From: Ackerley Tng <ackerley...@google.com>

SEV-capable VMs may also use the KVM_X86_SW_PROTECTED_VM type, but they will still need architecture-specific handling to move encryption context. Hence, we let moving of encryption context be configurable and store that configuration in a flag.

Co-developed-by: Vishal Annapurve <vannapu...@google.com> Signed-off-by: Vishal Annapurve <vannapu...@google.com> Signed-off-by: Ackerley Tng <ackerley...@google.com> Signed-off-by: Ryan Afranji <afra...@google.com> --- arch/x86/include/asm/kvm_host.h | 1 + arch/x86/kvm/svm/sev.c | 2 ++ arch/x86/kvm/x86.c | 9 ++++++++- 3 files changed, 11 insertions(+), 1 deletion(-) diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h index 179618300270..db37ce814611 100644 --- a/arch/x86/include/asm/kvm_host.h +++ b/arch/x86/include/asm/kvm_host.h @@ -1576,6 +1576,7 @@ struct kvm_arch { #define SPLIT_DESC_CACHE_MIN_NR_OBJECTS (SPTE_ENT_PER_PAGE + 1) struct kvm_mmu_memory_cache split_desc_cache; + bool use_vm_enc_ctxt_op; gfn_t gfn_direct_bits; /* diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index 689521d9e26f..95083556d321 100644 --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c @@ -442,6 +442,8 @@ static int __sev_guest_init(struct kvm *kvm, struct kvm_sev_cmd *argp, if (ret) goto e_no_asid; + kvm->arch.use_vm_enc_ctxt_op = true; + init_args.probe = false; ret = sev_platform_init(&init_args); if (ret) diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index 637540309456..3a7e05c47aa8 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -6624,7 +6624,14 @@ static int kvm_vm_move_enc_context_from(struct kvm *kvm, unsigned int source_fd) if (r) goto out_mark_migration_done; - r = kvm_x86_call(vm_move_enc_context_from)(kvm, source_kvm); + /* + * Different types of VMs will allow userspace to define if moving + * encryption context should be required. + */ + if (kvm->arch.use_vm_enc_ctxt_op && + kvm_x86_ops.vm_move_enc_context_from) { + r = kvm_x86_call(vm_move_enc_context_from)(kvm, source_kvm); + } kvm_unlock_two_vms(kvm, source_kvm); out_mark_migration_done: -- 2.49.0.1101.gccaa498523-goog
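
Review bot: In the arch/x86/kvm/x86.c hunk, when the new condition in kvm_vm_move_enc_context_from() is false, `r` is still 0 from the preceding `if (r) goto out_mark_migration_done;` check, so the ioctl returns success to userspace without any encryption context having been moved. If skipping is intended for some VM types, say so explicitly in the comment and consider whether a distinct return value is warranted; otherwise set `r` to an error in the skipped case. Two further points on the same lines: the comment says userspace defines whether the move is required, but the only writer of `use_vm_enc_ctxt_op` in this patch is __sev_guest_init(), so the comment should describe what the code actually does; and only the destination `kvm` flag is tested, not `source_kvm`, so a mismatch between the two VMs is silently accepted. The braces around the single-statement body can also be dropped per kernel coding style.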
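
Review bot: In the arch/x86/kvm/svm/sev.c hunk, `kvm->arch.use_vm_enc_ctxt_op = true;` is placed before `ret = sev_platform_init(&init_args);`, which is followed by an `if (ret)` failure check, so a failed platform init can leave the flag set on a VM that never completed SEV setup unless the error path (not shown in this hunk) clears it. Set the flag after the last step that can fail in __sev_guest_init(), or reset it to false on the error labels.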
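
Review bot: In the struct kvm_arch hunk of arch/x86/include/asm/kvm_host.h, the new `bool use_vm_enc_ctxt_op;` is added with no comment describing what it gates or when it is set. A short comment noting that it is set in __sev_guest_init() and consulted in kvm_vm_move_enc_context_from() would help, since the name alone does not say whether it refers to the source VM, the destination VM, or both.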