On 20.02.23 19:38, Michael Roth wrote:
> From: Brijesh Singh
>
> The KVM_SEV_SNP_LAUNCH_FINISH finalizes the cryptographic digest and stores
> it as the measurement of the guest at launch.
>
> While finalizing the launch flow, it also issues the LAUNCH_UPDATE command
> to encrypt the VMSA pages.
>
> If it's an SNP guest, then VMSA was added in the RMP entry as
> a guest owned page and also removed from the kernel direct map
> so flush it later after it is transitioned back to hypervisor
> state and restored in the direct map.
>
> Signed-off-by: Brijesh Singh
> Signed-off-by: Harald Hoyer
> Signed-off-by: Ashish Kalra
> Signed-off-by: Michael Roth
> ---
>  .../virt/kvm/x86/amd-memory-encryption.rst |  23 ++++
>  arch/x86/kvm/svm/sev.c                     | 122 ++++++++++++++++++
>  include/uapi/linux/kvm.h                   |  14 ++
>  3 files changed, 159 insertions(+)
>
> [...]
>
> +#define KVM_SEV_SNP_ID_BLOCK_SIZE	96
> +#define KVM_SEV_SNP_ID_AUTH_SIZE	4096
> +#define KVM_SEV_SNP_FINISH_DATA_SIZE	32
> +
> +struct kvm_sev_snp_launch_finish {
> +	__u64 id_block_uaddr;
> +	__u64 id_auth_uaddr;
> +	__u8 id_block_en;
> +	__u8 auth_key_en;
> +	__u8 host_data[KVM_SEV_SNP_FINISH_DATA_SIZE];
> +	__u8 pad[6];

The LAUNCH_FINISH command received a new argument to disable VCEK (VCEK_DIS).
Shouldn't we add that in this patch already?

Alex
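Review bot: the trailing `__u8 pad[6]` in struct kvm_sev_snp_launch_finish needs to be rejected when non-zero by the ioctl handler, otherwise the bytes cannot later carry a new flag such as the VCEK_DIS request raised above without old userspace that never zeroed them silently changing firmware behaviour; the sev.c hunk is not quoted in this mail, so that check cannot be confirmed here. The two separate enable bytes (id_block_en, auth_key_en) would also be easier to extend as a single flags field rather than consuming pad bytes one boolean at a time.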