On Thu, Aug 22, 2024, Kim Phillips wrote: > AMD EPYC 5th generation processors have introduced a feature that allows > the hypervisor to control the SEV_FEATURES that are set for, or by, a > guest [1]. ALLOWED_SEV_FEATURES can be used by the hypervisor to enforce > that SEV-ES and SEV-SNP guests cannot enable features that the > hypervisor does not want to be enabled. > > When ALLOWED_SEV_FEATURES is enabled, a VMRUN will fail if any > non-reserved bits are 1 in SEV_FEATURES but are 0 in > ALLOWED_SEV_FEATURES. This may need additional uAPI so that userspace can opt-in. Dunno. I hope guests aren't abusing features, but IIUC, flipping this on has the potential to break existing VMs, correct?
