From: Michael Roth <michael.roth@amd.com>
To: qemu-devel@nongnu.org
Cc: "Connor Kuehl" <ckuehl@redhat.com>,
"Philippe Mathieu-Daudé" <philmd@redhat.com>,
"Michael S . Tsirkin" <mst@redhat.com>,
"James Bottomley" <jejb@linux.ibm.com>,
"Dr . David Alan Gilbert" <dgilbert@redhat.com>,
"Tom Lendacky" <thomas.lendacky@amd.com>,
"Paolo Bonzini" <pbonzini@redhat.com>,
"Dov Murik" <dovmurik@linux.ibm.com>,
"David Gibson" <david@gibson.dropbear.id.au>,
"Daniel P . Berrangé" <berrange@redhat.com>,
kvm@vger.kernel.org, "Eduardo Habkost" <ehabkost@redhat.com>,
"Brijesh Singh" <brijesh.singh@amd.com>,
"Markus Armbruster" <armbru@redhat.com>,
"Eric Blake" <eblake@redhat.com>
Subject: [RFC PATCH v2 01/12] i386/sev: introduce "sev-common" type to encapsulate common SEV state
Date: Thu, 26 Aug 2021 17:26:16 -0500 [thread overview]
Message-ID: <20210826222627.3556-2-michael.roth@amd.com> (raw)
In-Reply-To: <20210826222627.3556-1-michael.roth@amd.com>
Currently all SEV/SEV-ES functionality is managed through a single
'sev-guest' QOM type. With upcoming support for SEV-SNP, taking this
same approach won't work well since some of the properties/state
managed by 'sev-guest' is not applicable to SEV-SNP, which will instead
rely on a new QOM type with its own set of properties/state.
To prepare for this, this patch moves common state into an abstract
'sev-common' parent type to encapsulate properties/state that is
common to both SEV/SEV-ES and SEV-SNP, leaving only SEV/SEV-ES-specific
properties/state in the current 'sev-guest' type. This should not
affect current behavior or command-line options.
As part of this patch, some related changes are also made:
- a static 'sev_guest' variable is currently used to keep track of
the 'sev-guest' instance. SEV-SNP would similarly introduce an
'sev_snp_guest' static variable. But these instances are now
available via qdev_get_machine()->cgs, so switch to using that
instead and drop the static variable.
- 'sev_guest' is currently used as the name for the static variable
holding a pointer to the 'sev-guest' instance. Re-purpose the name
as a local variable referring the 'sev-guest' instance, and use
that consistently throughout the code so it can be easily
distinguished from sev-common/sev-snp-guest instances.
- 'sev' is generally used as the name for local variables holding a
pointer to the 'sev-guest' instance. In cases where that now points
to common state, use the name 'sev_common'; in cases where that now
points to state specific to 'sev-guest' instance, use the name
'sev_guest'
Signed-off-by: Michael Roth <michael.roth@amd.com>
---
qapi/qom.json | 34 +++--
target/i386/sev.c | 329 +++++++++++++++++++++++++++-------------------
2 files changed, 214 insertions(+), 149 deletions(-)
diff --git a/qapi/qom.json b/qapi/qom.json
index a25616bc7a..211e083727 100644
--- a/qapi/qom.json
+++ b/qapi/qom.json
@@ -735,12 +735,29 @@
'data': { '*filename': 'str' } }
##
-# @SevGuestProperties:
+# @SevCommonProperties:
#
-# Properties for sev-guest objects.
+# Properties common to objects that are derivatives of sev-common.
#
# @sev-device: SEV device to use (default: "/dev/sev")
#
+# @cbitpos: C-bit location in page table entry (default: 0)
+#
+# @reduced-phys-bits: number of bits in physical addresses that become
+# unavailable when SEV is enabled
+#
+# Since: 2.12
+##
+{ 'struct': 'SevCommonProperties',
+ 'data': { '*sev-device': 'str',
+ '*cbitpos': 'uint32',
+ 'reduced-phys-bits': 'uint32' } }
+
+##
+# @SevGuestProperties:
+#
+# Properties for sev-guest objects.
