<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/arch/x86/boot/compressed/sev.c, branch master</title>
<subtitle>Hosts the 0x221E linux distro kernel.</subtitle>
<id>https://universe.0xinfinity.dev/distro/kernel/atom?h=master</id>
<link rel='self' href='https://universe.0xinfinity.dev/distro/kernel/atom?h=master'/>
<link rel='alternate' type='text/html' href='https://universe.0xinfinity.dev/distro/kernel/'/>
<updated>2026-03-02T10:08:59Z</updated>
<entry>
<title>x86/sev: Allow IBPB-on-Entry feature for SNP guests</title>
<updated>2026-03-02T10:08:59Z</updated>
<author>
<name>Kim Phillips</name>
<email>kim.phillips@amd.com</email>
</author>
<published>2026-02-03T22:24:03Z</published>
<link rel='alternate' type='text/html' href='https://universe.0xinfinity.dev/distro/kernel/commit/?id=9073428bb204d921ae15326bb7d4558d9d269aab'/>
<id>urn:sha1:9073428bb204d921ae15326bb7d4558d9d269aab</id>
<content type='text'>
The SEV-SNP IBPB-on-Entry feature does not require a guest-side
implementation. It was added in Zen5 h/w, after the first SNP Zen
implementation, and thus was not accounted for when the initial set of SNP
features were added to the kernel.

In its abundant precaution, commit

  8c29f0165405 ("x86/sev: Add SEV-SNP guest feature negotiation support")

included SEV_STATUS' IBPB-on-Entry bit as a reserved bit, thereby masking
guests from using the feature.

Allow guests to make use of IBPB-on-Entry when supported by the hypervisor, as
the bit is now architecturally defined and safe to expose.

Fixes: 8c29f0165405 ("x86/sev: Add SEV-SNP guest feature negotiation support")
Signed-off-by: Kim Phillips &lt;kim.phillips@amd.com&gt;
Signed-off-by: Borislav Petkov (AMD) &lt;bp@alien8.de&gt;
Reviewed-by: Nikunj A Dadhania &lt;nikunj@amd.com&gt;
Reviewed-by: Tom Lendacky &lt;thomas.lendacky@amd.com&gt;
Cc: stable@kernel.org
Link: https://patch.msgid.link/20260203222405.4065706-2-kim.phillips@amd.com
</content>
</entry>
<entry>
<title>x86/boot/sev: Move SEV decompressor variables into the .data section</title>
<updated>2026-03-02T10:08:33Z</updated>
<author>
<name>Tom Lendacky</name>
<email>thomas.lendacky@amd.com</email>
</author>
<published>2026-02-04T15:01:00Z</published>
<link rel='alternate' type='text/html' href='https://universe.0xinfinity.dev/distro/kernel/commit/?id=4ca191cec17a997d0e3b2cd312f3a884288acc27'/>
<id>urn:sha1:4ca191cec17a997d0e3b2cd312f3a884288acc27</id>
<content type='text'>
As part of the work to remove the dependency on calling into the decompressor
code (startup_64()) for a UEFI boot, a call to rmpadjust() was removed from
sev_enable() in favor of checking the value of the snp_vmpl variable.

When booting through a non-UEFI path and calling startup_64(), the call to
sev_enable() is performed before the BSS section is zeroed. With the removal
of the rmpadjust() call and the corresponding check of the return code, the
snp_vmpl variable is checked.

Since the kernel is running at VMPL0, the snp_vmpl variable will not have been
set and should be the default value of 0.  However, since the call occurs
before the BSS is zeroed, the snp_vmpl variable may not actually be zero,
which will cause the guest boot to fail.

Since the decompressor relocates itself, the BSS would need to be cleared both
before and after the relocation, but this would, in effect, cause all of the
changes to BSS variables before relocation to be lost after relocation.

Instead, move the snp_vmpl variable into the .data section so that it is
initialized and the value made safe during relocation. As a pre-caution
against future changes, move other SEV-related decompressor variables into the
.data section, too.

Fixes: 68a501d7fd82 ("x86/boot: Drop redundant RMPADJUST in SEV SVSM presence check")
Signed-off-by: Tom Lendacky &lt;thomas.lendacky@amd.com&gt;
Signed-off-by: Borislav Petkov (AMD) &lt;bp@alien8.de&gt;
Reviewed-by: Ard Biesheuvel &lt;ardb@kernel.org&gt;
Reviewed-by: Changyuan Lyu &lt;changyuanl@google.com&gt;
Tested-by: Kevin Hui &lt;kevinhui@meta.com&gt;
Tested-by: Changyuan Lyu &lt;changyuanl@google.com&gt;
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/5648b7de5b0a5d0dfef3785f9582b718678c6448.1770217260.git.thomas.lendacky@amd.com
</content>
</entry>
<entry>
<title>x86/boot: Move boot_*msr helpers to asm/shared/msr.h</title>
<updated>2025-10-30T15:29:53Z</updated>
<author>
<name>John Allen</name>
<email>john.allen@amd.com</email>
</author>
<published>2025-09-24T20:08:51Z</published>
<link rel='alternate' type='text/html' href='https://universe.0xinfinity.dev/distro/kernel/commit/?id=9249bcdea0c6db4f450a9267aa6da5b4dd4153ca'/>
<id>urn:sha1:9249bcdea0c6db4f450a9267aa6da5b4dd4153ca</id>
<content type='text'>
The boot_{rdmsr,wrmsr}() helpers are *just* the barebones MSR access
functionality, without any tracing or exception handling glue as it is done in
kernel proper.

