From: David Gibson <david@gibson.dropbear.id.au>
To: Greg Kurz <groug@kaod.org>
Cc: dgilbert@redhat.com, pair@us.ibm.com, qemu-devel@nongnu.org,
brijesh.singh@amd.com, pasic@linux.ibm.com,
pragyansri.pathi@intel.com, richard.henderson@linaro.org,
berrange@redhat.com, David Hildenbrand <david@redhat.com>,
mdroth@linux.vnet.ibm.com, kvm@vger.kernel.org,
Marcel Apfelbaum <marcel.apfelbaum@gmail.com>,
pbonzini@redhat.com, mtosatti@redhat.com, borntraeger@de.ibm.com,
Cornelia Huck <cohuck@redhat.com>,
qemu-ppc@nongnu.org, qemu-s390x@nongnu.org, thuth@redhat.com,
mst@redhat.com, frankja@linux.ibm.com, jun.nakajima@intel.com,
andi.kleen@intel.com, Eduardo Habkost <ehabkost@redhat.com>
Subject: Re: [PATCH v8 07/13] confidential guest support: Introduce cgs "ready" flag
Date: Thu, 4 Feb 2021 13:45:48 +1100 [thread overview]
Message-ID: <20210204024548.GA4729@yekko.fritz.box> (raw)
In-Reply-To: <20210203171548.0d8e0494@bahia.lan>
[-- Attachment #1: Type: text/plain, Size: 4979 bytes --]
On Wed, Feb 03, 2021 at 05:15:48PM +0100, Greg Kurz wrote:
> On Tue, 2 Feb 2021 15:13:09 +1100
> David Gibson <david@gibson.dropbear.id.au> wrote:
>
> > The platform specific details of mechanisms for implementing
> > confidential guest support may require setup at various points during
> > initialization. Thus, it's not really feasible to have a single cgs
> > initialization hook, but instead each mechanism needs its own
> > initialization calls in arch or machine specific code.
> >
> > However, to make it harder to have a bug where a mechanism isn't
> > properly initialized under some circumstances, we want to have a
> > common place, late in boot, where we verify that cgs has been
> > initialized if it was requested.
> >
> > This patch introduces a ready flag to the ConfidentialGuestSupport
> > base type to accomplish this, which we verify in
> > qemu_machine_creation_done().
> >
> > Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
> > ---
> > include/exec/confidential-guest-support.h | 24 +++++++++++++++++++++++
> > softmmu/vl.c | 10 ++++++++++
> > target/i386/sev.c | 2 ++
> > 3 files changed, 36 insertions(+)
> >
> > diff --git a/include/exec/confidential-guest-support.h b/include/exec/confidential-guest-support.h
> > index 3db6380e63..5dcf602047 100644
> > --- a/include/exec/confidential-guest-support.h
> > +++ b/include/exec/confidential-guest-support.h
> > @@ -27,6 +27,30 @@ OBJECT_DECLARE_SIMPLE_TYPE(ConfidentialGuestSupport, CONFIDENTIAL_GUEST_SUPPORT)
> >
> > struct ConfidentialGuestSupport {
> > Object parent;
> > +
> > + /*
> > + * ready: flag set by CGS initialization code once it's ready to
> > + * start executing instructions in a potentially-secure
> > + * guest
> > + *
> > + * The definition here is a bit fuzzy, because this is essentially
> > + * part of a self-sanity-check, rather than a strict mechanism.
> > + *
> > + * It's not fasible to have a single point in the common machine
>
> s/fasible/feasible
Fixed, thanks.
>
> Anyway,
>
> Reviewed-by: Greg Kurz <groug@kaod.org>
>
> > + * init path to configure confidential guest support, because
> > + * different mechanisms have different interdependencies requiring
> > + * initialization in different places, often in arch or machine
> > + * type specific code. It's also usually not possible to check
> > + * for invalid configurations until that initialization code.
> > + * That means it would be very easy to have a bug allowing CGS
> > + * init to be bypassed entirely in certain configurations.
> > + *
> > + * Silently ignoring a requested security feature would be bad, so
> > + * to avoid that we check late in init that this 'ready' flag is
> > + * set if CGS was requested. If the CGS init hasn't happened, and
> > + * so 'ready' is not set, we'll abort.
