Re: [kvm-unit-tests 01/13] x86/efi: Allow specifying AMD SEV/SEV-ES guest launch policy

From: Tom Lendacky <thomas.lendacky@amd.com>
To: Varad Gautam <varad.gautam@suse.com>,
	kvm@vger.kernel.org, pbonzini@redhat.com, drjones@redhat.com
Cc: marcorr@google.com, zxwang42@gmail.com, erdemaktas@google.com,
	rientjes@google.com, seanjc@google.com, brijesh.singh@amd.com,
	jroedel@suse.de, bp@suse.de
Subject: Re: [kvm-unit-tests 01/13] x86/efi: Allow specifying AMD SEV/SEV-ES guest launch policy
Date: Thu, 20 Jan 2022 10:18:22 -0600	[thread overview]
Message-ID: <1a79ea5b-71dd-2782-feba-0d733f8c2fbf@amd.com> (raw)
In-Reply-To: <20220120125122.4633-2-varad.gautam@suse.com>

On 1/20/22 6:51 AM, Varad Gautam wrote:
> Make x86/efi/run check for AMDSEV envvar and set SEV/SEV-ES parameters
> on the qemu cmdline.
> 
> AMDSEV can be set to `sev` or `sev-es`.
> 
> Signed-off-by: Varad Gautam <varad.gautam@suse.com>
> ---
>   x86/efi/README.md |  5 +++++
>   x86/efi/run       | 16 ++++++++++++++++
>   2 files changed, 21 insertions(+)
> 
> diff --git a/x86/efi/README.md b/x86/efi/README.md
> index a39f509..1222b30 100644
> --- a/x86/efi/README.md
> +++ b/x86/efi/README.md
> @@ -30,6 +30,11 @@ the env variable `EFI_UEFI`:
>   
>       EFI_UEFI=/path/to/OVMF.fd ./x86/efi/run ./x86/msr.efi
>   
> +To run the tests under AMD SEV/SEV-ES, set env variable `AMDSEV=sev` or
> +`AMDSEV=sev-es`. This adds the desired guest policy to qemu command line.
> +
> +    AMDSEV=sev-es EFI_UEFI=/path/to/OVMF.fd ./x86/efi/run ./x86/amd_sev.efi
> +
>   ## Code structure
>   
>   ### Code from GNU-EFI
> diff --git a/x86/efi/run b/x86/efi/run
> index ac368a5..b48f626 100755
> --- a/x86/efi/run
> +++ b/x86/efi/run
> @@ -43,6 +43,21 @@ fi
>   mkdir -p "$EFI_CASE_DIR"
>   cp "$EFI_SRC/$EFI_CASE.efi" "$EFI_CASE_BINARY"
>   
> +amdsev_opts=
> +if [ -n "$AMDSEV" ]; then
> +	policy=
> +	if [ "$AMDSEV" = "sev" ]; then
> +		policy="0x1"
> +	elif [ "$AMDSEV" = "sev-es" ]; then
> +		policy="0x5"
> +	else
> +		echo "Cannot set AMDSEV policy. AMDSEV must be one of 'sev', 'sev-es'."
> +		exit 2
> +	fi
> +
> +	amdsev_opts="-object sev-guest,id=sev0,cbitpos=51,reduced-phys-bits=1,policy=$policy -machine memory-encryption=sev0"

This won't work on Naples or Rome systems because the cbitpos is 47 on
those machines. You'll need to use CPUID to obtain the proper position for
the system on which you are running.

You can use the cpuid command to get Fn8000001F_EBX[5:0] or I've used
the following to find it from a bash script if you don't want to rely on
the cpuid command being present:

EBX=$(dd if=/dev/cpu/0/cpuid ibs=16 count=32 skip=134217728 | tail -c 16 | od -An -t u4 -j 4 -N 4 | sed -re 's|^ *||')
CBITPOS=$((EBX & 0x3f))

   where 134217728 == 0x80000000

(I'm sure there's probably an easier way, but this works for me, but
does rely on CONFIG_X86_CPUID)

Thanks,
Tom

> +fi
> +
>   # Run test case with 256MiB QEMU memory. QEMU default memory size is 128MiB.
>   # After UEFI boot up and we call `LibMemoryMap()`, the largest consecutive
>   # memory region is ~42MiB. Although this is sufficient for many test cases to
> @@ -61,4 +76,5 @@ cp "$EFI_SRC/$EFI_CASE.efi" "$EFI_CASE_BINARY"
>   	-nographic \
>   	-m 256 \
>   	"$@" \
> +	$amdsev_opts \
>   	-smp "$EFI_SMP"
> 