Even though KVM_SEV_GET_ATTESTATION_REPORT is not one of the commands that were added for SEV-SNP guests, it can be applied to them. Filtering it out, for example, makes the QEMU command query-sev-attestation-report fail. Cc: Michael Roth <michael.roth@xxxxxxx> Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx> --- arch/x86/kvm/svm/sev.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index 5c125e4c1096..17307257d632 100644 --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c @@ -2587,7 +2587,9 @@ int sev_mem_enc_ioctl(struct kvm *kvm, void __user *argp) * Once KVM_SEV_INIT2 initializes a KVM instance as an SNP guest, only * allow the use of SNP-specific commands. */ - if (sev_snp_guest(kvm) && sev_cmd.id < KVM_SEV_SNP_LAUNCH_START) { + if (sev_snp_guest(kvm) && + sev_cmd.id < KVM_SEV_SNP_LAUNCH_START && + sev_cmd.id != KVM_SEV_GET_ATTESTATION_REPORT) { r = -EPERM; goto out; } -- 2.45.2
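Review bot: The comment above the modified condition in sev_mem_enc_ioctl() still reads "only allow the use of SNP-specific commands", which is no longer accurate once KVM_SEV_GET_ATTESTATION_REPORT is let through for SNP guests. Please update the comment to name the exception and say briefly why this one non-SNP command is permitted, so the next reader does not take the extra `sev_cmd.id != KVM_SEV_GET_ATTESTATION_REPORT` clause for a mistake. If further pre-SNP commands are expected to be allowed later, a small helper or a switch listing the permitted ids would keep this permission check easier to audit than a growing chain of `!=` tests. The commit message also carries no Fixes: tag for the change that introduced the filtering; adding one would help backporting.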