[Qemu-devel] [PATCH 1/3] ram-encrypted-notifier: Introduce a RAM block encrypted notifier

[Qemu-devel] [PATCH 1/3] ram-encrypted-notifier: Introduce a RAM block encrypted notifier

[Natarajan, Janakarajan]

A client can register to this notifier to know whether the newly added or
removed memory region is marked as encrypted. This information is needed
for the SEV guest launch. In SEV guest, some memory regions may contain
encrypted data (e.g guest RAM). The memory region which contains the
encrypted data should be registered/unregistered using the
KVM_MEMORY_{REG,UNREG}_ENCRYPTED ioctl.

Signed-off-by: Janakarajan Natarajan <Janakarajan.Natarajan@amd.com>
---
 exec.c                 |  1 +
 include/exec/memory.h  | 18 ++++++++++++++++++
 include/exec/ramlist.h | 19 +++++++++++++++++++
 memory.c               | 16 ++++++++++++++++
 numa.c                 | 33 +++++++++++++++++++++++++++++++++
 stubs/ram-block.c      |  8 ++++++++
 6 files changed, 95 insertions(+)

diff --git a/exec.c b/exec.c
index 2646207661..a02c394e48 100644
--- a/exec.c
+++ b/exec.c
@@ -79,6 +79,7 @@
  * are protected by the ramlist lock.
  */
 RAMList ram_list = { .blocks = QLIST_HEAD_INITIALIZER(ram_list.blocks) };
+RAMBlockEncryptedNotifierList ram_block_encrypted_notifier_list;
 
 static MemoryRegion *system_memory;
 static MemoryRegion *system_io;
diff --git a/include/exec/memory.h b/include/exec/memory.h
index 9144a47f57..ae720ff511 100644
--- a/include/exec/memory.h
+++ b/include/exec/memory.h
@@ -374,6 +374,7 @@ struct MemoryRegion {
     bool terminates;
     bool ram_device;
     bool enabled;
+    bool encrypted;
     bool warning_printed; /* For reservations */
     uint8_t vga_logging_count;
     MemoryRegion *alias;
@@ -1131,6 +1132,23 @@ int memory_region_iommu_attrs_to_index(IOMMUMemoryRegion *iommu_mr,
  */
 int memory_region_iommu_num_indexes(IOMMUMemoryRegion *iommu_mr);
 
+/**
+ * memory_region_mark_encrypted: marks the memory region as encrypted and
+ * lets the listeners of encrypted ram know that a memory region containing
+ * encrypted ram block has been added
+ *
+ * @mr: the memory region
+ */
+void memory_region_mark_encrypted(MemoryRegion *mr);
+
+/**
+ * memory_region_is_encrypted: returns if the memory region was marked as
+ * encrypted when it was created
+ *
+ * @mr: the memory region
+ */
+bool memory_region_is_encrypted(MemoryRegion *mr);
+
 /**
  * memory_region_name: get a memory region's name
  *
diff --git a/include/exec/ramlist.h b/include/exec/ramlist.h
index bc4faa1b00..5349f27fa5 100644
--- a/include/exec/ramlist.h
+++ b/include/exec/ramlist.h
@@ -7,6 +7,7 @@
 #include "qemu/rcu_queue.h"
 
 typedef struct RAMBlockNotifier RAMBlockNotifier;
+typedef struct RAMBlockEncryptedNotifier RAMBlockEncryptedNotifier;
 
 #define DIRTY_MEMORY_VGA       0
 #define DIRTY_MEMORY_CODE      1
@@ -55,6 +56,11 @@ typedef struct RAMList {
 } RAMList;
 extern RAMList ram_list;
 
+typedef struct RAMBlockEncryptedNotifierList {
+    QLIST_HEAD(, RAMBlockEncryptedNotifier) ram_block_notifiers;
+} RAMBlockEncryptedNotifierList;
+extern RAMBlockEncryptedNotifierList ram_block_encrypted_notifier_list;
+
 /* Should be holding either ram_list.mutex, or the RCU lock. */
 #define  INTERNAL_RAMBLOCK_FOREACH(block)  \
     QLIST_FOREACH_RCU(block, &ram_list.blocks, next)
@@ -70,6 +76,14 @@ struct RAMBlockNotifier {
     QLIST_ENTRY(RAMBlockNotifier) next;
 };
 
+struct RAMBlockEncryptedNotifier {
+    void (*ram_block_encrypted_added)(RAMBlockEncryptedNotifier *n,
+                                      void *host, size_t size);
+    void (*ram_block_encrypted_removed)(RAMBlockEncryptedNotifier *n,
+                                        void *host, size_t size);
+    QLIST_ENTRY(RAMBlockEncryptedNotifier) next;
+};
+
 void ram_block_notifier_add(RAMBlockNotifier *n);
 void ram_block_notifier_remove(RAMBlockNotifier *n);
 void ram_block_notify_add(void *host, size_t size);
@@ -77,4 +91,9 @@ void ram_block_notify_remove(void *host, size_t size);
 
 void ram_block_dump(Monitor *mon);
 
+void ram_block_encrypted_notifier_add(RAMBlockEncryptedNotifier *n);
+void ram_block_encrypted_notifier_remove(RAMBlockEncryptedNotifier *n);
+void ram_block_encrypted_notify_add(void *host, size_t size);
+void ram_block_encrypted_notify_remove(void *host, size_t size);
+
 #endif /* RAMLIST_H */
diff --git a/memory.c b/memory.c
index bb2b71ee38..eca02d369b 100644
--- a/memory.c
+++ b/memory.c
@@ -2009,6 +2009,22 @@ int memory_region_iommu_num_indexes(IOMMUMemoryRegion *iommu_mr)
     return imrc->num_indexes(iommu_mr);
 }
 
+void memory_region_mark_encrypted(MemoryRegion *mr)
+{
+    RAMBlock *block = mr->ram_block;
+
+    mr->encrypted = kvm_memcrypt_enabled();
+
+    if (mr->encrypted) {
+        ram_block_encrypted_notify_add(block->host, block->max_length);
+    }
+}
+
+bool memory_region_is_encrypted(MemoryRegion *mr)
+{
+    return mr->encrypted;
+}
+
 void memory_region_set_log(MemoryRegion *mr, bool log, unsigned client)
 {
     uint8_t mask = 1 << client;
diff --git a/numa.c b/numa.c
index 3875e1efda..08601366c5 100644
--- a/numa.c
+++ b/numa.c
@@ -638,6 +638,39 @@ MemdevList *qmp_query_memdev(Error **errp)
     return list;
 }
 
+void ram_block_encrypted_notifier_add(RAMBlockEncryptedNotifier *n)
+{
+    QLIST_INSERT_HEAD(&ram_block_encrypted_notifier_list.ram_block_notifiers,
+                      n, next);
+}
+
+void ram_block_encrypted_notifier_remove(RAMBlockEncryptedNotifier *n)
+{
+    QLIST_REMOVE(n, next);
+}
+
+void ram_block_encrypted_notify_add(void *host, size_t size)
+{
+    RAMBlockEncryptedNotifier *notifier;
+
+    QLIST_FOREACH(notifier,
+                  &ram_block_encrypted_notifier_list.ram_block_notifiers,
+                  next) {
+        notifier->ram_block_encrypted_added(notifier, host, size);
+    }
+}
+
+void ram_block_encrypted_notify_remove(void *host, size_t size)
+{
+    RAMBlockEncryptedNotifier *notifier;
+
+    QLIST_FOREACH(notifier,
+                  &ram_block_encrypted_notifier_list.ram_block_notifiers,
+                  next) {
+        notifier->ram_block_encrypted_removed(notifier, host, size);
+    }
+}
+
 void ram_block_notifier_add(RAMBlockNotifier *n)
 {
     QLIST_INSERT_HEAD(&ram_list.ramblock_notifiers, n, next);
diff --git a/stubs/ram-block.c b/stubs/ram-block.c
index 73c0a3ee08..0f68922feb 100644
--- a/stubs/ram-block.c
+++ b/stubs/ram-block.c
@@ -25,6 +25,14 @@ void ram_block_notifier_remove(RAMBlockNotifier *n)
 {
 }
 
+void ram_block_encrypted_notifier_add(RAMBlockEncryptedNotifier *n)
+{
+}
+
+void ram_block_encrypted_notifier_remove(RAMBlockEncryptedNotifier *n)
+{
+}
+
 int qemu_ram_foreach_block(RAMBlockIterFunc func, void *opaque)
 {
     return 0;
-- 
2.20.1

[Qemu-devel] [PATCH 0/3] Add RAM block encrypted notifier

[Natarajan, Janakarajan]

Currently, the SEV guest launch registers to a RAM block notifier. When
called, we issue KVM_MEMORY_ENCRYPT_{REG,UNREG}_REGION ioctl to register
the memory with the KVM driver. These ioctls should be called only for
the region which contains the encrypted data but the RAM block notifier
gets called for any memory region allocated during the guest creation.
Some of those memory regions do not contain encrypted data so we end up
calling the ioctl for a memory region which contains unencrypted data
(e.g. vga RAM etc.).

