* Wed Aug 09 2023 Jon Maloy <jmaloy@redhat.com> - 6.2.0-38

- kvm-qapi-i386-sev-Change-the-reduced-phys-bits-value-fro.patch [bz#2214840]
- kvm-qemu-options.hx-Update-the-reduced-phys-bits-documen.patch [bz#2214840]
- kvm-i386-sev-Update-checks-and-information-related-to-re.patch [bz#2214840]
- kvm-i386-cpu-Update-how-the-EBX-register-of-CPUID-0x8000.patch [bz#2214840]
- kvm-target-i386-kvm-Fix-disabling-MPX-on-cpu-host-with-M.patch [bz#2223947]
- Resolves: bz#2214840
  ([AMDSERVER 8.9 Bug] Qemu SEV reduced-phys-bits fixes)
- Resolves: bz#2223947
  ([RHEL8.9] qemu core dump with '-cpu host,mpx=off' on Cascadelake host)

kvm-i386-cpu-Update-how-the-EBX-register-of-CPUID-0x8000.patch

@@ -0,0 +1,53 @@
+From 18ac13c7d64266238bd44b2188e0d044af3c3377 Mon Sep 17 00:00:00 2001
+From: Bandan Das <bsd@redhat.com>
+Date: Thu, 3 Aug 2023 15:14:14 -0400
+Subject: [PATCH 4/5] i386/cpu: Update how the EBX register of CPUID 0x8000001F
+ is set
+
+RH-Author: Bandan Das <None>
+RH-MergeRequest: 296: Updates to SEV reduced-phys-bits parameter
+RH-Bugzilla: 2214840
+RH-Acked-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
+RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+RH-Commit: [4/4] 8b236fd9bc4c177bfacf6220a429e711b5bf062e
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2214840
+
+commit fb6bbafc0f19385fb257ee073ed13dcaf613f2f8
+Author: Tom Lendacky <thomas.lendacky@amd.com>
+Date:   Fri Sep 30 10:14:30 2022 -0500
+
+    i386/cpu: Update how the EBX register of CPUID 0x8000001F is set
+
+    Update the setting of CPUID 0x8000001F EBX to clearly document the ranges
+    associated with fields being set.
+
+    Fixes: 6cb8f2a663 ("cpu/i386: populate CPUID 0x8000_001F when SEV is active")
+    Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
+    Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+    Message-Id: <5822fd7d02b575121380e1f493a8f6d9eba2b11a.1664550870.git.thomas.lendacky@amd.com>
+    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+Signed-off-by: Bandan Das <bsd@redhat.com>
+---
+ target/i386/cpu.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/target/i386/cpu.c b/target/i386/cpu.c
+index 9d3dcdcc0d..265f0aadfc 100644
+--- a/target/i386/cpu.c
++++ b/target/i386/cpu.c
+@@ -5836,8 +5836,8 @@ void cpu_x86_cpuid(CPUX86State *env, uint32_t index, uint32_t count,
+         if (sev_enabled()) {
+             *eax = 0x2;
+             *eax |= sev_es_enabled() ? 0x8 : 0;
+-            *ebx = sev_get_cbit_position();
+-            *ebx |= sev_get_reduced_phys_bits() << 6;
++            *ebx = sev_get_cbit_position() & 0x3f; /* EBX[5:0] */
++            *ebx |= (sev_get_reduced_phys_bits() & 0x3f) << 6; /* EBX[11:6] */
+         }
+         break;
+     default:
+-- 
+2.37.3
+

