| Message ID | 20240320083945.991426-1-michael.roth@amd.com (mailing list archive) |
|---|---|
| Headers | show |
| Series | Add AMD Secure Nested Paging (SEV-SNP) support | expand |
On 3/20/24 09:38, Michael Roth wrote: > These patches implement SEV-SNP base support along with CPUID enforcement > support for QEMU, and are also available at: > > https://github.com/amdese/qemu/commits/snp-v3-rfc > > they are based on top of the following patchset from Paolo: > > "[PATCH 0/7] target/i386: VM type infrastructure and KVM_SEV_INIT2 support" > https://lists.gnu.org/archive/html/qemu-devel/2024-03/msg04663.html > > > Patch Layout > ------------ > > 01-05: Various changes needed to handle new header files in kvm-next tree > and some hacks to get a functional header sync in place for building > this series. > 06-18: These are patches directly plucked from Xiaoyao's TDX v5 patchset[1] > that implement common dependencies between SNP/TDX like base > guest_memfd, KVM_EXIT_MEMORY_FAULT handling (with a small FIXUP), and > mechanisms to disable SMM. We would've also needed some of the basic > infrastructure for handling specifying VM types for KVM_CREATE, but > much of that is now part of the sevinit2 series this patchset is based > on. Ideally all these patches, once stable, could be maintained in a > common tree so that future SNP/TDX patchsets can be more easily > iterated on/reviewed. > 19-20: Patches introduced by this series that are possible candidate for a > common tree. > shared/private pages when things like VFIO are in use. > 21-32: Introduction of sev-snp-guest object and various configuration > requirements for SNP. > 33-36: Handling for various KVM_EXIT_VMGEXIT events that are handled in > userspace. > 37-49: Support for creating a cryptographic "launch" context and populating > various OVMF metadata pages, BIOS regions, and vCPU/VMSA pages with > the initial encrypted/measured/validated launch data prior to > launching the SNP guest. I reviewed the non-SEV bits of patches 21-46 and it looks nicely self-contained. That's pretty much expected but still good news. I didn't look closely at the SEV-SNP code for obvious reasons (it's only been one hour :)), except for the object-oriented aesthetics which I have remarked upon. However, they seem to be in good shape. I will now focus on reviewing patches 6-20. This way we can prepare a common tree for SEV_INIT2/SNP/TDX, for both vendors to build upon. Thanks for posting this, and thanks to the Intel people too for the previous work on the guest_memfd parts! Paolo
On Wed, Mar 20, 2024 at 10:59 AM Paolo Bonzini <pbonzini@redhat.com> wrote: > I will now focus on reviewing patches 6-20. This way we can prepare a > common tree for SEV_INIT2/SNP/TDX, for both vendors to build upon. Ok, the attachment is the delta that I have. The only major change is requiring discard (thus effectively blocking VFIO support for SEV-SNP/TDX, at least for now). I will push it shortly to the same sevinit2 branch, and will post the patches sometime soon. Xiaoyao, you can use that branch too (it's on https://gitlab.com/bonzini/qemu) as the basis for your TDX work. Paolo
