Message ID | 20200320232353.1022066-1-farosas@linux.ibm.com (mailing list archive)
---|---
State | New, archived
Series | [RFC] target/ppc: Add capability for enabling secure guests
On Fri, Mar 20, 2020 at 08:23:53PM -0300, Fabiano Rosas wrote:
> Making use of ppc's Protected Execution Facility (PEF) feature, a
> guest can become a secure guest (aka. secure VM - SVM) and have its
> memory protected from access by the host. This feature is mediated by
> a piece of firmware called the Ultravisor (UV).
>
> The transition from a regular to a secure VM is initiated by the guest
> kernel during prom_init via the use of an ultracall (enter secure mode
> - UV_ESM) and with cooperation from the hypervisor via an hcall
> (H_SVM_INIT_START).
>
> Currently QEMU has no knowledge of this process and no way to
> determine if a host supports the feature. A guest with PEF support
> enabled would always try to enter secure mode regardless of user
> intent or hardware support.
>
> To address the above, a new KVM capability (KVM_CAP_PPC_SECURE_GUEST
> [1]) is being introduced in the kernel without which KVM will block
> the secure transition.
>
> This patch adds support for checking/enabling this KVM capability via
> a new spapr capability (SPAPR_CAP_SECURE_GUEST) and the equivalent
> command line switch (-machine pseries,cap-svm). The capability
> defaults to off.
>
> 1- https://lore.kernel.org/kvm/20200319043301.GA13052@blackberry
> Signed-off-by: Fabiano Rosas <farosas@linux.ibm.com>
> ---
>
> I have implemented this to be able to test Paul's patch. I'm sending
> it as RFC in case it helps anyone else and if we decide to go in this
> direction I can develop it further.

LGTM

Reviewed-by: David Gibson <david@gibson.dropbear.id.au>

It will miss the qemu-5.0 cut-off, of course, but that should be ok.

> PS: TCG currently gets in a loop of 0x700 due to the lack of 'sc 2'
> emulation - and all the rest of PEF, of course =).
>
> ---
> hw/ppc/spapr.c | 1 +
> hw/ppc/spapr_caps.c | 30 ++++++++++++++++++++++++++++++
> include/hw/ppc/spapr.h | 3 ++-
> target/ppc/kvm.c | 12 ++++++++++++
> target/ppc/kvm_ppc.h | 12 ++++++++++++
> 5 files changed, 57 insertions(+), 1 deletion(-)
>
> diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c > index 9a2bd501aa..a881ac4e29 100644 > --- a/hw/ppc/spapr.c > +++ b/hw/ppc/spapr.c > @@ -4542,6 +4542,7 @@ static void spapr_machine_class_init(ObjectClass *oc, void *data) > smc->default_caps.caps[SPAPR_CAP_LARGE_DECREMENTER] = SPAPR_CAP_ON; > smc->default_caps.caps[SPAPR_CAP_CCF_ASSIST] = SPAPR_CAP_ON; > smc->default_caps.caps[SPAPR_CAP_FWNMI] = SPAPR_CAP_ON; > + smc->default_caps.caps[SPAPR_CAP_SECURE_GUEST] = SPAPR_CAP_OFF; > spapr_caps_add_properties(smc, &error_abort); > smc->irq = &spapr_irq_dual; > smc->dr_phb_enabled = true; > diff --git a/hw/ppc/spapr_caps.c b/hw/ppc/spapr_caps.c > index 679ae7959f..375b7e0b30 100644 > --- a/hw/ppc/spapr_caps.c > +++ b/hw/ppc/spapr_caps.c
> @@ -524,6 +524,27 @@ static void cap_fwnmi_apply(SpaprMachineState *spapr, uint8_t val, > } > } > > +static void cap_secure_guest_apply(SpaprMachineState *spapr, > + uint8_t val, Error **errp) > +{ > + if (!val) { > + /* capability disabled by default */ > + return; > + } > + > + if (!kvm_enabled()) { > + error_setg(errp, "No PEF support in tcg, try cap-svm=off"); > + return; > + } > + > + if (!kvmppc_has_cap_secure_guest()) { > + error_setg(errp, "KVM implementation does not support secure guests, " > + "try cap-svm=off"); > + } else if (kvmppc_enable_cap_secure_guest() < 0) { > + error_setg(errp, "Error enabling cap-svm, try cap-svm=off"); > + } > +} > + > SpaprCapabilityInfo capability_table[SPAPR_CAP_NUM] = { > [SPAPR_CAP_HTM] = { > .name = "htm", > @@ -632,6 +653,15 @@ SpaprCapabilityInfo capability_table[SPAPR_CAP_NUM] = { > .type = "bool", > .apply = cap_fwnmi_apply, > }, > + [SPAPR_CAP_SECURE_GUEST] = { > + .name = "svm", > + .description = "Allow the guest to become a Secure Guest", > + .index = SPAPR_CAP_SECURE_GUEST, > + .get = spapr_cap_get_bool, > + .set = spapr_cap_set_bool, > + .type = "bool", > + .apply = cap_secure_guest_apply, > + }, > }; > > static SpaprCapabilities default_caps_with_cpu(SpaprMachineState *spapr, > diff --git a/include/hw/ppc/spapr.h b/include/hw/ppc/spapr.h > index 42d64a0368..7f5289782d 100644 > --- a/include/hw/ppc/spapr.h > +++ b/include/hw/ppc/spapr.h > @@ -81,8 +81,9 @@ typedef enum { > #define SPAPR_CAP_CCF_ASSIST 0x09 > /* Implements PAPR FWNMI option */ > #define SPAPR_CAP_FWNMI 0x0A > +#define SPAPR_CAP_SECURE_GUEST 0x0B > /* Num Caps */ > -#define SPAPR_CAP_NUM (SPAPR_CAP_FWNMI + 1) > +#define SPAPR_CAP_NUM (SPAPR_CAP_SECURE_GUEST + 1) > > /* > * Capability Values > diff --git a/target/ppc/kvm.c b/target/ppc/kvm.c > index 597f72be1b..9254749cd7 100644 > --- a/target/ppc/kvm.c > +++ b/target/ppc/kvm.c 
> @@ -88,6 +88,7 @@ static int cap_ppc_safe_indirect_branch; > static int cap_ppc_count_cache_flush_assist; > static int cap_ppc_nested_kvm_hv; > static int cap_large_decr; > +static int cap_ppc_secure_guest; > > static uint32_t debug_inst_opcode; > > @@ -135,6 +136,7 @@ int kvm_arch_init(MachineState *ms, KVMState *s) > cap_resize_hpt = kvm_vm_check_extension(s, KVM_CAP_SPAPR_RESIZE_HPT); > kvmppc_get_cpu_characteristics(s); > cap_ppc_nested_kvm_hv = kvm_vm_check_extension(s, KVM_CAP_PPC_NESTED_HV); > + cap_ppc_secure_guest = kvm_vm_check_extension(s, KVM_CAP_PPC_SECURE_GUEST); > cap_large_decr = kvmppc_get_dec_bits(); > /* > * Note: setting it to false because there is not such capability > @@ -2532,6 +2534,16 @@ int kvmppc_enable_cap_large_decr(PowerPCCPU *cpu, int enable) > return 0; > } > > +bool kvmppc_has_cap_secure_guest(void) > +{ > + return !!cap_ppc_secure_guest; > +} > + > +int kvmppc_enable_cap_secure_guest(void) > +{ > + return kvm_vm_enable_cap(kvm_state, KVM_CAP_PPC_SECURE_GUEST, 0, 1); > +} > + > PowerPCCPUClass *kvm_ppc_get_host_cpu_class(void) > { > uint32_t host_pvr = mfpvr(); > diff --git a/target/ppc/kvm_ppc.h b/target/ppc/kvm_ppc.h > index 332fa0aa1c..a9a3aa67c6 100644 > --- a/target/ppc/kvm_ppc.h > +++ b/target/ppc/kvm_ppc.h > @@ -72,6 +72,8 @@ int kvmppc_set_cap_nested_kvm_hv(int enable); > int kvmppc_get_cap_large_decr(void); > int kvmppc_enable_cap_large_decr(PowerPCCPU *cpu, int enable); > int kvmppc_enable_hwrng(void); > +bool kvmppc_has_cap_secure_guest(void); > +int kvmppc_enable_cap_secure_guest(void); > int kvmppc_put_books_sregs(PowerPCCPU *cpu); > PowerPCCPUClass *kvm_ppc_get_host_cpu_class(void); > void kvmppc_check_papr_resize_hpt(Error **errp); 
> @@ -380,6 +382,16 @@ static inline int kvmppc_enable_cap_large_decr(PowerPCCPU *cpu, int enable) > return -1; > } > > +static inline bool kvmppc_has_cap_secure_guest(void) > +{ > + return false; > +} > + > +static inline int kvmppc_enable_cap_secure_guest(void) > +{ > + return -1; > +} > + > static inline int kvmppc_enable_hwrng(void) > { > return -1;
diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c index 9a2bd501aa..a881ac4e29 100644 --- a/hw/ppc/spapr.c +++ b/hw/ppc/spapr.c @@ -4542,6 +4542,7 @@ static void spapr_machine_class_init(ObjectClass *oc, void *data) smc->default_caps.caps[SPAPR_CAP_LARGE_DECREMENTER] = SPAPR_CAP_ON; smc->default_caps.caps[SPAPR_CAP_CCF_ASSIST] = SPAPR_CAP_ON; smc->default_caps.caps[SPAPR_CAP_FWNMI] = SPAPR_CAP_ON; + smc->default_caps.caps[SPAPR_CAP_SECURE_GUEST] = SPAPR_CAP_OFF; spapr_caps_add_properties(smc, &error_abort); smc->irq = &spapr_irq_dual; smc->dr_phb_enabled = true; diff --git a/hw/ppc/spapr_caps.c b/hw/ppc/spapr_caps.c index 679ae7959f..375b7e0b30 100644 --- a/hw/ppc/spapr_caps.c +++ b/hw/ppc/spapr_caps.c @@ -524,6 +524,27 @@ static void cap_fwnmi_apply(SpaprMachineState *spapr, uint8_t val, } } +static void cap_secure_guest_apply(SpaprMachineState *spapr, + uint8_t val, Error **errp) +{ + if (!val) { + /* capability disabled by default */ + return; + } + + if (!kvm_enabled()) { + error_setg(errp, "No PEF support in tcg, try cap-svm=off"); + return; + } + + if (!kvmppc_has_cap_secure_guest()) { + error_setg(errp, "KVM implementation does not support secure guests, " + "try cap-svm=off"); + } else if (kvmppc_enable_cap_secure_guest() < 0) { + error_setg(errp, "Error enabling cap-svm, try cap-svm=off"); + } +} + SpaprCapabilityInfo capability_table[SPAPR_CAP_NUM] = { [SPAPR_CAP_HTM] = { .name = "htm", @@ -632,6 +653,15 @@ SpaprCapabilityInfo capability_table[SPAPR_CAP_NUM] = { .type = "bool", .apply = cap_fwnmi_apply, }, + [SPAPR_CAP_SECURE_GUEST] = { + .name = "svm", + .description = "Allow the guest to become a Secure Guest", + .index = SPAPR_CAP_SECURE_GUEST, + .get = spapr_cap_get_bool, + .set = spapr_cap_set_bool, + .type = "bool", + .apply = cap_secure_guest_apply, + }, }; static SpaprCapabilities default_caps_with_cpu(SpaprMachineState *spapr, diff --git a/include/hw/ppc/spapr.h b/include/hw/ppc/spapr.h index 42d64a0368..7f5289782d 100644 --- a/include/hw/ppc/spapr.h 
+++ b/include/hw/ppc/spapr.h @@ -81,8 +81,9 @@ typedef enum { #define SPAPR_CAP_CCF_ASSIST 0x09 /* Implements PAPR FWNMI option */ #define SPAPR_CAP_FWNMI 0x0A +#define SPAPR_CAP_SECURE_GUEST 0x0B /* Num Caps */ -#define SPAPR_CAP_NUM (SPAPR_CAP_FWNMI + 1) +#define SPAPR_CAP_NUM (SPAPR_CAP_SECURE_GUEST + 1) /* * Capability Values diff --git a/target/ppc/kvm.c b/target/ppc/kvm.c index 597f72be1b..9254749cd7 100644 --- a/target/ppc/kvm.c +++ b/target/ppc/kvm.c @@ -88,6 +88,7 @@ static int cap_ppc_safe_indirect_branch; static int cap_ppc_count_cache_flush_assist; static int cap_ppc_nested_kvm_hv; static int cap_large_decr; +static int cap_ppc_secure_guest; static uint32_t debug_inst_opcode; @@ -135,6 +136,7 @@ int kvm_arch_init(MachineState *ms, KVMState *s) cap_resize_hpt = kvm_vm_check_extension(s, KVM_CAP_SPAPR_RESIZE_HPT); kvmppc_get_cpu_characteristics(s); cap_ppc_nested_kvm_hv = kvm_vm_check_extension(s, KVM_CAP_PPC_NESTED_HV); + cap_ppc_secure_guest = kvm_vm_check_extension(s, KVM_CAP_PPC_SECURE_GUEST); cap_large_decr = kvmppc_get_dec_bits(); /* * Note: setting it to false because there is not such capability @@ -2532,6 +2534,16 @@ int kvmppc_enable_cap_large_decr(PowerPCCPU *cpu, int enable) return 0; } +bool kvmppc_has_cap_secure_guest(void) +{ + return !!cap_ppc_secure_guest; +} + +int kvmppc_enable_cap_secure_guest(void) +{ + return kvm_vm_enable_cap(kvm_state, KVM_CAP_PPC_SECURE_GUEST, 0, 1); +} + PowerPCCPUClass *kvm_ppc_get_host_cpu_class(void) { uint32_t host_pvr = mfpvr(); diff --git a/target/ppc/kvm_ppc.h b/target/ppc/kvm_ppc.h index 332fa0aa1c..a9a3aa67c6 100644 --- a/target/ppc/kvm_ppc.h +++ b/target/ppc/kvm_ppc.h 
@@ -72,6 +72,8 @@ int kvmppc_set_cap_nested_kvm_hv(int enable); int kvmppc_get_cap_large_decr(void); int kvmppc_enable_cap_large_decr(PowerPCCPU *cpu, int enable); int kvmppc_enable_hwrng(void); +bool kvmppc_has_cap_secure_guest(void); +int kvmppc_enable_cap_secure_guest(void); int kvmppc_put_books_sregs(PowerPCCPU *cpu); PowerPCCPUClass *kvm_ppc_get_host_cpu_class(void); void kvmppc_check_papr_resize_hpt(Error **errp); @@ -380,6 +382,16 @@ static inline int kvmppc_enable_cap_large_decr(PowerPCCPU *cpu, int enable) return -1; } +static inline bool kvmppc_has_cap_secure_guest(void) +{ + return false; +} + +static inline int kvmppc_enable_cap_secure_guest(void) +{ + return -1; +} + static inline int kvmppc_enable_hwrng(void) { return -1;
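Review bot: the kvm_arch_init() hunk in target/ppc/kvm.c references KVM_CAP_PPC_SECURE_GUEST, but the diffstat touches only the five hw/ppc, include/hw/ppc and target/ppc files and nothing under linux-headers/, so this will not compile against the tree's copy of linux/kvm.h until the header update for the kernel series at [1] has been synced in with scripts/update-linux-headers.sh. Either carry that header update as a preceding patch of the series or state the dependency in the cover text so it is not picked up on its own.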
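Review bot: in the cap_secure_guest_apply() hunk of hw/ppc/spapr_caps.c the comment `/* capability disabled by default */` on the `if (!val)` early return is misleading: that branch is taken whenever the cap is off, whether by default or by an explicit cap-svm=off, so "nothing to do when the cap is off" describes it. This hook is also the only place the KVM cap gets enabled, and spapr caps are applied from the machine reset path, so kvmppc_enable_cap_secure_guest() can be issued more than once for the same VM; either confirm that re-enabling KVM_CAP_PPC_SECURE_GUEST is harmless on the kernel side or remember that it has already been done.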
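Review bot: the capability_table hunk exposes the new cap to users as `.name = "svm"` (so cap-svm) while every identifier around it says secure guest (SPAPR_CAP_SECURE_GUEST, cap_secure_guest_apply, kvmppc_has_cap_secure_guest); the property name is the user-visible, hard-to-change part, so pick one spelling now. The entry also adds no migration state for the cap, unlike the existing caps in this table which each have a SPAPR_CAP_MIG_STATE() declaration and a vmstate_spapr subsection, so a destination host cannot verify that its cap-svm setting matches the source's on migration.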
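Review bot: in the include/hw/ppc/spapr.h hunk `#define SPAPR_CAP_SECURE_GUEST 0x0B` is the only cap in that block without the one-line comment its neighbours carry (compare `/* Implements PAPR FWNMI option */` just above it); add one saying what it gates, i.e. that the guest is allowed to enter secure mode under PEF, since this header is where the cap numbering is documented.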
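Review bot: in the target/ppc/kvm.c hunk adding kvmppc_enable_cap_secure_guest(), the trailing argument `1` passed to kvm_vm_enable_cap(kvm_state, KVM_CAP_PPC_SECURE_GUEST, 0, 1) is not explained anywhere in the patch; if the kernel side reads it, say so in the commit message (and consider an `int enable` parameter as kvmppc_set_cap_nested_kvm_hv() has), otherwise drop it so the call does not suggest a parameter that does not exist.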
Making use of ppc's Protected Execution Facility (PEF) feature, a
guest can become a secure guest (aka. secure VM - SVM) and have its
memory protected from access by the host. This feature is mediated by
a piece of firmware called the Ultravisor (UV).

The transition from a regular to a secure VM is initiated by the guest
kernel during prom_init via the use of an ultracall (enter secure mode
- UV_ESM) and with cooperation from the hypervisor via an hcall
(H_SVM_INIT_START).

Currently QEMU has no knowledge of this process and no way to
determine if a host supports the feature. A guest with PEF support
enabled would always try to enter secure mode regardless of user
intent or hardware support.

To address the above, a new KVM capability (KVM_CAP_PPC_SECURE_GUEST
[1]) is being introduced in the kernel without which KVM will block
the secure transition.

This patch adds support for checking/enabling this KVM capability via
a new spapr capability (SPAPR_CAP_SECURE_GUEST) and the equivalent
command line switch (-machine pseries,cap-svm). The capability
defaults to off.

1- https://lore.kernel.org/kvm/20200319043301.GA13052@blackberry

Signed-off-by: Fabiano Rosas <farosas@linux.ibm.com>
---

I have implemented this to be able to test Paul's patch. I'm sending
it as RFC in case it helps anyone else and if we decide to go in this
direction I can develop it further.

PS: TCG currently gets in a loop of 0x700 due to the lack of 'sc 2'
emulation - and all the rest of PEF, of course =).

---
 hw/ppc/spapr.c         |  1 +
 hw/ppc/spapr_caps.c    | 30 ++++++++++++++++++++++++++++++
 include/hw/ppc/spapr.h |  3 ++-
 target/ppc/kvm.c       | 12 ++++++++++++
 target/ppc/kvm_ppc.h   | 12 ++++++++++++
 5 files changed, 57 insertions(+), 1 deletion(-)

-- 
2.23.0