CVSROOT: /cvs
Module name: src
Changes by: bl...@cvs.openbsd.org 2025/05/19 02:36:36

Modified files:
    sys/arch/amd64/amd64: vmm_machdep.c
    sys/arch/amd64/include: specialreg.h vmmvar.h

Log message:
Configure AMD SEV-ES in vmm(4).

For SEV-ES we have to adjust the guest configuration:

- Do not intercept XSETBV. We can not force access to XCR0 as it is
  part of the encrypted state.
- We do not have direct access to EFER and CR[04], thus intercept EFER
  and CR[04] "post write". The provided exit handler will keep track of
  the guest state.
- Regarding MSRs:
  - Allow access to GHCB MSR, which will be used for guest-host
    communication.
  - Allow reading XSS state, which will be needed for CPUID Extended
    State Enumeration.
  - Allow full read/write for EFER. SVME bit cannot be modified with
    SEV-ES, it will always be 1.
- SEV-ES requires LBR virtualization, thus enable it.

When everything is set up, the initial state is copied to the VMSA,
which is not yet encrypted. This will have to be done by vmd(8) and
psp(4).

from hshoexer@; OK mlarkin@