fe993169f3293653a19e75b26bfe3c026 100644 (file)
--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -72,6 +72,8 @@ module_param_named(ciphertext_hiding_asids, nr_ciphertext_hiding_asids, uint, 04
                                         SNP_POLICY_MASK_DEBUG          | \
                                         SNP_POLICY_MASK_SINGLE_SOCKET)
 
+static u64 snp_supported_policy_bits __ro_after_init;
+
 #define INITIAL_VMSA_GPA 0xFFFFFFFFF000
 
 static u8 sev_enc_bit;
@@ -2135,6 +2137,10 @@ int sev_dev_get_attr(u32 group, u64 attr, u64 *val)
                *val = sev_supported_vmsa_features;
                return 0;
 
+       case KVM_X86_SNP_POLICY_BITS:
+               *val = snp_supported_policy_bits;
+               return 0;
+
        default:
                return -ENXIO;
        }
@@ -2199,7 +2205,7 @@ static int snp_launch_start(struct kvm *kvm, struct kvm_sev_cmd *argp)
        if (params.flags)
                return -EINVAL;
 
-       if (params.policy & ~KVM_SNP_POLICY_MASK_VALID)
+       if (params.policy & ~snp_supported_policy_bits)
                return -EINVAL;
 
        /* Check for policy bits that must be set */
@@ -3092,8 +3098,11 @@ out:
                else if (sev_snp_supported)
                        sev_snp_supported = is_sev_snp_initialized();
 
-               if (sev_snp_supported)
+               if (sev_snp_supported) {
+                       snp_supported_policy_bits = sev_get_snp_policy_bits() &
+                                                   KVM_SNP_POLICY_MASK_VALID;
                        nr_ciphertext_hiding_asids = init_args.max_snp_asid;
+               }
 
                /*
                 * If ciphertext hiding is enabled, the joint SEV-ES/SEV-SNP