From patchwork Fri Jul 9 21:55:45 2021
X-Patchwork-Submitter: Brijesh Singh
X-Patchwork-Id: 12368075
From: Brijesh Singh
To: qemu-devel@nongnu.org
Cc: Connor Kuehl, Philippe Mathieu-Daudé, "Michael S . Tsirkin", James Bottomley, "Dr . David Alan Gilbert", Tom Lendacky, Paolo Bonzini, Dov Murik, David Gibson, Daniel P. Berrangé, kvm@vger.kernel.org, Michael Roth, Eduardo Habkost, Brijesh Singh
Subject: [RFC PATCH 1/6] linux-header: add the SNP specific command
Date: Fri, 9 Jul 2021 16:55:45 -0500
Message-Id: <20210709215550.32496-2-brijesh.singh@amd.com>
In-Reply-To: <20210709215550.32496-1-brijesh.singh@amd.com>
References: <20210709215550.32496-1-brijesh.singh@amd.com>
Sync the kvm.h with the kernel to include the SNP specific commands.

Signed-off-by: Brijesh Singh
---
 linux-headers/linux/kvm.h | 47 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)

diff --git a/linux-headers/linux/kvm.h b/linux-headers/linux/kvm.h index 20d6a263bb..c17ace1ece 100644 --- a/linux-headers/linux/kvm.h +++ b/linux-headers/linux/kvm.h @@ -1679,6 +1679,12 @@ enum sev_cmd_id { /* Guest Migration Extension */ KVM_SEV_SEND_CANCEL, + /* SNP specific commands */ + KVM_SEV_SNP_INIT = 256, + KVM_SEV_SNP_LAUNCH_START, + KVM_SEV_SNP_LAUNCH_UPDATE, + KVM_SEV_SNP_LAUNCH_FINISH, + KVM_SEV_NR_MAX, };
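Review bot: the commit message says the header is synced with the kernel but does not say which kernel tree or commit it was synced against. QEMU regenerates linux-headers/ with scripts/update-linux-headers.sh, so naming the source tree or commit lets reviewers confirm the values and makes it clear that this header must be re-synced before the kernel-side SNP ABI is final. It would also help to state in the message (or in the enum comment) that KVM_SEV_SNP_INIT = 256 deliberately leaves a gap after the SEV/SEV-ES commands, since a reader of the enum cannot tell whether the discontinuity is intentional, and that KVM_SEV_NR_MAX now counts from 256 onward.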
@@ -1775,6 +1781,47 @@ struct kvm_sev_receive_update_data { __u32 trans_len; }; +struct kvm_snp_init { + __u64 flags; +}; + +struct kvm_sev_snp_launch_start { + __u64 policy; + __u64 ma_uaddr; + __u8 ma_en; + __u8 imi_en; + __u8 gosvw[16]; +}; + +#define KVM_SEV_SNP_PAGE_TYPE_NORMAL 0x1 +#define KVM_SEV_SNP_PAGE_TYPE_VMSA 0x2 +#define KVM_SEV_SNP_PAGE_TYPE_ZERO 0x3 +#define KVM_SEV_SNP_PAGE_TYPE_UNMEASURED 0x4 +#define KVM_SEV_SNP_PAGE_TYPE_SECRETS 0x5 +#define KVM_SEV_SNP_PAGE_TYPE_CPUID 0x6 + +struct kvm_sev_snp_launch_update { + __u64 uaddr; + __u32 len; + __u8 imi_page; + __u8 page_type; + __u8 vmpl3_perms; + __u8 vmpl2_perms; + __u8 vmpl1_perms; +}; + +#define KVM_SEV_SNP_ID_BLOCK_SIZE 96 +#define KVM_SEV_SNP_ID_AUTH_SIZE 4096 +#define KVM_SEV_SNP_FINISH_DATA_SIZE 32 + +struct kvm_sev_snp_launch_finish { + __u64 id_block_uaddr; + __u64 id_auth_uaddr; + __u8 id_block_en; + __u8 auth_key_en; + __u8 host_data[KVM_SEV_SNP_FINISH_DATA_SIZE]; +}; + #define KVM_DEV_ASSIGN_ENABLE_IOMMU (1 << 0) #define KVM_DEV_ASSIGN_PCI_2_3 (1 << 1) #define KVM_DEV_ASSIGN_MASK_INTX (1 << 2)
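Review bot: the three new ioctl argument structs all end in implicit tail padding: kvm_sev_snp_launch_start is 34 bytes of fields padded to 40, kvm_sev_snp_launch_update is 17 bytes padded to 24, and kvm_sev_snp_launch_finish is 50 bytes padded to 56. UAPI structs normally make this explicit with reserved or pad fields so that sizeof() is stable across compilers and uninitialized padding is never copied between userspace and the kernel. Since this hunk is a sync of the kernel header, the fix belongs in the kernel series, but it should be raised there before QEMU starts depending on the layout. A one-line comment above the KVM_SEV_SNP_PAGE_TYPE_* block saying these are the values for the page_type field of kvm_sev_snp_launch_update would also help, as nothing currently ties the two together.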
From patchwork Fri Jul 9 21:55:46 2021
X-Patchwork-Submitter: Brijesh Singh
X-Patchwork-Id: 12368079
From: Brijesh Singh
To: qemu-devel@nongnu.org
Cc: Connor Kuehl, Philippe Mathieu-Daudé, "Michael S . Tsirkin", James Bottomley, "Dr . David Alan Gilbert", Tom Lendacky, Paolo Bonzini, Dov Murik, David Gibson, Daniel P. Berrangé, kvm@vger.kernel.org, Michael Roth, Eduardo Habkost, Brijesh Singh
Subject: [RFC PATCH 2/6] i386/sev: extend sev-guest property to include SEV-SNP
Date: Fri, 9 Jul 2021 16:55:46 -0500
Message-Id: <20210709215550.32496-3-brijesh.singh@amd.com>
In-Reply-To: <20210709215550.32496-1-brijesh.singh@amd.com>
References: <20210709215550.32496-1-brijesh.singh@amd.com>
To launch the SEV-SNP guest, a user can specify up to 8 parameters. Passing all parameters through the command line can be difficult. To simplify the launch parameter passing, introduce a .ini-like config file that can be used for passing the parameters to the launch flow.

The contents of the config file will look like this:

$ cat snp-launch.init
# SNP launch parameters
[SEV-SNP]
init_flags = 0
policy = 0x1000
id_block = "YWFhYWFhYWFhYWFhYWFhCg=="

Add an 'snp' property that can be used to indicate that the SEV guest launch should enable the SNP support.

SEV-SNP guest launch examples:

1) launch without additional parameters

$(QEMU_CLI) \
  -object sev-guest,id=sev0,snp=on

2) launch with optional parameters

$(QEMU_CLI) \
  -object sev-guest,id=sev0,snp=on,launch-config=
Signed-off-by: Brijesh Singh --- docs/amd-memory-encryption.txt | 81 +++++++++++- qapi/qom.json | 6 + target/i386/sev.c | 227 +++++++++++++++++++++++++++++++++ 3 files changed, 312 insertions(+), 2 deletions(-) diff --git a/docs/amd-memory-encryption.txt b/docs/amd-memory-encryption.txt index ffca382b5f..322bf38f68 100644 --- a/docs/amd-memory-encryption.txt +++ b/docs/amd-memory-encryption.txt @@ -22,8 +22,8 @@ support for notifying a guest's operating system when certain types of VMEXITs are about to occur. This allows the guest to selectively share information with the hypervisor to satisfy the requested function. -Launching ---------- +Launching (SEV and SEV-ES) +-------------------------- Boot images (such as bios) must be encrypted before a guest can be booted. The MEMORY_ENCRYPT_OP ioctl provides commands to encrypt the images: LAUNCH_START, LAUNCH_UPDATE_DATA, LAUNCH_MEASURE and LAUNCH_FINISH. These four commands 
@@ -113,6 +113,83 @@ a SEV-ES guest: - Requires in-kernel irqchip - the burden is placed on the hypervisor to manage booting APs. +Launching (SEV-SNP) +------------------- +Boot images (such as bios) must be encrypted before a guest can be booted. The +MEMORY_ENCRYPT_OP ioctl provides commands to encrypt the images: +KVM_SNP_INIT, SNP_LAUNCH_START, SNP_LAUNCH_UPDATE, and SNP_LAUNCH_FINISH. These +four commands together generate a fresh memory encryption key for the VM, +encrypt the boot images for a successful launch. + +KVM_SNP_INIT is called first to initialize the SEV-SNP firmware and SNP +features in the KVM. The feature flags value can be provided through the +launch-config file. + ++------------+-------+----------+---------------------------------+ +| key | type | default | meaning | ++------------+-------+----------+---------------------------------+ +| init_flags | hex | 0 | SNP feature flags | ++-----------------------------------------------------------------+ + +Note: currently the init_flags must be zero. + +SNP_LAUNCH_START is called first to create a cryptographic launch context +within the firmware. To create this context, guest owner must provide a guest +policy and other parameters as described in the SEV-SNP firmware +specification. The launch parameters should be specified in the launch-config +ini file and should be treated as a binary blob and must be passed as-is to +the SEV-SNP firmware. + +The SNP_LAUNCH_START uses the following parameters from the launch-config +file. See the SEV-SNP specification for more details. 
+ ++--------+-------+----------+----------------------------------------------+ +| key | type | default | meaning | ++--------+-------+----------+----------------------------------------------+ +| policy | hex | 0x30000 | a 64-bit guest policy | +| imi_en | bool | 0 | 1 when IMI is enabled | +| ma_end | bool | 0 | 1 when migration agent is used | +| gosvw | string| 0 | 16-byte base64 encoded string for the guest | +| | | | OS visible workaround. | ++--------+-------+----------+----------------------------------------------+ + +SNP_LAUNCH_UPDATE encrypts the memory region using the cryptographic context +created via the SNP_LAUNCH_START command. If required, this command can be called +multiple times to encrypt different memory regions. The command also calculates +the measurement of the memory contents as it encrypts. + +SNP_LAUNCH_FINISH finalizes the guest launch flow. Optionally, while finalizing +the launch the firmware can perform checks on the launch digest computing +through the SNP_LAUNCH_UPDATE. To perform the check the user must supply +the id block, authentication blob and host data that should be included in the +attestation report. See the SEV-SNP spec for further details. + +The SNP_LAUNCH_FINISH uses the following parameters from the launch-config file. 
+ ++------------+-------+----------+----------------------------------------------+ +| key | type | default | meaning | ++------------+-------+----------+----------------------------------------------+ +| id_block | string| none | base64 encoded ID block | ++------------+-------+----------+----------------------------------------------+ +| id_auth | string| none | base64 encoded authentication information | ++------------+-------+----------+----------------------------------------------+ +| auth_key_en| bool | 0 | auth block contains author key | ++------------+-------+----------+----------------------------------------------+ +| host_data | string| none | host provided data | ++------------+-------+----------+----------------------------------------------+ + +To launch a SEV-SNP guest + +# ${QEMU} \ + -machine ...,confidential-guest-support=sev0 \ + -object sev-guest,id=sev0,cbitpos=51,reduced-phys-bits=1,snp=on + +To launch a SEV-SNP guest with launch configuration + +# ${QEMU} \ + -machine ...,confidential-guest-support=sev0 \ + -object sev-guest,id=sev0,cbitpos=51,reduced-phys-bits=1,snp=on,launch-config= + Debugging ----------- Since the memory contents of a SEV guest are encrypted, hypervisor access to diff --git a/qapi/qom.json b/qapi/qom.json index 652be317b8..bdf89fda27 100644 --- a/qapi/qom.json +++ b/qapi/qom.json @@ -749,6 +749,10 @@ # @reduced-phys-bits: number of bits in physical addresses that become # unavailable when SEV is enabled # +# @snp: SEV-SNP is enabled (default: 0) +# +# @launch-config: launch config file to use +# # Since: 2.12 ## { 'struct': 'SevGuestProperties', @@ -758,6 +762,8 @@ '*policy': 'uint32', '*handle': 'uint32', '*cbitpos': 'uint32', + '*snp': 'bool', + '*launch-config': 'str', 'reduced-phys-bits': 'uint32' } } ## diff --git a/target/i386/sev.c b/target/i386/sev.c index 83df8c09f6..6b238ef969 100644 --- a/target/i386/sev.c +++ b/target/i386/sev.c 
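Review bot: the new "Launching (SEV-SNP)" text contradicts itself and the code in several places. "SNP_LAUNCH_START is called first to create a cryptographic launch context" follows a paragraph that already says KVM_SNP_INIT is called first; it should read "next". The SNP_LAUNCH_START table lists the key as "ma_end" while the sev.c parser in this series reads ma_en (and the struct field is ma_en), so a user following the docs will set a key that is never read. The gosvw row gives a default of 0 for a base64 string; "none", as used in the SNP_LAUNCH_FINISH table, is clearer. The opening sentence, "These four commands together generate a fresh memory encryption key for the VM, encrypt the boot images for a successful launch", is missing an "and". Finally, the closing border of the init_flags table is a single dashed row without column separators, unlike the other tables added in this hunk.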
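Review bot: the two new optional members of SevGuestProperties carry no "(since X.Y)" annotation in their doc comments, which qapi documentation requires for members added after the struct's original "Since: 2.12". "@snp: SEV-SNP is enabled (default: 0)" documents a bool with a numeric default; write "(default: false)". "@launch-config: launch config file to use" should say what the file is (an ini-style file with an [SEV-SNP] group, per the docs hunk) and that it is only meaningful together with snp=on, since the sev.c setter in this patch parses it regardless of whether snp is set.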
@@ -37,6 +37,11 @@ #define TYPE_SEV_GUEST "sev-guest" OBJECT_DECLARE_SIMPLE_TYPE(SevGuestState, SEV_GUEST) +struct snp_launch_config { + struct kvm_snp_init init; + struct kvm_sev_snp_launch_start start; + struct kvm_sev_snp_launch_finish finish; +}; /** * SevGuestState: @@ -58,6 +63,8 @@ struct SevGuestState { char *session_file; uint32_t cbitpos; uint32_t reduced_phys_bits; + char *launch_config_file; + bool snp; /* runtime state */ uint32_t handle; @@ -72,10 +79,13 @@ struct SevGuestState { uint32_t reset_cs; uint32_t reset_ip; bool reset_data_valid; + + struct snp_launch_config snp_config; }; #define DEFAULT_GUEST_POLICY 0x1 /* disable debug */ #define DEFAULT_SEV_DEVICE "/dev/sev" +#define DEFAULT_SEV_SNP_POLICY 0x30000 #define SEV_INFO_BLOCK_GUID "00f771de-1a7e-4fcb-890e-68c77e2fb44e" typedef struct __attribute__((__packed__)) SevInfoBlock { 
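Review bot: DEFAULT_SEV_SNP_POLICY 0x30000 sits next to DEFAULT_GUEST_POLICY, which carries a "/* disable debug */" comment, but has no comment of its own; add one naming the bits it sets (bit 17, the reserved must-be-one bit, and bit 16, SMT allowed, in the SNP firmware ABI guest policy layout) so a reader does not have to look the value up. The struct snp_launch_config added at the top of the file also deserves a short comment stating that its members are the kvm_snp_init, kvm_sev_snp_launch_start and kvm_sev_snp_launch_finish ioctl arguments filled in directly by the launch-config parser and passed as-is to the KVM_SEV_SNP_* commands, since that is what makes the layout of these structs security relevant.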
@@ -298,6 +308,212 @@ sev_guest_set_sev_device(Object *obj, const char *value, Error **errp) sev->sev_device = g_strdup(value); } +static void +sev_guest_set_snp(Object *obj, bool value, Error **errp) +{ + SevGuestState *sev = SEV_GUEST(obj); + + sev->snp = value; +} + +static bool +sev_guest_get_snp(Object *obj, Error **errp) +{ + SevGuestState *sev = SEV_GUEST(obj); + + return sev->snp; +} + + +static char * +sev_guest_get_launch_config_file(Object *obj, Error **errp) +{ + SevGuestState *s = SEV_GUEST(obj); + + return g_strdup(s->launch_config_file); +} + +static int +config_read_uint64(GKeyFile *f, const char *key, uint64_t *value, Error **errp) +{ + g_autoptr(GError) error = NULL; + g_autofree gchar *str = NULL; + uint64_t res; + + str = g_key_file_get_string(f, "SEV-SNP", key, &error); + if (!str) { + /* key not found */ + return 0; + } + + res = g_ascii_strtoull(str, NULL, 16); + if (res == G_MAXUINT64) { + error_setg(errp, "Failed to convert %s", str); + return 1; + } + + *value = res; + return 0; +} + +static int +config_read_bool(GKeyFile *f, const char *key, bool *value, Error **errp) +{ + g_autoptr(GError) error = NULL; + gboolean val; + + val = g_key_file_get_boolean(f, "SEV-SNP", key, &error); + if (!val && g_error_matches(error, G_KEY_FILE_ERROR, + G_KEY_FILE_ERROR_INVALID_VALUE)) { + error_setg(errp, "%s", error->message); + return 1; + } + + *value = val; + return 0; +} + +static int +config_read_blob(GKeyFile *f, const char *key, uint8_t *blob, uint32_t len, + Error **errp) +{ + g_autoptr(GError) error = NULL; + g_autofree guchar *data = NULL; + g_autofree gchar *base64 = NULL; + gsize size; + + base64 = g_key_file_get_string(f, "SEV-SNP", key, &error); + if (!base64) { + /* key not found */ + return 0; + } + + /* lets decode the value string */ + data = g_base64_decode(base64, &size); + if (!data) { + error_setg(errp, "failed to decode '%s'", key); + return 1; + } + + /* verify the length */ + if (len != size) { + error_setg(errp, "invalid length 
for key '%s' (expected %d got %ld)", + key, len, size); + return 1; + } + + memcpy(blob, data, size); + return 0; +} + +static int +snp_parse_launch_config(SevGuestState *sev, const char *file, Error **errp) +{ + g_autoptr(GError) error = NULL; + g_autoptr(GKeyFile) key_file = g_key_file_new(); + struct kvm_sev_snp_launch_start *start = &sev->snp_config.start; + struct kvm_snp_init *init = &sev->snp_config.init; + struct kvm_sev_snp_launch_finish *finish = &sev->snp_config.finish; + uint8_t *id_block = NULL, *id_auth = NULL; + + if (!g_key_file_load_from_file(key_file, file, G_KEY_FILE_NONE, &error)) { + error_setg(errp, "Error loading config file: %s", error->message); + return 1; + } + + /* Check the group first */ + if (!g_key_file_has_group(key_file, "SEV-SNP")) { + error_setg(errp, "Error parsing config file, group SEV-SNP not found"); + return 1; + } + + /* Get the init_flags used in KVM_SNP_INIT */ + if (config_read_uint64(key_file, "init_flags", + (uint64_t *)&init->flags, errp)) { + goto err; + } + + /* Get the policy used in LAUNCH_START */ + if (config_read_uint64(key_file, "policy", + (uint64_t *)&start->policy, errp)) { + goto err; + } + + /* Get IMI_EN used in LAUNCH_START */ + if (config_read_bool(key_file, "imi_en", (bool *)&start->imi_en, errp)) { + goto err; + } + + /* Get MA_EN used in LAUNCH_START */ + if (config_read_bool(key_file, "imi_en", (bool *)&start->ma_en, errp)) { + goto err; + } + + /* Get GOSVW used in LAUNCH_START */ + if (config_read_blob(key_file, "gosvw", (uint8_t *)&start->gosvw, + sizeof(start->gosvw), errp)) { + goto err; + } + + /* Get ID block used in LAUNCH_FINISH */ + if (g_key_file_has_key(key_file, "SEV-SNP", "id_block", &error)) { + + id_block = g_malloc(KVM_SEV_SNP_ID_BLOCK_SIZE); + + if (config_read_blob(key_file, "id_block", id_block, + KVM_SEV_SNP_ID_BLOCK_SIZE, errp)) { + goto err; + } + + finish->id_block_uaddr = (unsigned long)id_block; + finish->id_block_en = 1; + } + + /* Get authentication block used in 
LAUNCH_FINISH */ + if (g_key_file_has_key(key_file, "SEV-SNP", "id_auth", &error)) { + + id_auth = g_malloc(KVM_SEV_SNP_ID_AUTH_SIZE); + + if (config_read_blob(key_file, "auth_block", id_auth, + KVM_SEV_SNP_ID_AUTH_SIZE, errp)) { + goto err; + } + + finish->id_auth_uaddr = (unsigned long)id_auth; + + /* Get AUTH_KEY_EN used in LAUNCH_FINISH */ + if (config_read_bool(key_file, "auth_key_en", + (bool *)&finish->auth_key_en, errp)) { + goto err; + } + } + + /* Get host_data used in LAUNCH_FINISH */ + if (config_read_blob(key_file, "host_data", (uint8_t *)&finish->host_data, + sizeof(finish->host_data), errp)) { + goto err; + } + + return 0; + +err: + g_free(id_block); + g_free(id_auth); + return 1; +} + +static void +sev_guest_set_launch_config_file(Object *obj, const char *value, Error **errp) +{ + SevGuestState *s = SEV_GUEST(obj); + + if (snp_parse_launch_config(s, value, errp)) { + return; + } + + s->launch_config_file = g_strdup(value); +} + static void sev_guest_class_init(ObjectClass *oc, void *data) { @@ -316,6 +532,16 @@ sev_guest_class_init(ObjectClass *oc, void *data) sev_guest_set_session_file); object_class_property_set_description(oc, "session-file", "guest owners session parameters (encoded with base64)"); + object_class_property_add_bool(oc, "snp", + sev_guest_get_snp, + sev_guest_set_snp); + object_class_property_set_description(oc, "snp", + "enable SEV-SNP support"); + object_class_property_add_str(oc, "launch-config", + sev_guest_get_launch_config_file, + sev_guest_set_launch_config_file); + object_class_property_set_description(oc, "launch-config", + "the file provides the SEV-SNP guest launch parameters"); } static void 
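Review bot: snp_parse_launch_config reads the wrong config key in two places, and both break the file format silently. The MA_EN read passes "imi_en" again instead of "ma_en" (`config_read_bool(key_file, "imi_en", (bool *)&start->ma_en, errp)`), so ma_en always takes the value of imi_en and a user's ma_en setting is ignored. The authentication block is guarded by `g_key_file_has_key(key_file, "SEV-SNP", "id_auth", &error)` but then read with `config_read_blob(key_file, "auth_block", id_auth, ...)`; because config_read_blob returns 0 when the key is absent, the freshly g_malloc()ed and never-initialized 4096-byte id_auth buffer is handed to LAUNCH_FINISH via finish->id_auth_uaddr. Fix the key name and either use g_malloc0 or treat a missing blob as an error, and do the same for id_block for consistency. Smaller points in the same hunk: config_read_uint64 only treats G_MAXUINT64 as a conversion failure, so a non-hex value such as "xyz" silently becomes 0 (pass an endptr to g_ascii_strtoull and reject trailing characters); the GError from g_key_file_get_string in config_read_uint64 and config_read_blob is never inspected, so a genuine read error is indistinguishable from "key not present"; and sev_guest_set_launch_config_file overwrites s->launch_config_file without freeing the previous value, while the id_block/id_auth allocations from a previous parse are only reachable through the uaddr fields, so setting the property twice leaks them.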
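Review bot: the launch-config property description, "the file provides the SEV-SNP guest launch parameters", reads awkwardly; "file with the SEV-SNP guest launch parameters" matches the style of the neighbouring descriptions. Since the setter parses and validates the file immediately, it is worth noting in the description that the file must exist when the property is set, and that it is ignored unless snp is also enabled.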
@@ -325,6 +551,7 @@ sev_guest_instance_init(Object *obj) sev->sev_device = g_strdup(DEFAULT_SEV_DEVICE); sev->policy = DEFAULT_GUEST_POLICY; + sev->snp_config.start.policy = DEFAULT_SEV_SNP_POLICY; object_property_add_uint32_ptr(obj, "policy", &sev->policy, OBJ_PROP_FLAG_READWRITE); object_property_add_uint32_ptr(obj, "handle", &sev->handle,
From patchwork Fri Jul 9 21:55:47 2021 X-Patchwork-Submitter: Brijesh Singh X-Patchwork-Id: 12368077
From: Brijesh Singh To: qemu-devel@nongnu.org Cc: Connor Kuehl, Philippe Mathieu-Daudé, Michael S. Tsirkin, James Bottomley, Dr. David Alan Gilbert, Tom Lendacky, Paolo Bonzini, Dov Murik, David Gibson, Daniel P. Berrangé, kvm@vger.kernel.org, Michael Roth, Eduardo Habkost, Brijesh Singh Subject: [RFC PATCH 3/6] i386/sev: initialize SNP context Date: Fri, 9 Jul 2021 16:55:47 -0500 Message-Id: <20210709215550.32496-4-brijesh.singh@amd.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20210709215550.32496-1-brijesh.singh@amd.com> References: <20210709215550.32496-1-brijesh.singh@amd.com>
When SEV-SNP is enabled, the KVM_SNP_INIT command is used to initialize the platform. The command checks whether SNP is enabled in KVM; if enabled, it allocates a new ASID from the SNP pool and calls the firmware to initialize all the resources.
Signed-off-by: Brijesh Singh --- target/i386/sev.c | 24 +++++++++++++++++++++--- target/i386/sev_i386.h | 1 + 2 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/target/i386/sev.c b/target/i386/sev.c index 6b238ef969..84ae244af0 100644 --- a/target/i386/sev.c +++ b/target/i386/sev.c @@ -583,10 +583,17 @@ sev_enabled(void) return !!sev_guest; } +bool +sev_snp_enabled(void) +{ + return sev_guest->snp; +} + bool sev_es_enabled(void) { - return sev_enabled() && (sev_guest->policy & SEV_POLICY_ES); + return sev_snp_enabled() || + (sev_enabled() && (sev_guest->policy & SEV_POLICY_ES)); } uint64_t @@ -1008,6 +1015,7 @@ int sev_kvm_init(ConfidentialGuestSupport *cgs, Error **errp) uint32_t ebx; uint32_t host_cbitpos; struct sev_user_data_status status = {}; + void *init_args = NULL; if (!sev) { return 0;
@@ -1061,7 +1069,17 @@ int sev_kvm_init(ConfidentialGuestSupport *cgs, Error **errp) sev->api_major = status.api_major; sev->api_minor = status.api_minor; - if (sev_es_enabled()) { + if (sev_snp_enabled()) { + if (!kvm_kernel_irqchip_allowed()) { + error_report("%s: SEV-SNP guests require in-kernel irqchip support", + __func__); + goto err; + } + + cmd = KVM_SEV_SNP_INIT; + init_args = (void *)&sev->snp_config.init; + + } else if (sev_es_enabled()) { if (!kvm_kernel_irqchip_allowed()) { error_report("%s: SEV-ES guests require in-kernel irqchip support", __func__); @@ -1080,7 +1098,7 @@ int sev_kvm_init(ConfidentialGuestSupport *cgs, Error **errp) } trace_kvm_sev_init(); - ret = sev_ioctl(sev->sev_fd, cmd, NULL, &fw_error); + ret = sev_ioctl(sev->sev_fd, cmd, init_args, &fw_error); if (ret) { error_setg(errp, "%s: failed to initialize ret=%d fw_error=%d '%s'", __func__, ret, fw_error, fw_error_to_str(fw_error)); diff --git a/target/i386/sev_i386.h b/target/i386/sev_i386.h index ae6d840478..e0e1a599be 100644 --- a/target/i386/sev_i386.h +++ b/target/i386/sev_i386.h 
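Review bot: sev_snp_enabled() in the first sev.c hunk dereferences sev_guest unconditionally (`return sev_guest->snp;`), while sev_enabled() directly above it returns `!!sev_guest` precisely because sev_guest is NULL when no SEV object was configured. Since sev_es_enabled() is changed to evaluate sev_snp_enabled() first, every existing caller of sev_es_enabled() on a VM without SEV now takes a NULL dereference. Write it as `return sev_enabled() && sev_guest->snp;`.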
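Review bot: In the sev_kvm_init hunk the new SNP branch duplicates the kvm_kernel_irqchip_allowed() check and its error message from the SEV-ES branch that follows it; as this series makes sev_es_enabled() true whenever sev_snp_enabled() is true, hoist that check in front of both branches and leave only `cmd = KVM_SEV_SNP_INIT;` and `init_args = (void *)&sev->snp_config.init;` in the SNP arm. Also worth noting for the same hunk: init_args points at snp_config.init, whose flags are taken verbatim from the init_flags value of the launch-config file, so an unsupported flag only surfaces as the generic "failed to initialize" message after the ioctl; validating the value (or at least naming the rejected flags in the error) before issuing KVM_SEV_SNP_INIT would make misconfiguration easier to diagnose.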
@@ -29,6 +29,7 @@ #define SEV_POLICY_SEV 0x20 extern bool sev_es_enabled(void); +extern bool sev_snp_enabled(void); extern uint64_t sev_get_me_mask(void); extern SevInfo *sev_get_info(void); extern uint32_t sev_get_cbit_position(void);
From patchwork Fri Jul 9 21:55:48 2021 X-Patchwork-Submitter: Brijesh Singh X-Patchwork-Id: 12368081
From: Brijesh Singh To: qemu-devel@nongnu.org Cc: Connor Kuehl, Philippe Mathieu-Daudé, Michael S. Tsirkin, James Bottomley, Dr. David Alan Gilbert, Tom Lendacky, Paolo Bonzini, Dov Murik, David Gibson, Daniel P. Berrangé, kvm@vger.kernel.org, Michael Roth, Eduardo Habkost, Brijesh Singh Subject: [RFC PATCH 4/6] i386/sev: add the SNP launch start context Date: Fri, 9 Jul 2021 16:55:48 -0500 Message-Id: <20210709215550.32496-5-brijesh.singh@amd.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20210709215550.32496-1-brijesh.singh@amd.com> References: <20210709215550.32496-1-brijesh.singh@amd.com>
The SNP_LAUNCH_START is called first to create a cryptographic launch context
within the firmware. Signed-off-by: Brijesh Singh --- target/i386/sev.c | 30 +++++++++++++++++++++++++++++- target/i386/trace-events | 1 + 2 files changed, 30 insertions(+), 1 deletion(-) diff --git a/target/i386/sev.c b/target/i386/sev.c index 84ae244af0..259408a8f1 100644 --- a/target/i386/sev.c +++ b/target/i386/sev.c @@ -812,6 +812,29 @@ sev_read_file_base64(const char *filename, guchar **data, gsize *len) return 0; } +static int +sev_snp_launch_start(SevGuestState *sev) +{ + int ret = 1; + int fw_error, rc; + struct kvm_sev_snp_launch_start *start = &sev->snp_config.start; + + trace_kvm_sev_snp_launch_start(start->policy); + + rc = sev_ioctl(sev->sev_fd, KVM_SEV_SNP_LAUNCH_START, start, &fw_error); + if (rc < 0) { + error_report("%s: SNP_LAUNCH_START ret=%d fw_error=%d '%s'", + __func__, ret, fw_error, fw_error_to_str(fw_error)); + goto out; + } + + sev_set_guest_state(sev, SEV_STATE_LAUNCH_UPDATE); + ret = 0; + +out: + return ret; +} + static int sev_launch_start(SevGuestState *sev) { @@ -1105,7 +1128,12 @@ int sev_kvm_init(ConfidentialGuestSupport *cgs, Error **errp) goto err; } - ret = sev_launch_start(sev); + if (sev_snp_enabled()) { + ret = sev_snp_launch_start(sev); + } else { + ret = sev_launch_start(sev); + } + if (ret) { error_setg(errp, "%s: failed to create encryption context", __func__); goto err; diff --git a/target/i386/trace-events b/target/i386/trace-events index 2cd8726eeb..18cc14b956 100644 --- a/target/i386/trace-events +++ b/target/i386/trace-events 
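Review bot: The failure message in the sev_snp_launch_start hunk prints the wrong variable: `error_report("%s: SNP_LAUNCH_START ret=%d fw_error=%d '%s'", __func__, ret, ...)` passes ret, which still holds its initial value of 1, rather than rc, the value sev_ioctl() actually returned; print rc. In the same hunk `if (rc < 0)` treats a positive return from sev_ioctl() as success, whereas sev_kvm_init checks the result of the same helper with `if (ret)`; use the same test here so that a non-zero result never advances the guest to SEV_STATE_LAUNCH_UPDATE without a launch context having been created.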
@@ -11,3 +11,4 @@ kvm_sev_launch_measurement(const char *value) "data %s" kvm_sev_launch_finish(void) "" kvm_sev_launch_secret(uint64_t hpa, uint64_t hva, uint64_t secret, int len) "hpa 0x%" PRIx64 " hva 0x%" PRIx64 " data 0x%" PRIx64 " len %d" kvm_sev_attestation_report(const char *mnonce, const char *data) "mnonce %s data %s" +kvm_sev_snp_launch_start(uint64_t policy) "policy 0x%" PRIx64
From patchwork Fri Jul 9 21:55:49 2021 X-Patchwork-Submitter: Brijesh Singh X-Patchwork-Id: 12368085
From: Brijesh Singh To: qemu-devel@nongnu.org Cc: Connor Kuehl, Philippe Mathieu-Daudé, Michael S. Tsirkin, James Bottomley, Dr. David Alan Gilbert, Tom Lendacky, Paolo Bonzini, Dov Murik, David Gibson, Daniel P. Berrangé, kvm@vger.kernel.org, Michael Roth, Eduardo Habkost, Brijesh Singh Subject: [RFC PATCH 5/6] i386/sev: add support to encrypt BIOS when SEV-SNP is enabled Date: Fri, 9 Jul 2021 16:55:49 -0500 Message-Id: <20210709215550.32496-6-brijesh.singh@amd.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20210709215550.32496-1-brijesh.singh@amd.com> References: <20210709215550.32496-1-brijesh.singh@amd.com>
The KVM_SEV_SNP_LAUNCH_UPDATE command is used for encrypting the bios image used
for booting the SEV-SNP guest. Signed-off-by: Brijesh Singh --- target/i386/sev.c | 33 ++++++++++++++++++++++++++++++++- target/i386/trace-events | 1 + 2 files changed, 33 insertions(+), 1 deletion(-) diff --git a/target/i386/sev.c b/target/i386/sev.c index 259408a8f1..41dcb084d1 100644 --- a/target/i386/sev.c +++ b/target/i386/sev.c @@ -883,6 +883,30 @@ out: return ret; } +static int +sev_snp_launch_update(SevGuestState *sev, uint8_t *addr, uint64_t len, int type) +{ + int ret, fw_error; + struct kvm_sev_snp_launch_update update = {}; + + if (!addr || !len) { + return 1; + } + + update.uaddr = (__u64)(unsigned long)addr; + update.len = len; + update.page_type = type; + trace_kvm_sev_snp_launch_update(addr, len, type); + ret = sev_ioctl(sev->sev_fd, KVM_SEV_SNP_LAUNCH_UPDATE, + &update, &fw_error); + if (ret) { + error_report("%s: SNP_LAUNCH_UPDATE ret=%d fw_error=%d '%s'", + __func__, ret, fw_error, fw_error_to_str(fw_error)); + } + + return ret; +} + static int sev_launch_update_data(SevGuestState *sev, uint8_t *addr, uint64_t len) { @@ -1161,7 +1185,14 @@ sev_encrypt_flash(uint8_t *ptr, uint64_t len, Error **errp) /* if SEV is in update state then encrypt the data else do nothing */ if (sev_check_state(sev_guest, SEV_STATE_LAUNCH_UPDATE)) { - int ret = sev_launch_update_data(sev_guest, ptr, len); + int ret; + + if (sev_snp_enabled()) { + ret = sev_snp_launch_update(sev_guest, ptr, len, + KVM_SEV_SNP_PAGE_TYPE_NORMAL); + } else { + ret = sev_launch_update_data(sev_guest, ptr, len); + } if (ret < 0) { error_setg(errp, "failed to encrypt pflash rom"); return ret; diff --git a/target/i386/trace-events b/target/i386/trace-events index 18cc14b956..0c2d250206 100644 --- a/target/i386/trace-events +++ b/target/i386/trace-events 
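Review bot: sev_snp_launch_update() returns 1 when addr is NULL or len is zero and otherwise passes through whatever sev_ioctl() returns, but its only caller, in the sev_encrypt_flash hunk, tests `if (ret < 0)`; a positive result therefore produces no error, leaves the flash image out of the launch measurement, and lets sev_encrypt_flash report success. Either return a negative value from the argument check and normalise the ioctl result, or change the caller to `if (ret)` so that both the SNP path and the legacy sev_launch_update_data() path fail loudly. One smaller point on the same hunk: the new trace_kvm_sev_snp_launch_update() event records the host virtual address of the flash buffer with %p, which puts a host pointer into trace output; the existing kvm_sev_launch_secret event logs addresses as uint64_t, and matching that (or dropping the address and keeping len and type) would be consistent.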
@@ -12,3 +12,4 @@ kvm_sev_launch_finish(void) "" kvm_sev_launch_secret(uint64_t hpa, uint64_t hva, uint64_t secret, int len) "hpa 0x%" PRIx64 " hva 0x%" PRIx64 " data 0x%" PRIx64 " len %d" kvm_sev_attestation_report(const char *mnonce, const char *data) "mnonce %s data %s" kvm_sev_snp_launch_start(uint64_t policy) "policy 0x%" PRIx64 +kvm_sev_snp_launch_update(void *addr, uint64_t len, int type) "addr %p len 0x%" PRIx64 " type %d" From patchwork Fri Jul 9 21:55:50 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Brijesh Singh X-Patchwork-Id: 12368083 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-19.0 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER, INCLUDES_PATCH,MAILING_LIST_MULTI,MSGID_FROM_MTA_HEADER,SPF_HELO_NONE, SPF_PASS,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 93790C07E99 for ; Fri, 9 Jul 2021 22:01:47 +0000 (UTC) Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 1A014613E4 for ; Fri, 9 Jul 2021 22:01:47 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 1A014613E4 Authentication-Results: mail.kernel.org; dmarc=fail (p=quarantine dis=none) header.from=amd.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Received: from localhost ([::1]:49388 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1m1yZ8-0000bD-7f for qemu-devel@archiver.kernel.org; Fri, 09 Jul 2021 18:01:46 -0400 Received: from 
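Review bot: the argument check `if (!addr || !len) { return 1; }` at the top of sev_snp_launch_update() in the first sev.c hunk fails silently, while the ioctl failure path a few lines below goes through error_report() with the firmware error string; a caller that passes a NULL buffer or zero length gets no diagnostic at all. Suggest reporting it (error_report() naming the bad argument) and using the same return convention as the ioctl path. The function also takes an undocumented `type` argument; a one-line comment stating that it is one of the KVM_SEV_SNP_PAGE_TYPE_* values, and that the buffer is the host mapping of guest memory being added to the launch digest, would help the next reader.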
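Review bot: in the sev_encrypt_flash() hunk the existing error test `if (ret < 0)` no longer matches both callees: sev_snp_launch_update() returns 1 for a bad address or length, so on the SNP branch that failure is not negative, passes the check, and the pflash image is treated as successfully encrypted. Either make sev_snp_launch_update() signal failure with a negative value like the SEV path that the `ret < 0` check was written for, or change the test here to `if (ret)`; whichever is chosen, the two launch-update helpers should agree.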
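Review bot: style point on the trace-events hunk: the new event is declared as `kvm_sev_snp_launch_update(void *addr, uint64_t len, int type)` and prints the address with `%p`, whereas the neighbouring kvm_sev_launch_secret() event carries addresses as `uint64_t hva` and prints them with `0x%" PRIx64`. Declaring it as `kvm_sev_snp_launch_update(uint64_t hva, uint64_t len, int type)` and casting at the call site keeps the trace format consistent and independent of the host pointer width. The value traced is a host virtual address of guest memory, the same as the existing events expose, so nothing new is leaked, but it is worth keeping in mind where trace output is collected.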
From: Brijesh Singh
To: qemu-devel@nongnu.org
Cc: Connor Kuehl, Philippe Mathieu-Daudé, "Michael S . Tsirkin", James Bottomley, "Dr . David Alan Gilbert", Tom Lendacky, Paolo Bonzini, Dov Murik, David Gibson, Daniel P. Berrangé, kvm@vger.kernel.org, Michael Roth, Eduardo Habkost, Brijesh Singh
Subject: [RFC PATCH 6/6] i386/sev: populate secrets and cpuid page and finalize the SNP launch
Date: Fri, 9 Jul 2021 16:55:50 -0500
Message-Id: <20210709215550.32496-7-brijesh.singh@amd.com>
In-Reply-To: <20210709215550.32496-1-brijesh.singh@amd.com>
References: <20210709215550.32496-1-brijesh.singh@amd.com>
During the SNP guest launch sequence, special secrets and CPUID pages need to be populated by the SEV-SNP firmware. The secrets page contains the VM Platform Communication Keys (VMPCKs) used by the guest to send and receive secure messages to the PSP, and the CPUID page will contain the CPUID values filtered through the PSP. The guest BIOS (OVMF) reserves these pages in MEMFD, and their location is available through the SNP boot block GUID. While finalizing the guest boot flow, look up the boot block and call the SNP_LAUNCH_UPDATE command to populate the secrets and CPUID pages. In order to support early boot code, the OVMF may ask the hypervisor to request the pre-validation of a certain memory range. If such a range is present, call the LAUNCH_UPDATE command to validate that address range without affecting the measurement. See the SEV-SNP specification for further details. Finally, call SNP_LAUNCH_FINISH to finalize the guest boot.

Signed-off-by: Brijesh Singh --- target/i386/sev.c | 184 ++++++++++++++++++++++++++++++++++++++- target/i386/trace-events | 2 + 2 files changed, 184 insertions(+), 2 deletions(-) diff --git a/target/i386/sev.c b/target/i386/sev.c index 41dcb084d1..f438e09d33 100644 --- a/target/i386/sev.c +++ b/target/i386/sev.c @@ -93,6 +93,19 @@ typedef struct __attribute__((__packed__)) SevInfoBlock { uint32_t reset_addr; } SevInfoBlock; +#define SEV_SNP_BOOT_BLOCK_GUID "bd39c0c2-2f8e-4243-83e8-1b74cebcb7d9" +typedef struct __attribute__((__packed__)) SevSnpBootInfoBlock { + /* Prevalidate range address */ + uint32_t pre_validated_start; + uint32_t pre_validated_end; + /* Secrets page address */ + uint32_t secrets_addr; + uint32_t secrets_len; + /* CPUID page address */ + uint32_t cpuid_addr; + uint32_t cpuid_len; +} SevSnpBootInfoBlock; + static SevGuestState *sev_guest; static Error *sev_mig_blocker; 
@@ -1014,6 +1027,158 @@ static Notifier sev_machine_done_notify = { .notify = sev_launch_get_measure, }; +static int +sev_snp_launch_update_gpa(uint32_t hwaddr, uint32_t size, uint8_t type) +{ + void *hva; + MemoryRegion *mr = NULL; + + hva = gpa2hva(&mr, hwaddr, size, NULL); + if (!hva) { + error_report("SEV-SNP failed to get HVA for GPA 0x%x", hwaddr); + return 1; + } + + return sev_snp_launch_update(sev_guest, hva, size, type); +} + +struct snp_pre_validated_range { + uint32_t start; + uint32_t end; +}; + +static struct snp_pre_validated_range pre_validated[2]; + +static bool +detectoverlap(uint32_t start, uint32_t end, + struct snp_pre_validated_range *overlap) +{ + int i; + + for (i = 0; i < ARRAY_SIZE(pre_validated); i++) { + if (pre_validated[i].start < end && start < pre_validated[i].end) { + memcpy(overlap, &pre_validated[i], sizeof(*overlap)); + return true; + } + } + + return false; +} + +static void snp_ovmf_boot_block_setup(void) +{ + struct snp_pre_validated_range overlap; + SevSnpBootInfoBlock *info; + uint32_t start, end, sz; + int ret; + + /* + * Extract the SNP boot block for the SEV-SNP guests by locating the + * SNP_BOOT GUID. The boot block contains the information such as location + * of secrets and CPUID page, additionaly it may contain the range of + * memory that need to be pre-validated for the boot. 
+ */ + if (!pc_system_ovmf_table_find(SEV_SNP_BOOT_BLOCK_GUID, + (uint8_t **)&info, NULL)) { + error_report("SEV-SNP: failed to find the SNP boot block"); + exit(1); + } + + trace_kvm_sev_snp_ovmf_boot_block_info(info->secrets_addr, + info->secrets_len, info->cpuid_addr, + info->cpuid_len, + info->pre_validated_start, + info->pre_validated_end); + + /* Populate the secrets page */ + ret = sev_snp_launch_update_gpa(info->secrets_addr, info->secrets_len, + KVM_SEV_SNP_PAGE_TYPE_SECRETS); + if (ret) { + error_report("SEV-SNP: failed to insert secret page GPA 0x%x", + info->secrets_addr); + exit(1); + } + + /* Populate the cpuid page */ + ret = sev_snp_launch_update_gpa(info->cpuid_addr, info->cpuid_len, + KVM_SEV_SNP_PAGE_TYPE_CPUID); + if (ret) { + error_report("SEV-SNP: failed to insert cpuid page GPA 0x%x", + info->cpuid_addr); + exit(1); + } + + /* + * Pre-validate the range using the LAUNCH_UPDATE_DATA, if the + * pre-validation range contains the CPUID and Secret page GPA then skip + * it. This is because SEV-SNP firmware pre-validates those pages as part + * of adding secrets and cpuid LAUNCH_UPDATE type. 
+ */ + pre_validated[0].start = info->secrets_addr; + pre_validated[0].end = info->secrets_addr + info->secrets_len; + pre_validated[1].start = info->cpuid_addr; + pre_validated[1].end = info->cpuid_addr + info->cpuid_len; + start = info->pre_validated_start; + end = info->pre_validated_end; + + while (start < end) { + /* Check if the requested range overlaps with Secrets and CPUID page */ + if (detectoverlap(start, end, &overlap)) { + if (start < overlap.start) { + sz = overlap.start - start; + if (sev_snp_launch_update_gpa(start, sz, + KVM_SEV_SNP_PAGE_TYPE_UNMEASURED)) { + error_report("SEV-SNP: failed to validate gpa 0x%x sz %d", + start, sz); + exit(1); + } + } + + start = overlap.end; + continue; + } + + /* Validate the remaining range */ + if (sev_snp_launch_update_gpa(start, end - start, + KVM_SEV_SNP_PAGE_TYPE_UNMEASURED)) { + error_report("SEV-SNP: failed to validate gpa 0x%x sz %d", + start, end - start); + exit(1); + } + + start = end; + } +} + +static void +sev_snp_launch_finish(SevGuestState *sev) +{ + int ret, error; + Error *local_err = NULL; + struct kvm_sev_snp_launch_finish *finish = &sev->snp_config.finish; + + trace_kvm_sev_snp_launch_finish(); + ret = sev_ioctl(sev->sev_fd, KVM_SEV_SNP_LAUNCH_FINISH, finish, &error); + if (ret) { + error_report("%s: SNP_LAUNCH_FINISH ret=%d fw_error=%d '%s'", + __func__, ret, error, fw_error_to_str(error)); + exit(1); + } + + sev_set_guest_state(sev, SEV_STATE_RUNNING); + + /* add migration blocker */ + error_setg(&sev_mig_blocker, + "SEV: Migration is not implemented"); + ret = migrate_add_blocker(sev_mig_blocker, &local_err); + if (local_err) { + error_report_err(local_err); + error_free(sev_mig_blocker); + exit(1); + } +} + + static void sev_launch_finish(SevGuestState *sev) { 
@@ -1048,7 +1213,12 @@ sev_vm_state_change(void *opaque, bool running, RunState state) if (running) { if (!sev_check_state(sev, SEV_STATE_RUNNING)) { - sev_launch_finish(sev); + if (sev_snp_enabled()) { + snp_ovmf_boot_block_setup(); + sev_snp_launch_finish(sev); + } else { + sev_launch_finish(sev); + } } } } @@ -1164,7 +1334,17 @@ int sev_kvm_init(ConfidentialGuestSupport *cgs, Error **errp) } ram_block_notifier_add(&sev_ram_notifier); - qemu_add_machine_init_done_notifier(&sev_machine_done_notify); + + /* + * The machine done notify event is used by the SEV guest to get the + * measurement of the encrypted images. When SEV-SNP is enabled then + * measurement is part of the attestation report and the measurement + * command does not exist. So skip registering the notifier. + */ + if (!sev_snp_enabled()) { + qemu_add_machine_init_done_notifier(&sev_machine_done_notify); + } + qemu_add_vm_change_state_handler(sev_vm_state_change, sev); cgs->ready = true; diff --git a/target/i386/trace-events b/target/i386/trace-events index 0c2d250206..db91287439 100644 --- a/target/i386/trace-events +++ b/target/i386/trace-events @@ -13,3 +13,5 @@ kvm_sev_launch_secret(uint64_t hpa, uint64_t hva, uint64_t secret, int len) "hpa kvm_sev_attestation_report(const char *mnonce, const char *data) "mnonce %s data %s" kvm_sev_snp_launch_start(uint64_t policy) "policy 0x%" PRIx64 kvm_sev_snp_launch_update(void *addr, uint64_t len, int type) "addr %p len 0x%" PRIx64 " type %d" +kvm_sev_snp_launch_finish(void) "" +kvm_sev_snp_ovmf_boot_block_info(uint32_t secrets_gpa, uint32_t slen, uint32_t cpuid_gpa, uint32_t clen, uint32_t s, uint32_t e) "secrets 0x%x+0x%x cpuid 0x%x+0x%x pre-validate 0x%x+0x%x"
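Review bot: missing documentation on the SevSnpBootInfoBlock hunk: this structure mirrors data that OVMF publishes under SEV_SNP_BOOT_BLOCK_GUID, so its layout is an ABI shared between the firmware and QEMU, and the comment should say so, state that the fields are 32-bit guest-physical addresses and byte lengths, and say whether `pre_validated_end` is inclusive or exclusive (the consumer in snp_ovmf_boot_block_setup() treats it as exclusive via `while (start < end)`). It should also spell out that a zero `pre_validated_start`/`pre_validated_end` pair means "no range to pre-validate", since that is the only thing that makes the pre-validation loop a no-op for firmware that does not use the feature.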
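Review bot: logic problem in the pre-validation loop of snp_ovmf_boot_block_setup(): detectoverlap() returns the first entry of pre_validated[] that overlaps in array order (secrets page first, then CPUID page), not the overlapping entry with the lowest start address. If the CPUID page sits below the secrets page inside the pre-validation range, the first iteration computes `sz = overlap.start - start` against the secrets page and submits [start, secrets_addr) as KVM_SEV_SNP_PAGE_TYPE_UNMEASURED, which includes the CPUID page that was just added with KVM_SEV_SNP_PAGE_TYPE_CPUID, and then skips ahead with `start = overlap.end`. Have detectoverlap() return the overlapping entry with the smallest `start` (or sort pre_validated[] by address before the loop). Two smaller points in the same hunk: pc_system_ovmf_table_find() is called with a NULL size argument, so nothing verifies that the table entry is at least sizeof(SevSnpBootInfoBlock) before `info->secrets_addr` and friends are read, and `info->secrets_addr + info->secrets_len` and `info->cpuid_addr + info->cpuid_len` are computed in uint32_t with no overflow check; the boot block is firmware-provided input and both should be validated with an error_report() rather than trusted. Finally, "additionaly" in the comment should read "additionally".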
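Review bot: in the sev_vm_state_change() hunk, both snp_ovmf_boot_block_setup() and sev_snp_launch_finish() terminate QEMU with exit(1) on any failure, and they are now reached from a VM state change handler on the transition to running. Consider having the two helpers return an int so that this hunk can report the failure once and the caller decides how to fail; at minimum the commit message should state that a missing or malformed boot block aborts the VM.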
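Review bot: style point on the trace-events hunk: in `kvm_sev_snp_ovmf_boot_block_info(..., uint32_t s, uint32_t e)` the last two parameters are named `s` and `e`, while the struct they come from calls them pre_validated_start and pre_validated_end; use the struct names. The format string `"pre-validate 0x%x+0x%x"` also reads as start-plus-length, matching the `secrets 0x%x+0x%x` and `cpuid 0x%x+0x%x` fields before it, but the values passed are a start and an end address; either print `0x%x-0x%x` or trace the length (`e - s`) so the three fields mean the same thing.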