The SNP_VERIFY_MITIGATION command can be used to query the status of currently supported vulnerability mitigations and to initiate mitigations within the firmware.

The command supports two subcommands - STATUS and VERIFY. The STATUS subcommand is used to query the supported and verified mitigation bits. The VERIFY subcommand initiates the mitigation process within the FW for the specified vulnerability.

Information about supported mitigations is planned to be published as part of AMD Security Bulletins/Notices.

The patch is based on kvm/next and on "crypto/ccp: Fix locking on alloc failure handling"[1]. The latter is required as we invoke this command within sev_ioctl(), which already holds the mutex and does not need to do so again if it has to reclaim snp pages.

Comments and feedback appreciated!

[1]: https://lore.kernel.org/all/20250617094354.1357771-1-aik@xxxxxxx/

Pratik R. Sampat (1):
  crypto: ccp - Add the SNP_VERIFY_MITIGATION command

 Documentation/virt/coco/sev-guest.rst | 13 +++++++
 drivers/crypto/ccp/sev-dev.c          | 55 +++++++++++++++++++++++++++
 include/linux/psp-sev.h               | 30 +++++++++++++++
 include/uapi/linux/psp-sev.h          | 34 +++++++++++++++++
 4 files changed, 132 insertions(+)

base-commit: cf931c83bfc9a33f0b0a91f6fb63a685ffeeb011
--
2.49.0