In case of SEV, only the guest RAM and pflash unit=0 contain the
encrypted data. To solve this problem, we introduce a new notifier (RAM
block encrypted). If a memory region will contain encrypted data then
the caller can use memory_region_mark_encrypted() to set the memory
region as encrypted. Clients can register to the RAM block encrypted
notifier and they will be called when a memory region is set encrypted.

Janakarajan Natarajan (3):
  ram-encrypted-notifier: Introduce a RAM block encrypted notifier
  hw: Notify listeners about guest pages which contain encrypted data
  sev: Change SEV to use EncryptedRAMBlock Notifier

 exec.c                 |  6 ++++++
 hw/i386/pc.c           |  1 +
 hw/i386/pc_sysfw.c     |  2 ++
 hw/mem/memory-device.c |  1 +
 include/exec/memory.h  | 18 ++++++++++++++++++
 include/exec/ramlist.h | 19 +++++++++++++++++++
 memory.c               | 16 ++++++++++++++++
 numa.c                 | 33 +++++++++++++++++++++++++++++++++
 stubs/ram-block.c      |  8 ++++++++
 target/i386/sev.c      | 25 ++++++++-----------------
 10 files changed, 112 insertions(+), 17 deletions(-)

-- 
2.20.1

[Qemu-devel] [PATCH 0/3] Add RAM block encrypted notifier

[Natarajan, Janakarajan]

Currently, the SEV guest launch registers to a RAM block notifier. When
called, we issue KVM_MEMORY_ENCRYPT_{REG,UNREG}_REGION ioctl to register
the memory with the KVM driver. These ioctls should be called only for
the region which contains the encrypted data but the RAM block notifier
gets called for any memory region allocated during the guest creation.
Some of those memory regions do not contain encrypted data so we end up
calling the ioctl for a memory region which contains unencrypted data
(e.g. vga RAM etc.).

In case of SEV, only the guest RAM and pflash unit=0 contain the
encrypted data. To solve this problem, we introduce a new notifier (RAM
block encrypted). If a memory region will contain encrypted data then
the caller can use memory_region_mark_encrypted() to set the memory
region as encrypted. Clients can register to the RAM block encrypted
notifier and they will be called when a memory region is set encrypted.

Janakarajan Natarajan (3):
  ram-encrypted-notifier: Introduce a RAM block encrypted notifier
  hw: Notify listeners about guest pages which contain encrypted data
  sev: Change SEV to use EncryptedRAMBlock Notifier

 exec.c                 |  6 ++++++
 hw/i386/pc.c           |  1 +
 hw/i386/pc_sysfw.c     |  2 ++
 hw/mem/memory-device.c |  1 +
 include/exec/memory.h  | 18 ++++++++++++++++++
 include/exec/ramlist.h | 19 +++++++++++++++++++
 memory.c               | 16 ++++++++++++++++
 numa.c                 | 33 +++++++++++++++++++++++++++++++++
 stubs/ram-block.c      |  8 ++++++++
 target/i386/sev.c      | 25 ++++++++-----------------
 10 files changed, 112 insertions(+), 17 deletions(-)

-- 
2.20.1

[Qemu-devel] [PATCH 1/3] ram-encrypted-notifier: Introduce a RAM block encrypted notifier

[Natarajan, Janakarajan]

A client can register to this notifier to know whether the newly added or
removed memory region is marked as encrypted. This information is needed
for the SEV guest launch. In SEV guest, some memory regions may contain
encrypted data (e.g guest RAM). The memory region which contains the
encrypted data should be registered/unregistered using the
KVM_MEMORY_{REG,UNREG}_ENCRYPTED ioctl.

Signed-off-by: Janakarajan Natarajan <Janakarajan.Natarajan@amd.com>
---
 exec.c                 |  1 +
 include/exec/memory.h  | 18 ++++++++++++++++++
 include/exec/ramlist.h | 19 +++++++++++++++++++
 memory.c               | 16 ++++++++++++++++
 numa.c                 | 33 +++++++++++++++++++++++++++++++++
 stubs/ram-block.c      |  8 ++++++++
 6 files changed, 95 insertions(+)

diff --git a/exec.c b/exec.c
index 2646207661..a02c394e48 100644
--- a/exec.c
+++ b/exec.c
@@ -79,6 +79,7 @@
  * are protected by the ramlist lock.
  */
 RAMList ram_list = { .blocks = QLIST_HEAD_INITIALIZER(ram_list.blocks) };
+RAMBlockEncryptedNotifierList ram_block_encrypted_notifier_list;
 
 static MemoryRegion *system_memory;
 static MemoryRegion *system_io;
diff --git a/include/exec/memory.h b/include/exec/memory.h
index 9144a47f57..ae720ff511 100644
--- a/include/exec/memory.h
+++ b/include/exec/memory.h
@@ -374,6 +374,7 @@ struct MemoryRegion {
     bool terminates;
     bool ram_device;
     bool enabled;
+    bool encrypted;
     bool warning_printed; /* For reservations */
     uint8_t vga_logging_count;
     MemoryRegion *alias;
@@ -1131,6 +1132,23 @@ int memory_region_iommu_attrs_to_index(IOMMUMemoryRegion *iommu_mr,
  */
 int memory_region_iommu_num_indexes(IOMMUMemoryRegion *iommu_mr);
 
+/**
+ * memory_region_mark_encrypted: marks the memory region as encrypted and
+ * lets the listeners of encrypted ram know that a memory region containing
+ * encrypted ram block has been added
+ *
+ * @mr: the memory region
+ */
+void memory_region_mark_encrypted(MemoryRegion *mr);
+
+/**
+ * memory_region_is_encrypted: returns if the memory region was marked as
+ * encrypted when it was created
+ *
+ * @mr: the memory region
+ */
+bool memory_region_is_encrypted(MemoryRegion *mr);
+
 /**
  * memory_region_name: get a memory region's name
  *
diff --git a/include/exec/ramlist.h b/include/exec/ramlist.h
index bc4faa1b00..5349f27fa5 100644
--- a/include/exec/ramlist.h
+++ b/include/exec/ramlist.h
@@ -7,6 +7,7 @@
 #include "qemu/rcu_queue.h"
 
 typedef struct RAMBlockNotifier RAMBlockNotifier;
+typedef struct RAMBlockEncryptedNotifier RAMBlockEncryptedNotifier;
 
 #define DIRTY_MEMORY_VGA       0
 #define DIRTY_MEMORY_CODE      1
@@ -55,6 +56,11 @@ typedef struct RAMList {
 } RAMList;
 extern RAMList ram_list;
 
+typedef struct RAMBlockEncryptedNotifierList {
+    QLIST_HEAD(, RAMBlockEncryptedNotifier) ram_block_notifiers;
+} RAMBlockEncryptedNotifierList;
+extern RAMBlockEncryptedNotifierList ram_block_encrypted_notifier_list;
+
 /* Should be holding either ram_list.mutex, or the RCU lock. */
 #define  INTERNAL_RAMBLOCK_FOREACH(block)  \
     QLIST_FOREACH_RCU(block, &ram_list.blocks, next)
@@ -70,6 +76,14 @@ struct RAMBlockNotifier {
     QLIST_ENTRY(RAMBlockNotifier) next;
 };
 
+struct RAMBlockEncryptedNotifier {
+    void (*ram_block_encrypted_added)(RAMBlockEncryptedNotifier *n,
+                                      void *host, size_t size);
+    void (*ram_block_encrypted_removed)(RAMBlockEncryptedNotifier *n,
+                                        void *host, size_t size);
+    QLIST_ENTRY(RAMBlockEncryptedNotifier) next;
+};
+
 void ram_block_notifier_add(RAMBlockNotifier *n);
 void ram_block_notifier_remove(RAMBlockNotifier *n);
 void ram_block_notify_add(void *host, size_t size);
@@ -77,4 +91,9 @@ void ram_block_notify_remove(void *host, size_t size);
 
 void ram_block_dump(Monitor *mon);
 
+void ram_block_encrypted_notifier_add(RAMBlockEncryptedNotifier *n);
+void ram_block_encrypted_notifier_remove(RAMBlockEncryptedNotifier *n);
+void ram_block_encrypted_notify_add(void *host, size_t size);
+void ram_block_encrypted_notify_remove(void *host, size_t size);
+
 #endif /* RAMLIST_H */
diff --git a/memory.c b/memory.c
index bb2b71ee38..eca02d369b 100644
--- a/memory.c
+++ b/memory.c
@@ -2009,6 +2009,22 @@ int memory_region_iommu_num_indexes(IOMMUMemoryRegion *iommu_mr)
     return imrc->num_indexes(iommu_mr);
 }
 
+void memory_region_mark_encrypted(MemoryRegion *mr)
+{
+    RAMBlock *block = mr->ram_block;
+
+    mr->encrypted = kvm_memcrypt_enabled();
+
+    if (mr->encrypted) {
+        ram_block_encrypted_notify_add(block->host, block->max_length);
+    }
+}
+
+bool memory_region_is_encrypted(MemoryRegion *mr)
+{
+    return mr->encrypted;
+}
+
 void memory_region_set_log(MemoryRegion *mr, bool log, unsigned client)
 {
     uint8_t mask = 1 << client;
diff --git a/numa.c b/numa.c
index 3875e1efda..08601366c5 100644
--- a/numa.c
+++ b/numa.c
@@ -638,6 +638,39 @@ MemdevList *qmp_query_memdev(Error **errp)
     return list;
 }
 
