From: Brijesh Singh <brijesh.singh@amd.com>
To: qemu-devel@nongnu.org
Cc: Peter Maydell <peter.maydell@linaro.org>,
Brijesh Singh <brijesh.singh@amd.com>,
kvm@vger.kernel.org, "Michael S. Tsirkin" <mst@redhat.com>,
Stefan Hajnoczi <stefanha@gmail.com>,
Alexander Graf <agraf@suse.de>,
"Edgar E. Iglesias" <edgar.iglesias@xilinx.com>,
Markus Armbruster <armbru@redhat.com>,
Bruce Rogers <brogers@suse.com>,
Christian Borntraeger <borntraeger@de.ibm.com>,
Marcel Apfelbaum <marcel@redhat.com>,
Borislav Petkov <bp@suse.de>,
Thomas Lendacky <Thomas.Lendacky@amd.com>,
Eduardo Habkost <ehabkost@redhat.com>,
Richard Henderson <richard.henderson@linaro.org>,
"Dr. David Alan Gilbert" <dgilbert@redhat.com>,
Alistair Francis <alistair.francis@xilinx.com>,
Cornelia Huck <cornelia.huck@de.ibm.com>,
Richard Henderson <rth@twiddle.net>,
Peter Crosthwaite <crosthwaite.peter@gmail.com>,
Paolo Bonzini <pbonzini@redhat.com>
Subject: [PATCH v10 27/28] sev/i386: add sev_get_capabilities()
Date: Wed, 28 Feb 2018 15:10:27 -0600 [thread overview]
Message-ID: <20180228211028.83970-28-brijesh.singh@amd.com> (raw)
In-Reply-To: <20180228211028.83970-1-brijesh.singh@amd.com>
The function can be used to get the current SEV capabilities.
The capabilities include platform diffie-hellman key (pdh) and certificate
chain. The key can be provided to the external entities which wants to
establish a trusted channel between SEV firmware and guest owner.
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Richard Henderson <rth@twiddle.net>
Cc: Eduardo Habkost <ehabkost@redhat.com>
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
---
target/i386/monitor.c | 10 ++++++-
target/i386/sev-stub.c | 5 ++++
target/i386/sev.c | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++
target/i386/sev_i386.h | 1 +
4 files changed, 93 insertions(+), 1 deletion(-)
diff --git a/target/i386/monitor.c b/target/i386/monitor.c
index 1b55dd0fff88..b914915d9171 100644
--- a/target/i386/monitor.c
+++ b/target/i386/monitor.c
@@ -740,5 +740,13 @@ SevLaunchMeasureInfo *qmp_query_sev_launch_measure(Error **errp)
SevCapability *qmp_query_sev_capabilities(Error **errp)
{
- return NULL;
+ SevCapability *data;
+
+ data = sev_get_capabilities();
+ if (!data) {
+ error_setg(errp, "SEV feature is not available");
+ return NULL;
+ }
+
+ return data;
}
diff --git a/target/i386/sev-stub.c b/target/i386/sev-stub.c
index 2f61c32ec975..59a003a4ebe6 100644
--- a/target/i386/sev-stub.c
+++ b/target/i386/sev-stub.c
@@ -44,3 +44,8 @@ char *sev_get_launch_measurement(void)
{
return NULL;
}
+
+SevCapability *sev_get_capabilities(void)
+{
+ return NULL;
+}
diff --git a/target/i386/sev.c b/target/i386/sev.c
index ad94eeace1b0..20279177cdcd 100644
--- a/target/i386/sev.c
+++ b/target/i386/sev.c
@@ -421,6 +421,84 @@ sev_get_info(void)
return info;
