[PATCH v3 3/6] KVM: SEV: Disallow setting SNP-only features for non-SNP guests via a single mask
From: Kim Phillips
Date: Thu Apr 02 2026 - 16:28:31 EST
As SNP-only features get added, adding them to the valid_vmsa_features mask
in __sev_guest_init() often gets neglected. Add SVM_SEV_FEAT_SNP_ONLY_MASK
to help group these common features together.
Suggested-by: Sean Christopherson <seanjc@xxxxxxxxxx>
Cc: Borislav Petkov (AMD) <bp@xxxxxxxxx>
Link: https://lore.kernel.org/kvm/aaWog_UjW-M3412C@xxxxxxxxxx/
Signed-off-by: Kim Phillips <kim.phillips@xxxxxxx>
---
v3: new
arch/x86/include/asm/svm.h | 2 ++
arch/x86/kvm/svm/sev.c | 2 +-
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/arch/x86/include/asm/svm.h b/arch/x86/include/asm/svm.h
index edde36097ddc..7e3f9d92351a 100644
--- a/arch/x86/include/asm/svm.h
+++ b/arch/x86/include/asm/svm.h
@@ -307,6 +307,8 @@ static_assert((X2AVIC_4K_MAX_PHYSICAL_ID & AVIC_PHYSICAL_MAX_INDEX_MASK) == X2AV
#define SVM_SEV_FEAT_DEBUG_SWAP BIT(5)
#define SVM_SEV_FEAT_SECURE_TSC BIT(9)
+#define SVM_SEV_FEAT_SNP_ONLY_MASK SVM_SEV_FEAT_SECURE_TSC
+
#define VMCB_ALLOWED_SEV_FEATURES_VALID BIT_ULL(63)
struct vmcb_seg {
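Review bot: The new SVM_SEV_FEAT_SNP_ONLY_MASK define in svm.h carries no comment saying that every feature bit valid only for SNP guests must be OR'ed into it, which is the omission the changelog sets out to prevent. A short comment directly above the define, next to the SVM_SEV_FEAT_* bits, would put that rule where new bits get added. Once a second bit joins the mask, the value also needs enclosing parentheses, for example (SVM_SEV_FEAT_SECURE_TSC | ...), because sev.c applies ~ directly to the macro and an unparenthesized OR would negate only the first term.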
diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
index 3f9c1aa39a0a..2b4f3c05e282 100644
--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -456,7 +456,7 @@ static int __sev_guest_init(struct kvm *kvm, struct kvm_sev_cmd *argp,
return -EINVAL;
if (!snp_active)
- valid_vmsa_features &= ~SVM_SEV_FEAT_SECURE_TSC;
+ valid_vmsa_features &= ~SVM_SEV_FEAT_SNP_ONLY_MASK;
if (data->vmsa_features & ~valid_vmsa_features)
return -EINVAL;
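Review bot: On the changed line under if (!snp_active) in __sev_guest_init(), the mask expands to SVM_SEV_FEAT_SECURE_TSC alone, so the set of vmsa_features rejected for non-SNP guests is identical before and after, while the subject line reads as if a new restriction is introduced. Consider stating in the changelog that no functional change is intended. The following check, data->vmsa_features & ~valid_vmsa_features returning -EINVAL, remains the only enforcement point, so it rejects SNP-only features for non-SNP guests only as far as the mask in svm.h is kept complete.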
--
2.43.0