Re: [RFC PATCH 7/7] target/i386: SEV: Add support for enabling Secure AVIC SEV feature

On 9/11/25 06:54, Naveen N Rao (AMD) wrote:
> Add support for enabling Secure AVIC VMSA SEV feature in SEV-SNP guests
> through a new "secure-avic" boolean property on SEV-SNP guest objects.
> 
> Sample command-line:
>   -machine q35,confidential-guest-support=sev0 \
>   -object sev-snp-guest,id=sev0,cbitpos=51,reduced-phys-bits=1,secure-avic=on

Since the hypervisor support for Secure AVIC is not accepted in KVM, yet,
this should not be included yet until we know what the full VMM
requirements might be.

Thanks,
Tom

> 
> Reviewed-by: Nikunj A Dadhania <nikunj@xxxxxxx>
> Signed-off-by: Naveen N Rao (AMD) <naveen@xxxxxxxxxx>
> ---
>  target/i386/sev.h |  1 +
>  target/i386/sev.c | 13 +++++++++++++
>  qapi/qom.json     |  5 ++++-
>  3 files changed, 18 insertions(+), 1 deletion(-)
> 
> diff --git a/target/i386/sev.h b/target/i386/sev.h
> index 87e73034ad15..a374c144bccd 100644
> --- a/target/i386/sev.h
> +++ b/target/i386/sev.h
> @@ -47,6 +47,7 @@ bool sev_snp_enabled(void);
>  #define SVM_SEV_FEAT_SNP_ACTIVE     BIT(0)
>  #define SVM_SEV_FEAT_DEBUG_SWAP     BIT(5)
>  #define SVM_SEV_FEAT_SECURE_TSC     BIT(9)
> +#define SVM_SEV_FEAT_SECURE_AVIC    BIT(16)
>  
>  typedef struct SevKernelLoaderContext {
>      char *setup_data;
> diff --git a/target/i386/sev.c b/target/i386/sev.c
> index facf51c810d9..f9170e21ca57 100644
> --- a/target/i386/sev.c
> +++ b/target/i386/sev.c
> @@ -3147,6 +3147,16 @@ static void sev_snp_guest_set_secure_tsc(Object *obj, bool value, Error **errp)
>      sev_set_feature(SEV_COMMON(obj), SVM_SEV_FEAT_SECURE_TSC, value);
>  }
>  
> +static bool sev_snp_guest_get_secure_avic(Object *obj, Error **errp)
> +{
> +    return is_sev_feature_set(SEV_COMMON(obj), SVM_SEV_FEAT_SECURE_AVIC);
> +}
> +
> +static void sev_snp_guest_set_secure_avic(Object *obj, bool value, Error **errp)
> +{
> +    sev_set_feature(SEV_COMMON(obj), SVM_SEV_FEAT_SECURE_AVIC, value);
> +}
> +
>  static void
>  sev_snp_guest_get_tsc_frequency(Object *obj, Visitor *v, const char *name,
>                                  void *opaque, Error **errp)
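Review bot: sev_snp_guest_set_secure_avic() never uses errp and sets SVM_SEV_FEAT_SECURE_AVIC unconditionally, so nothing in this hunk rejects secure-avic=on when the host cannot provide the feature. If the requested feature bits are validated elsewhere before launch, note that in the commit message or a comment; otherwise add a check that reports a clear error through errp.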
> @@ -3210,6 +3220,9 @@ sev_snp_guest_class_init(ObjectClass *oc, const void *data)
>      object_class_property_add(oc, "tsc-frequency", "uint32",
>                                sev_snp_guest_get_tsc_frequency,
>                                sev_snp_guest_set_tsc_frequency, NULL, NULL);
> +    object_class_property_add_bool(oc, "secure-avic",
> +                                  sev_snp_guest_get_secure_avic,
> +                                  sev_snp_guest_set_secure_avic);
>  }
>  
>  static void
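Review bot: the "secure-avic" property is registered in sev_snp_guest_class_init() without a description. Consider following the object_class_property_add_bool() call with object_class_property_set_description() so the property's purpose shows up in the object's property help.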
> diff --git a/qapi/qom.json b/qapi/qom.json
> index 5b99148cb790..5dce560a2f54 100644
> --- a/qapi/qom.json
> +++ b/qapi/qom.json
> @@ -1105,6 +1105,8 @@
>  # @tsc-frequency: set secure TSC frequency. Only valid if Secure TSC
>  #     is enabled (default: zero) (since 10.2)
>  #
> +# @secure-avic: enable Secure AVIC (default: false) (since 10.2)
> +#
>  # Since: 9.1
>  ##
>  { 'struct': 'SevSnpGuestProperties',
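Review bot: the @secure-avic doc line says only "enable Secure AVIC", while the @tsc-frequency entry just above it states when that option is valid. Suggest documenting what secure-avic=on depends on (for example host kernel support) and what it changes for the guest, so the QAPI schema is self-explanatory.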
> @@ -1118,7 +1120,8 @@
>              '*host-data': 'str',
>              '*vcek-disabled': 'bool',
>              '*secure-tsc': 'bool',
> -            '*tsc-frequency': 'uint32' } }
> +            '*tsc-frequency': 'uint32',
> +            '*secure-avic': 'bool' } }
>  
>  ##
>  # @TdxGuestProperties:




