On Thu, 12 Feb 2026 at 11:58, Ani Sinha <[email protected]> wrote: > sev_launch_finish() and sev_snp_launch_finish() could be called multiple times > when the confidential guest is being reset/rebooted. The migration > blockers should not be added multiple times, once per invocation. This change > makes sure that the migration blockers are added only one time by adding the > migration blockers to the vm state change handler when the vm transitions to > the running state. Subsequent reboots do not change the state of the vm. > > Signed-off-by: Ani Sinha <[email protected]> > --- > target/i386/sev.c | 20 +++++--------------- > 1 file changed, 5 insertions(+), 15 deletions(-) > > diff --git a/target/i386/sev.c b/target/i386/sev.c > index 66e38ca32e..260d8ef88b 100644 > --- a/target/i386/sev.c > +++ b/target/i386/sev.c > @@ -1421,11 +1421,6 @@ sev_launch_finish(SevCommonState *sev_common) > } > > sev_set_guest_state(sev_common, SEV_STATE_RUNNING); > - > - /* add migration blocker */ > - error_setg(&sev_mig_blocker, > - "SEV: Migration is not implemented"); > - migrate_add_blocker(&sev_mig_blocker, &error_fatal); > } > > static int snp_launch_update_data(uint64_t gpa, void *hva, size_t len, > @@ -1608,7 +1603,6 @@ static void > sev_snp_launch_finish(SevCommonState *sev_common) > { > int ret, error; > - Error *local_err = NULL; > OvmfSevMetadata *metadata; > SevLaunchUpdateData *data; > SevSnpGuestState *sev_snp = SEV_SNP_GUEST(sev_common); > @@ -1655,15 +1649,6 @@ sev_snp_launch_finish(SevCommonState *sev_common) > > kvm_mark_guest_state_protected(); > sev_set_guest_state(sev_common, SEV_STATE_RUNNING); > - > - /* add migration blocker */ > - error_setg(&sev_mig_blocker, > - "SEV-SNP: Migration is not implemented"); > - ret = migrate_add_blocker(&sev_mig_blocker, &local_err); > - if (local_err) { > - error_report_err(local_err); > - exit(1); > - } > } > > > @@ -1676,6 +1661,11 @@ sev_vm_state_change(void *opaque, bool running, > RunState state) > if (running) { > if (!sev_check_state(sev_common, SEV_STATE_RUNNING)) { > klass->launch_finish(sev_common); > + > + /* add migration blocker */ > + error_setg(&sev_mig_blocker, > + "SEV: Migration is not implemented"); > + migrate_add_blocker(&sev_mig_blocker, &error_fatal); > } > } > } > --
* 'sev_mig_blocker' is a global static variable, so it's the same blocker (address) added each time, maybe add_blocker() should do a check to avoid duplicates. * Otherwise it looks okay. Reviewed-by: Prasad Pandit <[email protected]> Thank you. --- - Prasad
