[PATCH] KVM: SEV: Enforce minimum GHCB version requirement for SEV-SNP guests

[PATCH] KVM: SEV: Enforce minimum GHCB version requirement for SEV-SNP guests

[Nikunj A Dadhania]

Require a minimum GHCB version of 2 when starting SEV-SNP guests through
KVM_SEV_INIT2. When a VMM attempts to start an SEV-SNP guest with an
incompatible GHCB version (less than 2), reject the request early rather
than allowing the guest to start with an incorrect protocol version and
fail later.

Fixes: 4af663c2f64a ("KVM: SEV: Allow per-guest configuration of GHCB protocol version")
Cc: Thomas Lendacky <thomas.lendacky@amd.com>
Cc: Sean Christopherson <seanjc@google.com>
Cc: Michael Roth <michael.roth@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Nikunj A Dadhania <nikunj@amd.com>
---
 arch/x86/kvm/svm/sev.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
index a12e78b67466..91d06fb91ba2 100644
--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -435,6 +435,9 @@ static int __sev_guest_init(struct kvm *kvm, struct kvm_sev_cmd *argp,
 	if (unlikely(sev->active))
 		return -EINVAL;
 
+	if (snp_active && data->ghcb_version && data->ghcb_version < 2)
+		return -EINVAL;
+
 	sev->active = true;
 	sev->es_active = es_active;
 	sev->vmsa_features = data->vmsa_features;
-- 
2.43.0

Re: [PATCH] KVM: SEV: Enforce minimum GHCB version requirement for SEV-SNP guests

[Sean Christopherson]

On Fri, Jul 11, 2025, Nikunj A Dadhania wrote:
> Require a minimum GHCB version of 2 when starting SEV-SNP guests through
> KVM_SEV_INIT2. When a VMM attempts to start an SEV-SNP guest with an
> incompatible GHCB version (less than 2), reject the request early rather
> than allowing the guest to start with an incorrect protocol version and
> fail later.

What happens with ghcb_version==1?   I.e. what failure occurs, and when?

Re: [PATCH] KVM: SEV: Enforce minimum GHCB version requirement for SEV-SNP guests

[kernel test robot]

Hi Nikunj,

kernel test robot noticed the following build errors:

[auto build test ERROR on kvm/queue]
[also build test ERROR on kvm/next linus/master v6.16-rc5 next-20250711]
[cannot apply to kvm/linux-next]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Nikunj-A-Dadhania/KVM-SEV-Enforce-minimum-GHCB-version-requirement-for-SEV-SNP-guests/20250711-125527
base:   https://git.kernel.org/pub/scm/virt/kvm/kvm.git queue
patch link:    https://lore.kernel.org/r/20250711045408.95129-1-nikunj%40amd.com
patch subject: [PATCH] KVM: SEV: Enforce minimum GHCB version requirement for SEV-SNP guests
config: x86_64-rhel-9.4-rust (https://download.01.org/0day-ci/archive/20250712/202507120551.iDEiTBBN-lkp@intel.com/config)
compiler: clang version 20.1.8 (https://github.com/llvm/llvm-project 87f0227cb60147a26a1eeb4fb06e3b505e9c7261)
rustc: rustc 1.88.0 (6b00bc388 2025-06-23)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250712/202507120551.iDEiTBBN-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202507120551.iDEiTBBN-lkp@intel.com/

All errors (new ones prefixed by >>):

>> arch/x86/kvm/svm/sev.c:426:6: error: use of undeclared identifier 'snp_active'
     426 |         if (snp_active && data->ghcb_version && data->ghcb_version < 2)
         |             ^
   1 error generated.


