Re: [PATCH v3 0/7] KVM: SEV: Don't advertise unusable VM types
From: Tycho Andersen
Date: Fri Apr 17 2026 - 11:14:48 EST

On Thu, Apr 16, 2026 at 04:23:22PM -0700, Sean Christopherson wrote:
> My preference would be to take this through the KVM tree, with acks on the
> crypto patches. I'd also be a-ok with a stable branch/tag of the crypto
> changes.
>
> In the words of Tycho:
>
> Recent SEV firmware [1] does not support SEV-ES VMs when SNP is enabled.
> Expose this by revoking VM-types that are not supported by the current
> configurations either from firmware restrictions or ASID configuration.
>
> My previous version of this patch series [2] used SNP_VERIFY_MITIGATION
> to test for a mitigation bit. While AMD-SB-3023 says that there is a
> mitigation bit (3) for CVE-2025-48514, bit 3 corresponds to an unrelated
> issue. The correct way to check for this is to use the SVN/SPL from the
> TCB. We are in the process of updating the SB to reflect this.

I re-ran my matrix of firmware tests:

Tested-by: Tycho Andersen (AMD) <tycho@xxxxxxxxxx>

Thanks for cleaning this up.

Tycho