From: Sean Christopherson <seanjc@google.com>
To: Nikunj A Dadhania <nikunj@amd.com>
Cc: pbonzini@redhat.com, kvm@vger.kernel.org,
thomas.lendacky@amd.com, santosh.shukla@amd.com,
Michael Roth <michael.roth@amd.com>
Subject: Re: [PATCH v3 2/2] KVM: SEV: Enforce minimum GHCB version requirement for SEV-SNP guests
Date: Tue, 19 Aug 2025 11:28:03 -0700
Message-ID: <aKTCMzVNwhlFNE0e@google.com>
In-Reply-To: <20250804090945.267199-3-nikunj@amd.com>
On Mon, Aug 04, 2025, Nikunj A Dadhania wrote:
> Require a minimum GHCB version of 2 when starting SEV-SNP guests through
> KVM_SEV_INIT2. When a VMM attempts to start an SEV-SNP guest with an
> incompatible GHCB version (less than 2), reject the request early rather
> than allowing the guest kernel to start with an incorrect protocol version
> and fail later with GHCB_SNP_UNSUPPORTED guest termination.
>
> Hypervisor logs the guest termination with GHCB_SNP_UNSUPPORTED error code:
s/Hypervisor/KVM, though I don't see any point in saying that KVM is doing
the logging, that's self-evident from the kvm_amd prefix. Instead, I think
what's important is to say the guest _typically_ requests termination,
because AFAICT nothing guarantees the guest will fail in this exact way.
Not enforcing the minimum version typically causes the guest to request
termination with GHCB_SNP_UNSUPPORTED error code:
kvm_amd: SEV-ES guest requested termination: 0x0:0x2
> kvm_amd: SEV-ES guest requested termination: 0x0:0x2
>
> SNP guest fails with the below error message:
This is QEMU output, not guest output. I don't see any reason to capture this.
The fact that QEMU apparently doesn't handle KVM_EXIT_SYSTEM_EVENT isn't interesting.
> KVM: unknown exit reason 24
> EAX=00000000 EBX=00000000 ECX=00000000 EDX=00a00f11
> ESI=00000000 EDI=00000000 EBP=00000000 ESP=00000000
> EIP=0000fff0 EFL=00000002 [-------] CPL=0 II=0 A20=1 SMM=0 HLT=0
> ES =0000 00000000 0000ffff 00009300
> CS =f000 ffff0000 0000ffff 00009b00
> SS =0000 00000000 0000ffff 00009300
> DS =0000 00000000 0000ffff 00009300
> FS =0000 00000000 0000ffff 00009300
> GS =0000 00000000 0000ffff 00009300
> LDT=0000 00000000 0000ffff 00008200
> TR =0000 00000000 0000ffff 00008b00
> GDT= 00000000 0000ffff
> IDT= 00000000 0000ffff
> CR0=60000010 CR2=00000000 CR3=00000000 CR4=00000000
> DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000
> DR6=00000000ffff0ff0 DR7=0000000000000400
> EFER=0000000000000000
No need for you to send a new version, I'm going to post a combined series for
this and Secure TSC.
Thread overview:
2025-08-04 9:09 [PATCH v3 0/2] KVM: SEV: Improve GHCB Version Handling for SEV-ES/SEV-SNP Nikunj A Dadhania
2025-08-04 9:09 ` [PATCH v3 1/2] KVM: SEV: Drop GHCB_VERSION_DEFAULT and open code it Nikunj A Dadhania
2025-08-04 9:09 ` [PATCH v3 2/2] KVM: SEV: Enforce minimum GHCB version requirement for SEV-SNP guests Nikunj A Dadhania
2025-08-19 18:28 ` Sean Christopherson [this message]
2025-08-20 5:29 ` Nikunj A. Dadhania