Re: [PATCH v2 4/5] KVM: SEV: mask off firmware unsupported vm types

[Sean Christopherson <seanjc@google.com>]

On Tue, Mar 24, 2026, Tycho Andersen wrote:
> From: "Tycho Andersen (AMD)" <tycho@kernel.org>
> 
> In some configurations not all VM types are supported by the firmware.
> Reflect this information in the supported_vm_types that KVM exports.
> 
> Link: https://lore.kernel.org/all/aZyLIWtffvEnmtYh@google.com/
> Suggested-by: Sean Christopherson <seanjc@google.com>
> Signed-off-by: Tycho Andersen (AMD) <tycho@kernel.org>
> ---
>  arch/x86/kvm/svm/sev.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
> index 37490803f2e8..0fe9515db1e7 100644
> --- a/arch/x86/kvm/svm/sev.c
> +++ b/arch/x86/kvm/svm/sev.c
> @@ -2976,7 +2976,8 @@ void __init sev_set_cpu_caps(void)
>  		supported_vm_types |= BIT(KVM_X86_SNP_VM);
>  	}
>  
> -	kvm_caps.supported_vm_types |= supported_vm_types;
> +	kvm_caps.supported_vm_types |= (supported_vm_types &
> +					sev_firmware_supported_vm_types());

This is slightly flawed, in that sev_hardware_setup() still reports SEV-ES as
fully enabled, whereas the other cases (ASID exhaustation) clear the VM type *and*
report the feature as "unusable".

Addressing that is actually a great opportunity to dedup some code in the previous
path.  I.e. if we first relocate the supported_vm_types updates to sev_hardware_setup(),
then there's no need to copy+paste the ASID checks.  And then restricting VM types
based on firmware support Just Works.

E.g. to yield:

[ 1813.863571] ccp 0000:24:00.1: SEV-SNP API:1.58 build:1
[ 1813.876790] kvm_amd: SEV enabled (ASIDs 254 - 509)
[ 1813.881595] kvm_amd: SEV-ES unusable (ASIDs 1 - 253)
[ 1813.886574] kvm_amd: SEV-SNP enabled (ASIDs 1 - 253)
[ 1813.891549] kvm_amd: Virtual VMLOAD VMSAVE supported
[ 1813.896522] kvm_amd: Virtual GIF supported

I'll send a v3, I've got everything coded up (I wanted to make sure my idea
actually worked before suggesting it :-) ).