}
+static int
+sev_get_pdh_info(int fd, guchar **pdh, size_t *pdh_len, guchar **cert_chain,
+ size_t *cert_chain_len)
+{
+ guchar *pdh_data, *cert_chain_data;
+ struct sev_user_data_pdh_cert_export export = {};
+ int err, r;
+
+ /* query the certificate length */
+ r = sev_platform_ioctl(fd, SEV_PDH_CERT_EXPORT, &export, &err);
+ if (r < 0) {
+ if (err != SEV_RET_INVALID_LEN) {
+ error_report("failed to export PDH cert ret=%d fw_err=%d (%s)",
+ r, err, fw_error_to_str(err));
+ return 1;
+ }
+ }
+
+ pdh_data = g_new(guchar, export.pdh_cert_len);
+ cert_chain_data = g_new(guchar, export.cert_chain_len);
+ export.pdh_cert_address = (unsigned long)pdh_data;
+ export.cert_chain_address = (unsigned long)cert_chain_data;
+
+ r = sev_platform_ioctl(fd, SEV_PDH_CERT_EXPORT, &export, &err);
+ if (r < 0) {
+ error_report("failed to export PDH cert ret=%d fw_err=%d (%s)",
+ r, err, fw_error_to_str(err));
+ goto e_free;
+ }
+
+ *pdh = pdh_data;
+ *pdh_len = export.pdh_cert_len;
+ *cert_chain = cert_chain_data;
+ *cert_chain_len = export.cert_chain_len;
+ return 0;
+
+e_free:
+ g_free(pdh_data);
+ g_free(cert_chain_data);
+ return 1;
+}
+
+SevCapability *
+sev_get_capabilities(void)
+{
+ SevCapability *cap;
+ guchar *pdh_data, *cert_chain_data;
+ size_t pdh_len = 0, cert_chain_len = 0;
+ uint32_t ebx;
+ int fd;
+
+ fd = open(DEFAULT_SEV_DEVICE, O_RDWR);
+ if (fd < 0) {
+ error_report("%s: Failed to open %s '%s'", __func__,
+ DEFAULT_SEV_DEVICE, strerror(errno));
+ return NULL;
+ }
+
+ if (sev_get_pdh_info(fd, &pdh_data, &pdh_len,
+ &cert_chain_data, &cert_chain_len)) {
+ return NULL;
+ }
+
+ cap = g_new0(SevCapability, 1);
+ cap->pdh = g_base64_encode(pdh_data, pdh_len);
+ cap->cert_chain = g_base64_encode(cert_chain_data, cert_chain_len);
+
+ host_cpuid(0x8000001F, 0, NULL, &ebx, NULL, NULL);
+ cap->cbitpos = ebx & 0x3f;
+ cap->reduced_phys_bits = (ebx >> 6) & 0x3f;
+
+ g_free(pdh_data);
+ g_free(cert_chain_data);
+
+ close(fd);
+ return cap;
+}
+
static int
sev_read_file_base64(const char *filename, guchar **data, gsize *len)
{
diff --git a/target/i386/sev_i386.h b/target/i386/sev_i386.h
index 2ecca66f6e64..cc89e273ccf6 100644
--- a/target/i386/sev_i386.h
+++ b/target/i386/sev_i386.h
@@ -43,6 +43,7 @@ extern SevInfo *sev_get_info(void);
extern uint32_t sev_get_cbit_position(void);
extern uint32_t sev_get_reduced_phys_bits(void);
extern char *sev_get_launch_measurement(void);
+extern SevCapability *sev_get_capabilities(void);
typedef struct QSevGuestInfo QSevGuestInfo;
typedef struct QSevGuestInfoClass QSevGuestInfoClass;
--
2.14.3
WARNING: multiple messages have this Message-ID (diff)
From: Brijesh Singh <brijesh.singh@amd.com>
To: qemu-devel@nongnu.org
Cc: Alistair Francis <alistair.francis@xilinx.com>,
Christian Borntraeger <borntraeger@de.ibm.com>,
