SEV features in the VMSA are only meaningful for SEV-ES and SEV-SNP guests, as they control aspects of the encrypted guest state that are not relevant for basic SEV guests.
Add a check in check_sev_features() to ensure that SEV-ES or SEV-SNP is enabled when any SEV features are specified. Reviewed-by: Nikunj A Dadhania <[email protected]> Reviewed-by: Tom Lendacky <[email protected]> Signed-off-by: Naveen N Rao (AMD) <[email protected]> --- target/i386/sev.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/target/i386/sev.c b/target/i386/sev.c index 89cde2c6464a..35df7be4f67c 100644 --- a/target/i386/sev.c +++ b/target/i386/sev.c @@ -518,6 +518,12 @@ static int check_sev_features(SevCommonState *sev_common, uint64_t sev_features, __func__); return -1; } + if (sev_features && !sev_es_enabled()) { + error_setg(errp, + "%s: SEV features require either SEV-ES or SEV-SNP to be enabled", + __func__); + return -1; + } if (sev_features & ~sev_common->supported_sev_features) { error_setg(errp, "%s: VMSA contains unsupported sev_features: %lX, " -- 2.51.0
