Commit 275d6d11 authored by Tom Lendacky's avatar Tom Lendacky Committed by Sean Christopherson
Browse files

KVM: SEV: Add known supported SEV-SNP policy bits 



Add to the known supported SEV-SNP policy bits that don't require any
implementation support from KVM in order to successfully use them.

At this time, this includes:
  - CXL_ALLOW
  - MEM_AES_256_XTS
  - RAPL_DIS
  - CIPHERTEXT_HIDING_DRAM
  - PAGE_SWAP_DISABLE

Arguably, RAPL_DIS and CIPHERTEXT_HIDING_DRAM require KVM and the CCP
driver to enable these features in order for the setting of the policy
bits to be successfully handled. But, a guest owner may not wish their
guest to run on a system that doesn't provide support for those features,
so allowing the specification of these bits accomplishes that. Whether
or not the bit is supported by SEV firmware, a system that doesn't support
these features will either fail during the KVM validation of supported
policy bits before issuing the LAUNCH_START or fail during the
LAUNCH_START.

Signed-off-by: default avatarTom Lendacky <thomas.lendacky@amd.com>
Link: https://patch.msgid.link/ec040de9864099cf592a97c201dc4cc110b2b0cf.1761593632.git.thomas.lendacky@amd.com


Signed-off-by: default avatarSean Christopherson <seanjc@google.com>
parent 7a61d613

arch/x86/kvm/svm/sev.c

+16 −6
Original line number Diff line number Diff line
@@ -65,12 +65,22 @@ module_param_named(ciphertext_hiding_asids, nr_ciphertext_hiding_asids, uint, 04 
#define AP_RESET_HOLD_NAE_EVENT		1

#define AP_RESET_HOLD_MSR_PROTO		2



/*

 * SEV-SNP policy bits that can be supported by KVM. These include policy bits

 * that have implementation support within KVM or policy bits that do not

 * require implementation support within KVM to enforce the policy.

 */

#define KVM_SNP_POLICY_MASK_VALID	(SNP_POLICY_MASK_API_MINOR		| \

					 SNP_POLICY_MASK_API_MAJOR		| \

					 SNP_POLICY_MASK_SMT			| \

					 SNP_POLICY_MASK_RSVD_MBO		| \

					 SNP_POLICY_MASK_DEBUG			| \

					 SNP_POLICY_MASK_SINGLE_SOCKET)

					 SNP_POLICY_MASK_SINGLE_SOCKET		| \

					 SNP_POLICY_MASK_CXL_ALLOW		| \

					 SNP_POLICY_MASK_MEM_AES_256_XTS	| \

					 SNP_POLICY_MASK_RAPL_DIS		| \

					 SNP_POLICY_MASK_CIPHERTEXT_HIDING_DRAM	| \

					 SNP_POLICY_MASK_PAGE_SWAP_DISABLE)



static u64 snp_supported_policy_bits __ro_after_init;