From: Ashish Kalra <ashish.kalra@amd.com>
To: Steve Rutherford <srutherford@google.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, "H. Peter Anvin" <hpa@zytor.com>,
Joerg Roedel <joro@8bytes.org>, Borislav Petkov <bp@suse.de>,
Tom Lendacky <thomas.lendacky@amd.com>, X86 ML <x86@kernel.org>,
KVM list <kvm@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
Sean Christopherson <seanjc@google.com>,
Venu Busireddy <venu.busireddy@oracle.com>,
Brijesh Singh <brijesh.singh@amd.com>
Subject: Re: [PATCH v13 00/12] Add AMD SEV guest live migration support
Date: Mon, 19 Apr 2021 14:40:57 +0000 [thread overview]
Message-ID: <20210419144057.GA1569@ashkalra_ubuntu_server> (raw)
In-Reply-To: <CABayD+dGWWha8opC7rFgNYs=bgWbohE+ngTRfKjw12fXrT+Q+g@mail.gmail.com>
On Fri, Apr 16, 2021 at 02:43:48PM -0700, Steve Rutherford wrote:
> On Thu, Apr 15, 2021 at 8:52 AM Ashish Kalra <Ashish.Kalra@amd.com> wrote:
> >
> > From: Ashish Kalra <ashish.kalra@amd.com>
> >
> > The series add support for AMD SEV guest live migration commands. To protect the
> > confidentiality of an SEV protected guest memory while in transit we need to
> > use the SEV commands defined in SEV API spec [1].
> >
> > SEV guest VMs have the concept of private and shared memory. Private memory
> > is encrypted with the guest-specific key, while shared memory may be encrypted
> > with hypervisor key. The commands provided by the SEV FW are meant to be used
> > for the private memory only. The patch series introduces a new hypercall.
> > The guest OS can use this hypercall to notify the page encryption status.
> > If the page is encrypted with guest specific-key then we use SEV command during
> > the migration. If page is not encrypted then fallback to default.
> >
> > The patch uses the KVM_EXIT_HYPERCALL exitcode and hypercall to
> > userspace exit functionality as a common interface from the guest back to the
> > VMM and passing on the guest shared/unencrypted page information to the
> > userspace VMM/Qemu. Qemu can consult this information during migration to know
> > whether the page is encrypted.
> >
> > This section descibes how the SEV live migration feature is negotiated
> > between the host and guest, the host indicates this feature support via
> > KVM_FEATURE_CPUID. The guest firmware (OVMF) detects this feature and
> > sets a UEFI enviroment variable indicating OVMF support for live
> > migration, the guest kernel also detects the host support for this
> > feature via cpuid and in case of an EFI boot verifies if OVMF also
> > supports this feature by getting the UEFI enviroment variable and if it
> > set then enables live migration feature on host by writing to a custom
> > MSR, if not booted under EFI, then it simply enables the feature by
> > again writing to the custom MSR. The MSR is also handled by the
> > userspace VMM/Qemu.
> >
> > A branch containing these patches is available here:
> > https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FAMDESE%2Flinux%2Ftree%2Fsev-migration-v13&data=04%7C01%7CAshish.Kalra%40amd.com%7C7bee6d5c907b46d0998508d90120ce2d%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637542063133830260%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=FkKrciL41GDNyNDqrPMVblRa%2FaReogW4OzhbYaSYs04%3D&reserved=0
> >
> > [1] https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdeveloper.amd.com%2Fwp-content%2Fresources%2F55766.PDF&data=04%7C01%7CAshish.Kalra%40amd.com%7C7bee6d5c907b46d0998508d90120ce2d%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637542063133830260%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=%2FLFBR9ean0acMmR8WTLUHZsAynYPRAa7%2FeZEVVdpCo8%3D&reserved=0
> >
> > Changes since v12:
> > - Reset page encryption status during early boot instead of just
> > before the kexec to avoid SMP races during kvm_pv_guest_cpu_reboot().
>
> Does this series need to disable the MSR during kvm_pv_guest_cpu_reboot()?
>
Yes, i think that will make sense, it will be similar to the first time
VM boot where the MSR will be disabled till it is enabled at early
kernel boot. I will add this to the current patch series.
Thanks,
Ashish
> I _think_ going into blackout during the window after restart, but
> before the MSR is explicitly reenabled, would cause corruption. The
> historical shared pages could be re-allocated as non-shared pages
> during restart.