+#
# @dh-cert-file: guest owners DH certificate (encoded with base64)
#
# @session-file: guest owners session parameters (encoded with base64)
@@ -749,21 +766,14 @@
#
# @handle: SEV firmware handle (default: 0)
#
-# @cbitpos: C-bit location in page table entry (default: 0)
-#
-# @reduced-phys-bits: number of bits in physical addresses that become
-# unavailable when SEV is enabled
-#
# Since: 2.12
##
{ 'struct': 'SevGuestProperties',
- 'data': { '*sev-device': 'str',
- '*dh-cert-file': 'str',
+ 'base': 'SevCommonProperties',
+ 'data': { '*dh-cert-file': 'str',
'*session-file': 'str',
'*policy': 'uint32',
- '*handle': 'uint32',
- '*cbitpos': 'uint32',
- 'reduced-phys-bits': 'uint32' } }
+ '*handle': 'uint32' } }
##
# @ObjectType:
diff --git a/target/i386/sev.c b/target/i386/sev.c
index 83df8c09f6..6acebfbd53 100644
--- a/target/i386/sev.c
+++ b/target/i386/sev.c
@@ -34,6 +34,8 @@
#include "exec/confidential-guest-support.h"
#include "hw/i386/pc.h"
+#define TYPE_SEV_COMMON "sev-common"
+OBJECT_DECLARE_SIMPLE_TYPE(SevCommonState, SEV_COMMON)
#define TYPE_SEV_GUEST "sev-guest"
OBJECT_DECLARE_SIMPLE_TYPE(SevGuestState, SEV_GUEST)
@@ -48,32 +50,38 @@ OBJECT_DECLARE_SIMPLE_TYPE(SevGuestState, SEV_GUEST)
* -object sev-guest,id=sev0 \
* -machine ...,memory-encryption=sev0
*/
-struct SevGuestState {
+struct SevCommonState {
ConfidentialGuestSupport parent_obj;
/* configuration parameters */
char *sev_device;
- uint32_t policy;
- char *dh_cert_file;
- char *session_file;
uint32_t cbitpos;
uint32_t reduced_phys_bits;
/* runtime state */
- uint32_t handle;
uint8_t api_major;
uint8_t api_minor;
uint8_t build_id;
uint64_t me_mask;
int sev_fd;
SevState state;
- gchar *measurement;
uint32_t reset_cs;
uint32_t reset_ip;
bool reset_data_valid;
};
+struct SevGuestState {
+ SevCommonState sev_common;
+ gchar *measurement;
+
+ /* configuration parameters */
+ uint32_t handle;
+ uint32_t policy;
+ char *dh_cert_file;
+ char *session_file;
+};
+
#define DEFAULT_GUEST_POLICY 0x1 /* disable debug */
#define DEFAULT_SEV_DEVICE "/dev/sev"
@@ -83,7 +91,6 @@ typedef struct __attribute__((__packed__)) SevInfoBlock {
uint32_t reset_addr;
} SevInfoBlock;
-static SevGuestState *sev_guest;
static Error *sev_mig_blocker;
static const char *const sev_fw_errlist[] = {
@@ -164,21 +171,21 @@ fw_error_to_str(int code)
}
static bool
-sev_check_state(const SevGuestState *sev, SevState state)
+sev_check_state(const SevCommonState *sev_common, SevState state)
{
- assert(sev);
- return sev->state == state ? true : false;
+ assert(sev_common);
+ return sev_common->state == state ? true : false;
}
static void
-sev_set_guest_state(SevGuestState *sev, SevState new_state)
+sev_set_guest_state(SevCommonState *sev_common, SevState new_state)
{
assert(new_state < SEV_STATE__MAX);
- assert(sev);
+ assert(sev_common);
- trace_kvm_sev_change_state(SevState_str(sev->state),
+ trace_kvm_sev_change_state(SevState_str(sev_common->state),
SevState_str(new_state));
- sev->state = new_state;
+ sev_common->state = new_state;
}
static void
@@ -245,67 +252,85 @@ static struct RAMBlockNotifier sev_ram_notifier = {
.ram_block_removed = sev_ram_block_removed,
};
-static void
-sev_guest_finalize(Object *obj)
+static char *
+sev_common_get_sev_device(Object *obj, Error **errp)
{
+ return g_strdup(SEV_COMMON(obj)->sev_device);
}
-static char *
-sev_guest_get_session_file(Object *obj, Error **errp)
+static void
+sev_common_set_sev_device(Object *obj, const char *value, Error **errp)
{
- SevGuestState *s = SEV_GUEST(obj);
+ SEV_COMMON(obj)->sev_device = g_strdup(value);
+}
- return s->session_file ? g_strdup(s->session_file) : NULL;
+static void
+sev_common_class_init(ObjectClass *oc, void *data)
+{
+ object_class_property_add_str(oc, "sev-device",
+ sev_common_get_sev_device,
+ sev_common_set_sev_device);
+ object_class_property_set_description(oc, "sev-device",
