From: "Singh, Brijesh" <brijesh.singh@amd.com>
To: "qemu-devel@nongnu.org" <qemu-devel@nongnu.org>
Cc: "pbonzini@redhat.com" <pbonzini@redhat.com>,
"Lendacky, Thomas" <Thomas.Lendacky@amd.com>,
"Singh, Brijesh" <brijesh.singh@amd.com>,
"dgilbert@redhat.com" <dgilbert@redhat.com>,
"ehabkost@redhat.com" <ehabkost@redhat.com>
Subject: [Qemu-devel] [PATCH v3 00/14] Add SEV guest live migration support
Date: Tue, 6 Aug 2019 16:54:45 +0000
Message-ID: <20190806165429.19327-1-brijesh.singh@amd.com>
AMD SEV encrypts the memory of VMs and because this encryption is done using
an address tweak, the hypervisor will not be able to simply copy ciphertext
between machines to migrate a VM. Instead the AMD SEV Key Management API
provides a set of functions which the hypervisor can use to package a
guest encrypted pages for migration, while maintaining the confidentiality
provided by AMD SEV.
This patch series adds the support required in QEMU to perform SEV
guest live migration. Before initiating the live migration, a user
should use the newly added 'migrate-set-sev-info' command to pass the
target machine's certificate chain. See docs/amd-memory-encryption.txt
for further details.
The patch series depends on kernel patches available here:
https://marc.info/?l=kvm&m=156278967226011&w=2
The complete tree with patch is available at:
https://github.com/codomania/qemu/tree/sev-migration-v3
Known Issues:
- failed to reboot the guest after migration.
- The top 10 lines of the VGA buffer are sent as encrypted and because of that
we get garbage on the destination. I am still debugging it.
Changes since v2:
- Remove direct kvm_memcrypt calls from migration.
- Add MemoryEncryptionOps in machine which will be used by migration
instead of kvm_memcrypt calls.
- drop the RAM_SAVE_FLAG_PAGE_ENCRYPTED_BITMAP. Now the RAM_SAVE_FLAG_ENCRYPTED_PAGE
can be used for sending bitmap as well as guest RAM encrypted pages
- add some bound checks on incoming data
- drop migrate-sev-set-info object
- extend the migrate-parameters to include the SEV specific certificate fields.
- multiple fixes based on the review comments from Dave
Changes since v1:
- use the dirty log sync APIs to also sync the page encryption bitmap
when SEV is active.
Brijesh Singh (14):
doc: update AMD SEV API spec web link
doc: update AMD SEV to include Live migration flow
migration.json: add AMD SEV specific migration parameters
linux-headers: update kernel header to include SEV migration commands
hw/machine: add helper to query the memory encryption state
hw/machine: introduce MachineMemoryEncryptionOps for encrypted VMs
target/i386: sev: provide callback to setup outgoing context
target/i386: sev: do not create launch context for an incoming guest
target/i386: sev: add support to encrypt the outgoing page
target/i386: sev: add support to load incoming encrypted page
migration: add support to migrate page encryption bitmap
kvm: add support to sync the page encryption state bitmap
migration/ram: add support to send encrypted pages
target/i386: sev: remove migration blocker
accel/kvm/kvm-all.c | 91 ++++++
accel/kvm/sev-stub.c | 28 ++
docs/amd-memory-encryption.txt | 48 ++-
hw/core/machine.c | 5 +
include/exec/ram_addr.h | 199 +++++++++++++
include/exec/ramlist.h | 3 +-
include/hw/boards.h | 25 ++
include/sysemu/sev.h | 11 +
linux-headers/linux/kvm.h | 53 ++++
migration/migration.c | 61 ++++
migration/ram.c | 148 +++++++++-
monitor/hmp-cmds.c | 18 ++
qapi/migration.json | 41 ++-
target/i386/sev.c | 513 ++++++++++++++++++++++++++++++++-
target/i386/sev_i386.h | 8 +
target/i386/trace-events | 8 +
16 files changed, 1234 insertions(+), 26 deletions(-)
--
2.17.1
2019-08-06 16:54 Singh, Brijesh [this message]
2019-08-06 16:54 ` [Qemu-devel] [PATCH v3 01/14] doc: update AMD SEV API spec web link Singh, Brijesh
2019-08-06 19:00 ` Dr. David Alan Gilbert
2019-08-06 16:54 ` [Qemu-devel] [PATCH v3 02/14] doc: update AMD SEV to include Live migration flow Singh, Brijesh
2019-08-07 11:01 ` Dr. David Alan Gilbert
2019-08-06 16:54 ` [Qemu-devel] [PATCH v3 03/14] migration.json: add AMD SEV specific migration parameters Singh, Brijesh
2019-08-07 11:06 ` Dr. David Alan Gilbert
2019-08-08 2:25 ` Singh, Brijesh
2019-08-08 10:48 ` Dr. David Alan Gilbert
2019-08-09 20:00 ` Singh, Brijesh
2019-08-06 16:54 ` [Qemu-devel] [PATCH v3 04/14] linux-headers: update kernel header to include SEV migration commands Singh, Brijesh
2019-08-06 16:54 ` [Qemu-devel] [PATCH v3 05/14] hw/machine: add helper to query the memory encryption state Singh, Brijesh
2019-08-07 16:14 ` Dr. David Alan Gilbert
2019-08-08 2:25 ` Singh, Brijesh
2019-08-06 16:54 ` [Qemu-devel] [PATCH v3 06/14] hw/machine: introduce MachineMemoryEncryptionOps for encrypted VMs Singh, Brijesh
2019-08-07 16:36 ` Dr. David Alan Gilbert
2019-08-06 16:54 ` [Qemu-devel] [PATCH v3 08/14] target/i386: sev: do not create launch context for an incoming guest Singh, Brijesh
2019-08-06 16:54 ` [Qemu-devel] [PATCH v3 07/14] target/i386: sev: provide callback to setup outgoing context Singh, Brijesh
2019-08-08 11:19 ` Dr. David Alan Gilbert
2019-08-06 16:54 ` [Qemu-devel] [PATCH v3 09/14] target/i386: sev: add support to encrypt the outgoing page Singh, Brijesh
2019-08-09 18:54 ` Dr. David Alan Gilbert
2019-08-06 16:54 ` [Qemu-devel] [PATCH v3 10/14] target/i386: sev: add support to load incoming encrypted page Singh, Brijesh
2019-08-13 17:38 ` Dr. David Alan Gilbert
2019-08-06 16:54 ` [Qemu-devel] [PATCH v3 11/14] migration: add support to migrate page encryption bitmap Singh, Brijesh
2019-08-13 18:57 ` Dr. David Alan Gilbert
2019-08-06 16:54 ` [Qemu-devel] [PATCH v3 13/14] migration/ram: add support to send encrypted pages Singh, Brijesh
2019-08-14 16:37 ` Dr. David Alan Gilbert
2019-08-06 16:54 ` [Qemu-devel] [PATCH v3 12/14] kvm: add support to sync the page encryption state bitmap Singh, Brijesh
2019-08-06 16:54 ` [Qemu-devel] [PATCH v3 14/14] target/i386: sev: remove migration blocker Singh, Brijesh