From: David Gibson <david@gibson.dropbear.id.au> To: Cornelia Huck <cohuck@redhat.com> Cc: brijesh.singh@amd.com, pair@us.ibm.com, dgilbert@redhat.com, pasic@linux.ibm.com, qemu-devel@nongnu.org, Richard Henderson <richard.henderson@linaro.org>, Marcelo Tosatti <mtosatti@redhat.com>, David Hildenbrand <david@redhat.com>, borntraeger@de.ibm.com, Marcel Apfelbaum <marcel.apfelbaum@gmail.com>, Paolo Bonzini <pbonzini@redhat.com>, mst@redhat.com, jun.nakajima@intel.com, thuth@redhat.com, pragyansri.pathi@intel.com, kvm@vger.kernel.org, Eduardo Habkost <ehabkost@redhat.com>, qemu-s390x@nongnu.org, qemu-ppc@nongnu.org, frankja@linux.ibm.com, Greg Kurz <groug@kaod.org>, mdroth@linux.vnet.ibm.com, berrange@redhat.com, andi.kleen@intel.com Subject: Re: [PATCH v7 10/13] spapr: Add PEF based confidential guest support Date: Fri, 29 Jan 2021 13:43:38 +1100 [thread overview] Message-ID: <20210129024338.GJ6951@yekko.fritz.box> (raw) In-Reply-To: <20210115164151.087826c5.cohuck@redhat.com> [-- Attachment #1: Type: text/plain, Size: 5848 bytes --] On Fri, Jan 15, 2021 at 04:41:51PM +0100, Cornelia Huck wrote: > On Thu, 14 Jan 2021 10:58:08 +1100 > David Gibson <david@gibson.dropbear.id.au> wrote: > > > Some upcoming POWER machines have a system called PEF (Protected > > Execution Facility) which uses a small ultravisor to allow guests to > > run in a way that they can't be eavesdropped by the hypervisor. The > > effect is roughly similar to AMD SEV, although the mechanisms are > > quite different. > > > > Most of the work of this is done between the guest, KVM and the > > ultravisor, with little need for involvement by qemu. However qemu > > does need to tell KVM to allow secure VMs. > > > > Because the availability of secure mode is a guest visible difference > > which depends on having the right hardware and firmware, we don't > > enable this by default. In order to run a secure guest you need to > > create a "pef-guest" object and set the confidential-guest-support > > property to point to it. > > > > Note that this just *allows* secure guests, the architecture of PEF is > > such that the guest still needs to talk to the ultravisor to enter > > secure mode. Qemu has no directl way of knowing if the guest is in > > secure mode, and certainly can't know until well after machine > > creation time. > > > > To start a PEF-capable guest, use the command line options: > > -object pef-guest,id=pef0 -machine confidential-guest-support=pef0 > > > > Signed-off-by: David Gibson <david@gibson.dropbear.id.au> > > --- > > docs/confidential-guest-support.txt | 3 + > > docs/papr-pef.txt | 30 +++++++ > > hw/ppc/meson.build | 1 + > > hw/ppc/pef.c | 119 ++++++++++++++++++++++++++++ > > hw/ppc/spapr.c | 6 ++ > > include/hw/ppc/pef.h | 25 ++++++ > > target/ppc/kvm.c | 18 ----- > > target/ppc/kvm_ppc.h | 6 -- > > 8 files changed, 184 insertions(+), 24 deletions(-) > > create mode 100644 docs/papr-pef.txt > > create mode 100644 hw/ppc/pef.c > > create mode 100644 include/hw/ppc/pef.h > > > > diff --git a/docs/confidential-guest-support.txt b/docs/confidential-guest-support.txt > > index 2790425b38..f0801814ff 100644 > > --- a/docs/confidential-guest-support.txt > > +++ b/docs/confidential-guest-support.txt > > @@ -40,4 +40,7 @@ Currently supported confidential guest mechanisms are: > > AMD Secure Encrypted Virtualization (SEV) > > docs/amd-memory-encryption.txt > > > > +POWER Protected Execution Facility (PEF) > > + docs/papr-pef.txt > > + > > Other mechanisms may be supported in future. > > diff --git a/docs/papr-pef.txt b/docs/papr-pef.txt > > new file mode 100644 > > index 0000000000..6419e995cf > > --- /dev/null > > +++ b/docs/papr-pef.txt > > Same here, make this .rst and add it to the system guide? Again, I feel like I'm sufficiently bogged down in bikeshedding the technical details to feel inclined to block it on a nice-to-have like this. > > @@ -0,0 +1,30 @@ > > +POWER (PAPR) Protected Execution Facility (PEF) > > +=============================================== > > + > > +Protected Execution Facility (PEF), also known as Secure Guest support > > +is a feature found on IBM POWER9 and POWER10 processors. > > + > > +If a suitable firmware including an Ultravisor is installed, it adds > > +an extra memory protection mode to the CPU. The ultravisor manages a > > +pool of secure memory which cannot be accessed by the hypervisor. > > + > > +When this feature is enabled in qemu, a guest can use ultracalls to > > s/qemu/QEMU/ Fixed. > > +enter "secure mode". This transfers most of its memory to secure > > +memory, where it cannot be eavesdropped by a compromised hypervisor. > > + > > +Launching > > +--------- > > + > > +To launch a guest which will be permitted to enter PEF secure mode: > > + > > +# ${QEMU} \ > > + -object pef-guest,id=pef0 \ > > + -machine confidential-guest-support=pef0 \ > > + ... > > + > > +Live Migration > > +---------------- > > + > > +Live migration is not yet implemented for PEF guests. For > > +consistency, we currently prevent migration if the PEF feature is > > +enabled, whether or not the guest has actually entered secure mode. > > diff --git a/hw/ppc/meson.build b/hw/ppc/meson.build > > index ffa2ec37fa..218631c883 100644 > > --- a/hw/ppc/meson.build > > +++ b/hw/ppc/meson.build > > @@ -27,6 +27,7 @@ ppc_ss.add(when: 'CONFIG_PSERIES', if_true: files( > > 'spapr_nvdimm.c', > > 'spapr_rtas_ddw.c', > > 'spapr_numa.c', > > + 'pef.c', > > )) > > ppc_ss.add(when: 'CONFIG_SPAPR_RNG', if_true: files('spapr_rng.c')) > > ppc_ss.add(when: ['CONFIG_PSERIES', 'CONFIG_LINUX'], if_true: files( > > diff --git a/hw/ppc/pef.c b/hw/ppc/pef.c > > new file mode 100644 > > index 0000000000..02b9b3b460 > > --- /dev/null > > +++ b/hw/ppc/pef.c > > @@ -0,0 +1,119 @@ > > +/* > > + * PEF (Protected Execution Facility) for POWER support > > + * > > + * Copyright David Gibson, Redhat Inc. 2020 > > 2021? So, it happens that in the meantime I've had different cause to look up what Red Hat actually recommends as the copyright notice in open source files, and it turns out they suggest simply "Copyright Red Hat", with no names or dates. So I'll switch to that for all the new files in the series. > > + * > > + * This work is licensed under the terms of the GNU GPL, version 2 or later. > > + * See the COPYING file in the top-level directory. > > + * > > + */ > > + > -- David Gibson | I'll have my music baroque, and my code david AT gibson.dropbear.id.au | minimalist, thank you. NOT _the_ _other_ | _way_ _around_! http://www.ozlabs.org/~dgibson [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 833 bytes --]
WARNING: multiple messages have this Message-ID (diff)
From: David Gibson <david@gibson.dropbear.id.au> To: Cornelia Huck <cohuck@redhat.com> Cc: pair@us.ibm.com, brijesh.singh@amd.com, kvm@vger.kernel.org, David Hildenbrand <david@redhat.com>, qemu-devel@nongnu.org, frankja@linux.ibm.com, pragyansri.pathi@intel.com, mst@redhat.com, mdroth@linux.vnet.ibm.com, pasic@linux.ibm.com, borntraeger@de.ibm.com, andi.kleen@intel.com, thuth@redhat.com, Eduardo Habkost <ehabkost@redhat.com>, Richard Henderson <richard.henderson@linaro.org>, dgilbert@redhat.com, Greg Kurz <groug@kaod.org>, qemu-s390x@nongnu.org, jun.nakajima@intel.com, berrange@redhat.com, Marcelo Tosatti <mtosatti@redhat.com>, qemu-ppc@nongnu.org, Paolo Bonzini <pbonzini@redhat.com> Subject: Re: [PATCH v7 10/13] spapr: Add PEF based confidential guest support Date: Fri, 29 Jan 2021 13:43:38 +1100 [thread overview] Message-ID: <20210129024338.GJ6951@yekko.fritz.box> (raw) In-Reply-To: <20210115164151.087826c5.cohuck@redhat.com> [-- Attachment #1: Type: text/plain, Size: 5848 bytes --] On Fri, Jan 15, 2021 at 04:41:51PM +0100, Cornelia Huck wrote: > On Thu, 14 Jan 2021 10:58:08 +1100 > David Gibson <david@gibson.dropbear.id.au> wrote: > > > Some upcoming POWER machines have a system called PEF (Protected > > Execution Facility) which uses a small ultravisor to allow guests to > > run in a way that they can't be eavesdropped by the hypervisor. The > > effect is roughly similar to AMD SEV, although the mechanisms are > > quite different. > > > > Most of the work of this is done between the guest, KVM and the > > ultravisor, with little need for involvement by qemu. However qemu > > does need to tell KVM to allow secure VMs. > > > > Because the availability of secure mode is a guest visible difference > > which depends on having the right hardware and firmware, we don't > > enable this by default. In order to run a secure guest you need to > > create a "pef-guest" object and set the confidential-guest-support > > property to point to it. > > > > Note that this just *allows* secure guests, the architecture of PEF is > > such that the guest still needs to talk to the ultravisor to enter > > secure mode. Qemu has no directl way of knowing if the guest is in > > secure mode, and certainly can't know until well after machine > > creation time. > > > > To start a PEF-capable guest, use the command line options: > > -object pef-guest,id=pef0 -machine confidential-guest-support=pef0 > > > > Signed-off-by: David Gibson <david@gibson.dropbear.id.au> > > --- > > docs/confidential-guest-support.txt | 3 + > > docs/papr-pef.txt | 30 +++++++ > > hw/ppc/meson.build | 1 + > > hw/ppc/pef.c | 119 ++++++++++++++++++++++++++++ > > hw/ppc/spapr.c | 6 ++ > > include/hw/ppc/pef.h | 25 ++++++ > > target/ppc/kvm.c | 18 ----- > > target/ppc/kvm_ppc.h | 6 -- > > 8 files changed, 184 insertions(+), 24 deletions(-) > > create mode 100644 docs/papr-pef.txt > > create mode 100644 hw/ppc/pef.c > > create mode 100644 include/hw/ppc/pef.h > > > > diff --git a/docs/confidential-guest-support.txt b/docs/confidential-guest-support.txt > > index 2790425b38..f0801814ff 100644 > > --- a/docs/confidential-guest-support.txt > > +++ b/docs/confidential-guest-support.txt > > @@ -40,4 +40,7 @@ Currently supported confidential guest mechanisms are: > > AMD Secure Encrypted Virtualization (SEV) > > docs/amd-memory-encryption.txt > > > > +POWER Protected Execution Facility (PEF) > > + docs/papr-pef.txt > > + > > Other mechanisms may be supported in future. > > diff --git a/docs/papr-pef.txt b/docs/papr-pef.txt > > new file mode 100644 > > index 0000000000..6419e995cf > > --- /dev/null > > +++ b/docs/papr-pef.txt > > Same here, make this .rst and add it to the system guide? Again, I feel like I'm sufficiently bogged down in bikeshedding the technical details to feel inclined to block it on a nice-to-have like this. > > @@ -0,0 +1,30 @@ > > +POWER (PAPR) Protected Execution Facility (PEF) > > +=============================================== > > + > > +Protected Execution Facility (PEF), also known as Secure Guest support > > +is a feature found on IBM POWER9 and POWER10 processors. > > + > > +If a suitable firmware including an Ultravisor is installed, it adds > > +an extra memory protection mode to the CPU. The ultravisor manages a > > +pool of secure memory which cannot be accessed by the hypervisor. > > + > > +When