+ "SEV device to use");
}
static void
-sev_guest_set_session_file(Object *obj, const char *value, Error **errp)
+sev_common_instance_init(Object *obj)
{
- SevGuestState *s = SEV_GUEST(obj);
+ SevCommonState *sev_common = SEV_COMMON(obj);
+
+ sev_common->sev_device = g_strdup(DEFAULT_SEV_DEVICE);
- s->session_file = g_strdup(value);
+ object_property_add_uint32_ptr(obj, "cbitpos", &sev_common->cbitpos,
+ OBJ_PROP_FLAG_READWRITE);
+ object_property_add_uint32_ptr(obj, "reduced-phys-bits",
+ &sev_common->reduced_phys_bits,
+ OBJ_PROP_FLAG_READWRITE);
}
+/* sev guest info common to sev/sev-es/sev-snp */
+static const TypeInfo sev_common_info = {
+ .parent = TYPE_CONFIDENTIAL_GUEST_SUPPORT,
+ .name = TYPE_SEV_COMMON,
+ .instance_size = sizeof(SevCommonState),
+ .class_init = sev_common_class_init,
+ .instance_init = sev_common_instance_init,
+ .abstract = true,
+ .interfaces = (InterfaceInfo[]) {
+ { TYPE_USER_CREATABLE },
+ { }
+ }
+};
+
static char *
sev_guest_get_dh_cert_file(Object *obj, Error **errp)
{
- SevGuestState *s = SEV_GUEST(obj);
-
- return g_strdup(s->dh_cert_file);
+ return g_strdup(SEV_GUEST(obj)->dh_cert_file);
}
static void
sev_guest_set_dh_cert_file(Object *obj, const char *value, Error **errp)
{
- SevGuestState *s = SEV_GUEST(obj);
-
- s->dh_cert_file = g_strdup(value);
+ SEV_GUEST(obj)->dh_cert_file = g_strdup(value);
}
static char *
-sev_guest_get_sev_device(Object *obj, Error **errp)
+sev_guest_get_session_file(Object *obj, Error **errp)
{
- SevGuestState *sev = SEV_GUEST(obj);
+ SevGuestState *sev_guest = SEV_GUEST(obj);
- return g_strdup(sev->sev_device);
+ return sev_guest->session_file ? g_strdup(sev_guest->session_file) : NULL;
}
static void
-sev_guest_set_sev_device(Object *obj, const char *value, Error **errp)
+sev_guest_set_session_file(Object *obj, const char *value, Error **errp)
{
- SevGuestState *sev = SEV_GUEST(obj);
-
- sev->sev_device = g_strdup(value);
+ SEV_GUEST(obj)->session_file = g_strdup(value);
}
static void
sev_guest_class_init(ObjectClass *oc, void *data)
{
- object_class_property_add_str(oc, "sev-device",
- sev_guest_get_sev_device,
- sev_guest_set_sev_device);
- object_class_property_set_description(oc, "sev-device",
- "SEV device to use");
object_class_property_add_str(oc, "dh-cert-file",
sev_guest_get_dh_cert_file,
sev_guest_set_dh_cert_file);
@@ -321,80 +346,88 @@ sev_guest_class_init(ObjectClass *oc, void *data)
static void
sev_guest_instance_init(Object *obj)
{
- SevGuestState *sev = SEV_GUEST(obj);
+ SevGuestState *sev_guest = SEV_GUEST(obj);
- sev->sev_device = g_strdup(DEFAULT_SEV_DEVICE);
- sev->policy = DEFAULT_GUEST_POLICY;
- object_property_add_uint32_ptr(obj, "policy", &sev->policy,
- OBJ_PROP_FLAG_READWRITE);
- object_property_add_uint32_ptr(obj, "handle", &sev->handle,
+ sev_guest->policy = DEFAULT_GUEST_POLICY;
+ object_property_add_uint32_ptr(obj, "handle", &sev_guest->handle,
OBJ_PROP_FLAG_READWRITE);
- object_property_add_uint32_ptr(obj, "cbitpos", &sev->cbitpos,
- OBJ_PROP_FLAG_READWRITE);
- object_property_add_uint32_ptr(obj, "reduced-phys-bits",
- &sev->reduced_phys_bits,
+ object_property_add_uint32_ptr(obj, "policy", &sev_guest->policy,
OBJ_PROP_FLAG_READWRITE);
}
-/* sev guest info */
+/* guest info specific sev/sev-es */
static const TypeInfo sev_guest_info = {
- .parent = TYPE_CONFIDENTIAL_GUEST_SUPPORT,
+ .parent = TYPE_SEV_COMMON,
.name = TYPE_SEV_GUEST,
.instance_size = sizeof(SevGuestState),
- .instance_finalize = sev_guest_finalize,
- .class_init = sev_guest_class_init,
.instance_init = sev_guest_instance_init,
- .interfaces = (InterfaceInfo[]) {
- { TYPE_USER_CREATABLE },
- { }
- }
+ .class_init = sev_guest_class_init,
};
bool
sev_enabled(void)
{
- return !!sev_guest;
+ ConfidentialGuestSupport *cgs = MACHINE(qdev_get_machine())->cgs;
+
