Add a module parameter secure_tsc to allow control of the SEV-SNP Secure TSC feature at module load time, providing administrators with the ability to disable Secure TSC support even when the hardware and kernel support it. Default the parameter to enabled (true) to maintain existing behavior when the feature is supported. Set the parameter to false if the feature cannot be enabled to reflect the actual state.
Suggested-by: Tom Lendacky
Signed-off-by: Nikunj A Dadhania
---
 arch/x86/kvm/svm/sev.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
index 0835c664fbfd..1f359e31104f 100644
--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -56,6 +56,11 @@ module_param_named(sev_snp, sev_snp_enabled, bool, 0444);
 /* enable/disable SEV-ES DebugSwap support */
 static bool sev_es_debug_swap_enabled = true;
 module_param_named(debug_swap, sev_es_debug_swap_enabled, bool, 0444);
+
+/* enable/disable Secure TSC support */
+static bool sev_snp_secure_tsc_enabled = true;
+module_param_named(secure_tsc, sev_snp_secure_tsc_enabled, bool, 0444);
+
 static u64 sev_supported_vmsa_features;

 static unsigned int nr_ciphertext_hiding_asids;
@@ -3147,8 +3152,11 @@ void __init sev_hardware_setup(void)
 if (sev_es_debug_swap_enabled)
 sev_supported_vmsa_features |= SVM_SEV_FEAT_DEBUG_SWAP;

- if (sev_snp_enabled && tsc_khz && cpu_feature_enabled(X86_FEATURE_SNP_SECURE_TSC))
+ if (sev_snp_enabled && sev_snp_secure_tsc_enabled &&
+ tsc_khz && cpu_feature_enabled(X86_FEATURE_SNP_SECURE_TSC))
 sev_supported_vmsa_features |= SVM_SEV_FEAT_SECURE_TSC;
+ else
+ sev_snp_secure_tsc_enabled = false;
 }

 void sev_hardware_unsetup(void)

base-commit: 6b36119b94d0b2bb8cea9d512017efafd461d6ac
--
2.48.1
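Review bot: The comment above `sev_snp_secure_tsc_enabled` in the first hunk covers only the request side, but the second hunk also writes the variable during setup. The read-only (0444) `secure_tsc` value therefore reports whether Secure TSC is actually offered, not what was passed at load time. Someone auditing a host's SEV-SNP configuration needs to know which of the two they are reading, so I would spell it out: `/* enable/disable SEV-SNP Secure TSC support; cleared during setup if the feature cannot be offered */`.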
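Review bot: In the second hunk the Secure TSC decision is one four-way condition whose `else` branch rewrites the module parameter as a side effect, so the flag is both an input to the test and an output of it. I would resolve the flag first by clearing it when SNP is off, `tsc_khz` is zero or the CPU lacks `X86_FEATURE_SNP_SECURE_TSC`, and then set the feature bit from the flag alone. That matches how `sev_es_debug_swap_enabled` is tested just above (its resolution presumably happens earlier in `sev_hardware_setup()`, outside this hunk). It also makes the parameter the single gate a later check can rely on. The function body starts outside the hunk, so it is worth confirming that every path reaches this tail, or the parameter could still read as enabled after an early exit.

```c
	/* … unchanged: DebugSwap feature bit … */

	if (!sev_snp_enabled || !tsc_khz ||
	    !cpu_feature_enabled(X86_FEATURE_SNP_SECURE_TSC))
		sev_snp_secure_tsc_enabled = false;

	if (sev_snp_secure_tsc_enabled)
		sev_supported_vmsa_features |= SVM_SEV_FEAT_SECURE_TSC;
```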