Gentwo Git Trees - linux/.git/commit

author	Ashish Kalra <ashish.kalra@amd.com>
	Wed, 20 Aug 2025 20:50:25 +0000 (20:50 +0000)
committer	Sean Christopherson <seanjc@google.com>
	Mon, 15 Sep 2025 17:14:11 +0000 (10:14 -0700)
commit	6c7c620585c6537dd5dcc75f972b875caf00f773
tree	01aa01695a0b03f79b260c4f1c5cac7b007f479a	tree \| snapshot
parent	d7fc7d9833f6b60805f67e3f913b7a646ce2a47e	commit \| diff

KVM: SEV: Add SEV-SNP CipherTextHiding support

Ciphertext hiding prevents host accesses from reading the ciphertext of
SNP guest private memory. Instead of reading ciphertext, the host reads
will see constant default values (0xff).

The SEV ASID space is split into SEV and SEV-ES/SEV-SNP ASID ranges.
Enabling ciphertext hiding further splits the SEV-ES/SEV-SNP ASID space
into separate ASID ranges for SEV-ES and SEV-SNP guests.

Add a new off-by-default kvm-amd module parameter to enable ciphertext
hiding and allow the admin to configure the SEV-ES and SEV-SNP ASID
ranges. Simply cap the maximum SEV-SNP ASID as appropriate, i.e. don't
reject loading KVM or disable ciphertest hiding for a too-big value, as
KVM's general approach for module params is to sanitize inputs based on
hardware/kernel support, not burn the world down. This also allows the
admin to use -1u to assign all SEV-ES/SNP ASIDs to SNP without needing
dedicated handling in KVM.

Suggested-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Ashish Kalra <ashish.kalra@amd.com>
Co-developed-by: Sean Christopherson <seanjc@google.com>
Link: https://lore.kernel.org/r/95abc49edfde36d4fb791570ea2a4be6ad95fd0d.1755721927.git.ashish.kalra@amd.com
Signed-off-by: Sean Christopherson <seanjc@google.com>

Documentation/admin-guide/kernel-parameters.txt		diff \| blob \| blame \| history
arch/x86/kvm/svm/sev.c		diff \| blob \| blame \| history