* SNP guest policy support
@ 2025-08-13 13:18 Tom Lendacky
2025-08-21 16:39 ` Sean Christopherson
0 siblings, 1 reply; 2+ messages in thread
From: Tom Lendacky @ 2025-08-13 13:18 UTC (permalink / raw)
To: Sean Christopherson, Paolo Bonzini, kvm; +Cc: Michael Roth
Paolo/Sean,
I'm looking to expand the supported set of policy bits that the VMM can
supply on an SNP guest launch (e.g. requiring ciphertext hiding, etc.).
Right now we have the SNP_POLICY_MASK_VALID bitmask that is used to
check for KVM supported policy bits. From the previous patches I
submitted to add the SMT and SINGLE_SOCKET policy bit support, there was
some thought of possibly providing supported policy bits to userspace.
Should we just update the mask as we add support for new policy bits? Or
should we do something similar to the sev_supported_vmsa_features
support and add a KVM_X86_SEV_POLICY_SUPPORT attribute to the
KVM_X86_GRP_SEV? Or...?
Thoughts?
Thanks,
Tom
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: SNP guest policy support
2025-08-13 13:18 SNP guest policy support Tom Lendacky
@ 2025-08-21 16:39 ` Sean Christopherson
0 siblings, 0 replies; 2+ messages in thread
From: Sean Christopherson @ 2025-08-21 16:39 UTC (permalink / raw)
To: Tom Lendacky; +Cc: Paolo Bonzini, kvm, Michael Roth
On Wed, Aug 13, 2025, Tom Lendacky wrote:
> Paolo/Sean,
>
> I'm looking to expand the supported set of policy bits that the VMM can
> supply on an SNP guest launch (e.g. requiring ciphertext hiding, etc.).
>
> Right now we have the SNP_POLICY_MASK_VALID bitmask that is used to
> check for KVM supported policy bits. From the previous patches I
> submitted to add the SMT and SINGLE_SOCKET policy bit support, there was
> some thought of possibly providing supported policy bits to userspace.
>
> Should we just update the mask as we add support for new policy bits? Or
> should we do something similar to the sev_supported_vmsa_features
> support and add a KVM_X86_SEV_POLICY_SUPPORT attribute to the
> KVM_X86_GRP_SEV? Or...?
I think adding KVM_X86_SEV_POLICY_SUPPORT to KVM_X86_GRP_SEV makes the most sense.
If we allow new bits, then we definitely need a way to enumerate support to
userspace. Even if we made KVM fully permissive, we'd need/want a way to communicate
_that_ to userspace, which means adding a capability or something similar.
In other words, we need new uAPI, and if we need new uAPI, then I'd much prefer
to retain control in KVM just in case a policy comes along that we don't want to
(or can't) support for whatever reason.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2025-08-21 16:39 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-08-13 13:18 SNP guest policy support Tom Lendacky
2025-08-21 16:39 ` Sean Christopherson
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).