From: Paolo Bonzini Date: Tue, 30 Sep 2025 17:34:32 +0000 (-0400) Subject: Merge tag 'kvm-x86-ciphertext-6.18' of https://github.com/kvm-x86/linux into HEAD X-Git-Tag: v6.18-rc1~55^2~7 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=10ef74c06bb1f51e706018f2939722e881192eff;p=thirdparty%2Fkernel%2Flinux.git Merge tag 'kvm-x86-ciphertext-6.18' of https://github.com/kvm-x86/linux into HEAD KVM SEV-SNP CipherText Hiding support for 6.18 Add support for SEV-SNP's CipherText Hiding, an opt-in feature that prevents unauthorized CPU accesses from reading the ciphertext of SNP guest private memory, e.g. to attempt an offline attack. Instead of ciphertext, the CPU will always read back all FFs when CipherText Hiding is enabled. Add new module parameter to the KVM module to enable CipherText Hiding and control the number of ASIDs that can be used for VMs with CipherText Hiding, which is in effect the number of SNP VMs. When CipherText Hiding is enabled, the shared SEV-ES/SEV-SNP ASID space is split into separate ranges for SEV-ES and SEV-SNP guests, i.e. ASIDs that can be used for CipherText Hiding cannot be used to run SEV-ES guests. --- 10ef74c06bb1f51e706018f2939722e881192eff diff --cc arch/x86/kvm/svm/sev.c index 81ee31481eaa7,01345b73f8796..aacfbffa3af5b --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c @@@ -451,10 -450,18 +472,10 @@@ static int __sev_guest_init(struct kvm sev->vmsa_features = data->vmsa_features; sev->ghcb_version = data->ghcb_version; - /* - * Currently KVM supports the full range of mandatory features defined - * by version 2 of the GHCB protocol, so default to that for SEV-ES - * guests created via KVM_SEV_INIT2. - */ - if (sev->es_active && !sev->ghcb_version) - sev->ghcb_version = GHCB_VERSION_DEFAULT; - - if (vm_type == KVM_X86_SNP_VM) + if (snp_active) sev->vmsa_features |= SVM_SEV_FEAT_SNP_ACTIVE; - ret = sev_asid_new(sev); + ret = sev_asid_new(sev, vm_type); if (ret) goto e_no_asid;