Cornelia Huck <cornelia.huck@de.ibm.com>,
"Daniel P . Berrange" <berrange@redhat.com>,
"Dr. David Alan Gilbert" <dgilbert@redhat.com>,
"Michael S. Tsirkin" <mst@redhat.com>,
"Edgar E. Iglesias" <edgar.iglesias@xilinx.com>,
Eduardo Habkost <ehabkost@redhat.com>,
Eric Blake <eblake@redhat.com>,
kvm@vger.kernel.org, Marcel Apfelbaum <marcel@redhat.com>,
Markus Armbruster <armbru@redhat.com>,
Paolo Bonzini <pbonzini@redhat.com>,
Peter Crosthwaite <crosthwaite.peter@gmail.com>,
Peter Maydell <peter.maydell@linaro.org>,
Richard Henderson <richard.henderson@linaro.org>,
Stefan Hajnoczi <stefanha@gmail.com>,
Thomas Lendacky <Thomas.Lendacky@amd.com>,
Borislav Petkov <bp@suse.de>, Alexander Graf <agraf@suse.de>,
Bruce Rogers <brogers@suse.com>,
Brijesh Singh <brijesh.singh@amd.com>,
Richard Henderson <rth@twiddle.net>
Subject: [Qemu-devel] [PATCH v10 27/28] sev/i386: add sev_get_capabilities()
Date: Wed, 28 Feb 2018 15:10:27 -0600 [thread overview]
Message-ID: <20180228211028.83970-28-brijesh.singh@amd.com> (raw)
In-Reply-To: <20180228211028.83970-1-brijesh.singh@amd.com>
The function can be used to get the current SEV capabilities.
The capabilities include platform diffie-hellman key (pdh) and certificate
chain. The key can be provided to the external entities which wants to
establish a trusted channel between SEV firmware and guest owner.
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Richard Henderson <rth@twiddle.net>
Cc: Eduardo Habkost <ehabkost@redhat.com>
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
---
target/i386/monitor.c | 10 ++++++-
target/i386/sev-stub.c | 5 ++++
target/i386/sev.c | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++
target/i386/sev_i386.h | 1 +
4 files changed, 93 insertions(+), 1 deletion(-)
diff --git a/target/i386/monitor.c b/target/i386/monitor.c
index 1b55dd0fff88..b914915d9171 100644
--- a/target/i386/monitor.c
+++ b/target/i386/monitor.c
@@ -740,5 +740,13 @@ SevLaunchMeasureInfo *qmp_query_sev_launch_measure(Error **errp)
SevCapability *qmp_query_sev_capabilities(Error **errp)
{
- return NULL;
+ SevCapability *data;
+
+ data = sev_get_capabilities();
+ if (!data) {
+ error_setg(errp, "SEV feature is not available");
+ return NULL;
+ }
+
+ return data;
}
diff --git a/target/i386/sev-stub.c b/target/i386/sev-stub.c
index 2f61c32ec975..59a003a4ebe6 100644
--- a/target/i386/sev-stub.c
+++ b/target/i386/sev-stub.c
@@ -44,3 +44,8 @@ char *sev_get_launch_measurement(void)
{
return NULL;
}
+
+SevCapability *sev_get_capabilities(void)
+{
+ return NULL;
+}
diff --git a/target/i386/sev.c b/target/i386/sev.c
index ad94eeace1b0..20279177cdcd 100644
--- a/target/i386/sev.c
+++ b/target/i386/sev.c
@@ -421,6 +421,84 @@ sev_get_info(void)
return info;
}
+static int
+sev_get_pdh_info(int fd, guchar **pdh, size_t *pdh_len, guchar **cert_chain,
