From: Tycho Andersen
Date: Thu, 16 Apr 2026 23:23:28 +0000 (-0700)
Subject: KVM: SEV: Don't advertise VM types that are disabled by firmware
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d8355a92df1f016bcb2fdb0cc9fc7bd13b6588dc;p=thirdparty%2Flinux.git

KVM: SEV: Don't advertise VM types that are disabled by firmware

As called out in a footnote for a recent SNP vulnerability[1], it is
possible for a specific flavor of SEV+ to be disabled by the firmware even
when the flavor is fully supported by the CPU and platform:

  Applying mitigation CVE-2025-48514 will result in disabling SEV-ES when
  SEV-SNP is enabled.

Restrict KVM's set of supported VM types based on the VM types that are
fully supported by firmware to avoid over-reporting what KVM can actually
support.

Like KVM's handling of ASID space exhaustion, don't modify KVM's CPUID
capabilities, as the CPU/platform still supports the underlying technology
and clearing e.g. SEV_ES while advertising SEV_SNP would confuse KVM and
userspace.

Link: https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3023.html [1]
Link: https://lore.kernel.org/all/aZyLIWtffvEnmtYh@google.com
Suggested-by: Sean Christopherson
Signed-off-by: Tycho Andersen (AMD)
[sean: rewrite changelog to provide details on why/how this can happen]
Reviewed-by: Tom Lendacky
Tested-by: Tycho Andersen (AMD)
Link: https://patch.msgid.link/20260416232329.3408497-7-seanjc@google.com
Signed-off-by: Sean Christopherson
---
diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index 105d95034cae..145d0c54d955 100644 --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c @@ -3202,6 +3202,7 @@ out: vm_types |= BIT(KVM_X86_SEV_ES_VM); if (sev_snp_supported) vm_types |= BIT(KVM_X86_SNP_VM); + vm_types &= sev_firmware_supported_vm_types(); kvm_caps.supported_vm_types |= vm_types;
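Review bot: the new `vm_types &= sev_firmware_supported_vm_types();` drops VM types silently, and since the whole point of this change is that the CPU and platform still advertise e.g. SEV-ES while firmware has disabled it, an administrator who finds KVM_X86_SEV_ES_VM missing from kvm_caps.supported_vm_types has nothing in this path telling them why. Consider computing the dropped bits before masking (e.g. `dropped = vm_types & ~sev_firmware_supported_vm_types();`) and emitting a pr_info naming them when non-zero, mirroring the existing treatment of ASID exhaustion the changelog cites. Two things also worth confirming in review: `sev_firmware_supported_vm_types()` is not defined in this hunk, so it must come from an earlier patch in the series (this is 7 of the series per the patch link), and every downstream VM-type check must go through kvm_caps.supported_vm_types rather than the `sev_snp_supported`-style flags left untouched here, otherwise the restriction is only advisory and a VM of a firmware-disabled type can still be created.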