x86/sev: Mark the TSC in a secure TSC guest as reliable

nikunjad · bp3tk0v · commit 0a2a98f691f2 · 2025-01-07T21:26:20.000+01:00
In SNP guest environment with Secure TSC enabled, unlike other clock sources (such as HPET, ACPI timer, APIC, etc), the RDTSC instruction is handled without causing a VM exit, resulting in minimal overhead and jitters. Even when the host CPU's TSC is tampered with, the Secure TSC enabled guest keeps on ticking forward. Hence, mark Secure TSC as the only reliable clock source, bypassing unstable calibration. [ bp: Massage. ] Signed-off-by: Nikunj A Dadhania <nikunj@amd.com> Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de> Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com> Tested-by: Peter Gonda <pgonda@google.com> Link: https://lore.kernel.org/r/20250106124633.1418972-10-nikunj@amd.com
diff --git a/arch/x86/mm/mem_encrypt_amd.c b/arch/x86/mm/mem_encrypt_amd.c
@@ -541,6 +541,9 @@ void __init sme_early_init(void)
 	 * kernel mapped.
 	 */
 	snp_update_svsm_ca();
+
+	if (sev_status & MSR_AMD64_SNP_SECURE_TSC)
+		setup_force_cpu_cap(X86_FEATURE_TSC_RELIABLE);
 }
 
 void __init mem_encrypt_free_decrypted_mem(void)

Original file line number	Diff line number	Diff line change
`@@ -541,6 +541,9 @@ void __init sme_early_init(void)`
`541`	`541`	`* kernel mapped.`
`542`	`542`	`*/`
`543`	`543`	`snp_update_svsm_ca();`
	`544`	`+`
	`545`	`+ if (sev_status & MSR_AMD64_SNP_SECURE_TSC)`
	`546`	`+ setup_force_cpu_cap(X86_FEATURE_TSC_RELIABLE);`
`544`	`547`	`}`
`545`	`548`
`546`	`549`	`void __init mem_encrypt_free_decrypted_mem(void)`