Move these helpers to asm/shared/msr.h and rename to raw_{rdmsr,wrmsr}() to
indicate what they are.

  [ bp: Correct the reason why those helpers exist. I should've caught that in
    the original patch that added them:
      176db622573f ("x86/boot: Introduce helpers for MSR reads/writes"
    but oh well...
    - fixup include path delimiters to &lt;&gt; ]

Signed-off-by: John Allen &lt;john.allen@amd.com&gt;
Signed-off-by: Borislav Petkov (AMD) &lt;bp@alien8.de&gt;
Reviewed-by: Tom Lendacky &lt;thomas.lendacky@amd.com&gt;
Link: https://patch.msgid.link/all/20250924200852.4452-2-john.allen@amd.com
</content>
</entry>
<entry>
<title>Merge branch 'x86/apic' into x86/sev, to resolve conflict</title>
<updated>2025-09-05T07:01:42Z</updated>
<author>
<name>Ingo Molnar</name>
<email>mingo@kernel.org</email>
</author>
<published>2025-09-05T07:01:42Z</published>
<link rel='alternate' type='text/html' href='https://universe.0xinfinity.dev/distro/kernel/commit/?id=0ca77f8d33e8136b8926775380506f78a8d04811'/>
<id>urn:sha1:0ca77f8d33e8136b8926775380506f78a8d04811</id>
<content type='text'>
 Conflicts:
	arch/x86/include/asm/sev-internal.h

Signed-off-by: Ingo Molnar &lt;mingo@kernel.org&gt;
</content>
</entry>
<entry>
<title>x86/boot: Move startup code out of __head section</title>
<updated>2025-09-03T16:06:04Z</updated>
<author>
<name>Ard Biesheuvel</name>
<email>ardb@kernel.org</email>
</author>
<published>2025-08-28T10:22:24Z</published>
<link rel='alternate' type='text/html' href='https://universe.0xinfinity.dev/distro/kernel/commit/?id=c5c30a37369313d1f8b84e96e6a4397b4e2b4eb8'/>
<id>urn:sha1:c5c30a37369313d1f8b84e96e6a4397b4e2b4eb8</id>
<content type='text'>
Move startup code out of the __head section, now that this no longer has
a special significance. Move everything into .text or .init.text as
appropriate, so that startup code is not kept around unnecessarily.

  [ bp: Fold in hunk to fix 32-bit CPU hotplug:
    Reported-by: kernel test robot &lt;oliver.sang@intel.com&gt;
    Closes: https://lore.kernel.org/oe-lkp/202509022207.56fd97f4-lkp@intel.com ]

Signed-off-by: Ard Biesheuvel &lt;ardb@kernel.org&gt;
Signed-off-by: Borislav Petkov (AMD) &lt;bp@alien8.de&gt;
Link: https://lore.kernel.org/20250828102202.1849035-45-ardb+git@google.com
</content>
</entry>
<entry>
<title>x86/sev: Provide PIC aliases for SEV related data objects</title>
<updated>2025-09-03T15:59:43Z</updated>
<author>
<name>Ard Biesheuvel</name>
<email>ardb@kernel.org</email>
</author>
<published>2025-08-28T10:22:15Z</published>
<link rel='alternate' type='text/html' href='https://universe.0xinfinity.dev/distro/kernel/commit/?id=9723dd0c705eb626bac2cd06b83a2c8514ed697a'/>
<id>urn:sha1:9723dd0c705eb626bac2cd06b83a2c8514ed697a</id>
<content type='text'>
Provide PIC aliases for data objects that are shared between the SEV startup
code and the SEV code that executes later. This is needed so that the confined
startup code is permitted to access them.

This requires some of these variables to be moved into a source file that is
not part of the startup code, as the PIC alias is already implied, and
exporting variables in the opposite direction is not supported.