vim +/snp_active +426 arch/x86/kvm/svm/sev.c

   400	
   401	static int __sev_guest_init(struct kvm *kvm, struct kvm_sev_cmd *argp,
   402				    struct kvm_sev_init *data,
   403				    unsigned long vm_type)
   404	{
   405		struct kvm_sev_info *sev = to_kvm_sev_info(kvm);
   406		struct sev_platform_init_args init_args = {0};
   407		bool es_active = vm_type != KVM_X86_SEV_VM;
   408		u64 valid_vmsa_features = es_active ? sev_supported_vmsa_features : 0;
   409		int ret;
   410	
   411		if (kvm->created_vcpus)
   412			return -EINVAL;
   413	
   414		if (data->flags)
   415			return -EINVAL;
   416	
   417		if (data->vmsa_features & ~valid_vmsa_features)
   418			return -EINVAL;
   419	
   420		if (data->ghcb_version > GHCB_VERSION_MAX || (!es_active && data->ghcb_version))
   421			return -EINVAL;
   422	
   423		if (unlikely(sev->active))
   424			return -EINVAL;
   425	
 > 426		if (snp_active && data->ghcb_version && data->ghcb_version < 2)
   427			return -EINVAL;
   428	
   429		sev->active = true;
   430		sev->es_active = es_active;
   431		sev->vmsa_features = data->vmsa_features;
   432		sev->ghcb_version = data->ghcb_version;
   433	
   434		/*
   435		 * Currently KVM supports the full range of mandatory features defined
   436		 * by version 2 of the GHCB protocol, so default to that for SEV-ES
   437		 * guests created via KVM_SEV_INIT2.
   438		 */
   439		if (sev->es_active && !sev->ghcb_version)
   440			sev->ghcb_version = GHCB_VERSION_DEFAULT;
   441	
   442		if (vm_type == KVM_X86_SNP_VM)
   443			sev->vmsa_features |= SVM_SEV_FEAT_SNP_ACTIVE;
   444	
   445		ret = sev_asid_new(sev);
   446		if (ret)
   447			goto e_no_asid;
   448	
   449		init_args.probe = false;
   450		ret = sev_platform_init(&init_args);
   451		if (ret)
   452			goto e_free;
   453	
   454		/* This needs to happen after SEV/SNP firmware initialization. */
   455		if (vm_type == KVM_X86_SNP_VM) {
   456			ret = snp_guest_req_init(kvm);
   457			if (ret)
   458				goto e_free;
   459		}
   460	
   461		INIT_LIST_HEAD(&sev->regions_list);
   462		INIT_LIST_HEAD(&sev->mirror_vms);
   463		sev->need_init = false;
   464	
   465		kvm_set_apicv_inhibit(kvm, APICV_INHIBIT_REASON_SEV);
   466	
   467		return 0;
   468	
   469	e_free:
   470		argp->error = init_args.error;
   471		sev_asid_free(sev);
   472		sev->asid = 0;
   473	e_no_asid:
   474		sev->vmsa_features = 0;
   475		sev->es_active = false;
   476		sev->active = false;
   477		return ret;
   478	}
   479	

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki

Re: [PATCH] KVM: SEV: Enforce minimum GHCB version requirement for SEV-SNP guests

[Nikunj A Dadhania]

Sean Christopherson <seanjc@google.com> writes:

> On Fri, Jul 11, 2025, Nikunj A Dadhania wrote:
>> Require a minimum GHCB version of 2 when starting SEV-SNP guests through
>> KVM_SEV_INIT2. When a VMM attempts to start an SEV-SNP guest with an
>> incompatible GHCB version (less than 2), reject the request early rather
>> than allowing the guest to start with an incorrect protocol version and
>> fail later.
>
> What happens with ghcb_version==1?   I.e. what failure occurs, and
> when?

SNP guest terminates with following error:

KVM: unknown exit reason 24
EAX=00000000 EBX=00000000 ECX=00000000 EDX=00a00f11
ESI=00000000 EDI=00000000 EBP=00000000 ESP=00000000
EIP=0000fff0 EFL=00000002 [-------] CPL=0 II=0 A20=1 SMM=0 HLT=0
ES =0000 00000000 0000ffff 00009300
CS =f000 ffff0000 0000ffff 00009b00
SS =0000 00000000 0000ffff 00009300
DS =0000 00000000 0000ffff 00009300
FS =0000 00000000 0000ffff 00009300
GS =0000 00000000 0000ffff 00009300
LDT=0000 00000000 0000ffff 00008200
TR =0000 00000000 0000ffff 00008b00
GDT=     00000000 0000ffff
IDT=     00000000 0000ffff
CR0=60000010 CR2=00000000 CR3=00000000 CR4=00000000
DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000
DR6=00000000ffff0ff0 DR7=0000000000000400
EFER=0000000000000000
Code=c5 5a 08 2d 00 00 00 00 00 00 00 00 00 00 00 00 56 54 46 00 <0f> 20
c0 a8 01 74 05 e9 2c ff ff ff e9 11 ff 90 00 00 00 00 00 00 00 00 00 00
00 00 00 00

Hypervisor logs the guest termination with GHCB_SNP_UNSUPPORTED error code:

kvm_amd: SEV-ES guest requested termination: 0x0:0x2

Regards
Nikunj

Re: [PATCH] KVM: SEV: Enforce minimum GHCB version requirement for SEV-SNP guests

[Nikunj A Dadhania]

kernel test robot <lkp@intel.com> writes:

