On Thu, Sep 25, 2025 at 03:47:29PM +0530, Naveen N Rao (AMD) wrote:
> This series adds support for enabling VMSA SEV features for SEV-ES and
> SEV-SNP guests. Since that is already supported for IGVM files, some of
> that code is moved to generic path and reused.
>
> Debug-swap is already supported in KVM today, while patches for enabling
> Secure TSC have been accepted for the upcoming kernel release.
Any other comments on this series?

So far, the only minor change I have on top of this series is the change
suggested by Markus:
diff --git a/qapi/qom.json b/qapi/qom.json
index 5b830a9ba000..a2b9ccdfe43e 100644
--- a/qapi/qom.json
+++ b/qapi/qom.json
@@ -1010,7 +1010,8 @@
# designated guest firmware page for measured boot with -kernel
# (default: false) (since 6.2)
#
-# @debug-swap: enable virtualization of debug registers
+# @debug-swap: enable virtualization of debug registers. This is only
+# supported on SEV-ES/SEV-SNP guests
# (default: false) (since 10.2)
#
# Since: 9.1
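Review bot: in the @debug-swap description, the new sentence "This is only supported on SEV-ES/SEV-SNP guests" has no closing period, so the existing "(default: false) (since 10.2)" now reads as part of the restriction rather than as the property's default. End the sentence before the parenthetical. It would also help to state what happens when debug-swap is set on a plain SEV guest (rejected with an error or ignored), since "only supported" leaves that open for anyone scripting against the QOM schema.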
Otherwise, this series still applies cleanly to current master.
>
> Roy,
> I haven't been able to test IGVM, so would be great if that is tested to
> confirm there are no unintended changes there.
I took a stab at this with the buildigvm tool from Roy. I am able to
boot a Linux guest with an IGVM file generated from that using qemu
built with this series applied. In addition, with the below change to
buildigvm, I am able to see Secure TSC being enabled in the guest:
diff --git a/src/vmsa.rs b/src/vmsa.rs
index 3d67a953055e..ac150264c244 100644
--- a/src/vmsa.rs
+++ b/src/vmsa.rs
@@ -70,6 +70,7 @@ fn construct_vmsa(reset_addr: u32, platform: Platform) ->
Result<Box<SevVmsa>, B
if let Platform::SevSnp = platform {
vmsa.sev_features.set_snp(true);
+ vmsa.sev_features.set_secure_tsc(true);
}
Ok(vmsa_box)
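Review bot: the added vmsa.sev_features.set_secure_tsc(true) in the Platform::SevSnp branch of construct_vmsa() turns Secure TSC on for every SEV-SNP image the tool builds, with no way to opt out. Since host support for Secure TSC is only arriving in the upcoming kernel release, an image built this way depends on a feature that existing hosts may not offer. If this is meant to go beyond a local test change, gate it behind a build option that defaults to off, and add a comment noting the host requirement next to the set_snp(true) line.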
I couldn't get it to work with > 1 vCPUs though (I'm possibly missing
OVMF changes or such).
- Naveen