[PATCH 09/21] KVM: SEV: Document the SEV-ES check when querying SMM support as "safe"
From: Sean Christopherson
Date: Tue Mar 10 2026 - 19:50:05 EST
Use the "unsafe" API to check for an SEV-ES+ guest when determining whether
or not SMBASE is a supported MSR, i.e. whether or not emulated SMM is
supported. This will eventually allow adding lockdep assertings to the
APIs for detecting SEV+ VMs without triggering "real" false positives.
While svm_has_emulated_msr() doesn't hold kvm->lock, i.e. can get both
false positives *and* false negatives, both are completely fine, as the
only time the result isn't stable is when userspace is the sole consumer
of the result. I.e. userspace can confuse itself, but that's it.
No functional change intended.
Signed-off-by: Sean Christopherson <seanjc@xxxxxxxxxx>
---
arch/x86/kvm/svm/svm.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
index 0a1acc21b133..bd0c497c6040 100644
--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -4487,9 +4487,17 @@ static bool svm_has_emulated_msr(struct kvm *kvm, u32 index)
case MSR_IA32_SMBASE:
if (!IS_ENABLED(CONFIG_KVM_SMM))
return false;
- /* SEV-ES guests do not support SMM, so report false */
- if (kvm && sev_es_guest(kvm))
+
+#ifdef CONFIG_KVM_AMD_SEV
+ /*
+ * KVM can't access register state to emulate SMM for SEV-ES
+ * guests. Conusming stale data here is "fine", as KVM only
+ * checks for MSR_IA32_SMBASE support without a vCPU when
+ * userspace is querying KVM_CAP_X86_SMM.
+ */
+ if (kvm && ____sev_es_guest(kvm))
return false;
+#endif
break;
default:
break;
--
2.53.0.473.g4a7958ca14-goog