From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-18.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER, INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3BA97C433E0 for ; Mon, 8 Feb 2021 06:06:58 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id EEFF764E07 for ; Mon, 8 Feb 2021 06:06:57 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229733AbhBHGGx (ORCPT ); Mon, 8 Feb 2021 01:06:53 -0500 Received: from bilbo.ozlabs.org ([203.11.71.1]:51239 "EHLO ozlabs.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229681AbhBHGGe (ORCPT ); Mon, 8 Feb 2021 01:06:34 -0500 Received: by ozlabs.org (Postfix, from userid 1007) id 4DYwVs3z6Pz9sVt; Mon, 8 Feb 2021 17:05:41 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gibson.dropbear.id.au; s=201602; t=1612764341; bh=HatGcTSprIrTulxbpIQAS0oYiQKEyFDrhO9QP/pGcuE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=baOj3Flcmvp9RGtBHOPeNuS21B/6AWCw5OjRWusJf+y+P38MtYawnJJZ1FzjqGtMw astBTtEoZ0dLWs5mVPLGIk00lvZSIiGw7YY2VeJlNF6eFxgWEz5G9wY4KjswY3DQo7 fVnLed1qb5Ej7gNcEam/6F3XUr0G+SUN/o8uu7L4= From: David Gibson To: pasic@linux.ibm.com, dgilbert@redhat.com, pair@us.ibm.com, qemu-devel@nongnu.org, brijesh.singh@amd.com Cc: ehabkost@redhat.com, mtosatti@redhat.com, mst@redhat.com, jun.nakajima@intel.com, kvm@vger.kernel.org, Richard Henderson , qemu-s390x@nongnu.org, Marcel Apfelbaum , pbonzini@redhat.com, frankja@linux.ibm.com, andi.kleen@intel.com, cohuck@redhat.com, Thomas Huth , borntraeger@de.ibm.com, mdroth@linux.vnet.ibm.com, David Gibson , =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= , qemu-ppc@nongnu.org, David Hildenbrand , Greg Kurz , pragyansri.pathi@intel.com Subject: [PULL v9 05/13] confidential guest support: Rework the "memory-encryption" property Date: Mon, 8 Feb 2021 17:05:30 +1100 Message-Id: <20210208060538.39276-6-david@gibson.dropbear.id.au> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20210208060538.39276-1-david@gibson.dropbear.id.au> References: <20210208060538.39276-1-david@gibson.dropbear.id.au> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: kvm@vger.kernel.org Currently the "memory-encryption" property is only looked at once we get to kvm_init(). Although protection of guest memory from the hypervisor isn't something that could really ever work with TCG, it's not conceptually tied to the KVM accelerator. In addition, the way the string property is resolved to an object is almost identical to how a QOM link property is handled. So, create a new "confidential-guest-support" link property which sets this QOM interface link directly in the machine. For compatibility we keep the "memory-encryption" property, but now implemented in terms of the new property. Signed-off-by: David Gibson Reviewed-by: Greg Kurz Reviewed-by: Cornelia Huck --- accel/kvm/kvm-all.c | 5 +++-- accel/kvm/sev-stub.c | 5 +++-- hw/core/machine.c | 43 +++++++++++++++++++++++++++++++++++++------ include/hw/boards.h | 2 +- include/sysemu/sev.h | 2 +- target/i386/sev.c | 32 ++------------------------------ 6 files changed, 47 insertions(+), 42 deletions(-) diff --git a/accel/kvm/kvm-all.c b/accel/kvm/kvm-all.c index 3526e88b6c..88a6b8c19e 100644 --- a/accel/kvm/kvm-all.c +++ b/accel/kvm/kvm-all.c @@ -2184,8 +2184,9 @@ static int kvm_init(MachineState *ms) * if memory encryption object is specified then initialize the memory * encryption context. */ - if (ms->memory_encryption) { - ret = sev_guest_init(ms->memory_encryption); + if (ms->cgs) { + /* FIXME handle mechanisms other than SEV */ + ret = sev_kvm_init(ms->cgs); if (ret < 0) { goto err; } diff --git a/accel/kvm/sev-stub.c b/accel/kvm/sev-stub.c index 5db9ab8f00..3d4787ae4a 100644 --- a/accel/kvm/sev-stub.c +++ b/accel/kvm/sev-stub.c @@ -15,7 +15,8 @@ #include "qemu-common.h" #include "sysemu/sev.h" -int sev_guest_init(const char *id) +int sev_kvm_init(ConfidentialGuestSupport *cgs) { - return -1; + /* SEV can't be selected if it's not compiled */ + g_assert_not_reached(); } diff --git a/hw/core/machine.c b/hw/core/machine.c index 919067b5c9..f45a795478 100644 --- a/hw/core/machine.c +++ b/hw/core/machine.c @@ -32,6 +32,7 @@ #include "hw/mem/nvdimm.h" #include "migration/global_state.h" #include "migration/vmstate.h" +#include "exec/confidential-guest-support.h" GlobalProperty hw_compat_5_2[] = {}; const size_t hw_compat_5_2_len = G_N_ELEMENTS(hw_compat_5_2); @@ -427,16 +428,37 @@ static char *machine_get_memory_encryption(Object *obj, Error **errp) { MachineState *ms = MACHINE(obj); - return g_strdup(ms->memory_encryption); + if (ms->cgs) { + return g_strdup(object_get_canonical_path_component(OBJECT(ms->cgs))); + } + + return NULL; } static void machine_set_memory_encryption(Object *obj, const char *value, Error **errp) { - MachineState *ms = MACHINE(obj); + Object *cgs = + object_resolve_path_component(object_get_objects_root(), value); + + if (!cgs) { + error_setg(errp, "No such memory encryption object '%s'", value); + return; + } - g_free(ms->memory_encryption); - ms->memory_encryption = g_strdup(value); + object_property_set_link(obj, "confidential-guest-support", cgs, errp); +} + +static void machine_check_confidential_guest_support(const Object *obj, + const char *name, + Object *new_target, + Error **errp) +{ + /* + * So far the only constraint is that the target has the + * TYPE_CONFIDENTIAL_GUEST_SUPPORT interface, and that's checked + * by the QOM core + */ } static bool machine_get_nvdimm(Object *obj, Error **errp) @@ -836,6 +858,15 @@ static void machine_class_init(ObjectClass *oc, void *data) object_class_property_set_description(oc, "suppress-vmdesc", "Set on to disable self-describing migration"); + object_class_property_add_link(oc, "confidential-guest-support", + TYPE_CONFIDENTIAL_GUEST_SUPPORT, + offsetof(MachineState, cgs), + machine_check_confidential_guest_support, + OBJ_PROP_LINK_STRONG); + object_class_property_set_description(oc, "confidential-guest-support", + "Set confidential guest scheme to support"); + + /* For compatibility */ object_class_property_add_str(oc, "memory-encryption", machine_get_memory_encryption, machine_set_memory_encryption); object_class_property_set_description(oc, "memory-encryption", @@ -1158,9 +1189,9 @@ void machine_run_board_init(MachineState *machine) cc->deprecation_note); } - if (machine->memory_encryption) { + if (machine->cgs) { /* - * With memory encryption, the host can't see the real + * With confidential guests, the host can't see the real * contents of RAM, so there's no point in it trying to merge * areas. */ diff --git a/include/hw/boards.h b/include/hw/boards.h index 85af4faf76..a46dfe5d1a 100644 --- a/include/hw/boards.h +++ b/include/hw/boards.h @@ -270,7 +270,7 @@ struct MachineState { bool iommu; bool suppress_vmdesc; bool enable_graphics; - char *memory_encryption; + ConfidentialGuestSupport *cgs; char *ram_memdev_id; /* * convenience alias to ram_memdev_id backend memory region diff --git a/include/sysemu/sev.h b/include/sysemu/sev.h index 7335e59867..3b5b1aacf1 100644 --- a/include/sysemu/sev.h +++ b/include/sysemu/sev.h @@ -16,7 +16,7 @@ #include "sysemu/kvm.h" -int sev_guest_init(const char *id); +int sev_kvm_init(ConfidentialGuestSupport *cgs); int sev_encrypt_flash(uint8_t *ptr, uint64_t len, Error **errp); int sev_inject_launch_secret(const char *hdr, const char *secret, uint64_t gpa, Error **errp); diff --git a/target/i386/sev.c b/target/i386/sev.c index 8d4e1ea262..fa962d533c 100644 --- a/target/i386/sev.c +++ b/target/i386/sev.c @@ -335,26 +335,6 @@ static const TypeInfo sev_guest_info = { } }; -static SevGuestState * -lookup_sev_guest_info(const char *id) -{ - Object *obj; - SevGuestState *info; - - obj = object_resolve_path_component(object_get_objects_root(), id); - if (!obj) { - return NULL; - } - - info = (SevGuestState *) - object_dynamic_cast(obj, TYPE_SEV_GUEST); - if (!info) { - return NULL; - } - - return info; -} - bool sev_enabled(void) { @@ -682,10 +662,9 @@ sev_vm_state_change(void *opaque, int running, RunState state) } } -int -sev_guest_init(const char *id) +int sev_kvm_init(ConfidentialGuestSupport *cgs) { - SevGuestState *sev; + SevGuestState *sev = SEV_GUEST(cgs); char *devname; int ret, fw_error; uint32_t ebx; @@ -698,13 +677,6 @@ sev_guest_init(const char *id) return -1; } - sev = lookup_sev_guest_info(id); - if (!sev) { - error_report("%s: '%s' is not a valid '%s' object", - __func__, id, TYPE_SEV_GUEST); - goto err; - } - sev_guest = sev; sev->state = SEV_STATE_UNINIT; -- 2.29.2 From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.6 required=3.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 67E3EC433DB for ; Mon, 8 Feb 2021 09:42:26 +0000 (UTC) Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 3176C64E85 for ; Mon, 8 Feb 2021 09:42:25 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 3176C64E85 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=gibson.dropbear.id.au Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Received: from localhost ([::1]:48198 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1l933j-0006wO-4K for qemu-devel@archiver.kernel.org; Mon, 08 Feb 2021 04:42:23 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]:58624) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1l8zgU-0007oN-AW; Mon, 08 Feb 2021 01:06:06 -0500 Received: from ozlabs.org ([2401:3900:2:1::2]:51389) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1l8zgS-00061Z-9Z; Mon, 08 Feb 2021 01:06:05 -0500 Received: by ozlabs.org (Postfix, from userid 1007) id 4DYwVs3z6Pz9sVt; Mon, 8 Feb 2021 17:05:41 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gibson.dropbear.id.au; s=201602; t=1612764341; bh=HatGcTSprIrTulxbpIQAS0oYiQKEyFDrhO9QP/pGcuE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=baOj3Flcmvp9RGtBHOPeNuS21B/6AWCw5OjRWusJf+y+P38MtYawnJJZ1FzjqGtMw astBTtEoZ0dLWs5mVPLGIk00lvZSIiGw7YY2VeJlNF6eFxgWEz5G9wY4KjswY3DQo7 fVnLed1qb5Ej7gNcEam/6F3XUr0G+SUN/o8uu7L4= From: David Gibson To: pasic@linux.ibm.com, dgilbert@redhat.com, pair@us.ibm.com, qemu-devel@nongnu.org, brijesh.singh@amd.com Subject: [PULL v9 05/13] confidential guest support: Rework the "memory-encryption" property Date: Mon, 8 Feb 2021 17:05:30 +1100 Message-Id: <20210208060538.39276-6-david@gibson.dropbear.id.au> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20210208060538.39276-1-david@gibson.dropbear.id.au> References: <20210208060538.39276-1-david@gibson.dropbear.id.au> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Received-SPF: pass client-ip=2401:3900:2:1::2; envelope-from=dgibson@ozlabs.org; helo=ozlabs.org X-Spam_score_int: -17 X-Spam_score: -1.8 X-Spam_bar: - X-Spam_report: (-1.