+ return !!object_dynamic_cast(OBJECT(cgs), TYPE_SEV_COMMON);
}
bool
sev_es_enabled(void)
{
- return sev_enabled() && (sev_guest->policy & SEV_POLICY_ES);
+ ConfidentialGuestSupport *cgs = MACHINE(qdev_get_machine())->cgs;
+
+ return sev_enabled() && (SEV_GUEST(cgs)->policy & SEV_POLICY_ES);
}
uint64_t
sev_get_me_mask(void)
{
- return sev_guest ? sev_guest->me_mask : ~0;
+ SevCommonState *sev_common = SEV_COMMON(MACHINE(qdev_get_machine())->cgs);
+
+ return sev_common ? sev_common->me_mask : ~0;
}
uint32_t
sev_get_cbit_position(void)
{
- return sev_guest ? sev_guest->cbitpos : 0;
+ SevCommonState *sev_common = SEV_COMMON(MACHINE(qdev_get_machine())->cgs);
+
+ return sev_common ? sev_common->cbitpos : 0;
}
uint32_t
sev_get_reduced_phys_bits(void)
{
- return sev_guest ? sev_guest->reduced_phys_bits : 0;
+ SevCommonState *sev_common = SEV_COMMON(MACHINE(qdev_get_machine())->cgs);
+
+ return sev_common ? sev_common->reduced_phys_bits : 0;
}
SevInfo *
sev_get_info(void)
{
SevInfo *info;
+ SevCommonState *sev_common = SEV_COMMON(MACHINE(qdev_get_machine())->cgs);
+ SevGuestState *sev_guest =
+ (SevGuestState *)object_dynamic_cast(OBJECT(sev_common),
+ TYPE_SEV_GUEST);
info = g_new0(SevInfo, 1);
info->enabled = sev_enabled();
if (info->enabled) {
- info->api_major = sev_guest->api_major;
- info->api_minor = sev_guest->api_minor;
- info->build_id = sev_guest->build_id;
- info->policy = sev_guest->policy;
- info->state = sev_guest->state;
- info->handle = sev_guest->handle;
+ if (sev_guest) {
+ info->handle = sev_guest->handle;
+ }
+ info->api_major = sev_common->api_major;
+ info->api_minor = sev_common->api_minor;
+ info->build_id = sev_common->build_id;
+ info->state = sev_common->state;
+ /* we only report the lower 32-bits of policy for SNP, ok for now... */
+ info->policy =
+ (uint32_t)object_property_get_uint(OBJECT(sev_common),
+ "policy", NULL);
}
return info;
@@ -452,6 +485,8 @@ sev_get_capabilities(Error **errp)
size_t pdh_len = 0, cert_chain_len = 0;
uint32_t ebx;
int fd;
+ SevCommonState *sev_common;
+ char *sev_device;
if (!kvm_enabled()) {
error_setg(errp, "KVM not enabled");
@@ -462,12 +497,21 @@ sev_get_capabilities(Error **errp)
return NULL;
}
- fd = open(DEFAULT_SEV_DEVICE, O_RDWR);
+ sev_common = SEV_COMMON(MACHINE(qdev_get_machine())->cgs);
+ if (!sev_common) {
+ error_setg(errp, "SEV is not configured");
+ }
+
+ sev_device = object_property_get_str(OBJECT(sev_common), "sev-device",
+ &error_abort);
+ fd = open(sev_device, O_RDWR);
if (fd < 0) {
error_setg_errno(errp, errno, "Failed to open %s",
DEFAULT_SEV_DEVICE);
+ g_free(sev_device);
return NULL;
}
+ g_free(sev_device);
if (sev_get_pdh_info(fd, &pdh_data, &pdh_len,
&cert_chain_data, &cert_chain_len, errp)) {
@@ -499,7 +543,7 @@ sev_get_attestation_report(const char *mnonce, Error **errp)
{
struct kvm_sev_attestation_report input = {};
SevAttestationReport *report = NULL;
- SevGuestState *sev = sev_guest;
+ SevCommonState *sev_common;
guchar *data;
guchar *buf;
gsize len;
@@ -525,8 +569,10 @@ sev_get_attestation_report(const char *mnonce, Error **errp)
return NULL;
}
+ sev_common = SEV_COMMON(MACHINE(qdev_get_machine())->cgs);
+
/* Query the report length */
- ret = sev_ioctl(sev->sev_fd, KVM_SEV_GET_ATTESTATION_REPORT,
+ ret = sev_ioctl(sev_common->sev_fd, KVM_SEV_GET_ATTESTATION_REPORT,
&input, &err);
if (ret < 0) {
if (err != SEV_RET_INVALID_LEN) {
@@ -542,7 +588,7 @@ sev_get_attestation_report(const char *mnonce, Error **errp)
memcpy(input.mnonce, buf, sizeof(input.mnonce));
/* Query the report */
- ret = sev_ioctl(sev->sev_fd, KVM_SEV_GET_ATTESTATION_REPORT,
+ ret = sev_ioctl(sev_common->sev_fd, KVM_SEV_GET_ATTESTATION_REPORT,
&input, &err);
if (ret) {
error_setg_errno(errp, errno, "Failed to get attestation report"
@@ -579,28 +625,29 @@ sev_read_file_base64(const char *filename, guchar **data, gsize *len)
}
static int