+ size_t *cert_chain_len)
+{
+ guchar *pdh_data, *cert_chain_data;
+ struct sev_user_data_pdh_cert_export export = {};
+ int err, r;
+
+ /* query the certificate length */
+ r = sev_platform_ioctl(fd, SEV_PDH_CERT_EXPORT, &export, &err);
+ if (r < 0) {
+ if (err != SEV_RET_INVALID_LEN) {
+ error_report("failed to export PDH cert ret=%d fw_err=%d (%s)",
+ r, err, fw_error_to_str(err));
+ return 1;
+ }
+ }
+
+ pdh_data = g_new(guchar, export.pdh_cert_len);
+ cert_chain_data = g_new(guchar, export.cert_chain_len);
+ export.pdh_cert_address = (unsigned long)pdh_data;
+ export.cert_chain_address = (unsigned long)cert_chain_data;
+
+ r = sev_platform_ioctl(fd, SEV_PDH_CERT_EXPORT, &export, &err);
+ if (r < 0) {
+ error_report("failed to export PDH cert ret=%d fw_err=%d (%s)",
+ r, err, fw_error_to_str(err));
+ goto e_free;
+ }
+
+ *pdh = pdh_data;
+ *pdh_len = export.pdh_cert_len;
+ *cert_chain = cert_chain_data;
+ *cert_chain_len = export.cert_chain_len;
+ return 0;
+
+e_free:
+ g_free(pdh_data);
+ g_free(cert_chain_data);
+ return 1;
+}
+
+SevCapability *
+sev_get_capabilities(void)
+{
+ SevCapability *cap;
+ guchar *pdh_data, *cert_chain_data;
+ size_t pdh_len = 0, cert_chain_len = 0;
+ uint32_t ebx;
+ int fd;
+
+ fd = open(DEFAULT_SEV_DEVICE, O_RDWR);
+ if (fd < 0) {
+ error_report("%s: Failed to open %s '%s'", __func__,
+ DEFAULT_SEV_DEVICE, strerror(errno));
+ return NULL;
+ }
+
+ if (sev_get_pdh_info(fd, &pdh_data, &pdh_len,
+ &cert_chain_data, &cert_chain_len)) {
+ return NULL;
+ }
+
+ cap = g_new0(SevCapability, 1);
+ cap->pdh = g_base64_encode(pdh_data, pdh_len);
+ cap->cert_chain = g_base64_encode(cert_chain_data, cert_chain_len);
+
+ host_cpuid(0x8000001F, 0, NULL, &ebx, NULL, NULL);
+ cap->cbitpos = ebx & 0x3f;
+ cap->reduced_phys_bits = (ebx >> 6) & 0x3f;
+
+ g_free(pdh_data);
+ g_free(cert_chain_data);
+
+ close(fd);
+ return cap;
+}
+
static int
sev_read_file_base64(const char *filename, guchar **data, gsize *len)
{
diff --git a/target/i386/sev_i386.h b/target/i386/sev_i386.h
index 2ecca66f6e64..cc89e273ccf6 100644
--- a/target/i386/sev_i386.h
+++ b/target/i386/sev_i386.h
@@ -43,6 +43,7 @@ extern SevInfo *sev_get_info(void);
extern uint32_t sev_get_cbit_position(void);
extern uint32_t sev_get_reduced_phys_bits(void);
extern char *sev_get_launch_measurement(void);
+extern SevCapability *sev_get_capabilities(void);
typedef struct QSevGuestInfo QSevGuestInfo;
typedef struct QSevGuestInfoClass QSevGuestInfoClass;
--
2.14.3
next prev parent reply other threads:[~2018-02-28 21:10 UTC|newest]
Thread overview: 76+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-02-28 21:10 [PATCH v10 00/29] x86: Secure Encrypted Virtualization (AMD) Brijesh Singh
2018-02-28 21:10 ` [Qemu-devel] " Brijesh Singh
2018-02-28 21:10 ` [PATCH v10 01/28] memattrs: add debug attribute Brijesh Singh
