Re: [PATCH v8 3/7] crypto/ccp: Disable CPU hotplug while SNP is active
From: Ackerley Tng
Date: Tue Jun 23 2026 - 13:49:02 EST
Jethro Beekman <jethro@xxxxxxxxxxxx> writes:
> On 2026-06-15 21:49, Ashish Kalra wrote:
>> From: Ashish Kalra <ashish.kalra@xxxxxxx>
>>
>> The SEV firmware enumerates the CPUs at SNP initialization and is not
>> aware of the OS bringing CPUs online or offline afterwards, so OS CPU
>> hotplug can diverge from the firmware's expectations and break SNP.
>> Disable CPU hotplug while SNP is active.
>
> I think this is too broad. If I have a hypervisor that supports SNP virtualization, a (non-confidential) L1 guest running Linux should still support CPU hotplug while also running confidential L2 guests.
>
> --
> Jethro Beekman | CTO | Fortanix
>
Were any other solutions considered other than disabling CPU hotplug?

Is this temporary until something else is implemented?

I'm not sure how commonly CPU hotplug is used, and if people are okay
with trading in CPU hotplug to get SNP.

Is it that fundamentally the SEV firmware can't support hotplug, so
there's no point in keeping it enabled anyway?

Is there some way of supporting hotplug for CPUs that won't be used with
SNP, for serving non-SNP VMs on the same host as SNP VMs, or is that too
complicated?
>>
>> [...snip...]
>>