From: David Gibson <david@gibson.dropbear.id.au>
To: dgilbert@redhat.com, frankja@linux.ibm.com, pair@us.redhat.com,
qemu-devel@nongnu.org, brijesh.singh@amd.com
Cc: kvm@vger.kernel.org, qemu-ppc@nongnu.org,
David Gibson <david@gibson.dropbear.id.au>,
Richard Henderson <rth@twiddle.net>,
cohuck@redhat.com, Paolo Bonzini <pbonzini@redhat.com>,
Marcel Apfelbaum <marcel.apfelbaum@gmail.com>,
"Michael S. Tsirkin" <mst@redhat.com>,
Eduardo Habkost <ehabkost@redhat.com>,
qemu-devel@nongnu.-rg, mdroth@linux.vnet.ibm.com
Subject: [RFC 00/18] Refactor configuration of guest memory protection
Date: Thu, 14 May 2020 16:41:02 +1000 [thread overview]
Message-ID: <20200514064120.449050-1-david@gibson.dropbear.id.au> (raw)
A number of hardware platforms are implementing mechanisms whereby the
hypervisor does not have unfettered access to guest memory, in order
to mitigate the security impact of a compromised hypervisor.
AMD's SEV implements this with in-cpu memory encryption, and Intel has
its own memory encryption mechanism. POWER has an upcoming mechanism
to accomplish this in a different way, using a new memory protection
level plus a small trusted ultravisor. s390 also has a protected
execution environment.
The current code (committed or draft) for these features has each
platform's version configured entirely differently. That doesn't seem
ideal for users, or particularly for management layers.
AMD SEV introduces a notionally generic machine option
"machine-encryption", but it doesn't actually cover any cases other
than SEV.
This series is a proposal to at least partially unify configuration
for these mechanisms, by renaming and generalizing AMD's
"memory-encryption" property. It is replaced by a
"guest-memory-protection" property pointing to a platform specific
object which configures and manages the specific details.
For now this series covers just AMD SEV and POWER PEF. I'm hoping it
can be extended to cover the Intel and s390 mechanisms as well,
though.
Note: I'm using the term "guest memory protection" throughout to refer
to mechanisms like this. I don't particular like the term, it's both
long and not really precise. If someone can think of a succinct way
of saying "a means of protecting guest memory from a possibly
compromised hypervisor", I'd be grateful for the suggestion.
David Gibson (18):
target/i386: sev: Remove unused QSevGuestInfoClass
target/i386: sev: Move local structure definitions into .c file
target/i386: sev: Rename QSevGuestInfo
target/i386: sev: Embed SEVState in SevGuestState
target/i386: sev: Partial cleanup to sev_state global
target/i386: sev: Remove redundant cbitpos and reduced_phys_bits
fields
target/i386: sev: Remove redundant policy field
target/i386: sev: Remove redundant handle field
target/i386: sev: Unify SEVState and SevGuestState
guest memory protection: Add guest memory protection interface
guest memory protection: Handle memory encrption via interface
guest memory protection: Perform KVM init via interface
guest memory protection: Move side effect out of
machine_set_memory_encryption()
guest memory protection: Rework the "memory-encryption" property
guest memory protection: Decouple kvm_memcrypt_*() helpers from KVM
use errp for gmpo kvm_init
spapr: Added PEF based guest memory protection
guest memory protection: Alter virtio default properties for protected
guests
accel/kvm/kvm-all.c | 40 +--
accel/kvm/sev-stub.c | 5 -
accel/stubs/kvm-stub.c | 10 -
backends/Makefile.objs | 2 +
backends/guest-memory-protection.c | 29 ++
hw/core/machine.c | 61 ++++-
hw/i386/pc_sysfw.c | 6 +-
include/exec/guest-memory-protection.h | 77 ++++++
include/hw/boards.h | 4 +-
include/sysemu/kvm.h | 17 --
include/sysemu/sev.h | 6 +-
target/i386/sev.c | 358 +++++++++++++------------
target/i386/sev_i386.h | 49 ----
target/ppc/Makefile.objs | 2 +-
target/ppc/pef.c | 81 ++++++
15 files changed, 445 insertions(+), 302 deletions(-)
create mode 100644 backends/guest-memory-protection.c
create mode 100644 include/exec/guest-memory-protection.h
create mode 100644 target/ppc/pef.c
--
2.26.2
next reply other threads:[~2020-05-14 6:41 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-14 6:41 David Gibson [this message]
2020-05-14 6:41 ` [RFC 01/18] target/i386: sev: Remove unused QSevGuestInfoClass David Gibson
2020-05-14 6:41 ` [RFC 02/18] target/i386: sev: Move local structure definitions into .c file David Gibson
2020-05-14 6:41 ` [RFC 03/18] target/i386: sev: Rename QSevGuestInfo David Gibson
2020-05-14 6:41 ` [RFC 04/18] target/i386: sev: Embed SEVState in SevGuestState David Gibson
2020-05-14 6:41 ` [RFC 05/18] target/i386: sev: Partial cleanup to sev_state global David Gibson
2020-05-14 6:41 ` [RFC 06/18] target/i386: sev: Remove redundant cbitpos and reduced_phys_bits fields David Gibson
2020-05-14 6:41 ` [RFC 07/18] target/i386: sev: Remove redundant policy field David Gibson
2020-05-14 6:41 ` [RFC 08/18] target/i386: sev: Remove redundant handle field David Gibson
2020-05-14 6:41 ` [RFC 09/18] target/i386: sev: Unify SEVState and SevGuestState David Gibson
2020-05-14 6:41 ` [RFC 10/18] guest memory protection: Add guest memory protection interface David Gibson
2020-05-14 6:41 ` [RFC 11/18] guest memory protection: Handle memory encrption via interface David Gibson
2020-05-14 6:41 ` [RFC 12/18] guest memory protection: Perform KVM init " David Gibson
2020-05-14 6:41 ` [RFC 13/18] guest memory protection: Move side effect out of machine_set_memory_encryption() David Gibson
2020-05-14 6:41 ` [RFC 14/18] guest memory protection: Rework the "memory-encryption" property David Gibson
2020-05-14 6:41 ` [RFC 15/18] guest memory protection: Decouple kvm_memcrypt_*() helpers from KVM David Gibson
2020-05-14 6:41 ` [RFC 16/18] use errp for gmpo kvm_init David Gibson
2020-05-14 17:09 ` Dr. David Alan Gilbert
2020-05-15 0:14 ` David Gibson
2020-05-15 0:20 ` David Gibson
2020-05-14 6:41 ` [RFC 17/18] spapr: Added PEF based guest memory protection David Gibson
2020-05-14 6:41 ` [RFC 18/18] guest memory protection: Alter virtio default properties for protected guests David Gibson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200514064120.449050-1-david@gibson.dropbear.id.au \
--to=david@gibson.dropbear.id.au \
--cc=brijesh.singh@amd.com \
--cc=cohuck@redhat.com \
--cc=dgilbert@redhat.com \
--cc=ehabkost@redhat.com \
--cc=frankja@linux.ibm.com \
--cc=kvm@vger.kernel.org \
--cc=marcel.apfelbaum@gmail.com \
--cc=mdroth@linux.vnet.ibm.com \
--cc=mst@redhat.com \
--cc=pair@us.redhat.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.-rg \
--cc=qemu-devel@nongnu.org \
--cc=qemu-ppc@nongnu.org \
--cc=rth@twiddle.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).