+void ram_block_encrypted_notifier_add(RAMBlockEncryptedNotifier *n)
+{
+    QLIST_INSERT_HEAD(&ram_block_encrypted_notifier_list.ram_block_notifiers,
+                      n, next);
+}
+
+void ram_block_encrypted_notifier_remove(RAMBlockEncryptedNotifier *n)
+{
+    QLIST_REMOVE(n, next);
+}
+
+void ram_block_encrypted_notify_add(void *host, size_t size)
+{
+    RAMBlockEncryptedNotifier *notifier;
+
+    QLIST_FOREACH(notifier,
+                  &ram_block_encrypted_notifier_list.ram_block_notifiers,
+                  next) {
+        notifier->ram_block_encrypted_added(notifier, host, size);
+    }
+}
+
+void ram_block_encrypted_notify_remove(void *host, size_t size)
+{
+    RAMBlockEncryptedNotifier *notifier;
+
+    QLIST_FOREACH(notifier,
+                  &ram_block_encrypted_notifier_list.ram_block_notifiers,
+                  next) {
+        notifier->ram_block_encrypted_removed(notifier, host, size);
+    }
+}
+
 void ram_block_notifier_add(RAMBlockNotifier *n)
 {
     QLIST_INSERT_HEAD(&ram_list.ramblock_notifiers, n, next);
diff --git a/stubs/ram-block.c b/stubs/ram-block.c
index 73c0a3ee08..0f68922feb 100644
--- a/stubs/ram-block.c
+++ b/stubs/ram-block.c
@@ -25,6 +25,14 @@ void ram_block_notifier_remove(RAMBlockNotifier *n)
 {
 }
 
+void ram_block_encrypted_notifier_add(RAMBlockEncryptedNotifier *n)
+{
+}
+
+void ram_block_encrypted_notifier_remove(RAMBlockEncryptedNotifier *n)
+{
+}
+
 int qemu_ram_foreach_block(RAMBlockIterFunc func, void *opaque)
 {
     return 0;
-- 
2.20.1

[Qemu-devel] [PATCH 2/3] hw: Notify listeners about guest pages which contain encrypted data

[Natarajan, Janakarajan]

PC ram, pflash unit 0 rom and pc-dimm memory hotplug ram blocks need to be
encrypted.

Also, notify listeners when freeing a MemoryRegion if it has encrypted
data.

Signed-off-by: Janakarajan Natarajan <Janakarajan.Natarajan@amd.com>
---
 exec.c                 | 5 +++++
 hw/i386/pc.c           | 1 +
 hw/i386/pc_sysfw.c     | 2 ++
 hw/mem/memory-device.c | 1 +
 4 files changed, 9 insertions(+)

diff --git a/exec.c b/exec.c
index a02c394e48..25be8f84f3 100644
--- a/exec.c
+++ b/exec.c
@@ -2442,6 +2442,11 @@ void qemu_ram_free(RAMBlock *block)
     }
 
     if (block->host) {
+        /* Notify only if encrypted */
+        if (memory_region_is_encrypted(block->mr)) {
+            ram_block_encrypted_notify_remove(block->host, block->max_length);
+        }
+
         ram_block_notify_remove(block->host, block->max_length);
     }
 
diff --git a/hw/i386/pc.c b/hw/i386/pc.c
index f2c15bf1f2..3af3094543 100644
--- a/hw/i386/pc.c
+++ b/hw/i386/pc.c
@@ -1740,6 +1740,7 @@ void pc_memory_init(PCMachineState *pcms,
     ram = g_malloc(sizeof(*ram));
     memory_region_allocate_system_memory(ram, NULL, "pc.ram",
                                          machine->ram_size);
+    memory_region_mark_encrypted(ram);
     *ram_memory = ram;
     ram_below_4g = g_malloc(sizeof(*ram_below_4g));
     memory_region_init_alias(ram_below_4g, NULL, "ram-below-4g", ram,
diff --git a/hw/i386/pc_sysfw.c b/hw/i386/pc_sysfw.c
index c628540774..40d7da5ff6 100644
--- a/hw/i386/pc_sysfw.c
+++ b/hw/i386/pc_sysfw.c
@@ -199,6 +199,8 @@ static void pc_system_flash_map(PCMachineState *pcms,
 
             /* Encrypt the pflash boot ROM */
             if (kvm_memcrypt_enabled()) {
+                /* Mark pflash unit 0 as encrypted. This will pin the pages */
+                memory_region_mark_encrypted(flash_mem);
                 flash_ptr = memory_region_get_ram_ptr(flash_mem);
                 flash_size = memory_region_size(flash_mem);
                 ret = kvm_memcrypt_encrypt_data(flash_ptr, flash_size);
diff --git a/hw/mem/memory-device.c b/hw/mem/memory-device.c
index 5f2c408036..b2e77774d4 100644
--- a/hw/mem/memory-device.c
+++ b/hw/mem/memory-device.c
@@ -295,6 +295,7 @@ void memory_device_plug(MemoryDeviceState *md, MachineState *ms)
 
     memory_region_add_subregion(&ms->device_memory->mr,
                                 addr - ms->device_memory->base, mr);
+    memory_region_mark_encrypted(mr);
     trace_memory_device_plug(DEVICE(md)->id ? DEVICE(md)->id : "", addr);
 }
 
-- 
2.20.1

[Qemu-devel] [PATCH 2/3] hw: Notify listeners about guest pages which contain encrypted data

[Natarajan, Janakarajan]

PC ram, pflash unit 0 rom and pc-dimm memory hotplug ram blocks need to be
encrypted.

Also, notify listeners when freeing a MemoryRegion if it has encrypted
data.

Signed-off-by: Janakarajan Natarajan <Janakarajan.Natarajan@amd.com>
---
 exec.c                 | 5 +++++
 hw/i386/pc.c           | 1 +
 hw/i386/pc_sysfw.c     | 2 ++
 hw/mem/memory-device.c | 1 +
 4 files changed, 9 insertions(+)

diff --git a/exec.c b/exec.c
index a02c394e48..25be8f84f3 100644
--- a/exec.c
+++ b/exec.c
@@ -2442,6 +2442,11 @@ void qemu_ram_free(RAMBlock *block)
     }
 
     if (block->host) {
+        /* Notify only if encrypted */
+        if (memory_region_is_encrypted(block->mr)) {
+            ram_block_encrypted_notify_remove(block->host, block->max_length);
+        }
+
         ram_block_notify_remove(block->host, block->max_length);
     }
 
diff --git a/hw/i386/pc.c b/hw/i386/pc.c
index f2c15bf1f2..3af3094543 100644
--- a/hw/i386/pc.c
+++ b/hw/i386/pc.c
@@ -1740,6 +1740,7 @@ void pc_memory_init(PCMachineState *pcms,
     ram = g_malloc(sizeof(*ram));
     memory_region_allocate_system_memory(ram, NULL, "pc.ram",
                                          machine->ram_size);
+    memory_region_mark_encrypted(ram);
     *ram_memory = ram;
     ram_below_4g = g_malloc(sizeof(*ram_below_4g));
     memory_region_init_alias(ram_below_4g, NULL, "ram-below-4g", ram,
diff --git a/hw/i386/pc_sysfw.c b/hw/i386/pc_sysfw.c
index c628540774..40d7da5ff6 100644
--- a/hw/i386/pc_sysfw.c
+++ b/hw/i386/pc_sysfw.c
@@ -199,6 +199,8 @@ static void pc_system_flash_map(PCMachineState *pcms,
 
             /* Encrypt the pflash boot ROM */
             if (kvm_memcrypt_enabled()) {
+                /* Mark pflash unit 0 as encrypted. This will pin the pages */
+                memory_region_mark_encrypted(flash_mem);
                 flash_ptr = memory_region_get_ram_ptr(flash_mem);
                 flash_size = memory_region_size(flash_mem);
                 ret = kvm_memcrypt_encrypt_data(flash_ptr, flash_size);
diff --git a/hw/mem/memory-device.c b/hw/mem/memory-device.c
index 5f2c408036..b2e77774d4 100644
--- a/hw/mem/memory-device.c
+++ b/hw/mem/memory-device.c
@@ -295,6 +295,7 @@ void memory_device_plug(MemoryDeviceState *md, MachineState *ms)
 
     memory_region_add_subregion(&ms->device_memory->mr,
                                 addr - ms->device_memory->base, mr);
+    memory_region_mark_encrypted(mr);
     trace_memory_device_plug(DEVICE(md)->id ? DEVICE(md)->id : "", addr);
 }
 
-- 
2.20.1

[Qemu-devel] [PATCH 3/3] sev: Change SEV to use EncryptedRAMBlock Notifier

[Natarajan, Janakarajan]

The EncryptedRAMBlock Notifier lets SEV know which guest RAM pages
will contain encrypted guest data.

Using this notifier lets SEV skip pinning pages that do not contain
encrypted data.