kvm-i386-sev-Update-checks-and-information-related-to-re.patch

@@ -0,0 +1,78 @@
+From 19504ea76b6341c11213316402bb5194487e1f01 Mon Sep 17 00:00:00 2001
+From: Bandan Das <bsd@redhat.com>
+Date: Thu, 3 Aug 2023 15:13:19 -0400
+Subject: [PATCH 3/5] i386/sev: Update checks and information related to
+ reduced-phys-bits
+
+RH-Author: Bandan Das <None>
+RH-MergeRequest: 296: Updates to SEV reduced-phys-bits parameter
+RH-Bugzilla: 2214840
+RH-Acked-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
+RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+RH-Commit: [3/4] b617173d2b15fa39cdc02b5c1ac4d52e9b0dfede
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2214840
+
+commit 8168fed9f84e3128f7628969ae78af49433d5ce7
+Author: Tom Lendacky <thomas.lendacky@amd.com>
+Date:   Fri Sep 30 10:14:29 2022 -0500
+
+    i386/sev: Update checks and information related to reduced-phys-bits
+
+    The value of the reduced-phys-bits parameter is propogated to the CPUID
+    information exposed to the guest. Update the current validation check to
+    account for the size of the CPUID field (6-bits), ensuring the value is
+    in the range of 1 to 63.
+
+    Maintain backward compatibility, to an extent, by allowing a value greater
+    than 1 (so that the previously documented value of 5 still works), but not
+    allowing anything over 63.
+
+    Fixes: d8575c6c02 ("sev/i386: add command to initialize the memory encryption context")
+    Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
+    Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+    Message-Id: <cca5341a95ac73f904e6300f10b04f9c62e4e8ff.1664550870.git.thomas.lendacky@amd.com>
+    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+Signed-off-by: Bandan Das <bsd@redhat.com>
+---
+ target/i386/sev.c | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/target/i386/sev.c b/target/i386/sev.c
+index 025ff7a6f8..ba6a65e90c 100644
+--- a/target/i386/sev.c
++++ b/target/i386/sev.c
+@@ -892,15 +892,26 @@ int sev_kvm_init(ConfidentialGuestSupport *cgs, Error **errp)
+     host_cpuid(0x8000001F, 0, NULL, &ebx, NULL, NULL);
+     host_cbitpos = ebx & 0x3f;
+ 
++    /*
++     * The cbitpos value will be placed in bit positions 5:0 of the EBX
++     * register of CPUID 0x8000001F. No need to verify the range as the
++     * comparison against the host value accomplishes that.
++     */
+     if (host_cbitpos != sev->cbitpos) {
+         error_setg(errp, "%s: cbitpos check failed, host '%d' requested '%d'",
+                    __func__, host_cbitpos, sev->cbitpos);
+         goto err;
+     }
+ 
+-    if (sev->reduced_phys_bits < 1) {
+-        error_setg(errp, "%s: reduced_phys_bits check failed, it should be >=1,"
+-                   " requested '%d'", __func__, sev->reduced_phys_bits);
++    /*
++     * The reduced-phys-bits value will be placed in bit positions 11:6 of
++     * the EBX register of CPUID 0x8000001F, so verify the supplied value
++     * is in the range of 1 to 63.
++     */
++    if (sev->reduced_phys_bits < 1 || sev->reduced_phys_bits > 63) {
++        error_setg(errp, "%s: reduced_phys_bits check failed,"
++                   " it should be in the range of 1 to 63, requested '%d'",
++                   __func__, sev->reduced_phys_bits);
+         goto err;
+     }
+ 
+-- 
+2.37.3
+

kvm-qapi-i386-sev-Change-the-reduced-phys-bits-value-fro.patch

@@ -0,0 +1,55 @@
+From 57ee29fbb08f7b89ee1b7c75b749392c08af3b03 Mon Sep 17 00:00:00 2001
+From: Bandan Das <bsd@redhat.com>
+Date: Thu, 3 Aug 2023 15:23:54 -0400
+Subject: [PATCH 1/5] qapi, i386/sev: Change the reduced-phys-bits value from 5
+ to 1
+
+RH-Author: Bandan Das <None>
+RH-MergeRequest: 296: Updates to SEV reduced-phys-bits parameter
+RH-Bugzilla: 2214840
+RH-Acked-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
+RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+RH-Commit: [1/4] 4137cb3b57cbb175078bc908fb2301ea2b97fd17
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2214840
+
+commit 798a818f50a9bfc01e8b5943090de458863b897b
+Author: Tom Lendacky <thomas.lendacky@amd.com>
+Date:   Fri Sep 30 10:14:27 2022 -0500
+
+    qapi, i386/sev: Change the reduced-phys-bits value from 5 to 1
+
+    A guest only ever experiences, at most, 1 bit of reduced physical
+    addressing. Change the query-sev-capabilities json comment to use 1.
+
+    Fixes: 31dd67f684 ("sev/i386: qmp: add query-sev-capabilities command")
+    Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
+    Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+    Message-Id: <cb96d8e09154533af4b4e6988469bc0b32390b65.1664550870.git.thomas.lendacky@amd.com>
+    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+RHEL Notes:
+     Conflicts: Context differences, since commit 811b4ec7f8eb<qapi, target/i386/sev: Add cpu0-id to query-sev-capabilities>
+     is missing
+
+Signed-off-by: Bandan Das <bsd@redhat.com>
+---
+ qapi/misc-target.json | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/qapi/misc-target.json b/qapi/misc-target.json
+index 4bc45d2474..ede9052440 100644
+--- a/qapi/misc-target.json
++++ b/qapi/misc-target.json
+@@ -205,7 +205,7 @@
+ #
+ # -> { "execute": "query-sev-capabilities" }
+ # <- { "return": { "pdh": "8CCDD8DDD", "cert-chain": "888CCCDDDEE",
+-#                  "cbitpos": 47, "reduced-phys-bits": 5}}
++#                  "cbitpos": 47, "reduced-phys-bits": 1}}
+ #
+ ##
+ { 'command': 'query-sev-capabilities', 'returns': 'SevCapability',
+-- 
+2.37.3
+

