Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

x86/sev: Include XSS value in GHCB CPUID request

When a guest issues a CPUID instruction for Fn0000000D_x01, the hypervisor may
be intercepting the CPUID instruction and need to access the guest XSS value.
For SEV-ES, the XSS value is encrypted and needs to be included in the GHCB to
be visible to the hypervisor.

Signed-off-by: John Allen <john.allen@amd.com>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Link: https://patch.msgid.link/all/20250924200852.4452-3-john.allen@amd.com/

authored by John Allen and committed by Borislav Petkov (AMD)
92ad6505 9249bcde

+12
+11
arch/x86/coco/sev/vc-shared.c
··· 1 1 // SPDX-License-Identifier: GPL-2.0 2 2 3 + #ifndef __BOOT_COMPRESSED 4 + #define has_cpuflag(f) boot_cpu_has(f) 5 + #endif 6 + 3 7 static enum es_result vc_check_opcode_bytes(struct es_em_ctxt *ctxt, 4 8 unsigned long exit_code) 5 9 { ··· 549 545 else 550 546 /* xgetbv will cause #GP - use reset value for xcr0 */ 551 547 ghcb_set_xcr0(ghcb, 1); 548 + 549 + if (has_cpuflag(X86_FEATURE_SHSTK) && regs->ax == 0xd && regs->cx == 1) { 550 + struct msr m; 551 + 552 + raw_rdmsr(MSR_IA32_XSS, &m); 553 + ghcb_set_xss(ghcb, m.q); 554 + } 552 555 553 556 ret = sev_es_ghcb_hv_call(ghcb, ctxt, SVM_EXIT_CPUID, 0, 0); 554 557 if (ret != ES_OK)
+1
arch/x86/include/asm/svm.h
··· 701 701 DEFINE_GHCB_ACCESSORS(sw_exit_info_2) 702 702 DEFINE_GHCB_ACCESSORS(sw_scratch) 703 703 DEFINE_GHCB_ACCESSORS(xcr0) 704 + DEFINE_GHCB_ACCESSORS(xss) 704 705 705 706 #endif
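Review bot: The `has_cpuflag()` fallback added at the top of arch/x86/coco/sev/vc-shared.c has no comment saying why it exists, and nothing stops it from colliding with another definition. The `#ifndef __BOOT_COMPRESSED` guard implies the file is also built for the compressed boot environment, where `has_cpuflag()` is presumably already provided, but a reader of this file alone cannot tell. Please add a one-line comment stating that, and consider guarding with `#ifndef has_cpuflag` or moving the mapping to a shared header so a later include in the non-compressed build cannot redefine it.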
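Review bot: The XSS block added before `sev_es_ghcb_hv_call(ghcb, ctxt, SVM_EXIT_CPUID, 0, 0)` in arch/x86/coco/sev/vc-shared.c is gated on `has_cpuflag(X86_FEATURE_SHSTK)`, which the commit message never mentions; it only says the hypervisor may need XSS for Fn0000000D_x01. When the gate is false, `ghcb_set_xss()` is skipped and the hypervisor handles the same leaf without the guest's XSS, so the reason shadow stack is the deciding feature needs a comment here or a sentence in the changelog. The bare `regs->ax == 0xd && regs->cx == 1` would also read better with a short comment naming the leaf and sub-leaf, matching the style of the `/* xgetbv will cause #GP ... */` comment just above it.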