From: Brijesh Singh
To: qemu-devel@nongnu.org
Cc: Connor Kuehl, Philippe Mathieu-Daudé, Michael S. Tsirkin, James Bottomley, Dr. David Alan Gilbert, Tom Lendacky, Paolo Bonzini, Dov Murik, David Gibson, Daniel P. Berrangé, kvm@vger.kernel.org, Michael Roth, Eduardo Habkost, Brijesh Singh
Subject: [RFC PATCH 0/6] Add AMD Secure Nested Paging (SEV-SNP) support
Date: Fri, 9 Jul 2021 16:55:44 -0500
Message-Id: <20210709215550.32496-1-brijesh.singh@amd.com>

SEV-SNP builds upon existing SEV and SEV-ES functionality while adding new
hardware-based memory protections. SEV-SNP adds strong memory integrity
protection to help prevent malicious hypervisor-based attacks like data
replay, memory re-mapping and more in order to create an isolated memory
encryption environment.

The patches to support the SEV-SNP in Linux kernel and OVMF are available:
https://lore.kernel.org/kvm/20210707181506.30489-1-brijesh.singh@amd.com/
https://lore.kernel.org/kvm/20210707183616.5620-1-brijesh.singh@amd.com/
https://edk2.groups.io/g/devel/message/77335?p=,,,20,0,0,0::Created,,posterid%3A5969970,20,2,20,83891508

The Qemu patches use the command id added by the SEV-SNP hypervisor patches
to bootstrap the SEV-SNP VMs.

TODO:
 * Add support to filter CPUID values through the PSP.

Additional resources
---------------------
SEV-SNP whitepaper
https://www.amd.com/system/files/TechDocs/SEV-SNP-strengthening-vm-isolation-with-integrity-protection-and-more.pdf

APM 2: https://www.amd.com/system/files/TechDocs/24593.pdf (section 15.36)

GHCB spec:
https://developer.amd.com/wp-content/resources/56421.pdf

SEV-SNP firmware specification:
https://www.amd.com/system/files/TechDocs/56860.pdf

Brijesh Singh (6):
  linux-header: add the SNP specific command
  i386/sev: extend sev-guest property to include SEV-SNP
  i386/sev: initialize SNP context
  i386/sev: add the SNP launch start context
  i386/sev: add support to encrypt BIOS when SEV-SNP is enabled
  i386/sev: populate secrets and cpuid page and finalize the SNP launch

 docs/amd-memory-encryption.txt |  81 +++++-
 linux-headers/linux/kvm.h      |  47 ++++
 qapi/qom.json                  |   6 +
 target/i386/sev.c              | 498 ++++++++++++++++++++++++++++++++-
 target/i386/sev_i386.h         |   1 +
 target/i386/trace-events       |   4 +
 6 files changed, 628 insertions(+), 9 deletions(-)