> Hi Nikunj,
>
> kernel test robot noticed the following build errors:
>
> [auto build test ERROR on kvm/queue]
> [also build test ERROR on kvm/next linus/master v6.16-rc5 next-20250711]
> [cannot apply to kvm/linux-next]
> [If your patch is applied to the wrong git tree, kindly drop us a note.
> And when submitting patch, we suggest to use '--base' as documented in
> https://git-scm.com/docs/git-format-patch#_base_tree_information]
>
> url:    https://github.com/intel-lab-lkp/linux/commits/Nikunj-A-Dadhania/KVM-SEV-Enforce-minimum-GHCB-version-requirement-for-SEV-SNP-guests/20250711-125527
> base:   https://git.kernel.org/pub/scm/virt/kvm/kvm.git queue
> patch link:    https://lore.kernel.org/r/20250711045408.95129-1-nikunj%40amd.com
> patch subject: [PATCH] KVM: SEV: Enforce minimum GHCB version requirement for SEV-SNP guests
> config: x86_64-rhel-9.4-rust (https://download.01.org/0day-ci/archive/20250712/202507120551.iDEiTBBN-lkp@intel.com/config)
> compiler: clang version 20.1.8 (https://github.com/llvm/llvm-project 87f0227cb60147a26a1eeb4fb06e3b505e9c7261)
> rustc: rustc 1.88.0 (6b00bc388 2025-06-23)
> reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250712/202507120551.iDEiTBBN-lkp@intel.com/reproduce)
>
> If you fix the issue in a separate patch/commit (i.e. not just a new version of
> the same patch/commit), kindly add following tags
> | Reported-by: kernel test robot <lkp@intel.com>
> | Closes: https://lore.kernel.org/oe-kbuild-all/202507120551.iDEiTBBN-lkp@intel.com/
>
> All errors (new ones prefixed by >>):
>
>>> arch/x86/kvm/svm/sev.c:426:6: error: use of undeclared identifier 'snp_active'
>      426 |         if (snp_active && data->ghcb_version && data->ghcb_version < 2)
>          |             ^
>    1 error generated.

This was on top of SecureTSC hos patches that is having the change, will
sent v2 without this dependency.

Regards
Nikunj

Re: [PATCH] KVM: SEV: Enforce minimum GHCB version requirement for SEV-SNP guests

[Sean Christopherson]

On Sun, Jul 13, 2025, Nikunj A Dadhania wrote:
> Sean Christopherson <seanjc@google.com> writes:
> 
> > On Fri, Jul 11, 2025, Nikunj A Dadhania wrote:
> >> Require a minimum GHCB version of 2 when starting SEV-SNP guests through
> >> KVM_SEV_INIT2. When a VMM attempts to start an SEV-SNP guest with an
> >> incompatible GHCB version (less than 2), reject the request early rather
> >> than allowing the guest to start with an incorrect protocol version and
> >> fail later.
> >
> > What happens with ghcb_version==1?   I.e. what failure occurs, and
> > when?
> 
> SNP guest terminates with following error:

So this probably isn't stable@ worth then?  Because I don't see any risk to the
kernel, this is ultimately only a problem if the VMM is broken, and the "fix"
doesn't provide any meaningful change in functionality (the VM is dead no matter
what).

Re: [PATCH] KVM: SEV: Enforce minimum GHCB version requirement for SEV-SNP guests

[Nikunj A Dadhania]

Sean Christopherson <seanjc@google.com> writes:

> On Sun, Jul 13, 2025, Nikunj A Dadhania wrote:
>> Sean Christopherson <seanjc@google.com> writes:
>> 
>> > On Fri, Jul 11, 2025, Nikunj A Dadhania wrote:
>> >> Require a minimum GHCB version of 2 when starting SEV-SNP guests through
>> >> KVM_SEV_INIT2. When a VMM attempts to start an SEV-SNP guest with an
>> >> incompatible GHCB version (less than 2), reject the request early rather
>> >> than allowing the guest to start with an incorrect protocol version and
>> >> fail later.
>> >
>> > What happens with ghcb_version==1?   I.e. what failure occurs, and
>> > when?
>> 
>> SNP guest terminates with following error:
>
> So this probably isn't stable@ worth then?  Because I don't see any risk to the
> kernel, this is ultimately only a problem if the VMM is broken, and the "fix"
> doesn't provide any meaningful change in functionality (the VM is dead no matter
> what).

Agree, VM start will fail no matter what, just that it will be early.
I will send a v2 with updated change log and dropping the stable@ tag.

Regards,
Nikunj