Signed-off-by: Ard Biesheuvel &lt;ardb@kernel.org&gt;
Signed-off-by: Borislav Petkov (AMD) &lt;bp@alien8.de&gt;
Link: https://lore.kernel.org/20250828102202.1849035-36-ardb+git@google.com
</content>
</entry>
<entry>
<title>x86/boot: Drop redundant RMPADJUST in SEV SVSM presence check</title>
<updated>2025-09-03T15:59:09Z</updated>
<author>
<name>Ard Biesheuvel</name>
<email>ardb@kernel.org</email>
</author>
<published>2025-08-28T10:22:13Z</published>
<link rel='alternate' type='text/html' href='https://universe.0xinfinity.dev/distro/kernel/commit/?id=68a501d7fd82454525797971c6a0005ceeb93153'/>
<id>urn:sha1:68a501d7fd82454525797971c6a0005ceeb93153</id>
<content type='text'>
snp_vmpl will be assigned a non-zero value when executing at a VMPL other than
0, and this is inferred from a call to RMPADJUST, which only works when
running at VMPL0.

This means that testing snp_vmpl is sufficient, and there is no need to
perform the same check again.

Signed-off-by: Ard Biesheuvel &lt;ardb@kernel.org&gt;
Signed-off-by: Borislav Petkov (AMD) &lt;bp@alien8.de&gt;
Link: https://lore.kernel.org/20250828102202.1849035-34-ardb+git@google.com
</content>
</entry>
<entry>
<title>x86/sev: Use boot SVSM CA for all startup and init code</title>
<updated>2025-09-03T15:58:26Z</updated>
<author>
<name>Ard Biesheuvel</name>
<email>ardb@kernel.org</email>
</author>
<published>2025-08-28T10:22:12Z</published>
<link rel='alternate' type='text/html' href='https://universe.0xinfinity.dev/distro/kernel/commit/?id=c54604fb7f2522fec5b97e86103ec49e539e80fe'/>
<id>urn:sha1:c54604fb7f2522fec5b97e86103ec49e539e80fe</id>
<content type='text'>
To avoid having to reason about whether or not to use the per-CPU SVSM calling
area when running startup and init code on the boot CPU, reuse the boot SVSM
calling area as the per-CPU area for the BSP.

Thus, remove the need to make the per-CPU variables and associated state in
sev_cfg accessible to the startup code once confined.

  [ bp: Massage commit message. ]

Signed-off-by: Ard Biesheuvel &lt;ardb@kernel.org&gt;
Signed-off-by: Borislav Petkov (AMD) &lt;bp@alien8.de&gt;
Link: https://lore.kernel.org/20250828102202.1849035-33-ardb+git@google.com
</content>
</entry>
<entry>
<title>x86/sev: Pass SVSM calling area down to early page state change API</title>
<updated>2025-09-03T15:58:22Z</updated>
<author>
<name>Ard Biesheuvel</name>
<email>ardb@kernel.org</email>
</author>
<published>2025-08-28T10:22:11Z</published>
<link rel='alternate' type='text/html' href='https://universe.0xinfinity.dev/distro/kernel/commit/?id=00d25566761746ba53934ad3a89ea79923a38d01'/>
<id>urn:sha1:00d25566761746ba53934ad3a89ea79923a38d01</id>
<content type='text'>
The early page state change API is mostly only used very early, when only the
boot time SVSM calling area is in use. However, this API is also called by the
kexec finishing code, which runs very late, and potentially from a different
CPU (which uses a different calling area).

To avoid pulling the per-CPU SVSM calling area pointers and related SEV state
into the startup code, refactor the page state change API so the SVSM calling
area virtual and physical addresses can be provided by the caller.

No functional change intended.

Signed-off-by: Ard Biesheuvel &lt;ardb@kernel.org&gt;
Signed-off-by: Borislav Petkov (AMD) &lt;bp@alien8.de&gt;
Link: https://lore.kernel.org/20250828102202.1849035-32-ardb+git@google.com
</content>
</entry>
<entry>
<title>x86/sev: Share implementation of MSR-based page state change</title>
<updated>2025-09-03T15:58:19Z</updated>
<author>
<name>Ard Biesheuvel</name>
<email>ardb@kernel.org</email>
</author>
<published>2025-08-28T10:22:10Z</published>
<link rel='alternate' type='text/html' href='https://universe.0xinfinity.dev/distro/kernel/commit/?id=d5949ea50c5642ab7e3c4dd6020e23725c079b25'/>
<id>urn:sha1:d5949ea50c5642ab7e3c4dd6020e23725c079b25</id>
<content type='text'>
Both the decompressor and the SEV startup code implement the exact same
sequence for invoking the MSR based communication protocol to effectuate
a page state change.

Before tweaking the internal APIs used in both versions, merge them and
share them so those tweaks are only needed in a single place.

Signed-off-by: Ard Biesheuvel &lt;ardb@kernel.org&gt;
Signed-off-by: Borislav Petkov (AMD) &lt;bp@alien8.de&gt;
Link: https://lore.kernel.org/20250828102202.1849035-31-ardb+git@google.com
</content>
</entry>
</feed>
