@@ -1250,6 +1250,7 @@ static int load_encrypted_data(QEMUFile *f, uint8_t *ptr)
cgs_class->memory_encryption_ops;
int flag;
+ hwaddr gpa;
flag = qemu_get_be32(f);
@@ -1257,6 +1258,12 @@ static int load_encrypted_data(QEMUFile *f, uint8_t *ptr)
return ops->load_incoming_page(f, ptr);
} else if (flag == RAM_SAVE_SHARED_REGIONS_LIST) {
return ops->load_incoming_shared_regions_list(f);
+ } else if (flag == RAM_SAVE_GUEST_MH_ENCRYPTED_PAGE) {
+ if (!kvm_physical_memory_addr_from_host(kvm_state, ptr, &gpa)) {
+ error_report("%s: failed to get gpa for host ptr %p", __func__, ptr);
+ return -EINVAL;
+ }
+ return cgs_mh_load_encrypted_page(f, gpa);
} else {
error_report("unknown encrypted flag %x", flag);
return 1;
@@ -3728,6 +3735,10 @@ void colo_release_ram_cache(void)
*/
static int ram_load_setup(QEMUFile *f, void *opaque)
{
+ if (confidential_guest()) {
+ cgs_mh_init();
+ }
+
if (compress_threads_load_setup(f)) {
return -1;
}
@@ -3754,6 +3765,10 @@ static int ram_load_cleanup(void *opaque)
rb->receivedmap = NULL;
}
+ if (confidential_guest()) {
+ cgs_mh_cleanup();
+ }
+
return 0;
}
@@ -4024,6 +4039,7 @@ void colo_flush_ram_cache(void)
static int ram_load_precopy(QEMUFile *f)
{
int flags = 0, ret = 0, invalid_flags = 0, len = 0, i = 0;
+
/* ADVISE is earlier, it shows the source has the postcopy capability on */
bool postcopy_advised = postcopy_is_advised();
if (!migrate_use_compression()) {
When loading encrypted RAM pages of a confidential guest, ask the in-guest migration helper to decrypt the incoming page and place it correctly in the guest memory at the appropriate address. This way the page's plaintext content remains inaccessible to the host. Signed-off-by: Dov Murik <dovmurik@linux.ibm.com> --- migration/ram.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+)