kvm-qemu-options.hx-Update-the-reduced-phys-bits-documen.patch

@@ -0,0 +1,61 @@
+From 095811c08557b0a2ad1a433d28699ead1e5ef664 Mon Sep 17 00:00:00 2001
+From: Bandan Das <bsd@redhat.com>
+Date: Thu, 3 Aug 2023 15:12:15 -0400
+Subject: [PATCH 2/5] qemu-options.hx: Update the reduced-phys-bits
+ documentation
+
+RH-Author: Bandan Das <None>
+RH-MergeRequest: 296: Updates to SEV reduced-phys-bits parameter
+RH-Bugzilla: 2214840
+RH-Acked-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
+RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+RH-Commit: [2/4] f8e8f5aeff449a34ce90c6e55e2a51873a6e6a87
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2214840
+
+commit 326e3015c4c6f3197157ea0bb00826ae740e2fad
+Author: Tom Lendacky <thomas.lendacky@amd.com>
+Date:   Fri Sep 30 10:14:28 2022 -0500
+
+    qemu-options.hx: Update the reduced-phys-bits documentation
+
+    A guest only ever experiences, at most, 1 bit of reduced physical
+    addressing. Update the documentation to reflect this as well as change
+    the example value on the reduced-phys-bits option.
+
+    Fixes: a9b4942f48 ("target/i386: add Secure Encrypted Virtualization (SEV) object")
+    Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
+    Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+    Message-Id: <13a62ced1808546c1d398e2025cf85f4c94ae123.1664550870.git.thomas.lendacky@amd.com>
+    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+Signed-off-by: Bandan Das <bsd@redhat.com>
+---
+ qemu-options.hx | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/qemu-options.hx b/qemu-options.hx
+index 4b7798088b..981248e283 100644
+--- a/qemu-options.hx
++++ b/qemu-options.hx
+@@ -5204,7 +5204,7 @@ SRST
+         physical address space. The ``reduced-phys-bits`` is used to
+         provide the number of bits we loose in physical address space.
+         Similar to C-bit, the value is Host family dependent. On EPYC,
+-        the value should be 5.
++        a guest will lose a maximum of 1 bit, so the value should be 1.
+ 
+         The ``sev-device`` provides the device file to use for
+         communicating with the SEV firmware running inside AMD Secure
+@@ -5239,7 +5239,7 @@ SRST
+ 
+              # |qemu_system_x86| \\
+                  ...... \\
+-                 -object sev-guest,id=sev0,cbitpos=47,reduced-phys-bits=5 \\
++                 -object sev-guest,id=sev0,cbitpos=47,reduced-phys-bits=1 \\
+                  -machine ...,memory-encryption=sev0 \\
+                  .....
+ 
+-- 
+2.37.3
+

kvm-target-i386-kvm-Fix-disabling-MPX-on-cpu-host-with-M.patch

@@ -0,0 +1,57 @@
+From 522ce31b4998b714b03e781f49403b71531ebe5a Mon Sep 17 00:00:00 2001
+From: "Maciej S. Szmigiero" <maciej.szmigiero@oracle.com>
+Date: Mon, 23 May 2022 18:26:58 +0200
+Subject: [PATCH 5/5] target/i386/kvm: Fix disabling MPX on "-cpu host" with
+ MPX-capable host
+
+RH-Author: Ani Sinha <None>
+RH-MergeRequest: 297: target/i386/kvm: Fix disabling MPX on "-cpu host" with MPX-capable host
+RH-Bugzilla: 2223947
+RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+RH-Acked-by: Jon Maloy <jmaloy@redhat.com>
+RH-Commit: [1/1] 90098294a873a53b366389606fd0402efcbd70ad
+
+Since KVM commit 5f76f6f5ff96 ("KVM: nVMX: Do not expose MPX VMX controls when guest MPX disabled")
+it is not possible to disable MPX on a "-cpu host" just by adding "-mpx"
+there if the host CPU does indeed support MPX.
+QEMU will fail to set MSR_IA32_VMX_TRUE_{EXIT,ENTRY}_CTLS MSRs in this case
+and so trigger an assertion failure.
+
+Instead, besides "-mpx" one has to explicitly add also
+"-vmx-exit-clear-bndcfgs" and "-vmx-entry-load-bndcfgs" to QEMU command
+line to make it work, which is a bit convoluted.
+
+Make the MPX-related bits in FEAT_VMX_{EXIT,ENTRY}_CTLS dependent on MPX
+being actually enabled so such workarounds are no longer necessary.
+
+Signed-off-by: Maciej S. Szmigiero <maciej.szmigiero@oracle.com>
+Message-Id: <51aa2125c76363204cc23c27165e778097c33f0b.1653323077.git.maciej.szmigiero@oracle.com>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 267b5e7e378afd260004cb37a66a6fcd641e3b53)
+---
+ target/i386/cpu.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/target/i386/cpu.c b/target/i386/cpu.c
+index 265f0aadfc..726814ee2e 100644
+--- a/target/i386/cpu.c
++++ b/target/i386/cpu.c
+@@ -1326,6 +1326,14 @@ static FeatureDep feature_dependencies[] = {
+         .from = { FEAT_7_0_EBX,             CPUID_7_0_EBX_INVPCID },
+         .to = { FEAT_VMX_SECONDARY_CTLS,    VMX_SECONDARY_EXEC_ENABLE_INVPCID },
+     },
++    {
++        .from = { FEAT_7_0_EBX,             CPUID_7_0_EBX_MPX },
++        .to = { FEAT_VMX_EXIT_CTLS,         VMX_VM_EXIT_CLEAR_BNDCFGS },
++    },
++    {
++        .from = { FEAT_7_0_EBX,             CPUID_7_0_EBX_MPX },
++        .to = { FEAT_VMX_ENTRY_CTLS,        VMX_VM_ENTRY_LOAD_BNDCFGS },
++    },
+     {
+         .from = { FEAT_7_0_EBX,             CPUID_7_0_EBX_RDSEED },
+         .to = { FEAT_VMX_SECONDARY_CTLS,    VMX_SECONDARY_EXEC_RDSEED_EXITING },
+-- 
+2.37.3
+

