From patchwork Wed Mar 8 20:54:11 2017
X-Patchwork-Submitter: Brijesh Singh
X-Patchwork-Id: 9612037
From: Brijesh Singh
Date: Wed, 8 Mar 2017 15:54:11 -0500
Message-ID: <148900645191.27090.14005849682729903734.stgit@brijesh-build-machine>
In-Reply-To: <148900626714.27090.1616990932333159904.stgit@brijesh-build-machine>
User-Agent: StGit/0.17.1-dirty
Subject: [Qemu-devel] [RFC PATCH v4 17/20] target/i386: encrypt bios rom when memory encryption is enabled
Cc: Thomas.Lendacky@amd.com, brijesh.singh@amd.com

If the guest is launched with memory encryption enabled then we encrypt the data copied into the pflash device and also set the debug ops for the PC.BIOS, PC.RAM and PFLASH memory regions. This will ensure that any debug access to these memory regions will go through the memory encryption APIs. It covers both the pflash type of device as well as passing the bios image via the -bios option on the qemu command line.

Signed-off-by: Brijesh Singh
---
 hw/i386/pc.c       |  7 +++++++
 hw/i386/pc_sysfw.c | 30 +++++++++++++++++++++++++++++-
 2 files changed, 36 insertions(+), 1 deletion(-)
diff --git a/hw/i386/pc.c b/hw/i386/pc.c index d24388e..a0c0816 100644 --- a/hw/i386/pc.c +++ b/hw/i386/pc.c @@ -1392,6 +1392,13 @@ void pc_memory_init(PCMachineState *pcms, e820_add_entry(0x100000000ULL, pcms->above_4g_mem_size, E820_RAM); } + /* if memory encryption is enabled then set the memory encryption + * ops so that any debug read and write to guest memory from hypervisor will + * go through encryption routines. */ + if (kvm_memcrypt_enabled()) { + kvm_memcrypt_set_debug_ops(ram); + } + if (!pcmc->has_reserved_memory && (machine->ram_slots || (machine->maxram_size > machine->ram_size))) { diff --git a/hw/i386/pc_sysfw.c b/hw/i386/pc_sysfw.c index f915ad0..518a341 100644 --- a/hw/i386/pc_sysfw.c +++ b/hw/i386/pc_sysfw.c @@ -47,7 +47,7 @@ static void pc_isa_bios_init(MemoryRegion *rom_memory, MemoryRegion *flash_mem, int ram_size) { - int isa_bios_size; + int ret, isa_bios_size; MemoryRegion *isa_bios; uint64_t flash_size; void *flash_ptr, *isa_bios_ptr; @@ -72,6 +72,15 @@ static void pc_isa_bios_init(MemoryRegion *rom_memory, ((uint8_t*)flash_ptr) + (flash_size - isa_bios_size), isa_bios_size); + /* If memory encryption is enabled then encrypt the ISA rom */ + if (kvm_memcrypt_enabled()) { + ret = kvm_memcrypt_encrypt_launch_data(isa_bios_ptr, isa_bios_size); + if (ret) { + fprintf(stderr, "Error: failed to encrypt isa_bios image\n"); + } + kvm_memcrypt_set_debug_ops(isa_bios); + } + memory_region_set_readonly(isa_bios, true); } @@ -103,6 +112,7 @@ static void pc_isa_bios_init(MemoryRegion *rom_memory, */ static void pc_system_flash_init(MemoryRegion *rom_memory) { + int ret; int unit; DriveInfo *pflash_drv; BlockBackend *blk; @@ -113,6 +123,8 @@ static void pc_system_flash_init(MemoryRegion *rom_memory) pflash_t *system_flash; MemoryRegion *flash_mem; char name[64]; + void *flash_ptr; + int flash_size; sector_bits = 12; sector_size = 1 << sector_bits; 
@@ -168,7 +180,20 @@ static void pc_system_flash_init(MemoryRegion *rom_memory) 0 /* be */); if (unit == 0) { flash_mem = pflash_cfi01_get_memory(system_flash); + pc_isa_bios_init(rom_memory, flash_mem, size); + + /* Encrypt the pflash boot ROM */ + if (kvm_memcrypt_enabled()) { + flash_ptr = memory_region_get_ram_ptr(flash_mem); + flash_size = memory_region_size(flash_mem); + ret = kvm_memcrypt_encrypt_launch_data(flash_ptr, flash_size); + if (ret) { + fprintf(stderr, "Error: failed to encrypt %s\n", name); + exit(1); + } + kvm_memcrypt_set_debug_ops(flash_mem); + } } } } @@ -208,6 +233,9 @@ static void old_pc_system_rom_init(MemoryRegion *rom_memory, bool isapc_ram_fw) } g_free(filename); + if (kvm_memcrypt_enabled()) { + kvm_memcrypt_set_debug_ops(bios); + } /* map the last 128KB of the BIOS in ISA space */ isa_bios_size = bios_size; if (isa_bios_size > (128 * 1024)) {
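Review bot: in the pc_isa_bios_init hunk (@@ -72,6 +72,15 @@) a failure of kvm_memcrypt_encrypt_launch_data() is only reported, not acted on: after `fprintf(stderr, "Error: failed to encrypt isa_bios image\n");` execution continues, kvm_memcrypt_set_debug_ops(isa_bios) is still installed and the region is marked read-only, so the guest would boot with a plaintext ISA BIOS copy while the debug path treats it as ciphertext. The pflash hunk below calls exit(1) on the same error; do the same here (or return the error to the caller) so the two paths fail consistently.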
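Review bot: in the pc_system_flash_init declarations hunk (@@ -113,6 +123,8 @@), `int flash_size;` narrows the uint64_t that memory_region_size() returns when it is assigned in the later hunk; declare it as uint64_t (or the size type kvm_memcrypt_encrypt_launch_data() actually takes) so a large or unusually sized flash cannot silently truncate the length that gets encrypted.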
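Review bot: the ordering in the pflash hunk (@@ -168,7 +180,20 @@) is load-bearing and deserves a comment: pc_isa_bios_init() must copy the tail of flash_ptr before kvm_memcrypt_encrypt_launch_data() encrypts the flash contents in place, otherwise the ISA copy would be ciphertext and the separate encrypt call inside pc_isa_bios_init() would encrypt it a second time. Also, only `unit == 0` is encrypted; any further pflash unit attached on the command line stays plaintext, so the commit message should state whether that is intended. Minor: QEMU's error_report() is preferable to the bare fprintf(stderr, ...) for the failure message.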
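Review bot: the old_pc_system_rom_init hunk (@@ -208,6 +233,9 @@) installs kvm_memcrypt_set_debug_ops(bios) but nothing in the patch calls kvm_memcrypt_encrypt_launch_data() on the -bios image, unlike the two pflash paths. Either the encrypt call is missing here, or the image is meant to stay plaintext, in which case routing debug reads of it through the decryption path will return garbage; since the commit message says the -bios case is covered, please state which it is and add the missing call if it is the former.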