
[RFC,v1,08/12] target.json: add migrate-set-sev-info command

Message ID 20190620180247.8825-9-brijesh.singh@amd.com (mailing list archive)
Series Add SEV guest live migration support | expand

Commit Message

Brijesh Singh June 20, 2019, 6:03 p.m. UTC
The command can be used by the hypervisor to specify the target Platform
Diffie-Hellman key (PDH) and certificate chain before starting the SEV
guest migration. The values passed through the command will be used while
creating the outgoing encryption context.

Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
---
 qapi/target.json       | 18 ++++++++++++++++++
 target/i386/monitor.c  | 10 ++++++++++
 target/i386/sev-stub.c |  5 +++++
 target/i386/sev.c      | 11 +++++++++++
 target/i386/sev_i386.h |  9 ++++++++-
 5 files changed, 52 insertions(+), 1 deletion(-)

Comments

Eric Blake June 20, 2019, 7:13 p.m. UTC | #1
On 6/20/19 1:03 PM, Singh, Brijesh wrote:
> The command can be used by the hypervisor to specify the target Platform
> Diffie-Hellman key (PDH) and certificate chain before starting the SEV
> guest migration. The values passed through the command will be used while
> creating the outgoing encryption context.
> 
> Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
> ---
>  qapi/target.json       | 18 ++++++++++++++++++
>  target/i386/monitor.c  | 10 ++++++++++
>  target/i386/sev-stub.c |  5 +++++
>  target/i386/sev.c      | 11 +++++++++++
>  target/i386/sev_i386.h |  9 ++++++++-
>  5 files changed, 52 insertions(+), 1 deletion(-)
> 

> +++ b/qapi/target.json
> @@ -512,3 +512,21 @@
>  ##
>  { 'command': 'query-cpu-definitions', 'returns': ['CpuDefinitionInfo'],
>    'if': 'defined(TARGET_PPC) || defined(TARGET_ARM) || defined(TARGET_I386) || defined(TARGET_S390X) || defined(TARGET_MIPS)' }
> +
> +##
> +# @migrate-set-sev-info:
> +#
> +# The command is used to provide the target host information used during the
> +# SEV guest.
> +#
> +# @pdh the target host platform diffie-hellman key encoded in base64
> +#
> +# @plat-cert the target host platform certificate chain encoded in base64
> +#
> +# @amd-cert AMD certificate chain which include ASK and OCA encoded in base64
> +#
> +# Since 4.3

The next release is 4.1, then likely 4.2 near the end of the calendar
year, then 5.0 in 2020. There is no planned 4.3 release.  Are you trying
to get this in 4.1?
Brijesh Singh June 20, 2019, 7:18 p.m. UTC | #2
On 6/20/19 2:13 PM, Eric Blake wrote:
> On 6/20/19 1:03 PM, Singh, Brijesh wrote:
>> The command can be used by the hypervisor to specify the target Platform
>> Diffie-Hellman key (PDH) and certificate chain before starting the SEV
>> guest migration. The values passed through the command will be used while
>> creating the outgoing encryption context.
>>
>> Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
>> ---
>>   qapi/target.json       | 18 ++++++++++++++++++
>>   target/i386/monitor.c  | 10 ++++++++++
>>   target/i386/sev-stub.c |  5 +++++
>>   target/i386/sev.c      | 11 +++++++++++
>>   target/i386/sev_i386.h |  9 ++++++++-
>>   5 files changed, 52 insertions(+), 1 deletion(-)
>>
> 
>> +++ b/qapi/target.json
>> @@ -512,3 +512,21 @@
>>   ##
>>   { 'command': 'query-cpu-definitions', 'returns': ['CpuDefinitionInfo'],
>>     'if': 'defined(TARGET_PPC) || defined(TARGET_ARM) || defined(TARGET_I386) || defined(TARGET_S390X) || defined(TARGET_MIPS)' }
>> +
>> +##
>> +# @migrate-set-sev-info:
>> +#
>> +# The command is used to provide the target host information used during the
>> +# SEV guest.
>> +#
>> +# @pdh the target host platform diffie-hellman key encoded in base64
>> +#
>> +# @plat-cert the target host platform certificate chain encoded in base64
>> +#
>> +# @amd-cert AMD certificate chain which include ASK and OCA encoded in base64
>> +#
>> +# Since 4.3
> 
> The next release is 4.1, then likely 4.2 near the end of the calendar
> year, then 5.0 in 2020. There is no planned 4.3 release.  Are you trying
> to get this in 4.1?


Ah, I meant to type 4.2, not 4.3. The series depends on kernel patches; my
best effort is to get it ready for the 4.2 merge window.


diff --git a/qapi/target.json b/qapi/target.json
index 1d4d54b600..4109772298 100644
--- a/qapi/target.json
+++ b/qapi/target.json
@@ -512,3 +512,21 @@ 
 ##
 { 'command': 'query-cpu-definitions', 'returns': ['CpuDefinitionInfo'],
   'if': 'defined(TARGET_PPC) || defined(TARGET_ARM) || defined(TARGET_I386) || defined(TARGET_S390X) || defined(TARGET_MIPS)' }
+
+##
+# @migrate-set-sev-info:
+#
+# The command is used to provide the target host information used during the
+# SEV guest.
+#
+# @pdh the target host platform diffie-hellman key encoded in base64
+#
+# @plat-cert the target host platform certificate chain encoded in base64
+#
+# @amd-cert AMD certificate chain which include ASK and OCA encoded in base64
+#
+# Since 4.3
+#
+##
+{ 'command': 'migrate-set-sev-info',
+  'data': { 'pdh': 'str', 'plat-cert': 'str', 'amd-cert' : 'str' }}
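Review bot: The new command carries no `'if'` condition, unlike `query-cpu-definitions` directly above it, yet its handler is added only to target/i386/monitor.c; the marshaller generated for non-x86 targets will presumably reference an undefined qmp_migrate_set_sev_info, so the definition should end with `'if': 'defined(TARGET_I386)'` as the other SEV commands in this file do. The description is also truncated: `# The command is used to provide the target host information used during the` / `# SEV guest.` should read `used during SEV guest migration`. Since the values are consumed when the outgoing encryption context is created, the doc block should also state that the command must be issued before `migrate`, otherwise a management layer has no way to know the ordering constraint.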
diff --git a/target/i386/monitor.c b/target/i386/monitor.c
index 56e2dbece7..68e2e2b8ec 100644
--- a/target/i386/monitor.c
+++ b/target/i386/monitor.c
@@ -736,3 +736,13 @@  SevCapability *qmp_query_sev_capabilities(Error **errp)
 
     return data;
 }
+
+void qmp_migrate_set_sev_info(const char *pdh, const char *plat_cert,
+                              const char *amd_cert, Error **errp)
+{
+    if (sev_enabled()) {
+        sev_set_migrate_info(pdh, plat_cert, amd_cert);
+    } else {
+        error_setg(errp, "SEV is not enabled");
+    }
+}
diff --git a/target/i386/sev-stub.c b/target/i386/sev-stub.c
index e5ee13309c..173bfa6374 100644
--- a/target/i386/sev-stub.c
+++ b/target/i386/sev-stub.c
@@ -48,3 +48,8 @@  SevCapability *sev_get_capabilities(void)
 {
     return NULL;
 }
+
+void sev_set_migrate_info(const char *pdh, const char *plat_cert,
+                          const char *amd_cert)
+{
+}
diff --git a/target/i386/sev.c b/target/i386/sev.c
index 1b05fcf9a9..2c7c496593 100644
--- a/target/i386/sev.c
+++ b/target/i386/sev.c
@@ -852,6 +852,17 @@  int sev_sync_page_enc_bitmap(void *handle, uint8_t *host, uint64_t size,
     return 0;
 }
 
+void sev_set_migrate_info(const char *pdh, const char *plat_cert,
+                          const char *amd_cert)
+{
+    SEVState *s = sev_state;
+
+    s->remote_pdh = g_base64_decode(pdh, &s->remote_pdh_len);
+    s->remote_plat_cert = g_base64_decode(plat_cert,
+                                          &s->remote_plat_cert_len);
+    s->amd_cert = g_base64_decode(amd_cert, &s->amd_cert_len);
+}
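Review bot: Calling the command twice leaks the previous buffers, because each g_base64_decode() result is assigned over the old `s->remote_pdh`, `s->remote_plat_cert` and `s->amd_cert` pointers without freeing them, and nothing checks the decoded lengths, so an empty or garbage string leaves a zero-length PDH or certificate chain that is later handed to the firmware as if it were valid. The PSP will presumably reject a bad chain at SEND_START time, but that failure happens mid-migration rather than when the operator supplies the value. I would decode into temporaries, reject zero-length results with an error, and only then release and replace the stored values, which also makes the command safely re-issuable.
```c
bool sev_set_migrate_info(const char *pdh, const char *plat_cert,
                          const char *amd_cert, Error **errp)
{
    SEVState *s = sev_state;
    guchar *new_pdh, *new_plat_cert, *new_amd_cert;
    size_t pdh_len, plat_cert_len, amd_cert_len;

    /* g_base64_decode() never fails; it silently drops bad characters,
     * so a zero decoded length is the only signal of malformed input. */
    new_pdh = g_base64_decode(pdh, &pdh_len);
    new_plat_cert = g_base64_decode(plat_cert, &plat_cert_len);
    new_amd_cert = g_base64_decode(amd_cert, &amd_cert_len);

    if (!pdh_len || !plat_cert_len || !amd_cert_len) {
        error_setg(errp, "SEV migration info: empty or malformed base64 value");
        g_free(new_pdh);
        g_free(new_plat_cert);
        g_free(new_amd_cert);
        return false;
    }

    /* Replace, not overwrite, so re-issuing the command does not leak. */
    g_free(s->remote_pdh);
    g_free(s->remote_plat_cert);
    g_free(s->amd_cert);
    s->remote_pdh = new_pdh;
    s->remote_pdh_len = pdh_len;
    s->remote_plat_cert = new_plat_cert;
    s->remote_plat_cert_len = plat_cert_len;
    s->amd_cert = new_amd_cert;
    s->amd_cert_len = amd_cert_len;
    return true;
}
```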
+
 static void
 sev_register_types(void)
 {
diff --git a/target/i386/sev_i386.h b/target/i386/sev_i386.h
index c0f9373beb..258047ab2c 100644
--- a/target/i386/sev_i386.h
+++ b/target/i386/sev_i386.h
@@ -39,7 +39,8 @@  extern uint32_t sev_get_cbit_position(void);
 extern uint32_t sev_get_reduced_phys_bits(void);
 extern char *sev_get_launch_measurement(void);
 extern SevCapability *sev_get_capabilities(void);
-
+extern void sev_set_migrate_info(const char *pdh, const char *plat_cert,
+                                 const char *amd_cert);
 typedef struct QSevGuestInfo QSevGuestInfo;
 typedef struct QSevGuestInfoClass QSevGuestInfoClass;
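Review bot: The hunk replaces the blank line that separated the extern declarations from the typedefs with the new prototype, leaving `typedef struct QSevGuestInfo QSevGuestInfo;` glued directly to `sev_set_migrate_info`; keep an empty line after the new declaration so the header's grouping matches the surrounding style.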
 
@@ -81,6 +82,12 @@  struct SEVState {
     int sev_fd;
     SevState state;
     gchar *measurement;
+    guchar *remote_pdh;
+    size_t remote_pdh_len;
+    guchar *remote_plat_cert;
+    size_t remote_plat_cert_len;
+    guchar *amd_cert;
+    size_t amd_cert_len;
 };
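Review bot: The six new SEVState fields are undocumented and nothing in this patch frees the buffers they point to; sev_set_migrate_info() fills them from g_base64_decode() but there is no matching release, so unless a later patch in the series frees them at guest teardown they are simply leaked. I would add a comment above `remote_pdh` along the lines of `/* Target host PDH, platform cert chain and AMD cert chain for outgoing migration; base64-decoded by sev_set_migrate_info(), owned and freed by SEVState */` so the ownership is explicit. struct SEVState begins outside the hunk.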
 
 typedef struct SEVState SEVState;