Change SEV_STATUS check from not-supported to supported

Since the set of defined SEV features can change over time, it is not
possible for the code to stay current with the set of features that
should not be supported.  Instead, it is safer for the code to enumerate
the set of features that can be supported, with the assumption that any
unknown feature must be rejected.

BTB isolation and debug register isolation offer security and do not
have any impact to software functionality so they can safely be accepted
if present.  Other features may require explicit software support.

Signed-off-by: Jon Lange <jlange@microsoft.com>

src/sev/status.rs

@@ -155,19 +155,14 @@ pub fn sev_snp_enabled() -> bool {
 
 pub fn sev_status_verify() {
     let required = SEVStatusFlags::SEV | SEVStatusFlags::SEV_ES | SEVStatusFlags::SEV_SNP;
-    let not_supported = SEVStatusFlags::VTOM
-        | SEVStatusFlags::REFLECT_VC
-        | SEVStatusFlags::REST_INJ
-        | SEVStatusFlags::ALT_INJ
-        | SEVStatusFlags::DBGSWP
+    let supported = SEVStatusFlags::DBGSWP
         | SEVStatusFlags::PREV_HOST_IBS
         | SEVStatusFlags::BTB_ISOLATION
-        | SEVStatusFlags::SECURE_TSC
         | SEVStatusFlags::VMSA_REG_PROT;
 
     let status = sev_flags();
     let required_check = status & required;
-    let supported_check = status & not_supported;
+    let not_supported_check = status & !(supported | required);
 
     if required_check != required {
         log::error!(
@@ -177,8 +172,8 @@ pub fn sev_status_verify() {
         panic!("Required SEV features not available");
     }
 
-    if !supported_check.is_empty() {
-        log::error!("Unsupported features enabled: {}", supported_check);
+    if !not_supported_check.is_empty() {
+        log::error!("Unsupported features enabled: {}", not_supported_check);
         panic!("Unsupported SEV features enabled");
     }
 }