-sev_launch_start(SevGuestState *sev)
+sev_launch_start(SevGuestState *sev_guest)
{
gsize sz;
int ret = 1;
int fw_error, rc;
struct kvm_sev_launch_start *start;
guchar *session = NULL, *dh_cert = NULL;
+ SevCommonState *sev_common = SEV_COMMON(sev_guest);
start = g_new0(struct kvm_sev_launch_start, 1);
- start->handle = sev->handle;
- start->policy = sev->policy;
- if (sev->session_file) {
- if (sev_read_file_base64(sev->session_file, &session, &sz) < 0) {
+ start->handle = sev_guest->handle;
+ start->policy = sev_guest->policy;
+ if (sev_guest->session_file) {
+ if (sev_read_file_base64(sev_guest->session_file, &session, &sz) < 0) {
goto out;
}
start->session_uaddr = (unsigned long)session;
start->session_len = sz;
}
- if (sev->dh_cert_file) {
- if (sev_read_file_base64(sev->dh_cert_file, &dh_cert, &sz) < 0) {
+ if (sev_guest->dh_cert_file) {
+ if (sev_read_file_base64(sev_guest->dh_cert_file, &dh_cert, &sz) < 0) {
goto out;
}
start->dh_uaddr = (unsigned long)dh_cert;
@@ -608,15 +655,15 @@ sev_launch_start(SevGuestState *sev)
}
trace_kvm_sev_launch_start(start->policy, session, dh_cert);
- rc = sev_ioctl(sev->sev_fd, KVM_SEV_LAUNCH_START, start, &fw_error);
+ rc = sev_ioctl(sev_common->sev_fd, KVM_SEV_LAUNCH_START, start, &fw_error);
if (rc < 0) {
error_report("%s: LAUNCH_START ret=%d fw_error=%d '%s'",
__func__, ret, fw_error, fw_error_to_str(fw_error));
goto out;
}
- sev_set_guest_state(sev, SEV_STATE_LAUNCH_UPDATE);
- sev->handle = start->handle;
+ sev_set_guest_state(sev_common, SEV_STATE_LAUNCH_UPDATE);
+ sev_guest->handle = start->handle;
ret = 0;
out:
@@ -627,7 +674,7 @@ out:
}
static int
-sev_launch_update_data(SevGuestState *sev, uint8_t *addr, uint64_t len)
+sev_launch_update_data(SevGuestState *sev_guest, uint8_t *addr, uint64_t len)
{
int ret, fw_error;
struct kvm_sev_launch_update_data update;
@@ -639,7 +686,7 @@ sev_launch_update_data(SevGuestState *sev, uint8_t *addr, uint64_t len)
update.uaddr = (__u64)(unsigned long)addr;
update.len = len;
trace_kvm_sev_launch_update_data(addr, len);
- ret = sev_ioctl(sev->sev_fd, KVM_SEV_LAUNCH_UPDATE_DATA,
+ ret = sev_ioctl(SEV_COMMON(sev_guest)->sev_fd, KVM_SEV_LAUNCH_UPDATE_DATA,
&update, &fw_error);
if (ret) {
error_report("%s: LAUNCH_UPDATE ret=%d fw_error=%d '%s'",
@@ -650,11 +697,12 @@ sev_launch_update_data(SevGuestState *sev, uint8_t *addr, uint64_t len)
}
static int
-sev_launch_update_vmsa(SevGuestState *sev)
+sev_launch_update_vmsa(SevGuestState *sev_guest)
{
int ret, fw_error;
- ret = sev_ioctl(sev->sev_fd, KVM_SEV_LAUNCH_UPDATE_VMSA, NULL, &fw_error);
+ ret = sev_ioctl(SEV_COMMON(sev_guest)->sev_fd, KVM_SEV_LAUNCH_UPDATE_VMSA,
+ NULL, &fw_error);
if (ret) {
error_report("%s: LAUNCH_UPDATE_VMSA ret=%d fw_error=%d '%s'",
__func__, ret, fw_error, fw_error_to_str(fw_error));
@@ -666,18 +714,19 @@ sev_launch_update_vmsa(SevGuestState *sev)
static void
sev_launch_get_measure(Notifier *notifier, void *unused)
{
- SevGuestState *sev = sev_guest;
+ SevCommonState *sev_common = SEV_COMMON(MACHINE(qdev_get_machine())->cgs);
+ SevGuestState *sev_guest = SEV_GUEST(sev_common);
int ret, error;
guchar *data;
struct kvm_sev_launch_measure *measurement;
- if (!sev_check_state(sev, SEV_STATE_LAUNCH_UPDATE)) {
+ if (!sev_check_state(sev_common, SEV_STATE_LAUNCH_UPDATE)) {
return;
}
if (sev_es_enabled()) {
/* measure all the VM save areas before getting launch_measure */
- ret = sev_launch_update_vmsa(sev);
+ ret = sev_launch_update_vmsa(sev_guest);
if (ret) {
exit(1);
}
@@ -686,7 +735,7 @@ sev_launch_get_measure(Notifier *notifier, void *unused)
measurement = g_new0(struct kvm_sev_launch_measure, 1);
/* query the measurement blob length */
- ret = sev_ioctl(sev->sev_fd, KVM_SEV_LAUNCH_MEASURE,
+ ret = sev_ioctl(sev_common->sev_fd, KVM_SEV_LAUNCH_MEASURE,
measurement, &error);
if (!measurement->len) {
