@@ -48,6 +48,7 @@
#include "kvm-cpus.h"
#include "system/dirtylimit.h"
#include "qemu/range.h"
+#include "system/confidential-guest-support.h"
#include "hw/boards.h"
#include "system/stats.h"
@@ -1691,28 +1692,91 @@ static int kvm_dirty_ring_init(KVMState *s)
return 0;
}
+static int kvm_private_shared_notify(StateChangeListener *scl,
+ MemoryRegionSection *section,
+ bool to_private)
+{
+ hwaddr start = section->offset_within_address_space;
+ hwaddr size = section->size;
+
+ if (to_private) {
+ return kvm_set_memory_attributes_private(start, size);
+ } else {
+ return kvm_set_memory_attributes_shared(start, size);
+ }
+}
+
+static int kvm_private_shared_notify_to_shared(StateChangeListener *scl,
+ MemoryRegionSection *section)
+{
+ return kvm_private_shared_notify(scl, section, false);
+}
+
+static int kvm_private_shared_notify_to_private(StateChangeListener *scl,
+ MemoryRegionSection *section)
+{
+ return kvm_private_shared_notify(scl, section, true);
+}
+
static void kvm_region_add(MemoryListener *listener,
MemoryRegionSection *section)
{
KVMMemoryListener *kml = container_of(listener, KVMMemoryListener, listener);
+ ConfidentialGuestSupport *cgs = MACHINE(qdev_get_machine())->cgs;
+ GenericStateManager *gsm = memory_region_get_generic_state_manager(section->mr);
KVMMemoryUpdate *update;
+ CVMPrivateSharedListener *cpsl;
+ PrivateSharedListener *psl;
+
update = g_new0(KVMMemoryUpdate, 1);
update->section = *section;
QSIMPLEQ_INSERT_TAIL(&kml->transaction_add, update, next);
+
+ if (!memory_region_has_guest_memfd(section->mr) || !gsm) {
+ return;
+ }
+
+ cpsl = g_new0(CVMPrivateSharedListener, 1);
+ cpsl->mr = section->mr;
+ cpsl->offset_within_address_space = section->offset_within_address_space;
+ cpsl->granularity = generic_state_manager_get_min_granularity(gsm, section->mr);
+ psl = &cpsl->listener;
+ QLIST_INSERT_HEAD(&cgs->cvm_private_shared_list, cpsl, next);
+ private_shared_listener_init(psl, kvm_private_shared_notify_to_shared,
+ kvm_private_shared_notify_to_private);
+ generic_state_manager_register_listener(gsm, &psl->scl, section);
}
static void kvm_region_del(MemoryListener *listener,
MemoryRegionSection *section)
{
KVMMemoryListener *kml = container_of(listener, KVMMemoryListener, listener);
+ ConfidentialGuestSupport *cgs = MACHINE(qdev_get_machine())->cgs;
+ GenericStateManager *gsm = memory_region_get_generic_state_manager(section->mr);
KVMMemoryUpdate *update;
+ CVMPrivateSharedListener *cpsl;
+ PrivateSharedListener *psl;
update = g_new0(KVMMemoryUpdate, 1);
update->section = *section;
QSIMPLEQ_INSERT_TAIL(&kml->transaction_del, update, next);
+ if (!memory_region_has_guest_memfd(section->mr) || !gsm) {
+ return;
+ }
+
+ QLIST_FOREACH(cpsl, &cgs->cvm_private_shared_list, next) {
+ if (cpsl->mr == section->mr &&
+ cpsl->offset_within_address_space == section->offset_within_address_space) {
+ psl = &cpsl->listener;
+ generic_state_manager_unregister_listener(gsm, &psl->scl);
+ QLIST_REMOVE(cpsl, next);
+ g_free(cpsl);
+ break;
+ }
+ }
}
static void kvm_region_commit(MemoryListener *listener)
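Review bot: In kvm_private_shared_notify(), `hwaddr size = section->size;` assigns the section size directly, but MemoryRegionSection's `size` is an Int128 in QEMU's memory API, so this should be `hwaddr size = int128_get64(section->size);` as other users of the field do. Separately, kvm_region_add() and kvm_region_del() fetch `cgs` unconditionally and dereference `cgs->cvm_private_shared_list` after checking only guest_memfd and `gsm`. If a guest_memfd-backed region can exist on a machine without a confidential-guest object (not visible from this hunk), that is a NULL dereference, and adding `|| !cgs` to both guards would make the assumption explicit. kvm_region_del() also leaves the QLIST_FOREACH silently when no entry matches, so a listener can stay registered unnoticed; a warning or assertion after the loop would catch a mismatched add/del pair.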
@@ -3076,15 +3140,6 @@ int kvm_convert_memory(hwaddr start, hwaddr size, bool to_private)
goto out_unref;
}
- if (to_private) {
- ret = kvm_set_memory_attributes_private(start, size);
- } else {
- ret = kvm_set_memory_attributes_shared(start, size);
- }
- if (ret) {
- goto out_unref;
- }
-
addr = memory_region_get_ram_ptr(mr) + section.offset_within_region;
rb = qemu_ram_block_from_host(addr, false, &offset);
@@ -23,12 +23,20 @@
#endif
#include "qom/object.h"
+#include "exec/memory.h"
#define TYPE_CONFIDENTIAL_GUEST_SUPPORT "confidential-guest-support"
OBJECT_DECLARE_TYPE(ConfidentialGuestSupport,
ConfidentialGuestSupportClass,
CONFIDENTIAL_GUEST_SUPPORT)
+typedef struct CVMPrivateSharedListener {
+ MemoryRegion *mr;
+ hwaddr offset_within_address_space;
+ uint64_t granularity;
+ PrivateSharedListener listener;
+ QLIST_ENTRY(CVMPrivateSharedListener) next;
+} CVMPrivateSharedListener;
struct ConfidentialGuestSupport {
Object parent;
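Review bot: CVMPrivateSharedListener is added without any comment, and nothing in the visible hunks reads its `granularity` field after kvm_region_add() stores it. A short block comment above the typedef would help, stating that one entry is allocated per guest_memfd-backed section in kvm_region_add(), is looked up by `mr` plus `offset_within_address_space`, and is freed in kvm_region_del(); if `granularity` has no consumer yet, say so or drop it. The `cvm_private_shared_list` head added to ConfidentialGuestSupport in the next hunk should get a comment like its neighbouring fields, e.g. `/* listeners that apply KVM private/shared attribute changes, one per guest_memfd section */`.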
@@ -38,6 +46,8 @@ struct ConfidentialGuestSupport {
*/
bool require_guest_memfd;
+ QLIST_HEAD(, CVMPrivateSharedListener) cvm_private_shared_list;
+
/*
* ready: flag set by CGS initialization code once it's ready to
* start executing instructions in a potentially-secure
@@ -259,6 +259,7 @@ static void ram_block_attribute_notify_to_private(RamBlockAttribute *attr,
uint64_t offset, uint64_t size)
{
PrivateSharedListener *psl;
+ int ret;
QLIST_FOREACH(psl, &attr->psl_list, next) {
StateChangeListener *scl = &psl->scl;
@@ -267,7 +268,12 @@ static void ram_block_attribute_notify_to_private(RamBlockAttribute *attr,
if (!memory_region_section_intersect_range(&tmp, offset, size)) {
continue;
}
- scl->notify_to_state_clear(scl, &tmp);
+ /*
+ * No undo operation for the state_clear() callback failure at present.
+ * Expect the state_clear() callback always succeed.
+ */
+ ret = scl->notify_to_state_clear(scl, &tmp);
+ g_assert(!ret);
}
}
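Review bot: `g_assert(!ret)` after the state_clear callback aborts QEMU without recording which range failed or why, and the callback now ends in a KVM memory-attribute update that the commit description says can fail (e.g. -ENOMEM). Stopping rather than running with a partially converted range is a defensible fail-closed choice for a confidential guest, but conversions are typically initiated by the guest, so the log should let an operator tell resource exhaustion from a bug. I would report before aborting, for example `error_report("%s: to-private notify failed, offset 0x%" PRIx64 " size 0x%" PRIx64 ": %s", __func__, offset, size, strerror(-ret));` followed by `abort();`, assuming the callback returns a negative errno, which is not visible here. The same applies to `g_assert(!ret2)` in the rollback path of ram_block_attribute_notify_to_shared(). Both function bodies start outside their hunks.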
@@ -275,7 +281,7 @@ static int ram_block_attribute_notify_to_shared(RamBlockAttribute *attr,
uint64_t offset, uint64_t size)
{
PrivateSharedListener *psl, *psl2;
- int ret = 0;
+ int ret = 0, ret2 = 0;
QLIST_FOREACH(psl, &attr->psl_list, next) {
StateChangeListener *scl = &psl->scl;
@@ -302,7 +308,12 @@ static int ram_block_attribute_notify_to_shared(RamBlockAttribute *attr,
if (!memory_region_section_intersect_range(&tmp, offset, size)) {
continue;
}
- scl2->notify_to_state_clear(scl2, &tmp);
+ /*
+ * No undo operation for the state_clear() callback failure at present.
+ * Expect the state_clear() callback always succeed.
+ */
+ ret2 = scl2->notify_to_state_clear(scl2, &tmp);
+ g_assert(!ret2);
}
}
return ret;
@@ -1179,6 +1179,7 @@ static void tdx_guest_init(Object *obj)
qemu_mutex_init(&tdx->lock);
cgs->require_guest_memfd = true;
+ QLIST_INIT(&cgs->cvm_private_shared_list);
tdx->attributes = TDX_TD_ATTRIBUTES_SEPT_VE_DISABLE;
object_property_add_uint64_ptr(obj, "attributes", &tdx->attributes,
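Review bot: The list head lives in the ConfidentialGuestSupport base struct but is initialised only here and in sev_snp_guest_instance_init(), while kvm_region_add() inserts into it for any region that has guest_memfd and a state manager. That presumably works today because QOM instance memory starts zeroed, which is already a valid empty QLIST, but every future subclass that sets `require_guest_memfd` has to remember the extra line. Moving `QLIST_INIT(&cgs->cvm_private_shared_list);` into the base type's instance_init (not shown on this page) would keep the invariant in one place. tdx_guest_init() continues outside the hunk.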
@@ -2432,6 +2432,7 @@ sev_snp_guest_instance_init(Object *obj)
SevSnpGuestState *sev_snp_guest = SEV_SNP_GUEST(obj);
cgs->require_guest_memfd = true;
+ QLIST_INIT(&cgs->cvm_private_shared_list);
/* default init/start/finish params for kvm */
sev_snp_guest->kvm_start_conf.policy = DEFAULT_SEV_SNP_POLICY;
With the introduction of the RamBlockAttribute object to manage RAMBlocks with guest_memfd and the implementation of the PrivateSharedManager interface to convey page conversion events, it is more elegant to move attribute changes into a PrivateSharedListener. The PrivateSharedListener is registered/unregistered for each memory region section during kvm_region_add/del(), and listeners are stored in a CVMPrivateSharedListener list for easy management. The listener handler performs attribute changes upon receiving notifications from private_shared_manager_state_change() calls. With this change, the state change operations in kvm_convert_memory() can be removed. Note that after moving attribute changes into a listener, errors can be returned in ram_block_attribute_notify_to_private() if attribute changes fail in corner cases (e.g. -ENOMEM). Since there is currently no rollback operation for the to_private case, an assert is used to prevent the guest from continuing with a partially changed attribute state. Signed-off-by: Chenyi Qiang <chenyi.qiang@intel.com> --- Changes in v4: - Newly added. --- accel/kvm/kvm-all.c | 73 ++++++++++++++++++--- include/system/confidential-guest-support.h | 10 +++ system/ram-block-attribute.c | 17 ++++- target/i386/kvm/tdx.c | 1 + target/i386/sev.c | 1 + 5 files changed, 90 insertions(+), 12 deletions(-)