Re: [kvm-unit-tests PATCH v2 11/17] x86 AMD SEV: Initial support

[Tom Lendacky <thomas.lendacky@xxxxxxx>]

On 8/26/21 10:12 PM, Zixuan Wang wrote:
> AMD Secure Encrypted Virtualization (SEV) is a hardware accelerated
> memory encryption feature that protects guest VMs from host attacks.
>
> This commit provides set up code and a test case for AMD SEV. The set up
> code checks if SEV is supported and enabled, and then sets SEV c-bit for
> each page table entry.
>
> Co-developed-by: Hyunwook (Wooky) Baek <baekhw@xxxxxxxxxx>
> Signed-off-by: Hyunwook (Wooky) Baek <baekhw@xxxxxxxxxx>
> Signed-off-by: Zixuan Wang <zixuanwang@xxxxxxxxxx>
> ---
>   lib/x86/amd_sev.c   | 77 +++++++++++++++++++++++++++++++++++++++++++++
>   lib/x86/amd_sev.h   | 45 ++++++++++++++++++++++++++
>   lib/x86/asm/setup.h |  1 +
>   lib/x86/setup.c     | 15 +++++++++
>   x86/Makefile.common |  1 +
>   x86/Makefile.x86_64 |  3 ++
>   x86/amd_sev.c       | 64 +++++++++++++++++++++++++++++++++++++
>   7 files changed, 206 insertions(+)
>   create mode 100644 lib/x86/amd_sev.c
>   create mode 100644 lib/x86/amd_sev.h
>   create mode 100644 x86/amd_sev.c
>
> diff --git a/lib/x86/amd_sev.c b/lib/x86/amd_sev.c
> new file mode 100644
> index 0000000..5498ed6
> --- /dev/null
> +++ b/lib/x86/amd_sev.c
> @@ -0,0 +1,77 @@
> +/*
> + * AMD SEV support in KVM-Unit-Tests
> + *
> + * Copyright (c) 2021, Google Inc
> + *
> + * Authors:
> + *   Zixuan Wang <zixuanwang@xxxxxxxxxx>
> + *
> + * SPDX-License-Identifier: LGPL-2.0-or-later
> + */
> +
> +#include "amd_sev.h"
> +#include "x86/processor.h"
> +
> +static unsigned long long amd_sev_c_bit_pos;

This can be a unsigned short since this is just the bit position, not the 
mask.

> +
> +bool amd_sev_enabled(void)
> +{
> +	struct cpuid cpuid_out;
> +	static bool sev_enabled;
> +	static bool initialized = false;
> +
> +	/* Check CPUID and MSR for SEV status and store it for future function calls. */
> +	if (!initialized) {
> +		sev_enabled = false;
> +		initialized = true;
> +
> +		/* Test if we can query SEV features */
> +		cpuid_out = cpuid(CPUID_FN_LARGEST_EXT_FUNC_NUM);
> +		if (cpuid_out.a < CPUID_FN_ENCRYPT_MEM_CAPAB) {
> +			return sev_enabled;
> +		}
> +
> +		/* Test if SEV is supported */
> +		cpuid_out = cpuid(CPUID_FN_ENCRYPT_MEM_CAPAB);
> +		if (!(cpuid_out.a & SEV_SUPPORT_MASK)) {
> +			return sev_enabled;
> +		}
> +
> +		/* Test if SEV is enabled */
> +		if (!(rdmsr(MSR_SEV_STATUS) & SEV_ENABLED_MASK)) {
> +			return sev_enabled;
> +		}
> +
> +		sev_enabled = true;

Maybe just make this a bit easier to read by doing:

		if (rdmsr(MSR_SEV_STATUS & SEV_ENABLED_MASK)
			sev_enabled = true;

No need to return early since you are at the end of the if statement. Just 
my opinion, though, not a big deal.

Thanks,
Tom