Signed-off-by: Janakarajan Natarajan <Janakarajan.Natarajan@amd.com>
---
 target/i386/sev.c | 25 ++++++++-----------------
 1 file changed, 8 insertions(+), 17 deletions(-)

diff --git a/target/i386/sev.c b/target/i386/sev.c
index cd77f6b5d4..610e992e64 100644
--- a/target/i386/sev.c
+++ b/target/i386/sev.c
@@ -127,21 +127,11 @@ sev_set_guest_state(SevState new_state)
 }
 
 static void
-sev_ram_block_added(RAMBlockNotifier *n, void *host, size_t size)
+sev_ram_block_encrypted_added(RAMBlockEncryptedNotifier *n,
+                              void *host, size_t size)
 {
     int r;
     struct kvm_enc_region range;
-    ram_addr_t offset;
-    MemoryRegion *mr;
-
-    /*
-     * The RAM device presents a memory region that should be treated
-     * as IO region and should not be pinned.
-     */
-    mr = memory_region_from_host(host, &offset);
-    if (mr && memory_region_is_ram_device(mr)) {
-        return;
-    }
 
     range.addr = (__u64)(unsigned long)host;
     range.size = size;
@@ -156,7 +146,8 @@ sev_ram_block_added(RAMBlockNotifier *n, void *host, size_t size)
 }
 
 static void
-sev_ram_block_removed(RAMBlockNotifier *n, void *host, size_t size)
+sev_ram_block_encrypted_removed(RAMBlockEncryptedNotifier *n,
+                                void *host, size_t size)
 {
     int r;
     struct kvm_enc_region range;
@@ -172,9 +163,9 @@ sev_ram_block_removed(RAMBlockNotifier *n, void *host, size_t size)
     }
 }
 
-static struct RAMBlockNotifier sev_ram_notifier = {
-    .ram_block_added = sev_ram_block_added,
-    .ram_block_removed = sev_ram_block_removed,
+static struct RAMBlockEncryptedNotifier sev_ram_encrypted_notifier = {
+    .ram_block_encrypted_added = sev_ram_block_encrypted_added,
+    .ram_block_encrypted_removed = sev_ram_block_encrypted_removed,
 };
 
 static void
@@ -794,7 +785,7 @@ sev_guest_init(const char *id)
         goto err;
     }
 
-    ram_block_notifier_add(&sev_ram_notifier);
+    ram_block_encrypted_notifier_add(&sev_ram_encrypted_notifier);
     qemu_add_machine_init_done_notifier(&sev_machine_done_notify);
     qemu_add_vm_change_state_handler(sev_vm_state_change, s);
 
-- 
2.20.1

[Qemu-devel] [PATCH 3/3] sev: Change SEV to use EncryptedRAMBlock Notifier

[Natarajan, Janakarajan]

The EncryptedRAMBlock Notifier lets SEV know which guest RAM pages
will contain encrypted guest data.

Using this notifier lets SEV skip pinning pages that do not contain
encrypted data.

Signed-off-by: Janakarajan Natarajan <Janakarajan.Natarajan@amd.com>
---
 target/i386/sev.c | 25 ++++++++-----------------
 1 file changed, 8 insertions(+), 17 deletions(-)

diff --git a/target/i386/sev.c b/target/i386/sev.c
index cd77f6b5d4..610e992e64 100644
--- a/target/i386/sev.c
+++ b/target/i386/sev.c
@@ -127,21 +127,11 @@ sev_set_guest_state(SevState new_state)
 }
 
 static void
-sev_ram_block_added(RAMBlockNotifier *n, void *host, size_t size)
+sev_ram_block_encrypted_added(RAMBlockEncryptedNotifier *n,
+                              void *host, size_t size)
 {
     int r;
     struct kvm_enc_region range;
-    ram_addr_t offset;
-    MemoryRegion *mr;
-
-    /*
-     * The RAM device presents a memory region that should be treated
-     * as IO region and should not be pinned.
-     */
-    mr = memory_region_from_host(host, &offset);
-    if (mr && memory_region_is_ram_device(mr)) {
-        return;
-    }
 
     range.addr = (__u64)(unsigned long)host;
     range.size = size;
@@ -156,7 +146,8 @@ sev_ram_block_added(RAMBlockNotifier *n, void *host, size_t size)
 }
 
 static void
-sev_ram_block_removed(RAMBlockNotifier *n, void *host, size_t size)
+sev_ram_block_encrypted_removed(RAMBlockEncryptedNotifier *n,
+                                void *host, size_t size)
 {
     int r;
     struct kvm_enc_region range;
@@ -172,9 +163,9 @@ sev_ram_block_removed(RAMBlockNotifier *n, void *host, size_t size)
     }
 }
 
-static struct RAMBlockNotifier sev_ram_notifier = {
-    .ram_block_added = sev_ram_block_added,
-    .ram_block_removed = sev_ram_block_removed,
+static struct RAMBlockEncryptedNotifier sev_ram_encrypted_notifier = {
+    .ram_block_encrypted_added = sev_ram_block_encrypted_added,
+    .ram_block_encrypted_removed = sev_ram_block_encrypted_removed,
 };
 
 static void
@@ -794,7 +785,7 @@ sev_guest_init(const char *id)
         goto err;
     }
 
-    ram_block_notifier_add(&sev_ram_notifier);
+    ram_block_encrypted_notifier_add(&sev_ram_encrypted_notifier);
     qemu_add_machine_init_done_notifier(&sev_machine_done_notify);
     qemu_add_vm_change_state_handler(sev_vm_state_change, s);
 
-- 
2.20.1

Re: [Qemu-devel] [PATCH 1/3] ram-encrypted-notifier: Introduce a RAM block encrypted notifier

[Igor Mammedov]

On Thu, 25 Apr 2019 22:58:18 +0000
"Natarajan, Janakarajan" <Janakarajan.Natarajan@amd.com> wrote:

> A client can register to this notifier to know whether the newly added or
> removed memory region is marked as encrypted. This information is needed
> for the SEV guest launch. In SEV guest, some memory regions may contain
> encrypted data (e.g guest RAM). The memory region which contains the
> encrypted data should be registered/unregistered using the
> KVM_MEMORY_{REG,UNREG}_ENCRYPTED ioctl.
> 
> Signed-off-by: Janakarajan Natarajan <Janakarajan.Natarajan@amd.com>
> ---
>  exec.c                 |  1 +
>  include/exec/memory.h  | 18 ++++++++++++++++++
>  include/exec/ramlist.h | 19 +++++++++++++++++++
>  memory.c               | 16 ++++++++++++++++
>  numa.c                 | 33 +++++++++++++++++++++++++++++++++
>  stubs/ram-block.c      |  8 ++++++++
>  6 files changed, 95 insertions(+)
> 
> diff --git a/exec.c b/exec.c
> index 2646207661..a02c394e48 100644
> --- a/exec.c
> +++ b/exec.c
> @@ -79,6 +79,7 @@
>   * are protected by the ramlist lock.
>   */
>  RAMList ram_list = { .blocks = QLIST_HEAD_INITIALIZER(ram_list.blocks) };
> +RAMBlockEncryptedNotifierList ram_block_encrypted_notifier_list;
>  
>  static MemoryRegion *system_memory;
>  static MemoryRegion *system_io;
> diff --git a/include/exec/memory.h b/include/exec/memory.h
> index 9144a47f57..ae720ff511 100644
> --- a/include/exec/memory.h
> +++ b/include/exec/memory.h
> @@ -374,6 +374,7 @@ struct MemoryRegion {
>      bool terminates;
>      bool ram_device;
>      bool enabled;
> +    bool encrypted;
>      bool warning_printed; /* For reservations */
>      uint8_t vga_logging_count;
>      MemoryRegion *alias;
> @@ -1131,6 +1132,23 @@ int memory_region_iommu_attrs_to_index(IOMMUMemoryRegion *iommu_mr,
>   */
>  int memory_region_iommu_num_indexes(IOMMUMemoryRegion *iommu_mr);
>  
> +/**
> + * memory_region_mark_encrypted: marks the memory region as encrypted and
> + * lets the listeners of encrypted ram know that a memory region containing
> + * encrypted ram block has been added
> + *
> + * @mr: the memory region
> + */
> +void memory_region_mark_encrypted(MemoryRegion *mr);
> +
> +/**
> + * memory_region_is_encrypted: returns if the memory region was marked as
> + * encrypted when it was created
> + *
> + * @mr: the memory region
> + */
> +bool memory_region_is_encrypted(MemoryRegion *mr);
> +
>  /**
>   * memory_region_name: get a memory region's name
>   *
> diff --git a/include/exec/ramlist.h b/include/exec/ramlist.h
> index bc4faa1b00..5349f27fa5 100644
> --- a/include/exec/ramlist.h
> +++ b/include/exec/ramlist.h
> @@ -7,6 +7,7 @@
>  #include "qemu/rcu_queue.h"
>  
>  typedef struct RAMBlockNotifier RAMBlockNotifier;
> +typedef struct RAMBlockEncryptedNotifier RAMBlockEncryptedNotifier;
>  
>  #define DIRTY_MEMORY_VGA       0
>  #define DIRTY_MEMORY_CODE      1
> @@ -55,6 +56,11 @@ typedef struct RAMList {
>  } RAMList;
>  extern RAMList ram_list;
>  
> +typedef struct RAMBlockEncryptedNotifierList {
> +    QLIST_HEAD(, RAMBlockEncryptedNotifier) ram_block_notifiers;
> +} RAMBlockEncryptedNotifierList;
> +extern RAMBlockEncryptedNotifierList ram_block_encrypted_notifier_list;
> +
>  /* Should be holding either ram_list.mutex, or the RCU lock. */
>  #define  INTERNAL_RAMBLOCK_FOREACH(block)  \
>      QLIST_FOREACH_RCU(block, &ram_list.blocks, next)
> @@ -70,6 +76,14 @@ struct RAMBlockNotifier {
>      QLIST_ENTRY(RAMBlockNotifier) next;
>  };
>  
> +struct RAMBlockEncryptedNotifier {
> +    void (*ram_block_encrypted_added)(RAMBlockEncryptedNotifier *n,
> +                                      void *host, size_t size);
> +    void (*ram_block_encrypted_removed)(RAMBlockEncryptedNotifier *n,
> +                                        void *host, size_t size);
> +    QLIST_ENTRY(RAMBlockEncryptedNotifier) next;
> +};
> +
>  void ram_block_notifier_add(RAMBlockNotifier *n);
>  void ram_block_notifier_remove(RAMBlockNotifier *n);
>  void ram_block_notify_add(void *host, size_t size);
> @@ -77,4 +91,9 @@ void ram_block_notify_remove(void *host, size_t size);
>  
>  void ram_block_dump(Monitor *mon);
>  
> +void ram_block_encrypted_notifier_add(RAMBlockEncryptedNotifier *n);
> +void ram_block_encrypted_notifier_remove(RAMBlockEncryptedNotifier *n);
> +void ram_block_encrypted_notify_add(void *host, size_t size);
> +void ram_block_encrypted_notify_remove(void *host, size_t size);
> +
>  #endif /* RAMLIST_H */
> diff --git a/memory.c b/memory.c
> index bb2b71ee38..eca02d369b 100644
> --- a/memory.c
> +++ b/memory.c
> @@ -2009,6 +2009,22 @@ int memory_region_iommu_num_indexes(IOMMUMemoryRegion *iommu_mr)
>      return imrc->num_indexes(iommu_mr);
>  }
>  
> +void memory_region_mark_encrypted(MemoryRegion *mr)
> +{
> +    RAMBlock *block = mr->ram_block;
> +
> +    mr->encrypted = kvm_memcrypt_enabled();
> +
> +    if (mr->encrypted) {
> +        ram_block_encrypted_notify_add(block->host, block->max_length);
> +    }
> +}
> +
> +bool memory_region_is_encrypted(MemoryRegion *mr)
> +{
> +    return mr->encrypted;
> +}
> +
>  void memory_region_set_log(MemoryRegion *mr, bool log, unsigned client)
>  {
>      uint8_t mask = 1 << client;
> diff --git a/numa.c b/numa.c
> index 3875e1efda..08601366c5 100644
> --- a/numa.c
> +++ b/numa.c

