Commit 4dd5ecac authored Apr 04, 2024 by Paolo Bonzini

KVM: SEV: allow SEV-ES DebugSwap again

The DebugSwap feature of SEV-ES provides a way for confidential guests
to use data breakpoints. Its status is record in VMSA, and therefore
attestation signatures depend on whether it is enabled or not. In order
to avoid invalidating the signatures depending on the host machine, it
was disabled by default (see commit 5abf6dce, "SEV: disable SEV-ES
DebugSwap by default", 2024-03-09).

However, we now have a new API to create SEV VMs that allows enabling
DebugSwap based on what the user tells KVM to do, and we also changed the
legacy KVM_SEV_ES_INIT API to never enable DebugSwap. It is therefore
possible to re-enable the feature without breaking compatibility with
kernels that pre-date the introduction of DebugSwap, so go ahead.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-ID: <20240404121327.3107131-14-pbonzini@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

parent 4f5defae

arch/x86/kvm/svm/sev.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -45,7 +45,7 @@ static bool sev_es_enabled = true;
		module_param_named(sev_es, sev_es_enabled, bool, 0444);

		/* enable/disable SEV-ES DebugSwap support */
		static bool sev_es_debug_swap_enabled = false;
		static bool sev_es_debug_swap_enabled = true;
		module_param_named(debug_swap, sev_es_debug_swap_enabled, bool, 0444);
		static u64 sev_supported_vmsa_features;