> > + */
> > + bool ready;
> > };
> >
> > typedef struct ConfidentialGuestSupportClass {
> > diff --git a/softmmu/vl.c b/softmmu/vl.c
> > index 1b464e3474..1869ed54a9 100644
> > --- a/softmmu/vl.c
> > +++ b/softmmu/vl.c
> > @@ -101,6 +101,7 @@
> > #include "qemu/plugin.h"
> > #include "qemu/queue.h"
> > #include "sysemu/arch_init.h"
> > +#include "exec/confidential-guest-support.h"
> >
> > #include "ui/qemu-spice.h"
> > #include "qapi/string-input-visitor.h"
> > @@ -2497,6 +2498,8 @@ static void qemu_create_cli_devices(void)
> >
> > static void qemu_machine_creation_done(void)
> > {
> > + MachineState *machine = MACHINE(qdev_get_machine());
> > +
> > /* Did we create any drives that we failed to create a device for? */
> > drive_check_orphaned();
> >
> > @@ -2516,6 +2519,13 @@ static void qemu_machine_creation_done(void)
> >
> > qdev_machine_creation_done();
> >
> > + if (machine->cgs) {
> > + /*
> > + * Verify that Confidential Guest Support has actually been initialized
> > + */
> > + assert(machine->cgs->ready);
> > + }
> > +
> > if (foreach_device_config(DEV_GDB, gdbserver_start) < 0) {
> > exit(1);
> > }
> > diff --git a/target/i386/sev.c b/target/i386/sev.c
> > index 590cb31fa8..f9e9b5d8ae 100644
> > --- a/target/i386/sev.c
> > +++ b/target/i386/sev.c
> > @@ -737,6 +737,8 @@ int sev_kvm_init(ConfidentialGuestSupport *cgs, Error **errp)
> > qemu_add_machine_init_done_notifier(&sev_machine_done_notify);
> > qemu_add_vm_change_state_handler(sev_vm_state_change, sev);
> >
> > + cgs->ready = true;
> > +
> > return 0;
> > err:
> > sev_guest = NULL;
>
--
David Gibson | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au | minimalist, thank you. NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
next prev parent reply other threads:[~2021-02-04 2:51 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-02-02 4:13 [PATCH v8 00/13] Generalize memory encryption models David Gibson
2021-02-02 4:13 ` [PATCH v8 01/13] qom: Allow optional sugar props David Gibson
2021-02-02 4:13 ` [PATCH v8 02/13] confidential guest support: Introduce new confidential guest support class David Gibson
2021-02-02 4:13 ` [PATCH v8 03/13] sev: Remove false abstraction of flash encryption David Gibson
2021-02-02 4:13 ` [PATCH v8 04/13] confidential guest support: Move side effect out of machine_set_memory_encryption() David Gibson
2021-02-02 4:13 ` [PATCH v8 05/13] confidential guest support: Rework the "memory-encryption" property David Gibson
2021-02-02 4:13 ` [PATCH v8 06/13] sev: Add Error ** to sev_kvm_init() David Gibson
2021-02-02 4:13 ` [PATCH v8 07/13] confidential guest support: Introduce cgs "ready" flag David Gibson
2021-02-03 10:42 ` Dr. David Alan Gilbert
2021-02-03 16:15 ` Greg Kurz
2021-02-04 2:45 ` David Gibson [this message]
2021-02-10 16:25 ` Venu Busireddy
2021-02-11 23:48 ` David Gibson
2021-02-02 4:13 ` [PATCH v8 08/13] confidential guest support: Move SEV initialization into arch specific code David Gibson
2021-02-03 16:19 ` Greg Kurz
2021-02-02 4:13 ` [PATCH v8 09/13] confidential guest support: Update documentation David Gibson
2021-02-02 4:13 ` [PATCH v8 10/13] spapr: Add PEF based confidential guest support David Gibson
2021-02-03 17:50 ` Greg Kurz
2021-02-04 2:47 ` David Gibson
2021-02-02 4:13 ` [PATCH v8 11/13] spapr: PEF: prevent migration David Gibson
2021-02-02 4:13 ` [PATCH v8 12/13] confidential guest support: Alter virtio default properties for protected guests David Gibson
2021-02-02 23:06 ` Michael S. Tsirkin
2021-02-03 4:53 ` David Gibson
2021-02-02 4:13 ` [PATCH v8 13/13] s390: Recognize confidential-guest-support option David Gibson
2021-02-03 9:05 ` Christian Borntraeger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210204024548.GA4729@yekko.fritz.box \
--to=david@gibson.dropbear.id.au \
--cc=andi.kleen@intel.com \
--cc=berrange@redhat.com \
--cc=borntraeger@de.ibm.com \
--cc=brijesh.singh@amd.com \
--cc=cohuck@redhat.com \
--cc=david@redhat.com \
--cc=dgilbert@redhat.com \
--cc=ehabkost@redhat.com \
--cc=frankja@linux.ibm.com \
--cc=groug@kaod.org \
--cc=jun.nakajima@intel.com \
--cc=kvm@vger.kernel.org \
--cc=marcel.apfelbaum@gmail.com \
--cc=mdroth@linux.vnet.ibm.com \
--cc=mst@redhat.com \
--cc=mtosatti@redhat.com \
--cc=pair@us.ibm.com \
--cc=pasic@linux.ibm.com \
--cc=pbonzini@redhat.com \
--cc=pragyansri.pathi@intel.com \
--cc=qemu-devel@nongnu.org \
--cc=qemu-ppc@nongnu.org \
--cc=qemu-s390x@nongnu.org \
--cc=richard.henderson@linaro.org \
--cc=thuth@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).