SEV features in the VMSA are only meaningful for SEV-ES and SEV-SNP
guests, as they control aspects of the encrypted guest state that are
not relevant for basic SEV guests.
Add a check in check_sev_features() to ensure that SEV-ES or SEV-SNP is
enabled when any SEV features are specified.
Reviewed-by: Nikunj A Dadhania <nikunj@xxxxxxx>
Signed-off-by: Naveen N Rao (AMD) <naveen@xxxxxxxxxx>
---
target/i386/sev.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/target/i386/sev.c b/target/i386/sev.c
index 243e9493ba8d..fa23b5c38e9b 100644
--- a/target/i386/sev.c
+++ b/target/i386/sev.c
@@ -509,6 +509,12 @@ static int check_sev_features(SevCommonState *sev_common, uint64_t sev_features,
__func__);
return -1;
}
+ if (sev_features && !sev_es_enabled()) {
+ error_setg(errp,
+ "%s: SEV features require either SEV-ES or SEV-SNP to be enabled",
+ __func__);
+ return -1;
+ }
if (sev_features & ~sev_common->supported_sev_features) {
error_setg(errp,
"%s: VMSA contains unsupported sev_features: %lX, "
--
2.50.1