looks like wrong file to put RAMBlock code in. I though that we should put it in exec.c

> @@ -638,6 +638,39 @@ MemdevList *qmp_query_memdev(Error **errp)
>      return list;
>  }
>  
> +void ram_block_encrypted_notifier_add(RAMBlockEncryptedNotifier *n)
> +{
> +    QLIST_INSERT_HEAD(&ram_block_encrypted_notifier_list.ram_block_notifiers,
> +                      n, next);
> +}
> +
> +void ram_block_encrypted_notifier_remove(RAMBlockEncryptedNotifier *n)
> +{
> +    QLIST_REMOVE(n, next);
> +}
> +
> +void ram_block_encrypted_notify_add(void *host, size_t size)
> +{
> +    RAMBlockEncryptedNotifier *notifier;
> +
> +    QLIST_FOREACH(notifier,
> +                  &ram_block_encrypted_notifier_list.ram_block_notifiers,
> +                  next) {
> +        notifier->ram_block_encrypted_added(notifier, host, size);
> +    }
> +}
> +
> +void ram_block_encrypted_notify_remove(void *host, size_t size)
> +{
> +    RAMBlockEncryptedNotifier *notifier;
> +
> +    QLIST_FOREACH(notifier,
> +                  &ram_block_encrypted_notifier_list.ram_block_notifiers,
> +                  next) {
> +        notifier->ram_block_encrypted_removed(notifier, host, size);
> +    }
> +}
> +
>  void ram_block_notifier_add(RAMBlockNotifier *n)
>  {
>      QLIST_INSERT_HEAD(&ram_list.ramblock_notifiers, n, next);
> diff --git a/stubs/ram-block.c b/stubs/ram-block.c
> index 73c0a3ee08..0f68922feb 100644
> --- a/stubs/ram-block.c
> +++ b/stubs/ram-block.c
> @@ -25,6 +25,14 @@ void ram_block_notifier_remove(RAMBlockNotifier *n)
>  {
>  }
>  
> +void ram_block_encrypted_notifier_add(RAMBlockEncryptedNotifier *n)
> +{
> +}
> +
> +void ram_block_encrypted_notifier_remove(RAMBlockEncryptedNotifier *n)
> +{
> +}
> +
>  int qemu_ram_foreach_block(RAMBlockIterFunc func, void *opaque)
>  {
>      return 0;

Re: [Qemu-devel] [PATCH 1/3] ram-encrypted-notifier: Introduce a RAM block encrypted notifier

[Igor Mammedov]

On Thu, 25 Apr 2019 22:58:18 +0000
"Natarajan, Janakarajan" <Janakarajan.Natarajan@amd.com> wrote:

> A client can register to this notifier to know whether the newly added or
> removed memory region is marked as encrypted. This information is needed
> for the SEV guest launch. In SEV guest, some memory regions may contain
> encrypted data (e.g guest RAM). The memory region which contains the
> encrypted data should be registered/unregistered using the
> KVM_MEMORY_{REG,UNREG}_ENCRYPTED ioctl.
> 
> Signed-off-by: Janakarajan Natarajan <Janakarajan.Natarajan@amd.com>
> ---
>  exec.c                 |  1 +
>  include/exec/memory.h  | 18 ++++++++++++++++++
>  include/exec/ramlist.h | 19 +++++++++++++++++++
>  memory.c               | 16 ++++++++++++++++
>  numa.c                 | 33 +++++++++++++++++++++++++++++++++
>  stubs/ram-block.c      |  8 ++++++++
>  6 files changed, 95 insertions(+)
> 
> diff --git a/exec.c b/exec.c
> index 2646207661..a02c394e48 100644
> --- a/exec.c
> +++ b/exec.c
> @@ -79,6 +79,7 @@
>   * are protected by the ramlist lock.
>   */
>  RAMList ram_list = { .blocks = QLIST_HEAD_INITIALIZER(ram_list.blocks) };
> +RAMBlockEncryptedNotifierList ram_block_encrypted_notifier_list;
>  
>  static MemoryRegion *system_memory;
>  static MemoryRegion *system_io;
> diff --git a/include/exec/memory.h b/include/exec/memory.h
> index 9144a47f57..ae720ff511 100644
> --- a/include/exec/memory.h
> +++ b/include/exec/memory.h
> @@ -374,6 +374,7 @@ struct MemoryRegion {
>      bool terminates;
>      bool ram_device;
>      bool enabled;
> +    bool encrypted;
>      bool warning_printed; /* For reservations */
>      uint8_t vga_logging_count;
>      MemoryRegion *alias;
> @@ -1131,6 +1132,23 @@ int memory_region_iommu_attrs_to_index(IOMMUMemoryRegion *iommu_mr,
>   */
>  int memory_region_iommu_num_indexes(IOMMUMemoryRegion *iommu_mr);
>  
> +/**
> + * memory_region_mark_encrypted: marks the memory region as encrypted and
> + * lets the listeners of encrypted ram know that a memory region containing
> + * encrypted ram block has been added
> + *
> + * @mr: the memory region
> + */
> +void memory_region_mark_encrypted(MemoryRegion *mr);
> +
> +/**
> + * memory_region_is_encrypted: returns if the memory region was marked as
> + * encrypted when it was created
> + *
> + * @mr: the memory region
> + */
> +bool memory_region_is_encrypted(MemoryRegion *mr);
> +
>  /**
>   * memory_region_name: get a memory region's name
>   *
> diff --git a/include/exec/ramlist.h b/include/exec/ramlist.h
> index bc4faa1b00..5349f27fa5 100644
> --- a/include/exec/ramlist.h
> +++ b/include/exec/ramlist.h
> @@ -7,6 +7,7 @@
>  #include "qemu/rcu_queue.h"
>  
>  typedef struct RAMBlockNotifier RAMBlockNotifier;
> +typedef struct RAMBlockEncryptedNotifier RAMBlockEncryptedNotifier;
>  
>  #define DIRTY_MEMORY_VGA       0
>  #define DIRTY_MEMORY_CODE      1
> @@ -55,6 +56,11 @@ typedef struct RAMList {
>  } RAMList;
>  extern RAMList ram_list;
>  
> +typedef struct RAMBlockEncryptedNotifierList {
> +    QLIST_HEAD(, RAMBlockEncryptedNotifier) ram_block_notifiers;
> +} RAMBlockEncryptedNotifierList;
> +extern RAMBlockEncryptedNotifierList ram_block_encrypted_notifier_list;
> +
>  /* Should be holding either ram_list.mutex, or the RCU lock. */
>  #define  INTERNAL_RAMBLOCK_FOREACH(block)  \
>      QLIST_FOREACH_RCU(block, &ram_list.blocks, next)
> @@ -70,6 +76,14 @@ struct RAMBlockNotifier {
>      QLIST_ENTRY(RAMBlockNotifier) next;
>  };
>  
> +struct RAMBlockEncryptedNotifier {
> +    void (*ram_block_encrypted_added)(RAMBlockEncryptedNotifier *n,
> +                                      void *host, size_t size);
> +    void (*ram_block_encrypted_removed)(RAMBlockEncryptedNotifier *n,
> +                                        void *host, size_t size);
> +    QLIST_ENTRY(RAMBlockEncryptedNotifier) next;
> +};
> +
>  void ram_block_notifier_add(RAMBlockNotifier *n);
>  void ram_block_notifier_remove(RAMBlockNotifier *n);
>  void ram_block_notify_add(void *host, size_t size);
> @@ -77,4 +91,9 @@ void ram_block_notify_remove(void *host, size_t size);
>  
>  void ram_block_dump(Monitor *mon);
>  
> +void ram_block_encrypted_notifier_add(RAMBlockEncryptedNotifier *n);
> +void ram_block_encrypted_notifier_remove(RAMBlockEncryptedNotifier *n);
> +void ram_block_encrypted_notify_add(void *host, size_t size);
> +void ram_block_encrypted_notify_remove(void *host, size_t size);
> +
>  #endif /* RAMLIST_H */
> diff --git a/memory.c b/memory.c
> index bb2b71ee38..eca02d369b 100644
> --- a/memory.c
> +++ b/memory.c
> @@ -2009,6 +2009,22 @@ int memory_region_iommu_num_indexes(IOMMUMemoryRegion *iommu_mr)
>      return imrc->num_indexes(iommu_mr);
>  }
>  
> +void memory_region_mark_encrypted(MemoryRegion *mr)
> +{
> +    RAMBlock *block = mr->ram_block;
> +
> +    mr->encrypted = kvm_memcrypt_enabled();
> +
> +    if (mr->encrypted) {
> +        ram_block_encrypted_notify_add(block->host, block->max_length);
> +    }
> +}
> +
> +bool memory_region_is_encrypted(MemoryRegion *mr)
> +{
> +    return mr->encrypted;
> +}
> +
>  void memory_region_set_log(MemoryRegion *mr, bool log, unsigned client)
>  {
>      uint8_t mask = 1 << client;
> diff --git a/numa.c b/numa.c
> index 3875e1efda..08601366c5 100644
> --- a/numa.c
> +++ b/numa.c