this feature is enabled in qemu, a guest can use ultracalls to > > s/qemu/QEMU/ Fixed. > > +enter "secure mode". This transfers most of its memory to secure > > +memory, where it cannot be eavesdropped by a compromised hypervisor. > > + > > +Launching > > +--------- > > + > > +To launch a guest which will be permitted to enter PEF secure mode: > > + > > +# ${QEMU} \ > > + -object pef-guest,id=pef0 \ > > + -machine confidential-guest-support=pef0 \ > > + ... > > + > > +Live Migration > > +---------------- > > + > > +Live migration is not yet implemented for PEF guests. For > > +consistency, we currently prevent migration if the PEF feature is > > +enabled, whether or not the guest has actually entered secure mode. > > diff --git a/hw/ppc/meson.build b/hw/ppc/meson.build > > index ffa2ec37fa..218631c883 100644 > > --- a/hw/ppc/meson.build > > +++ b/hw/ppc/meson.build > > @@ -27,6 +27,7 @@ ppc_ss.add(when: 'CONFIG_PSERIES', if_true: files( > > 'spapr_nvdimm.c', > > 'spapr_rtas_ddw.c', > > 'spapr_numa.c', > > + 'pef.c', > > )) > > ppc_ss.add(when: 'CONFIG_SPAPR_RNG', if_true: files('spapr_rng.c')) > > ppc_ss.add(when: ['CONFIG_PSERIES', 'CONFIG_LINUX'], if_true: files( > > diff --git a/hw/ppc/pef.c b/hw/ppc/pef.c > > new file mode 100644 > > index 0000000000..02b9b3b460 > > --- /dev/null > > +++ b/hw/ppc/pef.c > > @@ -0,0 +1,119 @@ > > +/* > > + * PEF (Protected Execution Facility) for POWER support > > + * > > + * Copyright David Gibson, Redhat Inc. 2020 > > 2021? So, it happens that in the meantime I've had different cause to look up what Red Hat actually recommends as the copyright notice in open source files, and it turns out they suggest simply "Copyright Red Hat", with no names or dates. So I'll switch to that for all the new files in the series. > > + * > > + * This work is licensed under the terms of the GNU GPL, version 2 or later. > > + * See the COPYING file in the top-level directory. > > + * > > + */ > > + > -- David Gibson | I'll have my music baroque, and my code david AT gibson.dropbear.id.au | minimalist, thank you. NOT _the_ _other_ | _way_ _around_! http://www.ozlabs.org/~dgibson [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 833 bytes --]
next prev parent reply other threads:[~2021-01-29 5:09 UTC|newest] Thread overview: 93+ messages / expand[flat|nested] mbox.gz Atom feed top 2021-01-13 23:57 [PATCH v7 00/13] Generalize memory encryption models David Gibson 2021-01-13 23:57 ` David Gibson 2021-01-13 23:57 ` [PATCH v7 01/13] qom: Allow optional sugar props David Gibson 2021-01-13 23:57 ` David Gibson 2021-01-13 23:58 ` [PATCH v7 02/13] confidential guest support: Introduce new confidential guest support class David Gibson 2021-01-13 23:58 ` David Gibson 2021-01-14 9:34 ` Daniel P. Berrangé 2021-01-14 9:34 ` Daniel P. Berrangé 2021-01-14 10:42 ` David Gibson 2021-01-14 10:42 ` David Gibson 2021-01-18 18:51 ` Dr. David Alan Gilbert 2021-01-18 18:51 ` Dr. David Alan Gilbert 2021-01-21 1:06 ` David Gibson 2021-01-21 1:06 ` David Gibson 2021-01-21 9:08 ` Dr. David Alan Gilbert 2021-01-21 9:08 ` Dr. David Alan Gilbert 2021-01-29 2:32 ` David Gibson 2021-01-29 2:32 ` David Gibson 2021-01-13 23:58 ` [PATCH v7 03/13] sev: Remove false abstraction of flash encryption David Gibson 2021-01-13 23:58 ` David Gibson 2021-01-15 12:54 ` Cornelia Huck 2021-01-15 12:54 ` Cornelia Huck 2021-01-18 2:59 ` David Gibson 2021-01-18 2:59 ` David Gibson 2021-01-13 23:58 ` [PATCH v7 04/13] confidential guest support: Move side effect out of machine_set_memory_encryption() David Gibson 2021-01-13 23:58 ` David Gibson 2021-01-15 12:56 ` Cornelia Huck 2021-01-15 12:56 ` Cornelia Huck 2021-01-13 23:58 ` [PATCH v7 05/13] confidential guest support: Rework the "memory-encryption" property David Gibson 2021-01-13 23:58 ` David Gibson 2021-01-15 13:06 ` Cornelia Huck 2021-01-15 13:06 ` Cornelia Huck 2021-01-13 23:58 ` [PATCH v7 06/13] sev: Add Error ** to sev_kvm_init() David Gibson 2021-01-13 23:58 ` David Gibson 2021-01-13 23:58 ` [PATCH v7 07/13] confidential guest support: Introduce cgs "ready" flag David Gibson 2021-01-13 23:58 ` David Gibson 2021-01-14 8:55 ` Greg Kurz 2021-01-14 8:55 ` Greg Kurz 2021-01-15 13:12 ` Cornelia Huck 2021-01-15 13:12 ` Cornelia Huck 2021-01-18 19:47 ` Dr. David Alan Gilbert 2021-01-18 19:47 ` Dr. David Alan Gilbert 2021-01-19 8:16 ` Cornelia Huck 2021-01-19 8:16 ` Cornelia Huck 2021-02-02 1:41 ` David Gibson 2021-02-02 1:41 ` David Gibson 2021-01-29 6:30 ` David Gibson 2021-01-13 23:58 ` [PATCH v7 08/13] confidential guest support: Move SEV initialization into arch specific code David Gibson 2021-01-13 23:58 ` David Gibson 2021-01-15 13:24 ` Cornelia Huck 2021-01-15 13:24 ` Cornelia Huck 2021-01-18 3:03 ` David Gibson 2021-01-18 3:03 ` David Gibson 2021-01-18 8:03 ` Cornelia Huck 2021-01-18 8:03 ` Cornelia Huck 2021-01-29 3:12 ` David Gibson 2021-01-29 3:12 ` David Gibson 2021-01-13 23:58 ` [PATCH v7 09/13] confidential guest support: Update documentation David Gibson 2021-01-13 23:58 ` David Gibson 2021-01-14 10:07 ` Greg Kurz 2021-01-14 10:07 ` Greg Kurz 2021-01-15 15:36 ` Cornelia Huck 2021-01-15 15:36 ` Cornelia Huck 2021-01-29 2:36 ` David Gibson 2021-01-29 2:36 ` David Gibson 2021-01-13 23:58 ` [PATCH v7 10/13] spapr: Add PEF based confidential guest support David Gibson 2021-01-13 23:58 ` David Gibson 2021-01-14 10:39 ` Greg Kurz 2021-01-29 6:23 ` David Gibson 2021-01-15 15:41 ` Cornelia Huck 2021-01-15 15:41 ` Cornelia Huck 2021-01-29 2:43 ` David Gibson [this message] 2021-01-29 2:43 ` David Gibson 2021-01-13 23:58 ` [PATCH v7 11/13] spapr: PEF: prevent migration David Gibson 2021-01-13 23:58 ` David Gibson 2021-01-13 23:58 ` [PATCH v7 12/13] confidential guest support: Alter virtio default properties for protected guests David Gibson 2021-01-13 23:58 ` David Gibson 2021-01-13 23:58 ` [PATCH v7 13/13] s390: Recognize confidential-guest-support option David Gibson 2021-01-13 23:58 ` David Gibson 2021-01-14 9:10 ` Christian Borntraeger 2021-01-14 9:10 ` Christian Borntraeger 2021-01-14 9:19 ` Christian Borntraeger 2021-01-14 9:19 ` Christian Borntraeger 2021-01-14 9:24 ` Christian Borntraeger 2021-01-14 9:24 ` Christian Borntraeger 2021-01-15 0:13 ` David Gibson 2021-01-15 0:13 ` David Gibson 2021-01-14 11:45 ` David Gibson 2021-01-14 11:45 ` David Gibson 2021-01-15 16:36 ` Cornelia Huck 2021-01-15 16:36 ` Cornelia Huck 2021-01-18 17:06 ` Christian Borntraeger 2021-01-18 17:06 ` Christian Borntraeger
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20210129024338.GJ6951@yekko.fritz.box \ --to=david@gibson.dropbear.id.au \ --cc=andi.kleen@intel.com \ --cc=berrange@redhat.com \ --cc=borntraeger@de.ibm.com \ --cc=brijesh.singh@amd.com \ --cc=cohuck@redhat.com \ --cc=david@redhat.com \ --cc=dgilbert@redhat.com \ --cc=ehabkost@redhat.com \ --cc=frankja@linux.ibm.com \ --cc=groug@kaod.org \ --cc=jun.nakajima@intel.com \ --cc=kvm@vger.kernel.org \ --cc=marcel.apfelbaum@gmail.com \ --cc=mdroth@linux.vnet.ibm.com \ --cc=mst@redhat.com \ --cc=mtosatti@redhat.com \ --cc=pair@us.ibm.com \ --cc=pasic@linux.ibm.com \ --cc=pbonzini@redhat.com \ --cc=pragyansri.pathi@intel.com \ --cc=qemu-devel@nongnu.org \ --cc=qemu-ppc@nongnu.org \ --cc=qemu-s390x@nongnu.org \ --cc=richard.henderson@linaro.org \ --cc=thuth@redhat.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.