From: Tom Lendacky <thomas.lendacky@amd.com>
To: Naveen N Rao <naveen@kernel.org>,
	Michael Roth <michael.roth@amd.com>,
	Sean Christopherson <seanjc@google.com>
Cc: "Paolo Bonzini" <pbonzini@redhat.com>,
	qemu-devel <qemu-devel@nongnu.org>,
	"Daniel P. Berrangé" <berrange@redhat.com>,
	"Eduardo Habkost" <eduardo@habkost.net>,
	"Eric Blake" <eblake@redhat.com>,
	"Markus Armbruster" <armbru@redhat.com>,
	"Marcelo Tosatti" <mtosatti@redhat.com>,
	"Zhao Liu" <zhao1.liu@intel.com>,
	"Nikunj A Dadhania" <nikunj@amd.com>,
	"Roy Hopkins" <roy.hopkins@randomman.co.uk>,
	"Srikanth Aithal" <srikanth.aithal@amd.com>,
	"Joerg Roedel" <joro@8bytes.org>
Subject: Re: [RFC PATCH] target/i386: SEV: Allow pflash devices with SEV-ES guests
Date: Wed, 10 Jun 2026 09:52:52 -0500
Message-ID: <1850ceaf-dfd0-43e6-a799-0da08e2b0bda@amd.com>
In-Reply-To: <88d332b0-8756-444a-9d32-53299a0ebfa8@amd.com>

On 6/10/26 09:52, Tom Lendacky wrote:
> On 6/10/26 06:30, Naveen N Rao wrote:
>> [+Sean]
>>
>> Hi Mike,
>>
>> On Tue, Jun 09, 2026 at 07:35:46PM -0500, Michael Roth wrote:
>>> On Tue, Jun 02, 2026 at 12:42:13PM +0530, Naveen N Rao (AMD) wrote:
>>>> KVM commit 66155de93bcf ("KVM: x86: Disallow read-only memslots for
>>>> SEV-ES and SEV-SNP (and TDX)"), and the subsequent commit d30d9ee94cc0
>>>> ("KVM: x86: Only advertise KVM_CAP_READONLY_MEM when supported by VM")
>>>> stopped advertising KVM_CAP_READONLY_MEM support for encrypted guests
>>>> (KVM_X86_SEV_ES_VM and KVM_X86_SNP_VM), but not for KVM_X86_DEFAULT_VM
>>>> type SEV-ES guests. As a result of this, it is no longer possible to
>>>> start SEV-ES guests with any SEV feature enabled (in particular,
>>>> debug-swap) with pflash devices.
>>>>
>>>> This is an issue since SEV-ES guests have historically used pflash
>>>> devices for OVMF. Guests on older KVM+Qemu are able to enable debug-swap
>>>> while using pflash devices, so work around the KVM limitation by
>>>> switching to using a VMA-based write protection. This allows
>>>> well-behaved SEV-ES guests to continue to work with pflash devices and
>>>> enable debug-swap. Mis-behaving guests trying to write to the protected
>>>> OVMF area will be killed.
>>>
>>> Based on Sean's description, a write access to a read-only memslot would
>>> cause the vCPU to permanently spin on #NPFs if trying to write to it as
>>> MMIO due to #VC handler not triggering, and that's why we don't support
>>> read-only memslots. But since SEV-ES was previously working with pflash,
>>> it seems like it does not rely on this functionality...
>>
>> Right, normal well-behaved SEV-ES/SNP guests work just fine as they 
>> don't write to any of the read-only areas.
> 
> Yes they do. There is specific support to make a direct GHCB MMIO
> request because of the lack of the #VC exception (see
> OvmfPkg/QemuFlashFvbServicesRuntimeDxe/QemuFlashDxe.c).

Specifically the QemuFlashPtrWrite() function.

Thanks,
Tom

> 
> Thanks,
> Tom
> 