looks like wrong file to put RAMBlock code in. I though that we should put it in exec.c

> @@ -638,6 +638,39 @@ MemdevList *qmp_query_memdev(Error **errp)
>      return list;
>  }
>  
> +void ram_block_encrypted_notifier_add(RAMBlockEncryptedNotifier *n)
> +{
> +    QLIST_INSERT_HEAD(&ram_block_encrypted_notifier_list.ram_block_notifiers,
> +                      n, next);
> +}
> +
> +void ram_block_encrypted_notifier_remove(RAMBlockEncryptedNotifier *n)
> +{
> +    QLIST_REMOVE(n, next);
> +}
> +
> +void ram_block_encrypted_notify_add(void *host, size_t size)
> +{
> +    RAMBlockEncryptedNotifier *notifier;
> +
> +    QLIST_FOREACH(notifier,
> +                  &ram_block_encrypted_notifier_list.ram_block_notifiers,
> +                  next) {
> +        notifier->ram_block_encrypted_added(notifier, host, size);
> +    }
> +}
> +
> +void ram_block_encrypted_notify_remove(void *host, size_t size)
> +{
> +    RAMBlockEncryptedNotifier *notifier;
> +
> +    QLIST_FOREACH(notifier,
> +                  &ram_block_encrypted_notifier_list.ram_block_notifiers,
> +                  next) {
> +        notifier->ram_block_encrypted_removed(notifier, host, size);
> +    }
> +}
> +
>  void ram_block_notifier_add(RAMBlockNotifier *n)
>  {
>      QLIST_INSERT_HEAD(&ram_list.ramblock_notifiers, n, next);
> diff --git a/stubs/ram-block.c b/stubs/ram-block.c
> index 73c0a3ee08..0f68922feb 100644
> --- a/stubs/ram-block.c
> +++ b/stubs/ram-block.c
> @@ -25,6 +25,14 @@ void ram_block_notifier_remove(RAMBlockNotifier *n)
>  {
>  }
>  
> +void ram_block_encrypted_notifier_add(RAMBlockEncryptedNotifier *n)
> +{
> +}
> +
> +void ram_block_encrypted_notifier_remove(RAMBlockEncryptedNotifier *n)
> +{
> +}
> +
>  int qemu_ram_foreach_block(RAMBlockIterFunc func, void *opaque)
>  {
>      return 0;

Re: [Qemu-devel] [PATCH 1/3] ram-encrypted-notifier: Introduce a RAM block encrypted notifier

[Janakarajan Natarajan]

On 4/26/19 7:29 AM, Igor Mammedov wrote:
> On Thu, 25 Apr 2019 22:58:18 +0000
> "Natarajan, Janakarajan" <Janakarajan.Natarajan@amd.com> wrote:
>
>> A client can register to this notifier to know whether the newly added or
>> removed memory region is marked as encrypted. This information is needed
>> for the SEV guest launch. In SEV guest, some memory regions may contain
>> encrypted data (e.g guest RAM). The memory region which contains the
>> encrypted data should be registered/unregistered using the
>> KVM_MEMORY_{REG,UNREG}_ENCRYPTED ioctl.
>>
>> Signed-off-by: Janakarajan Natarajan <Janakarajan.Natarajan@amd.com>
>> ---
>>   exec.c                 |  1 +
>>   include/exec/memory.h  | 18 ++++++++++++++++++
>>   include/exec/ramlist.h | 19 +++++++++++++++++++
>>   memory.c               | 16 ++++++++++++++++
>>   numa.c                 | 33 +++++++++++++++++++++++++++++++++
>>   stubs/ram-block.c      |  8 ++++++++
>>   6 files changed, 95 insertions(+)
>>
>> diff --git a/exec.c b/exec.c
>> index 2646207661..a02c394e48 100644
>> --- a/exec.c
>> +++ b/exec.c
>> @@ -79,6 +79,7 @@
>>    * are protected by the ramlist lock.
>>    */
>>   RAMList ram_list = { .blocks = QLIST_HEAD_INITIALIZER(ram_list.blocks) };
>> +RAMBlockEncryptedNotifierList ram_block_encrypted_notifier_list;
>>   
>>   static MemoryRegion *system_memory;
>>   static MemoryRegion *system_io;
>> diff --git a/include/exec/memory.h b/include/exec/memory.h
>> index 9144a47f57..ae720ff511 100644
>> --- a/include/exec/memory.h
>> +++ b/include/exec/memory.h
>> @@ -374,6 +374,7 @@ struct MemoryRegion {
>>       bool terminates;
>>       bool ram_device;
>>       bool enabled;
>> +    bool encrypted;
>>       bool warning_printed; /* For reservations */
>>       uint8_t vga_logging_count;
>>       MemoryRegion *alias;
>> @@ -1131,6 +1132,23 @@ int memory_region_iommu_attrs_to_index(IOMMUMemoryRegion *iommu_mr,
>>    */
>>   int memory_region_iommu_num_indexes(IOMMUMemoryRegion *iommu_mr);
>>   
>> +/**
>> + * memory_region_mark_encrypted: marks the memory region as encrypted and
>> + * lets the listeners of encrypted ram know that a memory region containing
>> + * encrypted ram block has been added
>> + *
>> + * @mr: the memory region
>> + */
>> +void memory_region_mark_encrypted(MemoryRegion *mr);
>> +
>> +/**
>> + * memory_region_is_encrypted: returns if the memory region was marked as
>> + * encrypted when it was created
>> + *
>> + * @mr: the memory region
>> + */
>> +bool memory_region_is_encrypted(MemoryRegion *mr);
>> +
>>   /**
>>    * memory_region_name: get a memory region's name
>>    *
>> diff --git a/include/exec/ramlist.h b/include/exec/ramlist.h
>> index bc4faa1b00..5349f27fa5 100644
>> --- a/include/exec/ramlist.h
>> +++ b/include/exec/ramlist.h
>> @@ -7,6 +7,7 @@
>>   #include "qemu/rcu_queue.h"
>>   
>>   typedef struct RAMBlockNotifier RAMBlockNotifier;
>> +typedef struct RAMBlockEncryptedNotifier RAMBlockEncryptedNotifier;
>>   
>>   #define DIRTY_MEMORY_VGA       0
>>   #define DIRTY_MEMORY_CODE      1
>> @@ -55,6 +56,11 @@ typedef struct RAMList {
>>   } RAMList;
>>   extern RAMList ram_list;
>>   
>> +typedef struct RAMBlockEncryptedNotifierList {
>> +    QLIST_HEAD(, RAMBlockEncryptedNotifier) ram_block_notifiers;
>> +} RAMBlockEncryptedNotifierList;
>> +extern RAMBlockEncryptedNotifierList ram_block_encrypted_notifier_list;
>> +
>>   /* Should be holding either ram_list.mutex, or the RCU lock. */
>>   #define  INTERNAL_RAMBLOCK_FOREACH(block)  \
>>       QLIST_FOREACH_RCU(block, &ram_list.blocks, next)
>> @@ -70,6 +76,14 @@ struct RAMBlockNotifier {
>>       QLIST_ENTRY(RAMBlockNotifier) next;
>>   };
>>   
>> +struct RAMBlockEncryptedNotifier {
>> +    void (*ram_block_encrypted_added)(RAMBlockEncryptedNotifier *n,
>> +                                      void *host, size_t size);
>> +    void (*ram_block_encrypted_removed)(RAMBlockEncryptedNotifier *n,
>> +                                        void *host, size_t size);
>> +    QLIST_ENTRY(RAMBlockEncryptedNotifier) next;
>> +};
>> +
>>   void ram_block_notifier_add(RAMBlockNotifier *n);
>>   void ram_block_notifier_remove(RAMBlockNotifier *n);
>>   void ram_block_notify_add(void *host, size_t size);
>> @@ -77,4 +91,9 @@ void ram_block_notify_remove(void *host, size_t size);
>>   
>>   void ram_block_dump(Monitor *mon);
>>   
>> +void ram_block_encrypted_notifier_add(RAMBlockEncryptedNotifier *n);
>> +void ram_block_encrypted_notifier_remove(RAMBlockEncryptedNotifier *n);
>> +void ram_block_encrypted_notify_add(void *host, size_t size);
>> +void ram_block_encrypted_notify_remove(void *host, size_t size);
>> +
>>   #endif /* RAMLIST_H */
>> diff --git a/memory.c b/memory.c
>> index bb2b71ee38..eca02d369b 100644
>> --- a/memory.c
>> +++ b/memory.c
>> @@ -2009,6 +2009,22 @@ int memory_region_iommu_num_indexes(IOMMUMemoryRegion *iommu_mr)
>>       return imrc->num_indexes(iommu_mr);
>>   }
>>   
>> +void memory_region_mark_encrypted(MemoryRegion *mr)
>> +{
>> +    RAMBlock *block = mr->ram_block;
>> +
>> +    mr->encrypted = kvm_memcrypt_enabled();
>> +
>> +    if (mr->encrypted) {
>> +        ram_block_encrypted_notify_add(block->host, block->max_length);
>> +    }
>> +}
>> +
>> +bool memory_region_is_encrypted(MemoryRegion *mr)
>> +{
>> +    return mr->encrypted;
>> +}
>> +
>>   void memory_region_set_log(MemoryRegion *mr, bool log, unsigned client)
>>   {
>>       uint8_t mask = 1 << client;
>> diff --git a/numa.c b/numa.c
>> index 3875e1efda..08601366c5 100644
>> --- a/numa.c
>> +++ b/numa.c
> looks like wrong file to put RAMBlock code in. I though that we should put it in exec.c


