From: "Pratik R. Sampat" <prsampat@amd.com>
To: Tom Lendacky <thomas.lendacky@amd.com>,
ashish.kalra@amd.com, john.allen@amd.com,
herbert@gondor.apana.org.au, davem@davemloft.net
Cc: linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org,
aik@amd.com, tycho@kernel.org, nikunj@amd.com,
michael.roth@amd.com
Subject: Re: [PATCH v4] crypto/ccp: Introduce SNP_VERIFY_MITIGATION command
Date: Tue, 9 Jun 2026 12:19:21 -0400 [thread overview]
Message-ID: <6c9d6f7b-9d94-44f2-a73b-1dfe64bb6b87@amd.com> (raw)
In-Reply-To: <c00d4186-2a89-4c24-be02-6b6a05450fe5@amd.com>
On 6/9/26 12:06 PM, Tom Lendacky wrote:
> On 6/8/26 15:58, Pratik R. Sampat wrote:
>> The SEV-SNP firmware provides the SNP_VERIFY_MITIGATION command, which
>> can be used to query the status of currently supported vulnerability
>> mitigations and to initiate mitigations within the firmware.
>>
>> This command is an explicit mechanism to ascertain if a firmware
>> mitigation is applied without needing a full RMP re-build, which is most
>> useful in a live firmware update scenario.
>>
>> The firmware supports two subcommands: STATUS and VERIFY. The STATUS
>> subcommand is used to query the supported and verified mitigation bits.
>> The VERIFY subcommand initiates the mitigation process within the FW for
>> the specified vulnerability. Expose a userspace interface under:
>> /sys/firmware/sev/vulnerabilities/
>> - supported_mitigations (read-only): supported mitigation vector mask
>> - verified_mitigations (read/write): current verified mask; write a
>> vector to request VERIFY for that bit
>>
>> The behavior of SNP_VERIFY_MITIGATION and the pre-requisites for using
>> it are bug-specific. Information about supported mitigations and its
>> corresponding vector is to be published as part of the AMD Security
>> Bulletin.
>>
>> See SEV-SNP Firmware ABI specifications 1.58, SNP_VERIFY_MITIGATION for
>> more details.
>>
>> Signed-off-by: Pratik R. Sampat <prsampat@amd.com>
>
> Just a few minor comments below, but in general...
>
> Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
>
>> +static ssize_t verified_mitigations_store(struct kobject *kobj,
>> + struct kobj_attribute *attr,
>> + const char *buf, size_t count)
>> +{
>> + struct sev_data_snp_verify_mitigation_dst dst;
>> + struct sev_device *sev = psp_master->sev_data;
>> + u64 vector;
>> + int ret;
>> +
>> + ret = kstrtoull(buf, 0, &vector);
>> + if (ret)
>> + return ret;
>
> Should we save some time and check for vector having multiple bits set
> before sending it to the firmware?
>
Sure. This can be a quick sanity check and can save a FW call.
>> +err_verify_mit:
>> + kobject_put(sev->verify_mit);
>> + sev->verify_mit = NULL;
>> +err_sev_kobj:
>> + kobject_put(sev->sev_kobj);
>> + sev->sev_kobj = NULL;
>> +
>
> Extra blank line.
>
Ack.
>> +}
>> +
>> +static void sev_snp_unregister_verify_mitigation(struct sev_device *sev)
>> +{
>> + if (sev->verify_mit) {
>> + sysfs_remove_group(sev->verify_mit, &mit_attr_group);
>> + kobject_put(sev->verify_mit);
>> + sev->verify_mit = NULL;
>> + }
>> +
>> + if (sev->sev_kobj) {
>> + kobject_put(sev->sev_kobj);
>> + sev->sev_kobj = NULL;
>> + }
>> +}
>> +#else
>
> Just add the CONFIG option to the else and endif, e.g.:
>
> #else // CONFIG_SYSFS
>
> ...
>
> #endif // CONFIG_SYSFS
>
Ack.
>> +static void sev_snp_register_verify_mitigation(struct sev_device *sev) { }
>> +static void sev_snp_unregister_verify_mitigation(struct sev_device *sev) { }
>> +#endif
>> +
>> static int __sev_snp_init_locked(int *error, unsigned int max_snp_asid)
>> {
>> struct sev_data_range_list *snp_range_list __free(kfree) = NULL;
>> @@ -1673,6 +1824,17 @@ int sev_platform_init(struct sev_platform_init_args *args)
>> rc = _sev_platform_init_locked(args);
>> mutex_unlock(&sev_cmd_mutex);
>>
>> + /*
>> + * Register the sysfs interface outside the sev_cmd_mutex. The
>> + * _show()/_store() handlers issue SEV commands that acquire the
>> + * sev_cmd_mutex, so creating (and on the shutdown path, removing) the
>> + * sysfs group must stay outside that lock. sysfs provides its own
>> + * synchronization between group creation/removal and concurrent
>> + * attribute access.
>> + */
>> + if (!rc)
>> + sev_snp_register_verify_mitigation(psp_master->sev_data);
>> +
>> return rc;
>> }
>> EXPORT_SYMBOL_GPL(sev_platform_init);
>> @@ -2752,6 +2914,15 @@ static void sev_firmware_shutdown(struct sev_device *sev)
>> if (sev->tio_status)
>> sev_tsm_uninit(sev);
>>
>> + /*
>> + * Remove the sysfs interface before taking the sev_cmd_mutex.
>> + * sysfs_remove_group() waits for in-flight _show()/_store() handlers
>> + * to drain, and those handlers issue SNP_VERIFY_MITIGATION via
>> + * sev_do_cmd() which acquires the sev_cmd_mutex. Removing the group
>> + * while holding the mutex would therefore deadlock.
>
> s/would/could/
>
Will do and re-spin, thanks!
--Pratik
next prev parent reply other threads:[~2026-06-09 16:19 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-08 20:58 [PATCH v4] crypto/ccp: Introduce SNP_VERIFY_MITIGATION command Pratik R. Sampat
2026-06-09 16:06 ` Tom Lendacky
2026-06-09 16:19 ` Pratik R. Sampat [this message]
2026-06-09 19:48 ` Tycho Andersen
2026-06-11 13:44 ` Pratik R. Sampat
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6c9d6f7b-9d94-44f2-a73b-1dfe64bb6b87@amd.com \
--to=prsampat@amd.com \
--cc=aik@amd.com \
--cc=ashish.kalra@amd.com \
--cc=davem@davemloft.net \
--cc=herbert@gondor.apana.org.au \
--cc=john.allen@amd.com \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=michael.roth@amd.com \
--cc=nikunj@amd.com \
--cc=thomas.lendacky@amd.com \
--cc=tycho@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox