Re: [PATCH v2 1/4] KVM: SEV: Do not allow intra-host migration/mirroring of SNP VMs

[Atish Patra]

On 6/2/26 7:38 AM, Tom Lendacky wrote:
> On 6/1/26 18:04, Atish Patra wrote:
> > From: Atish Patra <atishp@xxxxxxxx>
> >
> > The intra-host migration/mirroring feature is not fully implemented for
> > SEV-SNP VMs. The proper migration requires additional SNP-specific
> > state such as guest_req_mutex, guest_req_buf, and guest_resp_buf to be
> > transferred or initialized on the destination.
> >
> > The SNP VM mirroring requires vmsa features to be copied as well otherwise
> > ASID would be bound to SNP range while VM is detected as a SEV VM.
> >
> > Reject SNP source VMs in migration/mirroring until proper SNP state
> > transfer is implemented.
> >
> > Fixes: 0b020f5af092 ("KVM: SEV: Add support for SEV-ES intra host migration")
> Probably not the correct Fixes: tag. It should the tag that first
> introduces SNP hypervisor support.

Ahh yes. Fixed.

> And adding a comment above the if statements that indicate additional
> support is required for SNP, so don't allow it for now, would be nice.
Added.
> Otherwise, for the actual code...
>
> Reviewed-by: Tom Lendacky <thomas.lendacky@xxxxxxx>
>
> > Reported-by: Chris Mason <clm@xxxxxxxx>
> > Reported-by: Sashiko <sashiko-bot@xxxxxxxxxx>
> > Assisted-by: Claude:claude-opus-4-6
> > Signed-off-by: Atish Patra <atishp@xxxxxxxx>
> > ---
> >   arch/x86/kvm/svm/sev.c | 4 +++-
> >   1 file changed, 3 insertions(+), 1 deletion(-)
> >
> > diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
> > index c2126b3c3072..e6ad6af128c9 100644
> > --- a/arch/x86/kvm/svm/sev.c
> > +++ b/arch/x86/kvm/svm/sev.c
> > @@ -2142,7 +2142,8 @@ int sev_vm_move_enc_context_from(struct kvm *kvm, unsigned int source_fd)
> >   		return ret;
> >   
> >   	if (kvm->arch.vm_type != source_kvm->arch.vm_type ||
> > -	    sev_guest(kvm) || !sev_guest(source_kvm)) {
> > +	    sev_guest(kvm) || !sev_guest(source_kvm) ||
> > +	    sev_snp_guest(source_kvm)) {
> >   		ret = -EINVAL;
> >   		goto out_unlock;
> >   	}
> > @@ -2865,6 +2866,7 @@ int sev_vm_copy_enc_context_from(struct kvm *kvm, unsigned int source_fd)
> >   	 * created after SEV/SEV-ES initialization, e.g. to init intercepts.
> >   	 */
> >   	if (sev_guest(kvm) || !sev_guest(source_kvm) ||
> > +	    sev_snp_guest(source_kvm) ||
> >   	    is_mirroring_enc_context(source_kvm) || kvm->created_vcpus) {
> >   		ret = -EINVAL;
> >   		goto e_unlock;