error_report("%s: LAUNCH_MEASURE ret=%d fw_error=%d '%s'",
@@ -698,7 +747,7 @@ sev_launch_get_measure(Notifier *notifier, void *unused)
measurement->uaddr = (unsigned long)data;
/* get the measurement blob */
- ret = sev_ioctl(sev->sev_fd, KVM_SEV_LAUNCH_MEASURE,
+ ret = sev_ioctl(sev_common->sev_fd, KVM_SEV_LAUNCH_MEASURE,
measurement, &error);
if (ret) {
error_report("%s: LAUNCH_MEASURE ret=%d fw_error=%d '%s'",
@@ -706,11 +755,11 @@ sev_launch_get_measure(Notifier *notifier, void *unused)
goto free_data;
}
- sev_set_guest_state(sev, SEV_STATE_LAUNCH_SECRET);
+ sev_set_guest_state(sev_common, SEV_STATE_LAUNCH_SECRET);
/* encode the measurement value and emit the event */
- sev->measurement = g_base64_encode(data, measurement->len);
- trace_kvm_sev_launch_measurement(sev->measurement);
+ sev_guest->measurement = g_base64_encode(data, measurement->len);
+ trace_kvm_sev_launch_measurement(sev_guest->measurement);
free_data:
g_free(data);
@@ -721,8 +770,10 @@ free_measurement:
char *
sev_get_launch_measurement(void)
{
+ SevGuestState *sev_guest = SEV_GUEST(MACHINE(qdev_get_machine())->cgs);
+
if (sev_guest &&
- sev_guest->state >= SEV_STATE_LAUNCH_SECRET) {
+ SEV_COMMON(sev_guest)->state >= SEV_STATE_LAUNCH_SECRET) {
return g_strdup(sev_guest->measurement);
}
@@ -734,20 +785,21 @@ static Notifier sev_machine_done_notify = {
};
static void
-sev_launch_finish(SevGuestState *sev)
+sev_launch_finish(SevGuestState *sev_guest)
{
int ret, error;
Error *local_err = NULL;
trace_kvm_sev_launch_finish();
- ret = sev_ioctl(sev->sev_fd, KVM_SEV_LAUNCH_FINISH, 0, &error);
+ ret = sev_ioctl(SEV_COMMON(sev_guest)->sev_fd, KVM_SEV_LAUNCH_FINISH, 0,
+ &error);
if (ret) {
error_report("%s: LAUNCH_FINISH ret=%d fw_error=%d '%s'",
__func__, ret, error, fw_error_to_str(error));
exit(1);
}
- sev_set_guest_state(sev, SEV_STATE_RUNNING);
+ sev_set_guest_state(SEV_COMMON(sev_guest), SEV_STATE_RUNNING);
/* add migration blocker */
error_setg(&sev_mig_blocker,
@@ -763,26 +815,25 @@ sev_launch_finish(SevGuestState *sev)
static void
sev_vm_state_change(void *opaque, bool running, RunState state)
{
- SevGuestState *sev = opaque;
+ SevCommonState *sev_common = opaque;
if (running) {
- if (!sev_check_state(sev, SEV_STATE_RUNNING)) {
- sev_launch_finish(sev);
+ if (!sev_check_state(sev_common, SEV_STATE_RUNNING)) {
+ sev_launch_finish(SEV_GUEST(sev_common));
}
}
}
int sev_kvm_init(ConfidentialGuestSupport *cgs, Error **errp)
{
- SevGuestState *sev
- = (SevGuestState *)object_dynamic_cast(OBJECT(cgs), TYPE_SEV_GUEST);
+ SevCommonState *sev_common = SEV_COMMON(cgs);
char *devname;
int ret, fw_error, cmd;
uint32_t ebx;
uint32_t host_cbitpos;
struct sev_user_data_status status = {};
- if (!sev) {
+ if (!sev_common) {
return 0;
}
@@ -792,29 +843,28 @@ int sev_kvm_init(ConfidentialGuestSupport *cgs, Error **errp)
return -1;
}
- sev_guest = sev;
- sev->state = SEV_STATE_UNINIT;
+ sev_common->state = SEV_STATE_UNINIT;
host_cpuid(0x8000001F, 0, NULL, &ebx, NULL, NULL);
host_cbitpos = ebx & 0x3f;
- if (host_cbitpos != sev->cbitpos) {
+ if (host_cbitpos != sev_common->cbitpos) {
error_setg(errp, "%s: cbitpos check failed, host '%d' requested '%d'",
- __func__, host_cbitpos, sev->cbitpos);
+ __func__, host_cbitpos, sev_common->cbitpos);
goto err;
}
- if (sev->reduced_phys_bits < 1) {
+ if (sev_common->reduced_phys_bits < 1) {
error_setg(errp, "%s: reduced_phys_bits check failed, it should be >=1,"
- " requested '%d'", __func__, sev->reduced_phys_bits);
+ " requested '%d'", __func__, sev_common->reduced_phys_bits);
goto err;
}
- sev->me_mask = ~(1UL << sev->cbitpos);
+ sev_common->me_mask = ~(1UL << sev_common->cbitpos);
- devname = object_property_get_str(OBJECT(sev), "sev-device", NULL);
- sev->sev_fd = open(devname, O_RDWR);
- if (sev->sev_fd < 0) {
+ devname = object_property_get_str(OBJECT(sev_common), "sev-device", NULL);
