On 6/10/26 09:52, Tom Lendacky wrote:
> On 6/10/26 06:30, Naveen N Rao wrote:
>> [+Sean]
>>
>> Hi Mike,
>>
>> On Tue, Jun 09, 2026 at 07:35:46PM -0500, Michael Roth wrote:
>>> On Tue, Jun 02, 2026 at 12:42:13PM +0530, Naveen N Rao (AMD) wrote:
>>>> KVM commit 66155de93bcf ("KVM: x86: Disallow read-only memslots for
>>>> SEV-ES and SEV-SNP (and TDX)"), and the subsequent commit d30d9ee94cc0
>>>> ("KVM: x86: Only advertise KVM_CAP_READONLY_MEM when supported by VM")
>>>> stopped advertising KVM_CAP_READONLY_MEM support for encrypted guests
>>>> (KVM_X86_SEV_ES_VM and KVM_X86_SNP_VM), but not for KVM_X86_DEFAULT_VM
>>>> type SEV-ES guests. As a result of this, it is no longer possible to
>>>> start SEV-ES guests with any SEV feature enabled (in particular,
>>>> debug-swap) with pflash devices.
>>>>
>>>> This is an issue since SEV-ES guests have historically used pflash
>>>> devices for OVMF. Guests on older KVM+Qemu are able to enable debug-swap
>>>> while using pflash devices, so work around the KVM limitation by
>>>> switching to using a VMA-based write protection. This allows
>>>> well-behaved SEV-ES guests to continue to work with pflash devices and
>>>> enable debug-swap. Mis-behaving guests trying to write to the protected
>>>> OVMF area will be killed.
>>>
>>> Based on Sean's description, a write access to a read-only memslot would
>>> cause the vCPU to permanently spin on #NPFs if trying to write to it as
>>> MMIO due to #VC handler not triggering, and that's why we don't support
>>> read-only memslots. But since SEV-ES was previously working with pflash,
>>> it seems like it does not rely on this functionality...
>>
>> Right, normal well-behaved SEV-ES/SNP guests work just fine as they
>> don't write to any of the read-only areas.
>
> Yes they do. There is specific support to make a direct GHCB MMIO
> request because of the lack of the #VC exception (see
> OvmfPkg/QemuFlashFvbServicesRuntimeDxe/QemuFlashDxe.c).

Specifically the QemuFlashPtrWrite() function.

Thanks,
Tom

>
> Thanks,
> Tom
>