I placed the RAMBlockEncrypted Notifier code along with the RAMBlock 
Notifier code.


>
>> @@ -638,6 +638,39 @@ MemdevList *qmp_query_memdev(Error **errp)
>>       return list;
>>   }
>>   
>> +void ram_block_encrypted_notifier_add(RAMBlockEncryptedNotifier *n)
>> +{
>> +    QLIST_INSERT_HEAD(&ram_block_encrypted_notifier_list.ram_block_notifiers,
>> +                      n, next);
>> +}
>> +
>> +void ram_block_encrypted_notifier_remove(RAMBlockEncryptedNotifier *n)
>> +{
>> +    QLIST_REMOVE(n, next);
>> +}
>> +
>> +void ram_block_encrypted_notify_add(void *host, size_t size)
>> +{
>> +    RAMBlockEncryptedNotifier *notifier;
>> +
>> +    QLIST_FOREACH(notifier,
>> +                  &ram_block_encrypted_notifier_list.ram_block_notifiers,
>> +                  next) {
>> +        notifier->ram_block_encrypted_added(notifier, host, size);
>> +    }
>> +}
>> +
>> +void ram_block_encrypted_notify_remove(void *host, size_t size)
>> +{
>> +    RAMBlockEncryptedNotifier *notifier;
>> +
>> +    QLIST_FOREACH(notifier,
>> +                  &ram_block_encrypted_notifier_list.ram_block_notifiers,
>> +                  next) {
>> +        notifier->ram_block_encrypted_removed(notifier, host, size);
>> +    }
>> +}
>> +
>>   void ram_block_notifier_add(RAMBlockNotifier *n)
>>   {
>>       QLIST_INSERT_HEAD(&ram_list.ramblock_notifiers, n, next);
>> diff --git a/stubs/ram-block.c b/stubs/ram-block.c
>> index 73c0a3ee08..0f68922feb 100644
>> --- a/stubs/ram-block.c
>> +++ b/stubs/ram-block.c
>> @@ -25,6 +25,14 @@ void ram_block_notifier_remove(RAMBlockNotifier *n)
>>   {
>>   }
>>   
>> +void ram_block_encrypted_notifier_add(RAMBlockEncryptedNotifier *n)
>> +{
>> +}
>> +
>> +void ram_block_encrypted_notifier_remove(RAMBlockEncryptedNotifier *n)
>> +{
>> +}
>> +
>>   int qemu_ram_foreach_block(RAMBlockIterFunc func, void *opaque)
>>   {
>>       return 0;

Re: [Qemu-devel] [PATCH 1/3] ram-encrypted-notifier: Introduce a RAM block encrypted notifier

[Janakarajan Natarajan]

