Re: [PATCH v3] crypto/ccp: Introduce SNP_VERIFY_MITIGATION command

Next message: DaeMyung Kang: "[PATCH 1/3] ntfs: free volume-wide resources on fill_super failure"
Previous message: Mark Brown: "Re: [PATCH v4 1/3] gpio: dwapb: Add ACPI ID LECA0001 for LECARC SoCs"
In reply to: Pratik R. Sampat: "Re: [PATCH v3] crypto/ccp: Introduce SNP_VERIFY_MITIGATION command"
Next in thread: kernel test robot: "Re: [PATCH v3] crypto/ccp: Introduce SNP_VERIFY_MITIGATION command"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Tycho Andersen

Date: Wed May 20 2026 - 13:31:16 EST

On Tue, May 19, 2026 at 02:50:29PM -0500, Pratik R. Sampat wrote:
> The SEV-SNP firmware provides the SNP_VERIFY_MITIGATION command, which
> can be used to query the status of currently supported vulnerability
> mitigations and to initiate mitigations within the firmware.
>
> This command is an explicit mechanism to ascertain if a firmware
> mitigation is applied without needing a full RMP re-build, which is most
> useful in a live firmware update scenario.
>
> The firmware supports two subcommands: STATUS and VERIFY. The STATUS
> subcommand is used to query the supported and verified mitigation bits.
> The VERIFY subcommand initiates the mitigation process within the FW for
> the specified vulnerability. Expose a userspace interface under:
> /sys/firmware/sev/vulnerabilities/
> - supported_mitigations (read-only): supported mitigation vector mask
> - verified_mitigations (read/write): current verified mask; write a
> vector to request VERIFY for that bit
>
> The behavior of SNP_VERIFY_MITIGATION and the pre-requisites for using
> it are bug-specific. Information about supported mitigations and its
> corresponding vector is to be published as part of the AMD Security
> Bulletin.
>
> See SEV-SNP Firmware ABI specifications 1.58, SNP_VERIFY_MITIGATION for
> more details.
>
> Signed-off-by: Pratik R. Sampat <prsampat@xxxxxxx>

Reviewed-by: Tycho Andersen (AMD) <tycho@xxxxxxxxxx>