+ sev_common->sev_fd = open(devname, O_RDWR);
+ if (sev_common->sev_fd < 0) {
error_setg(errp, "%s: Failed to open %s '%s'", __func__,
devname, strerror(errno));
g_free(devname);
@@ -822,7 +872,7 @@ int sev_kvm_init(ConfidentialGuestSupport *cgs, Error **errp)
}
g_free(devname);
- ret = sev_platform_ioctl(sev->sev_fd, SEV_PLATFORM_STATUS, &status,
+ ret = sev_platform_ioctl(sev_common->sev_fd, SEV_PLATFORM_STATUS, &status,
&fw_error);
if (ret) {
error_setg(errp, "%s: failed to get platform status ret=%d "
@@ -830,9 +880,9 @@ int sev_kvm_init(ConfidentialGuestSupport *cgs, Error **errp)
fw_error_to_str(fw_error));
goto err;
}
- sev->build_id = status.build;
- sev->api_major = status.api_major;
- sev->api_minor = status.api_minor;
+ sev_common->build_id = status.build;
+ sev_common->api_major = status.api_major;
+ sev_common->api_minor = status.api_minor;
if (sev_es_enabled()) {
if (!kvm_kernel_irqchip_allowed()) {
@@ -853,14 +903,14 @@ int sev_kvm_init(ConfidentialGuestSupport *cgs, Error **errp)
}
trace_kvm_sev_init();
- ret = sev_ioctl(sev->sev_fd, cmd, NULL, &fw_error);
+ ret = sev_ioctl(sev_common->sev_fd, cmd, NULL, &fw_error);
if (ret) {
error_setg(errp, "%s: failed to initialize ret=%d fw_error=%d '%s'",
__func__, ret, fw_error, fw_error_to_str(fw_error));
goto err;
}
- ret = sev_launch_start(sev);
+ ret = sev_launch_start(SEV_GUEST(sev_common));
if (ret) {
error_setg(errp, "%s: failed to create encryption context", __func__);
goto err;
@@ -868,13 +918,12 @@ int sev_kvm_init(ConfidentialGuestSupport *cgs, Error **errp)
ram_block_notifier_add(&sev_ram_notifier);
qemu_add_machine_init_done_notifier(&sev_machine_done_notify);
- qemu_add_vm_change_state_handler(sev_vm_state_change, sev);
+ qemu_add_vm_change_state_handler(sev_vm_state_change, sev_common);
cgs->ready = true;
return 0;
err:
- sev_guest = NULL;
ram_block_discard_disable(false);
return -1;
}
@@ -882,13 +931,15 @@ err:
int
sev_encrypt_flash(uint8_t *ptr, uint64_t len, Error **errp)
{
- if (!sev_guest) {
+ SevCommonState *sev_common = SEV_COMMON(MACHINE(qdev_get_machine())->cgs);
+
+ if (!sev_common) {
return 0;
}
/* if SEV is in update state then encrypt the data else do nothing */
- if (sev_check_state(sev_guest, SEV_STATE_LAUNCH_UPDATE)) {
- int ret = sev_launch_update_data(sev_guest, ptr, len);
+ if (sev_check_state(sev_common, SEV_STATE_LAUNCH_UPDATE)) {
+ int ret = sev_launch_update_data(SEV_GUEST(sev_common), ptr, len);
if (ret < 0) {
error_setg(errp, "failed to encrypt pflash rom");
return ret;
@@ -907,16 +958,17 @@ int sev_inject_launch_secret(const char *packet_hdr, const char *secret,
void *hva;
gsize hdr_sz = 0, data_sz = 0;
MemoryRegion *mr = NULL;
+ SevCommonState *sev_common = SEV_COMMON(MACHINE(qdev_get_machine())->cgs);
- if (!sev_guest) {
+ if (!sev_common) {
error_setg(errp, "SEV: SEV not enabled.");
return 1;
}
/* secret can be injected only in this state */
- if (!sev_check_state(sev_guest, SEV_STATE_LAUNCH_SECRET)) {
+ if (!sev_check_state(sev_common, SEV_STATE_LAUNCH_SECRET)) {
error_setg(errp, "SEV: Not in correct state. (LSECRET) %x",
- sev_guest->state);
+ sev_common->state);
return 1;
}
@@ -950,7 +1002,7 @@ int sev_inject_launch_secret(const char *packet_hdr, const char *secret,
trace_kvm_sev_launch_secret(gpa, input.guest_uaddr,
input.trans_uaddr, input.trans_len);
- ret = sev_ioctl(sev_guest->sev_fd, KVM_SEV_LAUNCH_SECRET,
+ ret = sev_ioctl(sev_common->sev_fd, KVM_SEV_LAUNCH_SECRET,
&input, &error);
if (ret) {
error_setg(errp, "SEV: failed to inject secret ret=%d fw_error=%d '%s'",
@@ -1026,9 +1078,10 @@ void sev_es_set_reset_vector(CPUState *cpu)
{
X86CPU *x86;
CPUX86State *env;
+ SevCommonState *sev_common = SEV_COMMON(MACHINE(qdev_get_machine())->cgs);
/* Only update if we have valid reset information */
- if (!sev_guest || !sev_guest->reset_data_valid) {