2018-02-28 21:10 ` [Qemu-devel] " Brijesh Singh
2018-02-28 21:10 ` [PATCH v10 02/28] exec: add ram_debug_ops support Brijesh Singh
2018-02-28 21:10 ` [Qemu-devel] " Brijesh Singh
2018-02-28 21:10 ` [PATCH v10 03/28] exec: add debug version of physical memory read and write API Brijesh Singh
2018-02-28 21:10 ` [Qemu-devel] " Brijesh Singh
2018-02-28 21:10 ` [PATCH v10 04/28] monitor/i386: use debug APIs when accessing guest memory Brijesh Singh
2018-02-28 21:10 ` [Qemu-devel] " Brijesh Singh
2018-02-28 21:10 ` [PATCH v10 05/28] machine: add -memory-encryption property Brijesh Singh
2018-02-28 21:10 ` [Qemu-devel] " Brijesh Singh
2018-02-28 21:10 ` [PATCH v10 06/28] kvm: update kvm.h to include memory encryption ioctls Brijesh Singh
2018-02-28 21:10 ` [Qemu-devel] " Brijesh Singh
2018-02-28 21:10 ` [PATCH v10 07/28] docs: add AMD Secure Encrypted Virtualization (SEV) Brijesh Singh
2018-02-28 21:10 ` [Qemu-devel] " Brijesh Singh
2018-02-28 21:10 ` [PATCH v10 08/28] target/i386: add Secure Encrypted Virtulization (SEV) object Brijesh Singh
2018-02-28 21:10 ` [Qemu-devel] " Brijesh Singh
2018-02-28 21:10 ` [PATCH v10 09/28] qmp: add query-sev command Brijesh Singh
2018-02-28 21:10 ` [Qemu-devel] " Brijesh Singh
2018-03-01 20:09 ` Eric Blake
2018-03-01 20:09 ` [Qemu-devel] " Eric Blake
2018-02-28 21:10 ` [PATCH v10 10/28] include: add psp-sev.h header file Brijesh Singh
2018-02-28 21:10 ` [Qemu-devel] " Brijesh Singh
2018-02-28 21:10 ` [PATCH v10 11/28] sev/i386: add command to initialize the memory encryption context Brijesh Singh
2018-02-28 21:10 ` [Qemu-devel] " Brijesh Singh
2018-03-05 13:37 ` Laszlo Ersek
2018-03-05 13:37 ` [Qemu-devel] " Laszlo Ersek
2018-03-07 13:19 ` Brijesh Singh
2018-03-07 13:19 ` [Qemu-devel] " Brijesh Singh
2018-02-28 21:10 ` [PATCH v10 12/28] sev/i386: register the guest memory range which may contain encrypted data Brijesh Singh
2018-02-28 21:10 ` [Qemu-devel] " Brijesh Singh
2018-02-28 21:10 ` [PATCH v10 13/28] kvm: introduce memory encryption APIs Brijesh Singh
2018-02-28 21:10 ` [Qemu-devel] " Brijesh Singh
2018-02-28 21:10 ` [PATCH v10 14/28] hmp: add 'info sev' command Brijesh Singh
2018-02-28 21:10 ` [Qemu-devel] " Brijesh Singh
2018-03-02 11:31 ` Dr. David Alan Gilbert
2018-03-02 11:31 ` [Qemu-devel] " Dr. David Alan Gilbert
2018-02-28 21:10 ` [PATCH v10 15/28] sev/i386: add command to create launch memory encryption context Brijesh Singh
2018-02-28 21:10 ` [Qemu-devel] " Brijesh Singh
2018-02-28 21:10 ` [PATCH v10 16/28] sev/i386: add command to encrypt guest memory region Brijesh Singh
2018-02-28 21:10 ` [Qemu-devel] " Brijesh Singh
2018-02-28 21:10 ` [PATCH v10 17/28] target/i386: encrypt bios rom Brijesh Singh
2018-02-28 21:10 ` [Qemu-devel] " Brijesh Singh
