Re: [PATCH v3 6/7] KVM: SEV: Don't advertise VM types that are disabled by firmware
From: Tom Lendacky
Date: Fri Apr 17 2026 - 10:40:17 EST
On 4/16/26 18:23, Sean Christopherson wrote:
> From: Tycho Andersen <tycho@xxxxxxxxxx>
>
> As called out in a footnote for a recent SNP vulnerability[1], it is
> possible for a specific flavor of SEV+ to be disabled by the firmware even
> when the flavor is fully supported by the CPU and platform:
>
> Applying mitigation CVE-2025-48514 will result in disabling SEV-ES when
> SEV-SNP is enabled.
>
> Restrict KVM's set of supported VM types based on the VM types that are
> fully supported by firmware to avoid over-reporting what KVM can actually
> support. Like KVM's handling of ASID space exhaustion, don't modify KVM's
> CPUID capabilities, as the CPU/platform still supports the underlying
> technology and clearing e.g. SEV_ES while advertising SEV_SNP would confuse
> KVM and userspace.
>
> Link: https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3023.html [1]
> Link: https://lore.kernel.org/all/aZyLIWtffvEnmtYh@xxxxxxxxxx
> Suggested-by: Sean Christopherson <seanjc@xxxxxxxxxx>
> Signed-off-by: Tycho Andersen (AMD) <tycho@xxxxxxxxxx>
> [sean: rewrite changelog to provide details on why/how this can happen]
> Signed-off-by: Sean Christopherson <seanjc@xxxxxxxxxx>
That added line gets a little lost to my eyes by not having a blank line
in between, but that's just me :)
Reviewed-by: Tom Lendacky <thomas.lendacky@xxxxxxx>
> ---
> arch/x86/kvm/svm/sev.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
> index 0971cf652b0b..ab386aa0c284 100644
> --- a/arch/x86/kvm/svm/sev.c
> +++ b/arch/x86/kvm/svm/sev.c
> @@ -3202,6 +3202,7 @@ void __init sev_hardware_setup(void)
> vm_types |= BIT(KVM_X86_SEV_ES_VM);
> if (sev_snp_supported)
> vm_types |= BIT(KVM_X86_SNP_VM);
> + vm_types &= sev_firmware_supported_vm_types();
>
> kvm_caps.supported_vm_types |= vm_types;
>
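Review bot: the new `vm_types &= sev_firmware_supported_vm_types();` line carries none of the changelog's rationale into the code, and `sev_firmware_supported_vm_types()` is not defined in this hunk, so a reader of sev_hardware_setup() will not see why the firmware mask is applied here while the SEV_ES/SEV_SNP CPUID capabilities are deliberately left untouched. Suggest a short comment above the line, e.g. `/* Firmware may disable a flavor the CPU supports (e.g. SEV-ES when SNP is enabled); mask the VM types but leave CPUID as is. */`, and a note in the changelog naming the patch in this series that introduces the helper, so the series can be reviewed without guessing that it returns a mask of KVM_X86_*_VM bits (clearing KVM_X86_SEV_ES_VM while keeping KVM_X86_SNP_VM for the CVE-2025-48514 case described above).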