SEV-SNP will set PFERR_GUEST_ENC_MASK for NPT faults for encrypted/private memory. Generally such accesses will be preceded at some point by a GHCB request to the hypervisor to put the page in the expected private/shared state, so the KVM MMU wouldn't normally need to generate KVM_EXIT_MEMORY_FAULTs to handle the updates at access time. However, implicit conversions are also supported for SNP guests, and in those cases a KVM_EXIT_MEMORY_FAULT will be needed to put the page in the expected private/shared state. Check for this PFERR_GUEST_ENC_MASK bit when determining whether a #NPF should be handled with restrictedmem pages or not. Signed-off-by: Michael Roth <michael.roth@xxxxxxx> --- arch/x86/kvm/svm/sev.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index 885a3f1da910..0dd3d9debe48 100644 --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c @@ -4446,7 +4446,10 @@ int sev_fault_is_private(struct kvm *kvm, gpa_t gpa, u64 error_code, bool *priva * source is the only indicator of whether the fault should be treated * as private or not. */ - *private_fault = kvm_mem_is_private(kvm, gfn); + if (sev_snp_guest(kvm)) + *private_fault = (error_code & PFERR_GUEST_ENC_MASK) ? true : false; + else + *private_fault = kvm_mem_is_private(kvm, gfn); return 1; -- 2.25.1
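Review bot: the comment kept as context directly above the new if/else in sev_fault_is_private() still ends with "source is the only indicator of whether the fault should be treated as private or not", yet the sev_snp_guest() branch now decides from PFERR_GUEST_ENC_MASK in error_code and never consults kvm_mem_is_private(). Please extend that comment to say that for SNP guests the fault's encryption bit is authoritative, and that a mismatch with the page's current state is what leads to the KVM_EXIT_MEMORY_FAULT for implicit conversions described in the commit message. As a smaller style point, "(error_code & PFERR_GUEST_ENC_MASK) ? true : false" is a redundant ternary; "!!(error_code & PFERR_GUEST_ENC_MASK)" says the same thing when assigning to the bool.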