2018-02-28 21:10 ` [PATCH v10 18/28] sev/i386: add support to LAUNCH_MEASURE command Brijesh Singh
2018-02-28 21:10 ` [Qemu-devel] " Brijesh Singh
2018-02-28 21:10 ` [PATCH v10 19/28] sev/i386: finalize the SEV guest launch flow Brijesh Singh
2018-02-28 21:10 ` [Qemu-devel] " Brijesh Singh
2018-02-28 21:10 ` [PATCH v10 20/28] hw/i386: set ram_debug_ops when memory encryption is enabled Brijesh Singh
2018-02-28 21:10 ` [Qemu-devel] " Brijesh Singh
2018-02-28 21:10 ` [PATCH v10 21/28] sev/i386: add debug encrypt and decrypt commands Brijesh Singh
2018-02-28 21:10 ` [Qemu-devel] " Brijesh Singh
2018-02-28 21:10 ` [PATCH v10 22/28] target/i386: clear C-bit when walking SEV guest page table Brijesh Singh
2018-02-28 21:10 ` [Qemu-devel] " Brijesh Singh
2018-02-28 21:10 ` [PATCH v10 23/28] qmp: add query-sev-launch-measure command Brijesh Singh
2018-02-28 21:10 ` [Qemu-devel] " Brijesh Singh
2018-03-01 20:11 ` Eric Blake
2018-03-01 20:11 ` [Qemu-devel] " Eric Blake
2018-02-28 21:10 ` [PATCH v10 24/28] sev/i386: add migration blocker Brijesh Singh
2018-02-28 21:10 ` [Qemu-devel] " Brijesh Singh
2018-02-28 21:10 ` [PATCH v10 25/28] cpu/i386: populate CPUID 0x8000_001F when SEV is active Brijesh Singh
2018-02-28 21:10 ` [Qemu-devel] " Brijesh Singh
2018-03-06 12:39 ` Eduardo Habkost
2018-03-06 12:39 ` [Qemu-devel] " Eduardo Habkost
2018-02-28 21:10 ` [PATCH v10 26/28] qmp: add query-sev-capabilities command Brijesh Singh
2018-02-28 21:10 ` [Qemu-devel] " Brijesh Singh
2018-03-01 20:13 ` Eric Blake
2018-03-01 20:13 ` [Qemu-devel] " Eric Blake
2018-03-05 17:35 ` Brijesh Singh
2018-03-05 17:35 ` [Qemu-devel] " Brijesh Singh
2018-02-28 21:10 ` Brijesh Singh [this message]
2018-02-28 21:10 ` [Qemu-devel] [PATCH v10 27/28] sev/i386: add sev_get_capabilities() Brijesh Singh
2018-02-28 21:10 ` [PATCH v10 28/28] tests/qmp-test: blacklist sev specific qmp commands Brijesh Singh
2018-02-28 21:10 ` [Qemu-devel] " Brijesh Singh
2018-02-28 21:43 ` [PATCH v10 00/29] x86: Secure Encrypted Virtualization (AMD) Brijesh Singh
2018-02-28 21:43 ` [Qemu-devel] " Brijesh Singh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180228211028.83970-28-brijesh.singh@amd.com \
--to=brijesh.singh@amd.com \
--cc=Thomas.Lendacky@amd.com \
--cc=agraf@suse.de \
--cc=alistair.francis@xilinx.com \
--cc=armbru@redhat.com \
--cc=borntraeger@de.ibm.com \
--cc=bp@suse.de \
--cc=brogers@suse.com \
--cc=cornelia.huck@de.ibm.com \
--cc=crosthwaite.peter@gmail.com \
--cc=dgilbert@redhat.com \
--cc=edgar.iglesias@xilinx.com \
--cc=ehabkost@redhat.com \
--cc=kvm@vger.kernel.org \
--cc=marcel@redhat.com \
--cc=mst@redhat.com \
--cc=pbonzini@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=qemu-devel@nongnu.org \
--cc=richard.henderson@linaro.org \
--cc=rth@twiddle.net \
--cc=stefanha@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.