On 3/21/2024 1:08 AM, Paolo Bonzini wrote: > On Wed, Mar 20, 2024 at 10:59 AM Paolo Bonzini <pbonzini@redhat.com> wrote: >> I will now focus on reviewing patches 6-20. This way we can prepare a >> common tree for SEV_INIT2/SNP/TDX, for both vendors to build upon. > > Ok, the attachment is the delta that I have. The only major change is > requiring discard (thus effectively blocking VFIO support for > SEV-SNP/TDX, at least for now). > > I will push it shortly to the same sevinit2 branch, and will post the > patches sometime soon. > > Xiaoyao, you can use that branch too (it's on > https://gitlab.com/bonzini/qemu) as the basis for your TDX work. Sure, it's really a good news for us. BTW, there are some minor comments on guest_memfd patches of my v5 post[*]. Could you please resolve them it your branch? [*] https://lore.kernel.org/qemu-devel/20240229063726.610065-1-xiaoyao.li@intel.com/ > Paolo
On Wed, Mar 20, 2024 at 03:38:56AM -0500, Michael Roth wrote: > > Testing > ------- > > This series has been tested against the following host kernel tree, which > is a snapshot of the latest WIP SNP hypervisor tree at the time of this > posting. It will likely not be kept up to date afterward, so please keep an > eye upstream or official AMDESE github if you are looking for the latest > some time after this posting: > > https://github.com/mdroth/linux/commits/snp-host-v12-wip40/ I just noticed I had a necessary local change that wasn't included in the initial push of this branch. I've updated the branch now, but just wanted to post a heads-up in case anyone was having issues. -Mike
> On 20 Mar 2024, at 14:08, Michael Roth <michael.roth@amd.com> wrote: > > These patches implement SEV-SNP base support along with CPUID enforcement > support for QEMU, and are also available at: > > https://github.com/amdese/qemu/commits/snp-v3-rfc > > they are based on top of the following patchset from Paolo: > > "[PATCH 0/7] target/i386: VM type infrastructure and KVM_SEV_INIT2 support" > https://lists.gnu.org/archive/html/qemu-devel/2024-03/msg04663.html Can you please also CC me on future revisions of this patchset? Thanks! > > > Patch Layout > ------------ > > 01-05: Various changes needed to handle new header files in kvm-next tree > and some hacks to get a functional header sync in place for building > this series. > 06-18: These are patches directly plucked from Xiaoyao's TDX v5 patchset[1] > that implement common dependencies between SNP/TDX like base > guest_memfd, KVM_EXIT_MEMORY_FAULT handling (with a small FIXUP), and > mechanisms to disable SMM. We would've also needed some of the basic > infrastructure for handling specifying VM types for KVM_CREATE, but > much of that is now part of the sevinit2 series this patchset is based > on. Ideally all these patches, once stable, could be maintained in a > common tree so that future SNP/TDX patchsets can be more easily > iterated on/reviewed. > 19-20: Patches introduced by this series that are possible candidate for a > common tree. > shared/private pages when things like VFIO are in use. > 21-32: Introduction of sev-snp-guest object and various configuration > requirements for SNP. > 33-36: Handling for various KVM_EXIT_VMGEXIT events that are handled in > userspace. > 37-49: Support for creating a cryptographic "launch" context and populating > various OVMF metadata pages, BIOS regions, and vCPU/VMSA pages with > the initial encrypted/measured/validated launch data prior to > launching the SNP guest. > > > Testing > ------- > > This series has been tested against the following host kernel tree, which > is a snapshot of the latest WIP SNP hypervisor tree at the time of this > posting. It will likely not be kept up to date afterward, so please keep an > eye upstream or official AMDESE github if you are looking for the latest > some time after this posting: > > https://github.com/mdroth/linux/commits/snp-host-v12-wip40/ > > A patched OVMF is also needed due to upstream KVM no longer supporting MMIO > ranges that are mapped as