From: Ashish Kalra <Ashish.Kalra@amd.com>
To: qemu-devel@nongnu.org
Cc: pbonzini@redhat.com, Thomas.Lendacky@amd.com,
	brijesh.singh@amd.com, dgilbert@redhat.com, ehabkost@redhat.com,
	dovmurik@linux.vnet.ibm.com, tobin@ibm.com, jejb@linux.ibm.com
Subject: [PATCH v4 00/14] Add SEV guest live migration support
Date: Wed,  4 Aug 2021 11:52:12 +0000	[thread overview]
Message-ID: <cover.1628076205.git.ashish.kalra@amd.com> (raw)

From: Ashish Kalra <ashish.kalra@amd.com>

AMD SEV encrypts the memory of VMs and because this encryption is done using
an address tweak, the hypervisor will not be able to simply copy ciphertext
between machines to migrate a VM. Instead the AMD SEV Key Management API
provides a set of functions which the hypervisor can use to package a
guest's encrypted pages for migration, while maintaining the confidentiality
provided by AMD SEV.

The patch series adds the support required in QEMU to perform SEV
guest live migration. Before initiating the live migration a user
should use the newly added 'migrate-set-sev-info' command to pass the
target machine's certificate chain. See docs/amd-memory-encryption.txt
for further details.

The complete tree with patch is available at:
https://github.com/AMDESE/qemu/tree/sev_live_migration_v4_1

Changes since v3:
 - Add new ConfidentialGuestMemoryEncryptionOps in
   ConfidentialGuestSupportClass which will be used for migration of
   encrypted guests.
 - Add support for KVM_HC_MAP_GPA_RANGE hypercall and its associated
   KVM_EXIT_HYPERCALL exit case which is currently used for SEV
   guest encrypted page status tracking.
 - Add support for SEV guest encrypted page status tracking
   implemented using shared regions list.
 - Add support for userspace MSR filtering, which is currently used
   for MSR_KVM_MIGRATION_CONTROL for SEV guests to indicate if the
   guest is ready for migration. The KVM arch code calls into SEV
   guest specific code to delete the migrate blocker added during
   SEV_LAUNCH_FINISH.

Changes since v2:
 - Remove direct kvm_memcrypt calls from migration.
 - Add MemoryEncryptionOps in machine which will be used by migration
   instead of kvm_memcrypt calls.
 - drop the RAM_SAVE_FLAG_PAGE_ENCRYPTED_BITMAP. Now the RAM_SAVE_FLAG_ENCRYPTED_PAGE
   can be used for sending bitmap as well as guest RAM encrypted pages
 - add some bound checks on incoming data
 - drop migrate-sev-set-info object
 - extend the migrate-parameters to include the SEV specific certificate fields.
 - multiple fixes based on the review comments from Dave
Changes since v1:
 - use the dirty log sync APIs to also sync the page encryption bitmap
   when SEV is active.

Ashish Kalra (4):
  kvm: Add support for SEV shared regions list and KVM_EXIT_HYPERCALL.
  migration/ram: Force encrypted status for flash0 & flash1 devices.
  migration: for SEV live migration bump downtime limit to 1s.
  kvm: Add support for userspace MSR filtering and handling of
    MSR_KVM_MIGRATION_CONTROL.

Brijesh Singh (10):
  doc: update AMD SEV API spec web link
  doc: update AMD SEV to include Live migration flow
  migration.json: add AMD SEV specific migration parameters
  confidential guest support: introduce
    ConfidentialGuestMemoryEncryptionOps for encrypted VMs
  target/i386: sev: provide callback to setup outgoing context
  target/i386: sev: do not create launch context for an incoming guest
  target/i386: sev: add support to encrypt the outgoing page
  target/i386: sev: add support to load incoming encrypted page
  migration: add support to migrate shared regions list
  migration/ram: add support to send encrypted pages

 docs/amd-memory-encryption.txt            |  50 +-
 include/exec/confidential-guest-support.h |  27 +
 include/sysemu/sev.h                      |  15 +
 linux-headers/linux/kvm.h                 |   3 +
 migration/migration.c                     |  65 +++
 migration/migration.h                     |   1 +
 migration/ram.c                           | 170 +++++-
 monitor/hmp-cmds.c                        |  18 +
 qapi/migration.json                       |  40 +-
 target/i386/kvm/kvm.c                     | 107 ++++
 target/i386/sev.c                         | 602 +++++++++++++++++++++-
 target/i386/trace-events                  |   6 +
 12 files changed, 1091 insertions(+), 13 deletions(-)

-- 
2.17.1


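The encrypted-page status tracking described in the v3 changelog (KVM_HC_MAP_GPA_RANGE hypercall exits feeding a shared regions list, which the migration code then consults to decide whether a page must be packaged by the SEV firmware or can be sent in the clear) can be modelled with a small interval list. The following is an added example written for this page, not code from the QEMU series or from its author: the structure, the function names and the sequence of hypercall events in demo_scenario() are assumptions, and the real series keeps this state in its own form. Everything not on the list is treated as encrypted, which is the safe default for a confidential guest.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1ULL << PAGE_SHIFT)
#define MAX_SHARED_REGIONS 64          /* assumed fixed capacity for the model */

/* A guest-physical range [gpa_start, gpa_end) the guest has marked shared (unencrypted). */
struct shared_region {
    uint64_t gpa_start;
    uint64_t gpa_end;
};

/* Sorted, non-overlapping list; any GPA not covered is considered encrypted. */
struct shared_regions {
    struct shared_region r[MAX_SHARED_REGIONS];
    size_t count;
};

static void region_insert_at(struct shared_regions *list, size_t idx, uint64_t s, uint64_t e)
{
    memmove(&list->r[idx + 1], &list->r[idx], (list->count - idx) * sizeof(list->r[0]));
    list->r[idx].gpa_start = s;
    list->r[idx].gpa_end = e;
    list->count++;
}

static void region_delete_at(struct shared_regions *list, size_t idx)
{
    memmove(&list->r[idx], &list->r[idx + 1], (list->count - idx - 1) * sizeof(list->r[0]));
    list->count--;
}

/* Mark [s, e) shared: absorb every overlapping or adjacent region into one span. */
bool shared_regions_add(struct shared_regions *list, uint64_t s, uint64_t e)
{
    size_t i = 0;
    while (i < list->count && list->r[i].gpa_end < s)
        i++;
    while (i < list->count && list->r[i].gpa_start <= e) {
        if (list->r[i].gpa_start < s) s = list->r[i].gpa_start;
        if (list->r[i].gpa_end > e)   e = list->r[i].gpa_end;
        region_delete_at(list, i);
    }
    if (list->count >= MAX_SHARED_REGIONS)
        return false;                   /* full and nothing merged: reject, state unchanged */
    region_insert_at(list, i, s, e);
    return true;
}

/* Mark [s, e) encrypted again: trim, split or drop the shared regions it overlaps. */
bool shared_regions_remove(struct shared_regions *list, uint64_t s, uint64_t e)
{
    size_t i = 0;
    while (i < list->count) {
        uint64_t rs = list->r[i].gpa_start, re = list->r[i].gpa_end;
        if (re <= s || rs >= e) { i++; continue; }          /* no overlap */
        if (rs < s && re > e) {                              /* hole in the middle: split */
            if (list->count >= MAX_SHARED_REGIONS)
                return false;
            list->r[i].gpa_end = s;
            region_insert_at(list, i + 1, e, re);
            return true;
        }
        if (rs < s) { list->r[i].gpa_end = s; i++; continue; }   /* trim tail */
        if (re > e) { list->r[i].gpa_start = e; i++; continue; } /* trim head */
        region_delete_at(list, i);                               /* fully covered */
    }
    return true;
}

/* Model of the KVM_EXIT_HYPERCALL handler for KVM_HC_MAP_GPA_RANGE:
 * enc=true means the guest is making the pages private, enc=false shared.
 * Unaligned, empty or wrapping ranges from the guest are rejected. */
bool handle_map_gpa_range(struct shared_regions *list, uint64_t gpa, uint64_t npages, bool enc)
{
    if ((gpa & (PAGE_SIZE - 1)) != 0 || npages == 0 || npages > (UINT64_MAX >> PAGE_SHIFT))
        return false;
    uint64_t len = npages << PAGE_SHIFT;
    if (gpa > UINT64_MAX - len)
        return false;
    return enc ? shared_regions_remove(list, gpa, gpa + len)
               : shared_regions_add(list, gpa, gpa + len);
}

/* What the RAM save path would ask before sending a page. */
bool is_gpa_encrypted(const struct shared_regions *list, uint64_t gpa)
{
    for (size_t i = 0; i < list->count; i++) {
        if (gpa < list->r[i].gpa_start) return true;
        if (gpa < list->r[i].gpa_end)   return false;
    }
    return true;
}

/* Constructed sequence of hypercall events, not a captured trace. */
bool demo_scenario(struct shared_regions *list)
{
    return handle_map_gpa_range(list, 0x10000, 4, false)   /* share 4 pages            */
        && handle_map_gpa_range(list, 0x14000, 2, false)   /* adjacent share, merges   */
        && handle_map_gpa_range(list, 0x12000, 1, true);   /* one page private again   */
}

int main(void)
{
    struct shared_regions l = { .count = 0 };
    if (!demo_scenario(&l)) { puts("scenario rejected"); return 1; }
    for (size_t i = 0; i < l.count; i++)
        printf("shared: [0x%llx, 0x%llx)\n",
               (unsigned long long)l.r[i].gpa_start, (unsigned long long)l.r[i].gpa_end);
    return 0;
}
```

The two properties a reviewer would check in such a tracker are that the default for an unlisted page is "encrypted" (a tracking bug then costs a firmware round trip, not a plaintext leak) and that guest-supplied ranges are validated before they touch hypervisor state, since the hypercall arguments come from the guest.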

Thread overview: 36+ messages
2021-08-04 11:52 Ashish Kalra [this message]
2021-08-04 11:53 ` [PATCH v4 01/14] doc: update AMD SEV API spec web link Ashish Kalra
2021-08-16 18:44   ` Dr. David Alan Gilbert
2021-08-04 11:53 ` [PATCH v4 02/14] doc: update AMD SEV to include Live migration flow Ashish Kalra
2021-08-05  6:34   ` Dov Murik
2021-08-05  9:39     ` Ashish Kalra
2021-09-10  9:53   ` Daniel P. Berrangé
2021-08-04 11:54 ` [PATCH v4 03/14] migration.json: add AMD SEV specific migration parameters Ashish Kalra
2021-08-05  9:42   ` Dov Murik
2021-08-05 14:41     ` Ashish Kalra
2021-08-05 20:18   ` Eric Blake
2021-08-04 11:55 ` [PATCH v4 04/14] confidential guest support: introduce ConfidentialGuestMemoryEncryptionOps for encrypted VMs Ashish Kalra
2021-08-05 12:20   ` Dov Murik
2021-08-05 14:43     ` Ashish Kalra
2021-08-04 11:56 ` [PATCH v4 05/14] target/i386: sev: provide callback to setup outgoing context Ashish Kalra
2021-08-05 13:06   ` Dov Murik
2021-08-05 14:45     ` Ashish Kalra
2021-08-04 11:56 ` [PATCH v4 06/14] target/i386: sev: do not create launch context for an incoming guest Ashish Kalra
2021-08-04 11:56 ` [PATCH v4 07/14] target/i386: sev: add support to encrypt the outgoing page Ashish Kalra
2021-08-05 14:35   ` Dov Murik
2021-08-04 11:57 ` [PATCH v4 08/14] target/i386: sev: add support to load incoming encrypted page Ashish Kalra
2021-08-04 11:57 ` [PATCH v4 09/14] kvm: Add support for SEV shared regions list and KVM_EXIT_HYPERCALL Ashish Kalra
2021-08-04 11:57 ` [PATCH v4 10/14] migration: add support to migrate shared regions list Ashish Kalra
2021-09-10  7:54   ` Wang, Wei W
2021-09-10  8:47     ` Ashish Kalra
2021-09-10  9:11       ` Wang, Wei W
2021-09-10  9:42         ` Ashish Kalra
2021-08-04 11:58 ` [PATCH v4 11/14] migration/ram: add support to send encrypted pages Ashish Kalra
2021-08-04 11:59 ` [PATCH v4 12/14] migration/ram: Force encrypted status for flash0 & flash1 devices Ashish Kalra
2021-08-04 11:59 ` [PATCH v4 13/14] migration: for SEV live migration bump downtime limit to 1s Ashish Kalra
2021-09-10  9:43   ` Daniel P. Berrangé
2021-09-10 10:18     ` Ashish Kalra via
2021-08-04 12:00 ` [PATCH v4 14/14] kvm: Add support for userspace MSR filtering and handling of MSR_KVM_MIGRATION_CONTROL Ashish Kalra
2021-09-10  7:56   ` Wang, Wei W
2021-09-10  9:14     ` Ashish Kalra
2021-09-10  9:36       ` Wang, Wei W