qemu-kvm.spec

@@ -83,7 +83,7 @@ Obsoletes: %1-rhev <= %{epoch}:%{version}-%{release}
 Summary: QEMU is a machine emulator and virtualizer
 Name: qemu-kvm
 Version: 6.2.0
-Release: 37%{?rcrel}%{?dist}
+Release: 38%{?rcrel}%{?dist}
 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 Epoch: 15
 License: GPLv2 and GPLv2+ and CC-BY
@@ -769,6 +769,16 @@ Patch303: kvm-util-iov-Remove-qemu_iovec_init_extended.patch
 Patch304: kvm-iotests-iov-padding-New-test.patch
 # For bz#2141964 - Guest hit EXT4-fs error on host 4K disk  when repeatedly hot-plug/unplug running IO disk
 Patch305: kvm-block-Fix-pad_request-s-request-restriction.patch
+# For bz#2214840 - [AMDSERVER 8.9 Bug] Qemu SEV reduced-phys-bits fixes
+Patch306: kvm-qapi-i386-sev-Change-the-reduced-phys-bits-value-fro.patch
+# For bz#2214840 - [AMDSERVER 8.9 Bug] Qemu SEV reduced-phys-bits fixes
+Patch307: kvm-qemu-options.hx-Update-the-reduced-phys-bits-documen.patch
+# For bz#2214840 - [AMDSERVER 8.9 Bug] Qemu SEV reduced-phys-bits fixes
+Patch308: kvm-i386-sev-Update-checks-and-information-related-to-re.patch
+# For bz#2214840 - [AMDSERVER 8.9 Bug] Qemu SEV reduced-phys-bits fixes
+Patch309: kvm-i386-cpu-Update-how-the-EBX-register-of-CPUID-0x8000.patch
+# For bz#2223947 - [RHEL8.9] qemu core dump with '-cpu host,mpx=off' on Cascadelake host
+Patch310: kvm-target-i386-kvm-Fix-disabling-MPX-on-cpu-host-with-M.patch
 
 BuildRequires: wget
 BuildRequires: rpm-build
@@ -1938,6 +1948,17 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || :
 
 
 %changelog
+* Wed Aug 09 2023 Jon Maloy <jmaloy@redhat.com> - 6.2.0-38
+- kvm-qapi-i386-sev-Change-the-reduced-phys-bits-value-fro.patch [bz#2214840]
+- kvm-qemu-options.hx-Update-the-reduced-phys-bits-documen.patch [bz#2214840]
+- kvm-i386-sev-Update-checks-and-information-related-to-re.patch [bz#2214840]
+- kvm-i386-cpu-Update-how-the-EBX-register-of-CPUID-0x8000.patch [bz#2214840]
+- kvm-target-i386-kvm-Fix-disabling-MPX-on-cpu-host-with-M.patch [bz#2223947]
+- Resolves: bz#2214840
+  ([AMDSERVER 8.9 Bug] Qemu SEV reduced-phys-bits fixes)
+- Resolves: bz#2223947
+  ([RHEL8.9] qemu core dump with '-cpu host,mpx=off' on Cascadelake host)
+
 * Tue Jul 25 2023 Miroslav Rezanina <mrezanin@redhat.com> - 6.2.0-37
 - kvm-util-iov-Make-qiov_slice-public.patch [bz#2141964]
 - kvm-block-Collapse-padded-I-O-vecs-exceeding-IOV_MAX.patch [bz#2141964]