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.248, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=no autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Thomas Huth , cohuck@redhat.com, =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= , ehabkost@redhat.com, kvm@vger.kernel.org, mst@redhat.com, mtosatti@redhat.com, Richard Henderson , mdroth@linux.vnet.ibm.com, borntraeger@de.ibm.com, qemu-s390x@nongnu.org, Greg Kurz , qemu-ppc@nongnu.org, pragyansri.pathi@intel.com, jun.nakajima@intel.com, andi.kleen@intel.com, pbonzini@redhat.com, David Hildenbrand , David Gibson , frankja@linux.ibm.com Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: "Qemu-devel" Currently the "memory-encryption" property is only looked at once we get to kvm_init(). Although protection of guest memory from the hypervisor isn't something that could really ever work with TCG, it's not conceptually tied to the KVM accelerator. In addition, the way the string property is resolved to an object is almost identical to how a QOM link property is handled. So, create a new "confidential-guest-support" link property which sets this QOM interface link directly in the machine. For compatibility we keep the "memory-encryption" property, but now implemented in terms of the new property. Signed-off-by: David Gibson Reviewed-by: Greg Kurz Reviewed-by: Cornelia Huck --- accel/kvm/kvm-all.c | 5 +++-- accel/kvm/sev-stub.c | 5 +++-- hw/core/machine.c | 43 +++++++++++++++++++++++++++++++++++++------ include/hw/boards.h | 2 +- include/sysemu/sev.h | 2 +- target/i386/sev.c | 32 ++------------------------------ 6 files changed, 47 insertions(+), 42 deletions(-) diff --git a/accel/kvm/kvm-all.c b/accel/kvm/kvm-all.c index 3526e88b6c..88a6b8c19e 100644 --- a/accel/kvm/kvm-all.c +++ b/accel/kvm/kvm-all.c @@ -2184,8 +2184,9 @@ static int kvm_init(MachineState *ms) * if memory encryption object is specified then initialize the memory * encryption context. */ - if (ms->memory_encryption) { - ret = sev_guest_init(ms->memory_encryption); + if (ms->cgs) { + /* FIXME handle mechanisms other than SEV */ + ret = sev_kvm_init(ms->cgs); if (ret < 0) { goto err; } diff --git a/accel/kvm/sev-stub.c b/accel/kvm/sev-stub.c index 5db9ab8f00..3d4787ae4a 100644 --- a/accel/kvm/sev-stub.c +++ b/accel/kvm/sev-stub.c @@ -15,7 +15,8 @@ #include "qemu-common.h" #include "sysemu/sev.h" -int sev_guest_init(const char *id) +int sev_kvm_init(ConfidentialGuestSupport *cgs) { - return -1; + /* SEV can't be selected if it's not compiled */ + g_assert_not_reached(); } diff --git a/hw/core/machine.c b/hw/core/machine.c index 919067b5c9..f45a795478 100644 --- a/hw/core/machine.c +++ b/hw/core/machine.c @@ -32,6 +32,7 @@ #include "hw/mem/nvdimm.h" #include "migration/global_state.h" #include "migration/vmstate.h" +#include "exec/confidential-guest-support.h" GlobalProperty hw_compat_5_2[] = {}; const size_t hw_compat_5_2_len = G_N_ELEMENTS(hw_compat_5_2); @@ -427,16 +428,37 @@ static char *machine_get_memory_encryption(Object *obj, Error **errp) { MachineState *ms = MACHINE(obj); - return g_strdup(ms->memory_encryption); + if (ms->cgs) { + return g_strdup(object_get_canonical_path_component(OBJECT(ms->cgs))); + } + + return NULL; } static void machine_set_memory_encryption(Object *obj, const char *value, Error **errp) { - MachineState *ms = MACHINE(obj); + Object *cgs = + object_resolve_path_component(object_get_objects_root(), value); + + if (!cgs) { + error_setg(errp, "No such memory encryption object '%s'", value); + return; + } - g_free(ms->memory_encryption); - ms->memory_encryption = g_strdup(value); + object_property_set_link(obj, "confidential-guest-support", cgs, errp); +} + +static void machine_check_confidential_guest_support(const Object *obj, + const char *name, + Object *new_target, + Error **errp) +{ + /* + * So far the only constraint is that the target has the + * TYPE_CONFIDENTIAL_GUEST_SUPPORT interface, and that's checked + * by the QOM core + */ } static bool machine_get_nvdimm(Object *obj, Error **errp) @@ -836,6 +858,15 @@ static void machine_class_init(ObjectClass *oc, void *data) object_class_property_set_description(oc, "suppress-vmdesc", "Set on to disable self-describing migration"); + object_class_property_add_link(oc, "confidential-guest-support", + TYPE_CONFIDENTIAL_GUEST_SUPPORT, + offsetof(MachineState, cgs), + machine_check_confidential_guest_support, + OBJ_PROP_LINK_STRONG); + object_class_property_set_description(oc, "confidential-guest-support", + "Set confidential guest scheme to support"); + + /* For compatibility */ object_class_property_add_str(oc, "memory-encryption", machine_get_memory_encryption, machine_set_memory_encryption); object_class_property_set_description(oc, "memory-encryption", @@ -1158,9 +1189,9 @@ void machine_run_board_init(MachineState *machine) cc->deprecation_note); } - if (machine->memory_encryption) { + if (machine->cgs) { /* - * With memory encryption, the host can't see the real + * With confidential guests, the host can't see the real * contents of RAM, so there's no point in it trying to merge * areas. */ diff --git a/include/hw/boards.h b/include/hw/boards.h index 85af4faf76..a46dfe5d1a 100644 --- a/include/hw/boards.h +++ b/include/hw/boards.h @@ -270,7 +270,7 @@ struct MachineState { bool iommu; bool suppress_vmdesc; bool enable_graphics; - char *memory_encryption; + ConfidentialGuestSupport *cgs; char *ram_memdev_id; /* * convenience alias to ram_memdev_id backend memory region diff --git a/include/sysemu/sev.h b/include/sysemu/sev.h index 7335e59867..3b5b1aacf1 100644 --- a/include/sysemu/sev.h +++ b/include/sysemu/sev.h @@ -16,7 +16,7 @@ #include "sysemu/kvm.h" -int sev_guest_init(const char *id); +int sev_kvm_init(ConfidentialGuestSupport *cgs); int sev_encrypt_flash(uint8_t *ptr, uint64_t len, Error **errp); int sev_inject_launch_secret(const char *hdr, const char *secret, uint64_t gpa, Error **errp); diff --git a/target/i386/sev.c b/target/i386/sev.c index 8d4e1ea262..fa962d533c 100644 --- a/target/i386/sev.c +++ b/target/i386/sev.c @@ -335,26 +335,6 @@ static const TypeInfo sev_guest_info = { } }; -static SevGuestState * -lookup_sev_guest_info(const char *id) -{ - Object *obj; - SevGuestState *info; - - obj = object_resolve_path_component(object_get_objects_root(), id); - if (!obj) { - return NULL; - } - - info = (SevGuestState *) - object_dynamic_cast(obj, TYPE_SEV_GUEST); - if (!info) { - return NULL; - } - - return info; -} - bool sev_enabled(void) { @@ -682,10 +662,9 @@ sev_vm_state_change(void *opaque, int running, RunState state) } } -int -sev_guest_init(const char *id) +int sev_kvm_init(ConfidentialGuestSupport *cgs) { - SevGuestState *sev; + SevGuestState *sev = SEV_GUEST(cgs); char *devname; int ret, fw_error; uint32_t ebx; @@ -698,13 +677,6 @@ sev_guest_init(const char *id) return -1; } - sev = lookup_sev_guest_info(id); - if (!sev) { - error_report("%s: '%s' is not a valid '%s' object", - __func__, id, TYPE_SEV_GUEST); - goto err; - } - sev_guest = sev; sev->state = SEV_STATE_UNINIT; -- 2.29.2