From: Tom Lendacky <thomas.lendacky@amd.com>
To: "Naveen N Rao (AMD)" <naveen@kernel.org>,
Paolo Bonzini <pbonzini@redhat.com>,
Sean Christopherson <seanjc@google.com>
Cc: qemu-devel <qemu-devel@nongnu.org>,
kvm@vger.kernel.org, "Daniel P. Berrange" <berrange@redhat.com>,
Eduardo Habkost <eduardo@habkost.net>,
Eric Blake <eblake@redhat.com>,
Markus Armbruster <armbru@redhat.com>,
Marcelo Tosatti <mtosatti@redhat.com>,
Zhao Liu <zhao1.liu@intel.com>,
Nikunj A Dadhania <nikunj@amd.com>,
Michael Roth <michael.roth@amd.com>,
Neeraj Upadhyay <neeraj.upadhyay@amd.com>,
Roy Hopkins <roy.hopkins@randomman.co.uk>
Subject: Re: [RFC PATCH 7/7] target/i386: SEV: Add support for enabling Secure AVIC SEV feature
Date: Fri, 12 Sep 2025 09:17:12 -0500
Message-ID: <46c73e5c-70b2-4700-97aa-e5ed06cc622f@amd.com>
In-Reply-To: <632eaad0ef28943520a1285c8efb3d8a756e4624.1757589490.git.naveen@kernel.org>

On 9/11/25 06:54, Naveen N Rao (AMD) wrote:
> Add support for enabling Secure AVIC VMSA SEV feature in SEV-SNP guests
> through a new "secure-avic" boolean property on SEV-SNP guest objects.
>
> Sample command-line:
> -machine q35,confidential-guest-support=sev0 \
> -object sev-snp-guest,id=sev0,cbitpos=51,reduced-phys-bits=1,secure-avic=on

Since the hypervisor support for Secure AVIC is not accepted in KVM, yet,
this should not be included yet until we know what the full VMM
requirements might be.

Thanks,
Tom

>
> Reviewed-by: Nikunj A Dadhania <nikunj@amd.com>
> Signed-off-by: Naveen N Rao (AMD) <naveen@kernel.org>
> ---
> target/i386/sev.h | 1 +
> target/i386/sev.c | 13 +++++++++++++
> qapi/qom.json | 5 ++++-
> 3 files changed, 18 insertions(+), 1 deletion(-)
>
> diff --git a/target/i386/sev.h b/target/i386/sev.h
> index 87e73034ad15..a374c144bccd 100644
> --- a/target/i386/sev.h
> +++ b/target/i386/sev.h
> @@ -47,6 +47,7 @@ bool sev_snp_enabled(void);
> #define SVM_SEV_FEAT_SNP_ACTIVE BIT(0)
> #define SVM_SEV_FEAT_DEBUG_SWAP BIT(5)
> #define SVM_SEV_FEAT_SECURE_TSC BIT(9)
> +#define SVM_SEV_FEAT_SECURE_AVIC BIT(16)
>
> typedef struct SevKernelLoaderContext {
> char *setup_data;
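Review bot: SVM_SEV_FEAT_SECURE_AVIC at BIT(16) is the first feature bit in this list above bit 9. Confirm that the field sev_set_feature() and is_sev_feature_set() operate on is wide enough to hold bit 16, and add a short comment citing where the bit position is defined.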
> diff --git a/target/i386/sev.c b/target/i386/sev.c
> index facf51c810d9..f9170e21ca57 100644
> --- a/target/i386/sev.c
> +++ b/target/i386/sev.c
> @@ -3147,6 +3147,16 @@ static void sev_snp_guest_set_secure_tsc(Object *obj, bool value, Error **errp)
> sev_set_feature(SEV_COMMON(obj), SVM_SEV_FEAT_SECURE_TSC, value);
> }
>
> +static bool sev_snp_guest_get_secure_avic(Object *obj, Error **errp)
> +{
> + return is_sev_feature_set(SEV_COMMON(obj), SVM_SEV_FEAT_SECURE_AVIC);
> +}
> +
> +static void sev_snp_guest_set_secure_avic(Object *obj, bool value, Error **errp)
> +{
> + sev_set_feature(SEV_COMMON(obj), SVM_SEV_FEAT_SECURE_AVIC, value);
> +}
> +
> static void
> sev_snp_guest_get_tsc_frequency(Object *obj, Visitor *v, const char *name,
> void *opaque, Error **errp)
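Review bot: sev_snp_guest_set_secure_avic() never uses errp and sets SVM_SEV_FEAT_SECURE_AVIC unconditionally, so secure-avic=on is accepted at property-set time whether or not the host can provide the feature. Say in the commit message where the bit is checked against what KVM supports and what the user sees when it is not, or report the failure through errp here.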
> @@ -3210,6 +3220,9 @@ sev_snp_guest_class_init(ObjectClass *oc, const void *data)
> object_class_property_add(oc, "tsc-frequency", "uint32",
> sev_snp_guest_get_tsc_frequency,
> sev_snp_guest_set_tsc_frequency, NULL, NULL);
> + object_class_property_add_bool(oc, "secure-avic",
> + sev_snp_guest_get_secure_avic,
> + sev_snp_guest_set_secure_avic);
> }
>
> static void
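Review bot: "secure-avic" is registered with object_class_property_add_bool() and the function then ends, with no object_class_property_set_description() call for it. Add a description so the property is self-documenting for users, matching the text added to qapi/qom.json.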
> diff --git a/qapi/qom.json b/qapi/qom.json
> index 5b99148cb790..5dce560a2f54 100644
> --- a/qapi/qom.json
> +++ b/qapi/qom.json
> @@ -1105,6 +1105,8 @@
> # @tsc-frequency: set secure TSC frequency. Only valid if Secure TSC
> # is enabled (default: zero) (since 10.2)
> #
> +# @secure-avic: enable Secure AVIC (default: false) (since 10.2)
> +#
> # Since: 9.1
> ##
> { 'struct': 'SevSnpGuestProperties',
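Review bot: the @secure-avic description gives only the default, while @tsc-frequency just above it states its precondition ("Only valid if Secure TSC is enabled"). Document what secure-avic depends on and what happens when the host lacks support, and revisit the "(since 10.2)" tag if the property is held back until KVM support lands.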
> @@ -1118,7 +1120,8 @@
> '*host-data': 'str',
> '*vcek-disabled': 'bool',
> '*secure-tsc': 'bool',
> - '*tsc-frequency': 'uint32' } }
> + '*tsc-frequency': 'uint32',
> + '*secure-avic': 'bool' } }
>
> ##
> # @TdxGuestProperties: