From: Cornelia Huck <cohuck@redhat.com>
To: David Gibson <david@gibson.dropbear.id.au>
Cc: brijesh.singh@amd.com, pair@us.ibm.com, dgilbert@redhat.com,
pasic@linux.ibm.com, qemu-devel@nongnu.org,
Richard Henderson <richard.henderson@linaro.org>,
Marcelo Tosatti <mtosatti@redhat.com>,
David Hildenbrand <david@redhat.com>,
borntraeger@de.ibm.com,
Marcel Apfelbaum <marcel.apfelbaum@gmail.com>,
Paolo Bonzini <pbonzini@redhat.com>,
mst@redhat.com, jun.nakajima@intel.com, thuth@redhat.com,
pragyansri.pathi@intel.com, kvm@vger.kernel.org,
Eduardo Habkost <ehabkost@redhat.com>,
qemu-s390x@nongnu.org, qemu-ppc@nongnu.org,
frankja@linux.ibm.com, Greg Kurz <groug@kaod.org>,
mdroth@linux.vnet.ibm.com, berrange@redhat.com,
andi.kleen@intel.com
Subject: Re: [PATCH v7 10/13] spapr: Add PEF based confidential guest support
Date: Fri, 15 Jan 2021 16:41:51 +0100 [thread overview]
Message-ID: <20210115164151.087826c5.cohuck@redhat.com> (raw)
In-Reply-To: <20210113235811.1909610-11-david@gibson.dropbear.id.au>
On Thu, 14 Jan 2021 10:58:08 +1100
David Gibson <david@gibson.dropbear.id.au> wrote:
> Some upcoming POWER machines have a system called PEF (Protected
> Execution Facility) which uses a small ultravisor to allow guests to
> run in a way that they can't be eavesdropped by the hypervisor. The
> effect is roughly similar to AMD SEV, although the mechanisms are
> quite different.
>
> Most of the work of this is done between the guest, KVM and the
> ultravisor, with little need for involvement by qemu. However qemu
> does need to tell KVM to allow secure VMs.
>
> Because the availability of secure mode is a guest visible difference
> which depends on having the right hardware and firmware, we don't
> enable this by default. In order to run a secure guest you need to
> create a "pef-guest" object and set the confidential-guest-support
> property to point to it.
>
> Note that this just *allows* secure guests, the architecture of PEF is
> such that the guest still needs to talk to the ultravisor to enter
> secure mode. Qemu has no directl way of knowing if the guest is in
> secure mode, and certainly can't know until well after machine
> creation time.
>
> To start a PEF-capable guest, use the command line options:
> -object pef-guest,id=pef0 -machine confidential-guest-support=pef0
>
> Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
> ---
> docs/confidential-guest-support.txt | 3 +
> docs/papr-pef.txt | 30 +++++++
> hw/ppc/meson.build | 1 +
> hw/ppc/pef.c | 119 ++++++++++++++++++++++++++++
> hw/ppc/spapr.c | 6 ++
> include/hw/ppc/pef.h | 25 ++++++
> target/ppc/kvm.c | 18 -----
> target/ppc/kvm_ppc.h | 6 --
> 8 files changed, 184 insertions(+), 24 deletions(-)
> create mode 100644 docs/papr-pef.txt
> create mode 100644 hw/ppc/pef.c
> create mode 100644 include/hw/ppc/pef.h
>
> diff --git a/docs/confidential-guest-support.txt b/docs/confidential-guest-support.txt
> index 2790425b38..f0801814ff 100644
> --- a/docs/confidential-guest-support.txt
> +++ b/docs/confidential-guest-support.txt
> @@ -40,4 +40,7 @@ Currently supported confidential guest mechanisms are:
> AMD Secure Encrypted Virtualization (SEV)
> docs/amd-memory-encryption.txt
>
> +POWER Protected Execution Facility (PEF)
> + docs/papr-pef.txt
> +
> Other mechanisms may be supported in future.
> diff --git a/docs/papr-pef.txt b/docs/papr-pef.txt
> new file mode 100644
> index 0000000000..6419e995cf
> --- /dev/null
> +++ b/docs/papr-pef.txt
Same here, make this .rst and add it to the system guide?
> @@ -0,0 +1,30 @@
> +POWER (PAPR) Protected Execution Facility (PEF)
> +===============================================
> +
> +Protected Execution Facility (PEF), also known as Secure Guest support
> +is a feature found on IBM POWER9 and POWER10 processors.
> +
> +If a suitable firmware including an Ultravisor is installed, it adds
> +an extra memory protection mode to the CPU. The ultravisor manages a
> +pool of secure memory which cannot be accessed by the hypervisor.
> +
> +When this feature is enabled in qemu, a guest can use ultracalls to
s/qemu/QEMU/
> +enter "secure mode". This transfers most of its memory to secure
> +memory, where it cannot be eavesdropped by a compromised hypervisor.
> +
> +Launching
> +---------
> +
> +To launch a guest which will be permitted to enter PEF secure mode:
> +
> +# ${QEMU} \
> + -object pef-guest,id=pef0 \
> + -machine confidential-guest-support=pef0 \
> + ...
> +
> +Live Migration
> +----------------
> +
> +Live migration is not yet implemented for PEF guests. For
> +consistency, we currently prevent migration if the PEF feature is
> +enabled, whether or not the guest has actually entered secure mode.
> diff --git a/hw/ppc/meson.build b/hw/ppc/meson.build
> index ffa2ec37fa..218631c883 100644
> --- a/hw/ppc/meson.build
> +++ b/hw/ppc/meson.build
> @@ -27,6 +27,7 @@ ppc_ss.add(when: 'CONFIG_PSERIES', if_true: files(
> 'spapr_nvdimm.c',
> 'spapr_rtas_ddw.c',
> 'spapr_numa.c',
> + 'pef.c',
> ))
> ppc_ss.add(when: 'CONFIG_SPAPR_RNG', if_true: files('spapr_rng.c'))
> ppc_ss.add(when: ['CONFIG_PSERIES', 'CONFIG_LINUX'], if_true: files(
> diff --git a/hw/ppc/pef.c b/hw/ppc/pef.c
> new file mode 100644
> index 0000000000..02b9b3b460
> --- /dev/null
> +++ b/hw/ppc/pef.c
> @@ -0,0 +1,119 @@
> +/*
> + * PEF (Protected Execution Facility) for POWER support
> + *
> + * Copyright David Gibson, Redhat Inc. 2020
2021?
> + *
> + * This work is licensed under the terms of the GNU GPL, version 2 or later.
> + * See the COPYING file in the top-level directory.
> + *
> + */
> +
next prev parent reply other threads:[~2021-01-15 15:44 UTC|newest]
Thread overview: 45+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-13 23:57 [PATCH v7 00/13] Generalize memory encryption models David Gibson
2021-01-13 23:57 ` [PATCH v7 01/13] qom: Allow optional sugar props David Gibson
2021-01-13 23:58 ` [PATCH v7 02/13] confidential guest support: Introduce new confidential guest support class David Gibson
2021-01-14 9:34 ` Daniel P. Berrangé
2021-01-14 10:42 ` David Gibson
2021-01-18 18:51 ` Dr. David Alan Gilbert
2021-01-21 1:06 ` David Gibson
2021-01-21 9:08 ` Dr. David Alan Gilbert
2021-01-29 2:32 ` David Gibson
2021-01-13 23:58 ` [PATCH v7 03/13] sev: Remove false abstraction of flash encryption David Gibson
2021-01-15 12:54 ` Cornelia Huck
2021-01-18 2:59 ` David Gibson
2021-01-13 23:58 ` [PATCH v7 04/13] confidential guest support: Move side effect out of machine_set_memory_encryption() David Gibson
2021-01-15 12:56 ` Cornelia Huck
2021-01-13 23:58 ` [PATCH v7 05/13] confidential guest support: Rework the "memory-encryption" property David Gibson
2021-01-15 13:06 ` Cornelia Huck
2021-01-13 23:58 ` [PATCH v7 06/13] sev: Add Error ** to sev_kvm_init() David Gibson
2021-01-13 23:58 ` [PATCH v7 07/13] confidential guest support: Introduce cgs "ready" flag David Gibson
2021-01-14 8:55 ` Greg Kurz
2021-01-15 13:12 ` Cornelia Huck
2021-01-18 19:47 ` Dr. David Alan Gilbert
2021-01-19 8:16 ` Cornelia Huck
2021-02-02 1:41 ` David Gibson
2021-01-13 23:58 ` [PATCH v7 08/13] confidential guest support: Move SEV initialization into arch specific code David Gibson
2021-01-15 13:24 ` Cornelia Huck
2021-01-18 3:03 ` David Gibson
2021-01-18 8:03 ` Cornelia Huck
2021-01-29 3:12 ` David Gibson
2021-01-13 23:58 ` [PATCH v7 09/13] confidential guest support: Update documentation David Gibson
2021-01-14 10:07 ` Greg Kurz
2021-01-15 15:36 ` Cornelia Huck
2021-01-29 2:36 ` David Gibson
2021-01-13 23:58 ` [PATCH v7 10/13] spapr: Add PEF based confidential guest support David Gibson
2021-01-15 15:41 ` Cornelia Huck [this message]
2021-01-29 2:43 ` David Gibson
2021-01-13 23:58 ` [PATCH v7 11/13] spapr: PEF: prevent migration David Gibson
2021-01-13 23:58 ` [PATCH v7 12/13] confidential guest support: Alter virtio default properties for protected guests David Gibson
2021-01-13 23:58 ` [PATCH v7 13/13] s390: Recognize confidential-guest-support option David Gibson
2021-01-14 9:10 ` Christian Borntraeger
2021-01-14 9:19 ` Christian Borntraeger
2021-01-14 9:24 ` Christian Borntraeger
2021-01-15 0:13 ` David Gibson
2021-01-14 11:45 ` David Gibson
2021-01-15 16:36 ` Cornelia Huck
2021-01-18 17:06 ` Christian Borntraeger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210115164151.087826c5.cohuck@redhat.com \
--to=cohuck@redhat.com \
--cc=andi.kleen@intel.com \
--cc=berrange@redhat.com \
--cc=borntraeger@de.ibm.com \
--cc=brijesh.singh@amd.com \
--cc=david@gibson.dropbear.id.au \
--cc=david@redhat.com \
--cc=dgilbert@redhat.com \
--cc=ehabkost@redhat.com \
--cc=frankja@linux.ibm.com \
--cc=groug@kaod.org \
--cc=jun.nakajima@intel.com \
--cc=kvm@vger.kernel.org \
--cc=marcel.apfelbaum@gmail.com \
--cc=mdroth@linux.vnet.ibm.com \
--cc=mst@redhat.com \
--cc=mtosatti@redhat.com \
--cc=pair@us.ibm.com \
--cc=pasic@linux.ibm.com \
--cc=pbonzini@redhat.com \
--cc=pragyansri.pathi@intel.com \
--cc=qemu-devel@nongnu.org \
--cc=qemu-ppc@nongnu.org \
--cc=qemu-s390x@nongnu.org \
--cc=richard.henderson@linaro.org \
--cc=thuth@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).