From: "Tycho Andersen (AMD)" <[email protected]> Recent SEV firmware [1] does not support SEV-ES VMs when SNP is enabled. Expose this by revoking VM-types that are not supported by the current configurations either from firmware restrictions or ASID configuration.
My previous version of this patch series [2] used SNP_VERIFY_MITIGATION to test for a mitigation bit. While AMD-SB-3023 says that there is a mitigation bit (3) for CVE-2025-48514, bit 3 corresponds to an unrelated issue. The correct way to check for this is to use the SVN/SPL from the TCB. We are in the process of updating the SB to reflect this. changelog from v1: * compare SVN as above * fix commit message prefixes * supported_vm_types local is a u32 * move crypto stuff before KVM stuff in the event of patch tetris [1]: https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3023.html [2]: https://lore.kernel.org/all/[email protected]/ Tycho Andersen (AMD) (5): crypto/ccp: hoist kernel part of SNP_PLATFORM_STATUS crypto/ccp: export firmware supported vm types KVM: SEV: don't expose unusable VM types KVM: SEV: mask off firmware unsupported vm types KVM: selftests: teach sev_*_test about revoking VM types arch/x86/kvm/svm/sev.c | 15 ++- drivers/crypto/ccp/sev-dev.c | 101 ++++++++++++++++-- include/linux/psp-sev.h | 37 +++++++ .../selftests/kvm/x86/sev_init2_tests.c | 14 ++- .../selftests/kvm/x86/sev_migrate_tests.c | 2 +- .../selftests/kvm/x86/sev_smoke_test.c | 4 +- 6 files changed, 151 insertions(+), 22 deletions(-) base-commit: c369299895a591d96745d6492d4888259b004a9e -- 2.53.0
