The guest policy is set either through the command line or through IGVM. If neither of these applies, the default guest policy applies. However, if IGVM does not set the guest policy, currently the policy gets set to 0 regardless of whether it was previously set to the default value or from the command line. This change fixes this by checking if IGVM indeed has set a policy value. If not, do not reset the existing value.
This avoids guest crashes such as the following during reset when the IGVM has not explicitly set any guest policies: qemu-system-x86_64: sev_snp_launch_start: SNP_LAUNCH_START ret=-22 fw_error=0 '' qemu-system-x86_64: sev_common_kvm_init: failed to create encryption context qemu-system-x86_64: unable to rebuild guest: Operation not permitted(-1) Reported-by: Gerd Hoffmann <[email protected]> Signed-off-by: Ani Sinha <[email protected]> --- target/i386/sev.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/target/i386/sev.c b/target/i386/sev.c index 549e624176..cddffe0da8 100644 --- a/target/i386/sev.c +++ b/target/i386/sev.c @@ -2760,7 +2760,11 @@ static int cgs_set_guest_policy(ConfidentialGuestPolicyType policy_type, id_auth->author_key[0] ? 1 : 0; finish->id_block_en = 1; } - sev_snp_guest->kvm_start_conf.policy = policy; + + /* do not reset existing policy if policy was not set in IGVM */ + if (policy != 0) { + sev_snp_guest->kvm_start_conf.policy = policy; + } } else { SevGuestState *sev_guest = SEV_GUEST(MACHINE(qdev_get_machine())->cgs); /* Only the policy flags are supported for SEV and SEV-ES */ @@ -2769,7 +2773,11 @@ static int cgs_set_guest_policy(ConfidentialGuestPolicyType policy_type, "but SEV-SNP is not enabled", __func__); return -1; } - sev_guest->policy = policy; + + /* do not reset existing policy if policy was not set in IGVM */ + if (policy != 0) { + sev_guest->policy = policy; + } } return 0; } -- 2.42.0
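Review bot: in the SEV-SNP hunk (@@ -2760), the new `if (policy != 0)` guard tests the value passed in rather than whether IGVM actually supplied one, so the comment `/* do not reset existing policy if policy was not set in IGVM */` describes more than the code checks, and a caller that passes 0 on purpose is silently ignored with no log message. The cleaner fix is for the IGVM side to report "no policy present" explicitly (or simply not call cgs_set_guest_policy() in that case) instead of overloading the value; if 0 is kept as the sentinel, the comment should say so ("a zero policy is treated as unset") so the assumption is visible where it is relied on.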
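Review bot: in the SEV/SEV-ES hunk (@@ -2769), `if (policy != 0)` makes an explicitly provided policy with every flag clear (value 0) indistinguishable from "IGVM set nothing": the command-line or default value is kept and nothing is reported. Since the comment just above notes that only the policy flags are supported for SEV and SEV-ES, an all-clear flag word is a representable policy, and keeping a different one without telling the user is surprising. Either reject 0 through the same error path used a few lines above for the SEV-SNP-not-enabled case, or document in the commit message and comment that IGVM cannot select policy 0 on SEV/SEV-ES.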
