Re: [RFC PATCH v1 00/28] x86: Secure Encrypted Virtualization (AMD)

[Brijesh Singh <brijesh.singh@amd.com>]

Hi Paolo,

Thanks for reviews. I will incorporate your feedbacks in v2.

On 10/13/2016 06:19 AM, Paolo Bonzini wrote:
>
>
> On 23/08/2016 01:23, Brijesh Singh wrote:
>> TODO:
>> - send qemu/seabios RFC's on respective mailing list
>> - integrate the psp driver with CCP driver (they share the PCI id's)
>> - add SEV guest migration command support
>> - add SEV snapshotting command support
>> - determine how to do ioremap of physical memory with mem encryption enabled
>>   (e.g acpi tables)
>
> The would be encrypted, right?  Similar to the EFI data in patch 9.

Yes.

>
>> - determine how to share the guest memory with hypervisor for to support
>>   pvclock driver
>
> Is it enough if the guest makes that page unencrypted?
>

Yes that should be enough. If guest can mark a page as unencrypted then 
hypervisor should be able to read and write to that particular page.

Tom's patches have introduced API (set_memory_dec) to mark memory as 
unencrypted but pvclock drv runs very early during boot (when irq was 
disabled). Because of this we are not able to use set_memory_dec() to 
mark the page as unencrypted. Will need to come up with method for 
handling these cases.

> I reviewed the KVM host-side patches and they are pretty
> straightforward, so the comments on each patch suffice.
>
> Thanks,
>
> Paolo
>
>> Brijesh Singh (11):
>>       crypto: add AMD Platform Security Processor driver
>>       KVM: SVM: prepare to reserve asid for SEV guest
>>       KVM: SVM: prepare for SEV guest management API support
>>       KVM: introduce KVM_SEV_ISSUE_CMD ioctl
>>       KVM: SVM: add SEV launch start command
>>       KVM: SVM: add SEV launch update command
>>       KVM: SVM: add SEV_LAUNCH_FINISH command
>>       KVM: SVM: add KVM_SEV_GUEST_STATUS command
>>       KVM: SVM: add KVM_SEV_DEBUG_DECRYPT command
>>       KVM: SVM: add KVM_SEV_DEBUG_ENCRYPT command
>>       KVM: SVM: add command to query SEV API version
>>
>> Tom Lendacky (17):
>>       kvm: svm: Add support for additional SVM NPF error codes
>>       kvm: svm: Add kvm_fast_pio_in support
>>       kvm: svm: Use the hardware provided GPA instead of page walk
>>       x86: Secure Encrypted Virtualization (SEV) support
>>       KVM: SVM: prepare for new bit definition in nested_ctl
>>       KVM: SVM: Add SEV feature definitions to KVM
>>       x86: Do not encrypt memory areas if SEV is enabled
>>       Access BOOT related data encrypted with SEV active
>>       x86/efi: Access EFI data as encrypted when SEV is active
>>       x86: Change early_ioremap to early_memremap for BOOT data
>>       x86: Don't decrypt trampoline area if SEV is active
>>       x86: DMA support for SEV memory encryption
>>       iommu/amd: AMD IOMMU support for SEV
>>       x86: Don't set the SME MSR bit when SEV is active
>>       x86: Unroll string I/O when SEV is active
>>       x86: Add support to determine if running with SEV enabled
>>       KVM: SVM: Enable SEV by setting the SEV_ENABLE cpu feature
>>
>>
>>  arch/x86/boot/compressed/Makefile      |    2
>>  arch/x86/boot/compressed/head_64.S     |   19 +
>>  arch/x86/boot/compressed/mem_encrypt.S |  123 ++++
>>  arch/x86/include/asm/io.h              |   26 +
>>  arch/x86/include/asm/kvm_emulate.h     |    3
>>  arch/x86/include/asm/kvm_host.h        |   27 +
>>  arch/x86/include/asm/mem_encrypt.h     |    3
>>  arch/x86/include/asm/svm.h             |    3
>>  arch/x86/include/uapi/asm/hyperv.h     |    4
>>  arch/x86/include/uapi/asm/kvm_para.h   |    4
>>  arch/x86/kernel/acpi/boot.c            |    4
>>  arch/x86/kernel/head64.c               |    4
>>  arch/x86/kernel/mem_encrypt.S          |   44 ++
>>  arch/x86/kernel/mpparse.c              |   10
>>  arch/x86/kernel/setup.c                |    7
>>  arch/x86/kernel/x8664_ksyms_64.c       |    1
>>  arch/x86/kvm/cpuid.c                   |    4
>>  arch/x86/kvm/mmu.c                     |   20 +
>>  arch/x86/kvm/svm.c                     |  906 ++++++++++++++++++++++++++++++++
>>  arch/x86/kvm/x86.c                     |   73 +++
>>  arch/x86/mm/ioremap.c                  |    7
>>  arch/x86/mm/mem_encrypt.c              |   50 ++
>>  arch/x86/platform/efi/efi_64.c         |   14
>>  arch/x86/realmode/init.c               |   11
>>  drivers/crypto/Kconfig                 |   11
>>  drivers/crypto/Makefile                |    1
>>  drivers/crypto/psp/Kconfig             |    8
>>  drivers/crypto/psp/Makefile            |    3
>>  drivers/crypto/psp/psp-dev.c           |  220 ++++++++
>>  drivers/crypto/psp/psp-dev.h           |   95 +++
>>  drivers/crypto/psp/psp-ops.c           |  454 ++++++++++++++++
>>  drivers/crypto/psp/psp-pci.c           |  376 +++++++++++++
>>  drivers/sfi/sfi_core.c                 |    6
>>  include/linux/ccp-psp.h                |  833 +++++++++++++++++++++++++++++
>>  include/uapi/linux/Kbuild              |    1
>>  include/uapi/linux/ccp-psp.h           |  182 ++++++
>>  include/uapi/linux/kvm.h               |  125 ++++
>>  37 files changed, 3643 insertions(+), 41 deletions(-)
>>  create mode 100644 arch/x86/boot/compressed/mem_encrypt.S
>>  create mode 100644 drivers/crypto/psp/Kconfig
>>  create mode 100644 drivers/crypto/psp/Makefile
>>  create mode 100644 drivers/crypto/psp/psp-dev.c
>>  create mode 100644 drivers/crypto/psp/psp-dev.h
>>  create mode 100644 drivers/crypto/psp/psp-ops.c
>>  create mode 100644 drivers/crypto/psp/psp-pci.c
>>  create mode 100644 include/linux/ccp-psp.h
>>  create mode 100644 include/uapi/linux/ccp-psp.h
>>

--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>