Hi Sean,

On 7/8/25 8:57 AM, Sean Christopherson wrote:
> On Mon, Jun 30, 2025, Pratik R. Sampat wrote:
>> The SEV-SNP firmware provides the SNP_VERIFY_MITIGATION command, which
>> can be used to query the status of currently supported vulnerability
>> mitigations and to initiate mitigations within the firmware.
>>
>> See SEV-SNP Firmware ABI specifications 1.58, SNP_VERIFY_MITIGATION for
>> more details.
>
> Nothing here explains why this needs to be exposed directly to userspace.

The general idea is that not all mitigations may/can be applied
immediately, for example, some mitigations may require all the guests to be
shut down before they can be applied. So a host userspace interface to
query+apply mitigations can be useful for that coordination before
attempting to apply the mitigation.

I also realized that I could use SNP_FEATURE_INFO's cached results from
Ashish's CipherTextHiding series[1] to save us a firmware call if the
verify mitigation in the ECX vector is unsupported.

[1]: https://lore.kernel.org/kvm/cover.1751397223.git.ashish.kalra@xxxxxxx/

Thanks,
Pratik