On Thu, Jun 04, 2020 at 01:39:22AM -0300, Thiago Jung Bauermann wrote: > > Hello David, > > David Gibson writes: > > > A number of hardware platforms are implementing mechanisms whereby the > > hypervisor does not have unfettered access to guest memory, in order > > to mitigate the security impact of a compromised hypervisor. > > > > AMD's SEV implements this with in-cpu memory encryption, and Intel has > > its own memory encryption mechanism. POWER has an upcoming mechanism > > to accomplish this in a different way, using a new memory protection > > level plus a small trusted ultravisor. s390 also has a protected > > execution environment. > > > > The current code (committed or draft) for these features has each > > platform's version configured entirely differently. That doesn't seem > > ideal for users, or particularly for management layers. > > > > AMD SEV introduces a notionally generic machine option > > "machine-encryption", but it doesn't actually cover any cases other > > than SEV. > > > > This series is a proposal to at least partially unify configuration > > for these mechanisms, by renaming and generalizing AMD's > > "memory-encryption" property. It is replaced by a > > "guest-memory-protection" property pointing to a platform specific > > object which configures and manages the specific details. > > > > For now this series covers just AMD SEV and POWER PEF. I'm hoping it > > Thank you very much for this series! Using a machine property is a nice > way of configuring this. > > >From an end-user perspective, `-M pseries,guest-memory-protection` in > the command line already expresses everything that QEMU needs to know, > so having to add `-object pef-guest,id=pef0` seems a bit redundant. Is > it possible to make QEMU create the pef-guest object behind the scenes > when the guest-memory-protection property is specified? Not exactly - the object needs to exist for the QOM core to resolve it before we'd have a chance to look at the value to conditionally create the object. What we could do, however, is always create a PEF object in the machine, and it would just have no effect if the machine parameter wasn't specified. I did consider that option, but left it this way for greater consistency with AMD SEV - there the object can't be auto-created, since it has mandatory parameters needed to configure the encryption. I'm open to persuasion about changing that, though. > Regardless, I was able to successfuly launch POWER PEF guests using > these patches: > > Tested-by: Thiago Jung Bauermann Ah, great. > > can be extended to cover the Intel and s390 mechanisms as well, > > though. > > > > Note: I'm using the term "guest memory protection" throughout to refer > > to mechanisms like this. I don't particular like the term, it's both > > long and not really precise. If someone can think of a succinct way > > of saying "a means of protecting guest memory from a possibly > > compromised hypervisor", I'd be grateful for the suggestion. > > Is "opaque guest memory" any better? It's slightly shorter, and slightly > more precise about what the main characteristic this guest property conveys. > -- David Gibson | I'll have my music baroque, and my code david AT gibson.dropbear.id.au | minimalist, thank you. NOT _the_ _other_ | _way_ _around_! http://www.ozlabs.org/~dgibson