On 4/26/19 7:29 AM, Igor Mammedov wrote:
> On Thu, 25 Apr 2019 22:58:18 +0000
> "Natarajan, Janakarajan" <Janakarajan.Natarajan@amd.com> wrote:
>
>> A client can register to this notifier to know whether the newly added or
>> removed memory region is marked as encrypted. This information is needed
>> for the SEV guest launch. In SEV guest, some memory regions may contain
>> encrypted data (e.g guest RAM). The memory region which contains the
>> encrypted data should be registered/unregistered using the
>> KVM_MEMORY_{REG,UNREG}_ENCRYPTED ioctl.
>>
>> Signed-off-by: Janakarajan Natarajan <Janakarajan.Natarajan@amd.com>
>> ---
>>   exec.c                 |  1 +
>>   include/exec/memory.h  | 18 ++++++++++++++++++
>>   include/exec/ramlist.h | 19 +++++++++++++++++++
>>   memory.c               | 16 ++++++++++++++++
>>   numa.c                 | 33 +++++++++++++++++++++++++++++++++
>>   stubs/ram-block.c      |  8 ++++++++
>>   6 files changed, 95 insertions(+)
>>
>> diff --git a/exec.c b/exec.c
>> index 2646207661..a02c394e48 100644
>> --- a/exec.c
>> +++ b/exec.c
>> @@ -79,6 +79,7 @@
>>    * are protected by the ramlist lock.
>>    */
>>   RAMList ram_list = { .blocks = QLIST_HEAD_INITIALIZER(ram_list.blocks) };
>> +RAMBlockEncryptedNotifierList ram_block_encrypted_notifier_list;
>>   
>>   static MemoryRegion *system_memory;
>>   static MemoryRegion *system_io;
>> diff --git a/include/exec/memory.h b/include/exec/memory.h
>> index 9144a47f57..ae720ff511 100644
>> --- a/include/exec/memory.h
>> +++ b/include/exec/memory.h
>> @@ -374,6 +374,7 @@ struct MemoryRegion {
>>       bool terminates;
>>       bool ram_device;
>>       bool enabled;
>> +    bool encrypted;
>>       bool warning_printed; /* For reservations */
>>       uint8_t vga_logging_count;
>>       MemoryRegion *alias;
>> @@ -1131,6 +1132,23 @@ int memory_region_iommu_attrs_to_index(IOMMUMemoryRegion *iommu_mr,
>>    */
>>   int memory_region_iommu_num_indexes(IOMMUMemoryRegion *iommu_mr);
>>   
>> +/**
>> + * memory_region_mark_encrypted: marks the memory region as encrypted and
>> + * lets the listeners of encrypted ram know that a memory region containing
>> + * encrypted ram block has been added
>> + *
>> + * @mr: the memory region
>> + */
>> +void memory_region_mark_encrypted(MemoryRegion *mr);
>> +
>> +/**
>> + * memory_region_is_encrypted: returns if the memory region was marked as
>> + * encrypted when it was created
>> + *
>> + * @mr: the memory region
>> + */
>> +bool memory_region_is_encrypted(MemoryRegion *mr);
>> +
>>   /**
>>    * memory_region_name: get a memory region's name
>>    *
>> diff --git a/include/exec/ramlist.h b/include/exec/ramlist.h
>> index bc4faa1b00..5349f27fa5 100644
>> --- a/include/exec/ramlist.h
>> +++ b/include/exec/ramlist.h
>> @@ -7,6 +7,7 @@
>>   #include "qemu/rcu_queue.h"
>>   
>>   typedef struct RAMBlockNotifier RAMBlockNotifier;
>> +typedef struct RAMBlockEncryptedNotifier RAMBlockEncryptedNotifier;
>>   
>>   #define DIRTY_MEMORY_VGA       0
>>   #define DIRTY_MEMORY_CODE      1
>> @@ -55,6 +56,11 @@ typedef struct RAMList {
>>   } RAMList;
>>   extern RAMList ram_list;
>>   
>> +typedef struct RAMBlockEncryptedNotifierList {
>> +    QLIST_HEAD(, RAMBlockEncryptedNotifier) ram_block_notifiers;
>> +} RAMBlockEncryptedNotifierList;
>> +extern RAMBlockEncryptedNotifierList ram_block_encrypted_notifier_list;
>> +
>>   /* Should be holding either ram_list.mutex, or the RCU lock. */
>>   #define  INTERNAL_RAMBLOCK_FOREACH(block)  \
>>       QLIST_FOREACH_RCU(block, &ram_list.blocks, next)
>> @@ -70,6 +76,14 @@ struct RAMBlockNotifier {
>>       QLIST_ENTRY(RAMBlockNotifier) next;
>>   };
>>   
>> +struct RAMBlockEncryptedNotifier {
>> +    void (*ram_block_encrypted_added)(RAMBlockEncryptedNotifier *n,
>> +                                      void *host, size_t size);
>> +    void (*ram_block_encrypted_removed)(RAMBlockEncryptedNotifier *n,
>> +                                        void *host, size_t size);
>> +    QLIST_ENTRY(RAMBlockEncryptedNotifier) next;
>> +};
>> +
>>   void ram_block_notifier_add(RAMBlockNotifier *n);
>>   void ram_block_notifier_remove(RAMBlockNotifier *n);
>>   void ram_block_notify_add(void *host, size_t size);
>> @@ -77,4 +91,9 @@ void ram_block_notify_remove(void *host, size_t size);
>>   
>>   void ram_block_dump(Monitor *mon);
>>   
>> +void ram_block_encrypted_notifier_add(RAMBlockEncryptedNotifier *n);
>> +void ram_block_encrypted_notifier_remove(RAMBlockEncryptedNotifier *n);
>> +void ram_block_encrypted_notify_add(void *host, size_t size);
>> +void ram_block_encrypted_notify_remove(void *host, size_t size);
>> +
>>   #endif /* RAMLIST_H */
>> diff --git a/memory.c b/memory.c
>> index bb2b71ee38..eca02d369b 100644
>> --- a/memory.c
>> +++ b/memory.c
>> @@ -2009,6 +2009,22 @@ int memory_region_iommu_num_indexes(IOMMUMemoryRegion *iommu_mr)
>>       return imrc->num_indexes(iommu_mr);
>>   }
>>   
>> +void memory_region_mark_encrypted(MemoryRegion *mr)
>> +{
>> +    RAMBlock *block = mr->ram_block;
>> +
>> +    mr->encrypted = kvm_memcrypt_enabled();
>> +
>> +    if (mr->encrypted) {
>> +        ram_block_encrypted_notify_add(block->host, block->max_length);
>> +    }
>> +}
>> +
>> +bool memory_region_is_encrypted(MemoryRegion *mr)
>> +{
>> +    return mr->encrypted;
>> +}
>> +
>>   void memory_region_set_log(MemoryRegion *mr, bool log, unsigned client)
>>   {
>>       uint8_t mask = 1 << client;
>> diff --git a/numa.c b/numa.c
>> index 3875e1efda..08601366c5 100644
>> --- a/numa.c
>> +++ b/numa.c
> looks like wrong file to put RAMBlock code in. I though that we should put it in exec.c


I placed the RAMBlockEncrypted Notifier code along with the RAMBlock 
Notifier code.


>
>> @@ -638,6 +638,39 @@ MemdevList *qmp_query_memdev(Error **errp)
>>       return list;
>>   }
>>   
>> +void ram_block_encrypted_notifier_add(RAMBlockEncryptedNotifier *n)
>> +{
>> +    QLIST_INSERT_HEAD(&ram_block_encrypted_notifier_list.ram_block_notifiers,
>> +                      n, next);
>> +}
>> +
>> +void ram_block_encrypted_notifier_remove(RAMBlockEncryptedNotifier *n)
>> +{
>> +    QLIST_REMOVE(n, next);
>> +}
>> +
>> +void ram_block_encrypted_notify_add(void *host, size_t size)
>> +{
>> +    RAMBlockEncryptedNotifier *notifier;
>> +
>> +    QLIST_FOREACH(notifier,
>> +                  &ram_block_encrypted_notifier_list.ram_block_notifiers,
>> +                  next) {
>> +        notifier->ram_block_encrypted_added(notifier, host, size);
>> +    }
>> +}
>> +
>> +void ram_block_encrypted_notify_remove(void *host, size_t size)
>> +{
>> +    RAMBlockEncryptedNotifier *notifier;
>> +
>> +    QLIST_FOREACH(notifier,
>> +                  &ram_block_encrypted_notifier_list.ram_block_notifiers,
>> +                  next) {
>> +        notifier->ram_block_encrypted_removed(notifier, host, size);
>> +    }
>> +}
>> +
>>   void ram_block_notifier_add(RAMBlockNotifier *n)
>>   {
>>       QLIST_INSERT_HEAD(&ram_list.ramblock_notifiers, n, next);
>> diff --git a/stubs/ram-block.c b/stubs/ram-block.c
>> index 73c0a3ee08..0f68922feb 100644
>> --- a/stubs/ram-block.c
>> +++ b/stubs/ram-block.c
>> @@ -25,6 +25,14 @@ void ram_block_notifier_remove(RAMBlockNotifier *n)
>>   {
>>   }
>>   
>> +void ram_block_encrypted_notifier_add(RAMBlockEncryptedNotifier *n)
>> +{
>> +}
>> +
>> +void ram_block_encrypted_notifier_remove(RAMBlockEncryptedNotifier *n)
>> +{
>> +}
>> +
>>   int qemu_ram_foreach_block(RAMBlockIterFunc func, void *opaque)
>>   {
>>       return 0;

Re: [Qemu-devel] [PATCH 1/3] ram-encrypted-notifier: Introduce a RAM block encrypted notifier

[Eduardo Habkost]

On Fri, Apr 26, 2019 at 02:32:51PM +0000, Janakarajan Natarajan wrote:
> On 4/26/19 7:29 AM, Igor Mammedov wrote:
[...]
> >> diff --git a/numa.c b/numa.c
> >> index 3875e1efda..08601366c5 100644
> >> --- a/numa.c
> >> +++ b/numa.c
> > looks like wrong file to put RAMBlock code in. I though that we should put it in exec.c
> 
> 
> I placed the RAMBlockEncrypted Notifier code along with the RAMBlock 
> Notifier code.

Paolo, Fam, do you remember why was the ram block notifier code
added to numa.c instead of memory.c or exec.c?

-- 
Eduardo

Re: [Qemu-devel] [PATCH 1/3] ram-encrypted-notifier: Introduce a RAM block encrypted notifier

[Eduardo Habkost]

On Fri, Apr 26, 2019 at 02:32:51PM +0000, Janakarajan Natarajan wrote:
> On 4/26/19 7:29 AM, Igor Mammedov wrote:
[...]
> >> diff --git a/numa.c b/numa.c
> >> index 3875e1efda..08601366c5 100644
> >> --- a/numa.c
> >> +++ b/numa.c
> > looks like wrong file to put RAMBlock code in. I though that we should put it in exec.c
> 
> 
> I placed the RAMBlockEncrypted Notifier code along with the RAMBlock 
> Notifier code.

Paolo, Fam, do you remember why was the ram block notifier code
added to numa.c instead of memory.c or exec.c?

-- 
Eduardo

Re: [Qemu-devel] [PATCH 1/3] ram-encrypted-notifier: Introduce a RAM block encrypted notifier

[Natarajan, Janakarajan]

On 5/3/2019 1:25 PM, Eduardo Habkost wrote:
> [CAUTION: External Email]
>
> On Fri, Apr 26, 2019 at 02:32:51PM +0000, Janakarajan Natarajan wrote:
>> On 4/26/19 7:29 AM, Igor Mammedov wrote:
> [...]
>>>> diff --git a/numa.c b/numa.c
>>>> index 3875e1efda..08601366c5 100644
>>>> --- a/numa.c
>>>> +++ b/numa.c
>>> looks like wrong file to put RAMBlock code in. I though that we should put it in exec.c
>>
>> I placed the RAMBlockEncrypted Notifier code along with the RAMBlock
>> Notifier code.
> Paolo, Fam, do you remember why was the ram block notifier code
> added to numa.c instead of memory.c or exec.c?


Any updates on this?


>
> --
> Eduardo