>
> Steve
next prev parent reply other threads:[~2021-04-19 14:41 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-15 15:52 [PATCH v13 00/12] Add AMD SEV guest live migration support Ashish Kalra
2021-04-15 15:53 ` [PATCH v13 01/12] KVM: SVM: Add KVM_SEV SEND_START command Ashish Kalra
2021-04-20 8:50 ` Paolo Bonzini
2021-04-15 15:53 ` [PATCH v13 02/12] KVM: SVM: Add KVM_SEND_UPDATE_DATA command Ashish Kalra
2021-04-15 15:54 ` [PATCH v13 03/12] KVM: SVM: Add KVM_SEV_SEND_FINISH command Ashish Kalra
2021-04-15 15:54 ` [PATCH v13 04/12] KVM: SVM: Add support for KVM_SEV_RECEIVE_START command Ashish Kalra
2021-04-20 8:38 ` Paolo Bonzini
2021-04-20 9:18 ` Paolo Bonzini
2021-04-15 15:55 ` [PATCH v13 05/12] KVM: SVM: Add KVM_SEV_RECEIVE_UPDATE_DATA command Ashish Kalra
2021-04-20 8:40 ` Paolo Bonzini
2021-04-20 8:43 ` Paolo Bonzini
2021-04-15 15:55 ` [PATCH v13 06/12] KVM: SVM: Add KVM_SEV_RECEIVE_FINISH command Ashish Kalra
2021-04-15 15:56 ` [PATCH v13 07/12] KVM: x86: Add AMD SEV specific Hypercall3 Ashish Kalra
2021-04-15 15:57 ` [PATCH v13 08/12] KVM: X86: Introduce KVM_HC_PAGE_ENC_STATUS hypercall Ashish Kalra
2021-04-20 11:10 ` Paolo Bonzini
2021-04-20 17:24 ` Sean Christopherson
2021-04-15 15:57 ` [PATCH v13 09/12] mm: x86: Invoke hypercall when page encryption status is changed Ashish Kalra
2021-04-20 9:39 ` Paolo Bonzini
2021-04-21 10:05 ` Borislav Petkov
2021-04-21 12:00 ` Paolo Bonzini
2021-04-21 14:09 ` Borislav Petkov
2021-04-21 12:12 ` Ashish Kalra
2021-04-21 13:50 ` Brijesh Singh
2021-04-21 13:52 ` Borislav Petkov
2021-04-15 15:58 ` [PATCH v13 10/12] KVM: x86: Introduce new KVM_FEATURE_SEV_LIVE_MIGRATION feature & Custom MSR Ashish Kalra
2021-04-19 23:06 ` Sean Christopherson
2021-04-20 10:49 ` Paolo Bonzini
2021-04-20 9:47 ` Paolo Bonzini
2021-04-15 15:58 ` [PATCH v13 11/12] EFI: Introduce the new AMD Memory Encryption GUID Ashish Kalra
2021-04-15 16:01 ` [PATCH v13 12/12] x86/kvm: Add guest support for detecting and enabling SEV Live Migration feature Ashish Kalra
2021-04-20 10:52 ` Paolo Bonzini
2021-04-21 14:44 ` Borislav Petkov
2021-04-21 15:22 ` Ashish Kalra
2021-04-21 15:32 ` Borislav Petkov
2021-04-21 15:38 ` Paolo Bonzini
2021-04-21 18:48 ` Ashish Kalra
2021-04-21 19:19 ` Ashish Kalra
2021-04-16 21:43 ` [PATCH v13 00/12] Add AMD SEV guest live migration support Steve Rutherford
2021-04-19 14:40 ` Ashish Kalra [this message]
2021-04-20 11:11 ` Paolo Bonzini
2021-04-20 18:51 ` Borislav Petkov
2021-04-20 19:08 ` Paolo Bonzini
2021-04-20 20:28 ` Borislav Petkov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210419144057.GA1569@ashkalra_ubuntu_server \
--to=ashish.kalra@amd.com \
--cc=bp@suse.de \
--cc=brijesh.singh@amd.com \
--cc=hpa@zytor.com \
--cc=joro@8bytes.org \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=pbonzini@redhat.com \
--cc=seanjc@google.com \
--cc=srutherford@google.com \
--cc=tglx@linutronix.de \
--cc=thomas.lendacky@amd.com \
--cc=venu.busireddy@oracle.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).