private. It is recommended you build the AmdSevX64 > variant as it provides the kernel-hashing support present in this series: > > https://github.com/mdroth/edk2/commits/apic-mmio-fix1c/ > > A basic command-line invocation for SNP would be: > > qemu-system-x86_64 -smp 32,maxcpus=255 -cpu EPYC-Milan-v2 > -machine q35,confidential-guest-support=sev0,memory-backend=ram1 > -object memory-backend-memfd,id=ram1,size=4G,share=true,reserve=false > -object sev-snp-guest,id=sev0,cbitpos=51,reduced-phys-bits=1,id-auth= > -bios /home/mroth/ovmf/OVMF_CODE-upstream-20240228-apicfix-1c-AmdSevX64.fd > > With kernel-hashing and certificate data supplied: > > qemu-system-x86_64 -smp 32,maxcpus=255 -cpu EPYC-Milan-v2 > -machine q35,confidential-guest-support=sev0,memory-backend=ram1 > -object memory-backend-memfd,id=ram1,size=4G,share=true,reserve=false > -object sev-snp-guest,id=sev0,cbitpos=51,reduced-phys-bits=1,id-auth=,certs-path=/home/mroth/cert.blob,kernel-hashes=on > -bios /home/mroth/ovmf/OVMF_CODE-upstream-20240228-apicfix-1c-AmdSevX64.fd > -kernel /boot/vmlinuz-6.8.0-snp-host-v12-wip40+ > -initrd /boot/initrd.img-6.8.0-snp-host-v12-wip40+ > -append "root=UUID=d72a6d1c-06cf-4b79-af43-f1bac4f620f9 ro console=ttyS0,115200n8" > > Any comments/feedback would be very much appreciated. > > [1] https://github.com/amdese/linux > https://github.com/amdese/amdsev/tree/snp-latest > > Changes since rfc2: > > - reworked on top of guest_memfd support > - added handling for various KVM_EXIT_VMGEXIT events > - various changes/considerations for PCI passthrough support > - general bugfixes/hardening/cleanups > - qapi cmdline doc fixes/rework (Dov, Markus) > - switch to qbase64_decode, more error-checking for cmdline opts (Dov) > - unset id_block_en for 0 input (Dov) > - use error_setg in snp init (Dov) > - report more info in trace_kvm_sev_init (Dov) > - rework bounds-checking for kvm_cpuid_info, rework existing checks for readability, add additional checks (Dov) > - fixups for validated_ranges handling (Dov) > - rename 'policy' field to 'snp-policy' in query-sev when sev-type is SNP > > Changes since rfc1: > > - rebased onto latest master > - drop SNP config file in favor of a new 'sev-snp-guest' object where all > SNP-related params are passed as strings/integers via command-line > - report specific error if BIOS reports invalid address/len for > reserved/pre-validated regions (Connor) > - use Range helpers for handling validated region overlaps (Dave) > - simplify error handling in sev_snp_launch_start, and report the correct > return code when handling LAUNCH_START failures (Dov) > - add SEV-SNP bit to CPUID 0x8000001f when SNP enabled > - updated query-sev to handle differences between SEV and SEV-SNP > - updated to work against v5 of SEV-SNP host kernel / hypervisor patches > > ---------------------------------------------------------------- > Brijesh Singh (5): > i386/sev: Introduce 'sev-snp-guest' object > i386/sev: Add the SNP launch start context > i386/sev: Add handling to encrypt/finalize guest launch data > hw/i386/sev: Add function to get SEV metadata from OVMF header > i386/sev: Add support for populating OVMF metadata pages > > Chao Peng (2): > kvm: Enable KVM_SET_USER_MEMORY_REGION2 for memslot > kvm: handle KVM_EXIT_MEMORY_FAULT > > Dov Murik (4): > qapi, i386: Move kernel-hashes to SevCommonProperties > i386/sev: Extract build_kernel_loader_hashes > i386/sev: Reorder struct declarations > i386/sev: Allow measured direct kernel boot on SNP > > Isaku Yamahata (2): > pci-host/q35: Move PAM initialization above SMRAM initialization > q35: Introduce smm_ranges property for q35-pci-host > > Michael Roth (30): > Revert "linux-headers hack" from sevinit2 base tree > scripts/update-linux-headers: Add setup_data.h to import list > scripts/update-linux-headers: Add bits.h to file imports > [HACK] linux-headers: Update headers for 6.8 + kvm-coco-queue + SNP > [TEMP] hw/i386: Remove redeclaration of struct setup_data > RAMBlock: Add support of KVM private guest memfd > [FIXUP] "kvm: handle KVM_EXIT_MEMORY_FAULT": drop qemu_host_page_size > trace/kvm: Add trace for page convertion between shared and private > kvm: Make kvm_convert_memory() obey ram_block_discard_is_enabled() > trace/kvm: Add trace for KVM_EXIT_MEMORY_FAULT > i386/sev: Introduce "sev-common" type to encapsulate common SEV state > i386/sev: Add a sev_snp_enabled() helper > target/i386: Add handling for KVM_X86_SNP_VM VM type > i386/sev: Skip RAMBlock notifiers for SNP > i386/sev: Skip machine-init-done notifiers for SNP > i386/sev: Set ms->require_guest_memfd for SNP > i386/sev: Disable SMM for SNP > i386/sev: Don't disable block discarding for SNP > i386/cpu: Set SEV-SNP CPUID bit when SNP enabled > i386/sev: Update query-sev QAPI format to handle SEV-SNP > i386/sev: Don't return launch measurements for SEV-SNP guests > kvm: Make kvm_convert_memory() non-static > i386/sev: Add KVM_EXIT_VMGEXIT handling for Page State Changes > i386/sev: Add KVM_EXIT_VMGEXIT handling for Page State Changes (MSR-based) > i386/sev: Add KVM_EXIT_VMGEXIT handling for Extended Guest Requests > i386/sev: Set CPU state to protected once SNP guest payload is finalized > i386/sev: Add support for SNP CPUID validation > hw/i386/sev: Add support to encrypt BIOS when SEV-SNP is enabled > hw/i386/sev: Use guest_memfd for legacy ROMs > hw/i386: Add support for loading BIOS using guest_memfd > > Xiaoyao Li (6): > HostMem: Add mechanism to opt in kvm guest memfd via MachineState > trace/kvm: Split address space and slot id in trace_kvm_set_user_memory() > kvm: Introduce support for memory_attributes > physmem: Introduce ram_block_discard_guest_memfd_range() > kvm/memory: Make memory type private by default if it has guest memfd backend > memory: Introduce memory_region_init_ram_guest_memfd() > > accel/kvm/kvm-all.c | 241 ++- > accel/kvm/trace-events | 4 +- > accel/stubs/kvm-stub.c | 5 + > backends/hostmem-file.c | 1 + > backends/hostmem-memfd.c | 1 + > backends/hostmem-ram.c | 1 + > backends/hostmem.c | 1 + > docs/system/i386/amd-memory-encryption.rst | 78 +- > hw/core/machine.c | 5 + > hw/i386/pc.c | 13 +- > hw/i386/pc_q35.c | 2 + > hw/i386/pc_sysfw.c | 25 +- > hw/i386/pc_sysfw_ovmf.c | 33 + > hw/i386/x86.c | 46 +- > hw/pci-host/q35.c | 61 +- > include/exec/cpu-common.h | 2 + > include/exec/memory.h | 26 +- > include/exec/ram_addr.h | 2 +- > include/exec/ramblock.h | 1 + > include/hw/boards.h | 2 + > include/hw/i386/pc.h | 31 +- > include/hw/i386/x86.h | 2 +- > include/hw/pci-host/q35.h | 1 + > include/standard-headers/asm-x86/bootparam.h | 17 +- > include/standard-headers/asm-x86/kvm_para.h | 3 +- > include/standard-headers/linux/ethtool.h | 48 + > include/standard-headers/linux/fuse.h | 39 +- > include/standard-headers/linux/input-event-codes.h | 1 + > include/standard-headers/linux/virtio_gpu.h | 2 + > include/standard-headers/linux/virtio_snd.h | 154 ++ > include/sysemu/hostmem.h | 1 + > include/sysemu/kvm.h | 7 + > include/sysemu/kvm_int.h | 2 + > linux-headers/asm-arm64/kvm.h | 15 +- > linux-headers/asm-arm64/sve_context.h | 11 + > linux-headers/asm-generic/bitsperlong.h | 4 + > linux-headers/asm-loongarch/kvm.h | 2 - > linux-headers/asm-mips/kvm.h | 2 - > linux-headers/asm-powerpc/kvm.h | 45 +- > linux-headers/asm-riscv/kvm.h | 3 +- > linux-headers/asm-s390/kvm.h | 315 +++- > linux-headers/asm-x86/kvm.h | 372 ++++- > linux-headers/asm-x86/setup_data.h | 83 + > linux-headers/linux/bits.h | 15 + > linux-headers/linux/kvm.h | 719 +-------- > linux-headers/linux/psp-sev.h | 71 + > qapi/misc-target.json | 71 +- > qapi/qom.json | 96 +- > scripts/update-linux-headers.sh | 5 +- > system/memory.c | 30 + > system/physmem.c | 47 +- > target/i386/cpu.c | 1 + > target/i386/kvm/kvm.c | 4 + > target/i386/sev-sysemu-stub.c | 2 +- > target/i386/sev.c | 1631 ++++++++++++++++---- > target/i386/sev.h | 13 +- > target/i386/trace-events | 3 + > 57 files changed, 3272 insertions(+), 1146 deletions(-) > create mode 100644 linux-headers/asm-x86/setup_data.h > create mode 100644 linux-headers/linux/bits.h > > > >
These patches implement SEV-SNP base support along with CPUID enforcement support for QEMU, and are also available at: https://github.com/amdese/qemu/commits/snp-v3-rfc they are based on top of the following patchset from Paolo: "[PATCH 0/7] target/i386: VM type infrastructure and KVM_SEV_INIT2 support" https://lists.gnu.org/archive/html/qemu-devel/2024-03/msg04663.html Patch Layout ------------ 01-05: Various changes needed to handle new header files in kvm-next tree and some hacks to get a functional header sync in place for building this series. 06-18: These are patches directly plucked from Xiaoyao's TDX v5 patchset[1] that implement common dependencies between SNP/TDX like base guest_memfd, KVM_EXIT_MEMORY_FAULT handling (with a small FIXUP), and mechanisms to disable SMM. We would've also needed some of the basic infrastructure for handling specifying VM types for KVM_CREATE, but much of that is now part of the sevinit2 series this patchset is based on. Ideally all these patches, once stable, could be maintained in a common tree so that future SNP/TDX patchsets can be more easily iterated on/reviewed. 19-20: Patches introduced by this series that are possible candidate for a common tree. shared/private pages when things like VFIO are in use. 21-32: Introduction of sev-snp-guest object and various configuration requirements for SNP. 33-36: Handling for various KVM_EXIT_VMGEXIT events that are handled in userspace. 37-49: Support for creating a cryptographic "launch" context and populating various OVMF metadata pages, BIOS regions, and vCPU/VMSA pages with the initial encrypted/measured/validated launch data prior to launching the SNP guest. Testing ------- This series has been tested against the following host kernel tree, which is a snapshot of the latest WIP SNP hypervisor tree at the time of this posting. It will likely not be kept up to date afterward, so please keep an eye upstream or official AMDESE github if you are looking for the latest some time after this posting: https://github.com/mdroth/linux/commits/snp-host-v12-wip40/ A patched OVMF is also needed due to upstream KVM no longer supporting MMIO ranges that are mapped as private. It is recommended you build the AmdSevX64 variant as it provides the kernel-hashing support present in this series: https://github.com/mdroth/edk2/commits/apic-mmio-fix1c/ A basic command-line invocation for SNP would be: qemu-system-x86_64 -smp 32,maxcpus=255 -cpu EPYC-Milan-v2 -machine q35,confidential-guest-support=sev0,memory-backend=ram1 -object memory-backend-memfd,id=ram1,size=4G,share=true,reserve=false -object sev-snp-guest,id=sev0,cbitpos=51,reduced-phys-bits=1,id-auth= -bios /home/mroth/ovmf/OVMF_CODE-upstream-20240228-apicfix-1c-AmdSevX64.fd With kernel-hashing and certificate data supplied: qemu-system-x86_64 -smp 32,maxcpus=255 -cpu EPYC-Milan-v2 -machine q35,confidential-guest-support=sev0,memory-backend=ram1 -object memory-backend-memfd,id=ram1,size=4G,share=true,reserve=false -object sev-snp-guest,id=sev0,cbitpos=51,reduced-phys-bits=1,id-auth=,certs-path=/home/mroth/cert.blob,kernel-hashes=on -bios /home/mroth/ovmf/OVMF_CODE-upstream-20240228-apicfix-1c-AmdSevX64.fd -kernel /boot/vmlinuz-6.8.0-snp-host-v12-wip40+ -initrd /boot/initrd.img-6.8.0-snp-host-v12-wip40+ -append "root=UUID=d72a6d1c-06cf-4b79-af43-f1bac4f620f9 ro console=ttyS0,115200n8" Any comments/feedback would be very much appreciated. [1] https://github.com/amdese/linux https://github.com/amdese/amdsev/tree/snp-latest Changes since rfc2: - reworked on top of guest_memfd support - added handling for various KVM_EXIT_VMGEXIT events - various changes/considerations for PCI passthrough support - general bugfixes/hardening/cleanups - qapi cmdline doc fixes/rework (Dov, Markus) - switch to qbase64_decode, more error-checking for cmdline opts (Dov) - unset id_block_en for 0 input (Dov) - use error_setg in snp init (Dov) - report more info in trace_kvm_sev_init (Dov) - rework bounds-checking for kvm_cpuid_info, rework existing checks for readability, add additional checks (Dov) - fixups for validated_ranges handling (Dov) - rename 'policy' field to 'snp-policy' in query-sev when sev-type is SNP Changes since rfc1: - rebased onto latest master - drop SNP config file in favor of a new 'sev-snp-guest' object where all SNP-related params are passed as strings/integers via command-line - report specific error if BIOS reports invalid address/len for reserved/pre-validated regions (Connor) - use Range helpers for handling validated region overlaps (Dave) - simplify error handling in sev_snp_launch_start, and report the correct return code when handling LAUNCH_START failures (Dov) - add SEV-SNP bit to CPUID 0x8000001f when SNP enabled - updated query-sev to handle differences between SEV and SEV-SNP - updated to work against v5 of SEV-SNP host kernel / hypervisor patches ---------------------------------------------------------------- Brijesh Singh (5): i386/sev: Introduce 'sev-snp-guest' object i386/sev: Add the SNP launch start context i386/sev: Add handling to encrypt/finalize guest launch data hw/i386/sev: Add function to get SEV metadata from OVMF header i386/sev: Add support for populating OVMF metadata pages Chao Peng (2): kvm: Enable KVM_SET_USER_MEMORY_REGION2 for memslot kvm: handle KVM_EXIT_MEMORY_FAULT Dov Murik (4): qapi, i386: Move kernel-hashes to SevCommonProperties i386/sev: Extract build_kernel_loader_hashes i386/sev: Reorder struct declarations i386/sev: Allow measured direct kernel boot on SNP Isaku Yamahata (2): pci-host/q35: Move PAM initialization above SMRAM initialization q35: Introduce smm_ranges property for q35-pci-host Michael Roth (30): Revert "linux-headers hack" from sevinit2 base tree scripts/update-linux-headers: Add setup_data.h to import list scripts/update-linux-headers: Add bits.h to file imports [HACK] linux-headers: Update headers for 6.8 + kvm-coco-queue + SNP [TEMP] hw/i386: Remove redeclaration of struct setup_data RAMBlock: Add support of KVM private guest memfd [FIXUP] "kvm: handle KVM_EXIT_MEMORY_FAULT": drop qemu_host_page_size trace/kvm: Add trace for page convertion between shared and private kvm: Make kvm_convert_memory() obey ram_block_discard_is_enabled() trace/kvm: Add trace for KVM_EXIT_MEMORY_FAULT i386/sev: Introduce "sev-common" type to encapsulate common SEV state i386/sev: Add a sev_snp_enabled() helper target/i386: Add handling for KVM_X86_SNP_VM VM type i386/sev: Skip RAMBlock notifiers for SNP i386/sev: Skip machine-init-done notifiers for SNP i386/sev: Set ms->require_guest_memfd for SNP i386/sev: Disable SMM for SNP i386/sev: Don't disable block discarding for SNP i386/cpu: Set SEV-SNP CPUID bit when SNP enabled i386/sev: Update query-sev QAPI format to handle SEV-SNP i386/sev: Don't return launch measurements for SEV-SNP guests kvm: Make kvm_convert_memory() non-static i386/sev: Add KVM_EXIT_VMGEXIT handling for Page State Changes i386/sev: Add KVM_EXIT_VMGEXIT handling for Page State Changes (MSR-based) i386/sev: Add KVM_EXIT_VMGEXIT handling for Extended Guest Requests i386/sev: Set CPU state to protected once SNP guest payload is finalized i386/sev: Add support for SNP CPUID validation hw/i386/sev: Add support to encrypt BIOS when SEV-SNP is enabled hw/i386/sev: Use guest_memfd for legacy ROMs hw/i386: Add support for loading BIOS using guest_memfd Xiaoyao Li (6): HostMem: Add mechanism to opt in kvm guest memfd via MachineState trace/kvm: Split address space and slot id in trace_kvm_set_user_memory() kvm: Introduce support for memory_attributes physmem: Introduce ram_block_discard_guest_memfd_range() kvm/memory: Make memory type private by default if it has guest memfd backend memory: Introduce memory_region_init_ram_guest_memfd() accel/kvm/kvm-all.c | 241 ++- accel/kvm/trace-events | 4 +- accel/stubs/kvm-stub.c | 5 + backends/hostmem-file.c | 1 + backends/hostmem-memfd.c | 1 + backends/hostmem-ram.c | 1 + backends/hostmem.c | 1 + docs/system/i386/amd-memory-encryption.rst | 78 +- hw/core/machine.c | 5 + hw/i386/pc.c | 13 +- hw/i386/pc_q35.c | 2 + hw/i386/pc_sysfw.c | 25 +- hw/i386/pc_sysfw_ovmf.c | 33 + hw/i386/x86.c | 46 +- hw/pci-host/q35.c | 61 +- include/exec/cpu-common.h | 2 + include/exec/memory.h | 26 +- include/exec/ram_addr.h | 2 +- include/exec/ramblock.h | 1 + include/hw/boards.h | 2 + include/hw/i386/pc.h | 31 +- include/hw/i386/x86.h | 2 +- include/hw/pci-host/q35.h | 1 + include/standard-headers/asm-x86/bootparam.h | 17 +- include/standard-headers/asm-x86/kvm_para.h | 3 +- include/standard-headers/linux/ethtool.h | 48 + include/standard-headers/linux/fuse.h | 39 +- include/standard-headers/linux/input-event-codes.h | 1 + include/standard-headers/linux/virtio_gpu.h | 2 + include/standard-headers/linux/virtio_snd.h | 154 ++ include/sysemu/hostmem.h | 1 + include/sysemu/kvm.h | 7 + include/sysemu/kvm_int.h | 2 + linux-headers/asm-arm64/kvm.h | 15 +- linux-headers/asm-arm64/sve_context.h | 11 + linux-headers/asm-generic/bitsperlong.h | 4 + linux-headers/asm-loongarch/kvm.h | 2 - linux-headers/asm-mips/kvm.h | 2 - linux-headers/asm-powerpc/kvm.h | 45 +- linux-headers/asm-riscv/kvm.h | 3 +- linux-headers/asm-s390/kvm.h | 315 +++- linux-headers/asm-x86/kvm.h | 372 ++++- linux-headers/asm-x86/setup_data.h | 83 + linux-headers/linux/bits.h | 15 + linux-headers/linux/kvm.h | 719 +-------- linux-headers/linux/psp-sev.h | 71 + qapi/misc-target.json | 71 +- qapi/qom.json | 96 +- scripts/update-linux-headers.sh | 5 +- system/memory.c | 30 + system/physmem.c | 47 +- target/i386/cpu.c | 1 + target/i386/kvm/kvm.c | 4 + target/i386/sev-sysemu-stub.c | 2 +- target/i386/sev.c | 1631 ++++++++++++++++---- target/i386/sev.h | 13 +- target/i386/trace-events | 3 + 57 files changed, 3272 insertions(+), 1146 deletions(-) create mode 100644 linux-headers/asm-x86/setup_data.h create mode 100644 linux-headers/linux/bits.h