From: Tycho Andersen <tycho@kernel.org>
To: Sean Christopherson <seanjc@google.com>,
Paolo Bonzini <pbonzini@redhat.com>,
Thomas Gleixner <tglx@kernel.org>, Ingo Molnar <mingo@redhat.com>,
Borislav Petkov <bp@alien8.de>,
Dave Hansen <dave.hansen@linux.intel.com>,
x86@kernel.org, "H. Peter Anvin" <hpa@zytor.com>,
Ashish Kalra <ashish.kalra@amd.com>,
Tom Lendacky <thomas.lendacky@amd.com>,
John Allen <john.allen@amd.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
"David S. Miller" <davem@davemloft.net>,
Shuah Khan <shuah@kernel.org>
Cc: Kim Phillips <kim.phillips@amd.com>,
Alexey Kardashevskiy <aik@amd.com>,
Nikunj A Dadhania <nikunj@amd.com>,
kvm@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-crypto@vger.kernel.org, linux-kselftest@vger.kernel.org
Subject: [PATCH 3/5] crypto/ccp: export firmware supported vm types
Date: Tue, 3 Mar 2026 12:15:07 -0700 [thread overview]
Message-ID: <20260303191509.1565629-4-tycho@kernel.org> (raw)
In-Reply-To: <20260303191509.1565629-1-tycho@kernel.org>
From: "Tycho Andersen (AMD)" <tycho@kernel.org>
In some configurations, the firmware does not support all VM types. Do an
SNP_VERIFY_MITIGATION to determine if the mitigation for CVE-2025-48514 is
active, and if so, turn off the SEV_ES bit.
Signed-off-by: Tycho Andersen (AMD) <tycho@kernel.org>
---
drivers/crypto/ccp/sev-dev.c | 83 ++++++++++++++++++++++++++++++++++++
include/linux/psp-sev.h | 9 ++++
2 files changed, 92 insertions(+)
diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c
index 9eba3fe1a27f..79610617a38d 100644
--- a/drivers/crypto/ccp/sev-dev.c
+++ b/drivers/crypto/ccp/sev-dev.c
@@ -2930,3 +2930,86 @@ void sev_pci_exit(void)
sev_firmware_shutdown(sev);
}
+
+static int snp_verify_mitigation(struct sev_device *sev, u64 vector, u64 *verified)
+{
+ struct sev_data_snp_verify_mitigation data = {0};
+ struct snp_verify_mitigation_dst *dst;
+ struct page *p;
+ int rc, error = 0;
+
+ if (!sev->snp_plat_status.feature_info ||
+ !(sev->snp_feat_info_0.ecx & SNP_VERIFY_MITIGATION_SUPPORTED)) {
+ return -EOPNOTSUPP;
+ }
+
+ p = __snp_alloc_firmware_pages(GFP_KERNEL, 0, true);
+ if (!p)
+ return -ENOMEM;
+ dst = page_address(p);
+
+ data.length = sizeof(data);
+ data.subcommand = SNP_MIT_SUBCMD_REQ_VERIFY;
+ data.vector = vector;
+ data.dst_paddr_en = 1;
+ data.dst_paddr = __psp_pa(dst);
+
+ rc = sev_do_cmd(SEV_CMD_SNP_VERIFY_MITIGATION, &data, &error);
+ if (rc < 0) {
+ if (error)
+ dev_err(sev->dev, "VERIFY_MITIGATION error %d\n", error);
+ goto reclaim_pages;
+ }
+
+ rc = -EIO;
+ if (dst->mit_failure_status) {
+ dev_err(sev->dev, "VERIFY_MITIGATION failure status %d\n", dst->mit_failure_status);
+ goto reclaim_pages;
+ }
+
+ *verified = dst->mit_verified_vector;
+ rc = 0;
+
+reclaim_pages:
+ __snp_free_firmware_pages(p, 0, true);
+ return rc;
+}
+
+int sev_firmware_supported_vm_types(void)
+{
+ int rc, supported_vm_types = 0;
+ struct sev_device *sev;
+ u64 verified = 0;
+
+ if (!psp_master || !psp_master->sev_data)
+ return supported_vm_types;
+ sev = psp_master->sev_data;
+
+ supported_vm_types |= BIT(KVM_X86_SEV_VM);
+ supported_vm_types |= BIT(KVM_X86_SEV_ES_VM);
+
+ if (!sev->snp_initialized)
+ return supported_vm_types;
+
+ supported_vm_types |= BIT(KVM_X86_SNP_VM);
+
+ rc = snp_verify_mitigation(sev, SNP_MIT_VEC_CVE_2025_48514, &verified);
+ if (rc < 0) {
+ /*
+ * Older firmware that doesn't support VERIFY_MITIGATION won't
+ * have the mitigation for this CVE, so all types are supported.
