Re: [PATCH 4/4] kvm: svm: Support KVM_SEV_SNP_PAGE_TYPE_VMSA at SNP_LAUNCH_UPDATE

[Sean Christopherson <seanjc@google.com>]

+Jethro

On Thu, Jun 11, 2026, Jörg Rödel wrote:
> Hi Sean,
> 
> On Thu, Jun 11, 2026 at 05:43:05AM -0700, Sean Christopherson wrote:
> > On Thu, Jun 11, 2026, Jörg Rödel wrote:
> > > From: Joerg Roedel <joerg.roedel@amd.com>
> > > 
> > > Support setting a VMSA in guest physical memory during the SEV-SNP
> > > launch process. Only one VMSA can be provided which will then be used
> > > for the BSP. All of the APs will not have a VMSA allocated or assigned
> > > when this feature is used.
> > >
> > > This ensures stable launch measurements on SEV-SNP which are
> > > independent of the number of VCPUs the VM is launched with.
> > 
> > This needs a *much* longer explanation and more justification for exactly why
> > this needs to be handled in KVM.  I understand most of the words and acronyms,
> > but that's about where my understanding stops.
> 
> Sure, how about:
> 
> For SEV-SNP VMs KVM currently allocates and measures one VMSA per VCPU into the
> initial memory image.  Historically this behavior comes from the SEV-ES
> implementation, which has no concept of a guest-provided or guest-owned VMSA.
> So on SEV-ES there is no other choice than allocating the VMSAs in KVM.
> 
> In contrast, on SEV-SNP each VMSA has a GPA assigned and is (in theory)
> guest-owned, so that the old SEV-ES behavior of letting KVM manage the
> VMSAs causes several problems (especially together with IGVM-loading)
> and inefficiencies:
> 
> 	1. With the current KVM behavior the initial launch measurement depends
> 	   on the number of VCPUs the VM has assigned.
> 
> 	2. Current SEV-SNP guest code will not use the KVM-allocated VMSAs for
> 	   APs. Both EDK2 and the Linux kernel will allocate and provide their
> 	   own VMSA pages for every AP. So the current allocation dance KVM is
> 	   doing is useless for the APs.
> 
> 	3. The current behavior makes it impossible to implement the
> 	   IGVM-promise of a predictable launch measurement derived from only
> 	   the IGVM file and the target platform.
> 
> To solve these problems this patch adds support to measure an IGVM-provided
> VMSA page into the initial SEV-SNP memory image. Only one VMSA page is
> supported for now, which aligns with the IGVM requirement that each file can
> only provide one VP-context. The VMSA will be checked by KVM for supported SEV
> features and VMPL0 before being accepted.
> 
> When a VMSA page is measured in this way it will be used as the launch VMSA of
> the BSP for the VM. For all other VCPUs KVM will not allocate or measure VMSA
> pages, keeping the launch measurement in sync with the IGVM image. The guest
> has to provide VMSAs for all APs it intends to use, which common guest
> components already do anyway.

Isn't this essentially the same thing as hot-plugging vCPUs after launch?  I
have yet to review it in depth (sorry Jethro), but it looks a *lot* simpler.

https://lore.kernel.org/all/20d3a189-5649-4864-81cd-5a421267f21b@fortanix.com