vmspawn: use EPYC-v4 cpu for SNP

SNP requires a named, stable CPU model so the launch measurement is
reproducible across hosts. EPYC-v4 is the baseline that covers all
SNP-capable processors (Milan and later).

Signed-off-by: Paul Meyer <katexochen0@gmail.com>

diff --git a/src/vmspawn/vmspawn.c b/src/vmspawn/vmspawn.c
index e52e9d9852b8218bc37ac614e6a7b2df3d30bac9..73f2a19eef1ecbc32027751579efe02c707efbd4 100644 (file)
--- a/src/vmspawn/vmspawn.c
+++ b/src/vmspawn/vmspawn.c
@@ -2944,14 +2944,17 @@ static int run_virtual_machine(int kvm_device_fd, int vhost_device_fd) {
                 config.vsock.cid = child_cid;
         }
 
-        /* -cpu stays on cmdline since not all flags are supported in config */
-        r = strv_extend_many(&cmdline, "-cpu",
+        /* -cpu stays on cmdline since not all flags are supported in config. SNP needs a stable,
+         * named CPU model so the launch measurement is reproducible across hosts; EPYC-v4 is the
+         * baseline that covers all SNP-capable processors (Milan and later). */
+        const char *cpu_model =
 #ifdef __x86_64__
-                             "max,hv_relaxed,hv-vapic,hv-time"
+                arg_confidential_computing == COCO_AMD_SEV_SNP ? "EPYC-v4"
+                                                             : "max,hv_relaxed,hv-vapic,hv-time";
 #else
-                             "max"
+                "max";
 #endif
-        );
+        r = strv_extend_many(&cmdline, "-cpu", cpu_model);
         if (r < 0)
                 return log_oom();