+ */
+ if (rc == -EOPNOTSUPP)
+ return supported_vm_types;
+ dev_err(sev->dev, "Unable to determine supported vm types: %d\n", rc);
+ return supported_vm_types;
+ }
+
+ /* This mitigation disables SEV-ES guests when present */
+ if (verified & SNP_MIT_VEC_CVE_2025_48514)
+ supported_vm_types &= ~BIT(KVM_X86_SEV_ES_VM);
+
+ return supported_vm_types;
+
+}
+EXPORT_SYMBOL_FOR_MODULES(sev_firmware_supported_vm_types, "kvm-amd");
diff --git a/include/linux/psp-sev.h b/include/linux/psp-sev.h
index 2b4b56632b4e..07ce49b31ba2 100644
--- a/include/linux/psp-sev.h
+++ b/include/linux/psp-sev.h
@@ -611,6 +611,12 @@ struct sev_data_snp_verify_mitigation {
#define SNP_MIT_SUBCMD_REQ_STATUS 0x0
#define SNP_MIT_SUBCMD_REQ_VERIFY 0x1
+/*
+ * For CVE-2025-48514 defined in AMD-SB-3023
+ * https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3023.html
+ */
+#define SNP_MIT_VEC_CVE_2025_48514 BIT(3)
+
/**
* struct snp_verify_mitigation_dst - mitigation result vectors
*
@@ -1092,6 +1098,7 @@ void snp_free_firmware_page(void *addr);
void sev_platform_shutdown(void);
bool sev_is_snp_ciphertext_hiding_supported(void);
u64 sev_get_snp_policy_bits(void);
+int sev_firmware_supported_vm_types(void);
#else /* !CONFIG_CRYPTO_DEV_SP_PSP */
@@ -1135,6 +1142,8 @@ static inline void sev_platform_shutdown(void) { }
static inline bool sev_is_snp_ciphertext_hiding_supported(void) { return false; }
+static inline int sev_firmware_supported_vm_types(void) { return 0; }
+
#endif /* CONFIG_CRYPTO_DEV_SP_PSP */
#endif /* __PSP_SEV_H__ */
--
2.53.0
next prev parent reply other threads:[~2026-03-03 19:15 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-03 19:15 [PATCH 0/5] Revoke supported SEV VM types Tycho Andersen
2026-03-03 19:15 ` [PATCH 1/5] kvm/sev: don't expose unusable " Tycho Andersen
2026-03-12 19:55 ` Sean Christopherson
2026-03-03 19:15 ` [PATCH 2/5] crypto/ccp: introduce SNP_VERIFY_MITIGATION Tycho Andersen
2026-03-03 19:15 ` Tycho Andersen [this message]
2026-03-03 23:05 ` [PATCH 3/5] crypto/ccp: export firmware supported vm types Tycho Andersen
2026-03-03 19:15 ` [PATCH 4/5] kvm/sev: mask off firmware unsupported " Tycho Andersen
2026-03-12 19:57 ` Sean Christopherson
2026-03-03 19:15 ` [PATCH 5/5] selftests/kvm: teach sev_*_test about revoking VM types Tycho Andersen
2026-03-12 20:00 ` Sean Christopherson
2026-03-12 20:04 ` [PATCH 0/5] Revoke supported SEV " Sean Christopherson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260303191509.1565629-4-tycho@kernel.org \
--to=tycho@kernel.org \
--cc=aik@amd.com \
--cc=ashish.kalra@amd.com \
--cc=bp@alien8.de \
--cc=dave.hansen@linux.intel.com \
--cc=davem@davemloft.net \
--cc=herbert@gondor.apana.org.au \
--cc=hpa@zytor.com \
--cc=john.allen@amd.com \
--cc=kim.phillips@amd.com \
--cc=kvm@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=nikunj@amd.com \
--cc=pbonzini@redhat.com \
--cc=seanjc@google.com \
--cc=shuah@kernel.org \
--cc=tglx@kernel.org \
--cc=thomas.lendacky@amd.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.