+ if (!sev_common || !sev_common->reset_data_valid) {
return;
}
@@ -1040,11 +1093,11 @@ void sev_es_set_reset_vector(CPUState *cpu)
x86 = X86_CPU(cpu);
env = &x86->env;
- cpu_x86_load_seg_cache(env, R_CS, 0xf000, sev_guest->reset_cs, 0xffff,
+ cpu_x86_load_seg_cache(env, R_CS, 0xf000, sev_common->reset_cs, 0xffff,
DESC_P_MASK | DESC_S_MASK | DESC_CS_MASK |
DESC_R_MASK | DESC_A_MASK);
- env->eip = sev_guest->reset_ip;
+ env->eip = sev_common->reset_ip;
}
int sev_es_save_reset_vector(void *flash_ptr, uint64_t flash_size)
@@ -1052,6 +1105,7 @@ int sev_es_save_reset_vector(void *flash_ptr, uint64_t flash_size)
CPUState *cpu;
uint32_t addr;
int ret;
+ SevCommonState *sev_common = SEV_COMMON(MACHINE(qdev_get_machine())->cgs);
if (!sev_es_enabled()) {
return 0;
@@ -1065,9 +1119,9 @@ int sev_es_save_reset_vector(void *flash_ptr, uint64_t flash_size)
}
if (addr) {
- sev_guest->reset_cs = addr & 0xffff0000;
- sev_guest->reset_ip = addr & 0x0000ffff;
- sev_guest->reset_data_valid = true;
+ sev_common->reset_cs = addr & 0xffff0000;
+ sev_common->reset_ip = addr & 0x0000ffff;
+ sev_common->reset_data_valid = true;
CPU_FOREACH(cpu) {
sev_es_set_reset_vector(cpu);
@@ -1080,6 +1134,7 @@ int sev_es_save_reset_vector(void *flash_ptr, uint64_t flash_size)
static void
sev_register_types(void)
{
+ type_register_static(&sev_common_info);
type_register_static(&sev_guest_info);
}
--
2.25.1
next prev parent reply other threads:[~2021-08-26 22:27 UTC|newest]
Thread overview: 61+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-26 22:26 [RFC PATCH v2 00/12] Add AMD Secure Nested Paging (SEV-SNP) support Michael Roth
2021-08-26 22:26 ` Michael Roth [this message]
2021-09-01 14:18 ` [RFC PATCH v2 01/12] i386/sev: introduce "sev-common" type to encapsulate common SEV state Markus Armbruster
2021-09-03 15:11 ` Michael Roth
2021-08-26 22:26 ` [RFC PATCH v2 02/12] linux-header: add the SNP specific command Michael Roth
2021-09-03 20:36 ` Dov Murik
2021-09-03 20:36 ` Dov Murik
2021-09-07 14:27 ` Michael Roth
2021-08-26 22:26 ` [RFC PATCH v2 03/12] i386/sev: introduce 'sev-snp-guest' object Michael Roth
2021-09-01 14:29 ` Markus Armbruster
2021-09-03 15:15 ` Michael Roth
2021-09-03 21:12 ` Dov Murik
2021-09-03 21:12 ` Dov Murik
2021-09-07 14:20 ` Michael Roth
2021-08-26 22:26 ` [RFC PATCH v2 04/12] i386/sev: initialize SNP context Michael Roth
2021-09-05 7:07 ` Dov Murik
2021-09-05 7:07 ` Dov Murik
2021-09-05 13:58 ` Brijesh Singh
2021-09-05 17:09 ` Dov Murik
2021-09-05 17:09 ` Dov Murik
2021-09-05 9:19 ` Dov Murik
2021-09-05 9:19 ` Dov Murik
2021-09-05 14:05 ` Brijesh Singh
2021-09-05 17:03 ` Dov Murik
2021-09-05 17:03 ` Dov Murik
2021-08-26 22:26 ` [RFC PATCH v2 05/12] i386/sev: add the SNP launch start context Michael Roth
2021-08-26 22:26 ` [RFC PATCH v2 06/12] i386/sev: add support to encrypt BIOS when SEV-SNP is enabled Michael Roth
2021-08-26 22:26 ` [RFC PATCH v2 07/12] i386/sev: populate secrets and cpuid page and finalize the SNP launch Michael Roth
2021-09-03 20:24 ` Dov Murik
2021-09-03 20:24 ` Dov Murik
2021-09-07 16:18 ` Michael Roth
2021-08-26 22:26 ` [RFC PATCH v2 08/12] target/i386: set SEV-SNP CPUID bit when SNP enabled Michael Roth
2021-08-26 22:26 ` [RFC PATCH v2 09/12] target/i386: allow versioned CPUs to specify new cache_info Michael Roth
2021-08-26 22:26 ` [RFC PATCH v2 10/12] target/i386: add new EPYC CPU versions with updated cache_info Michael Roth
2021-08-26 22:26 ` [RFC PATCH v2 11/12] i386/sev: sev-snp: add support for CPUID validation Michael Roth
2021-09-05 10:02 ` Dov Murik
2021-09-05 10:02 ` Dov Murik
2021-09-07 16:50 ` Michael Roth
2021-09-07 17:44 ` Dov Murik
2021-09-07 17:44 ` Dov Murik
2021-08-26 22:26 ` [RFC PATCH v2 12/12] i386/sev: update query-sev QAPI format to handle SEV-SNP Michael Roth
2021-09-01 14:14 ` Markus Armbruster
2021-09-03 15:13 ` Michael Roth
2021-09-03 15:30 ` Daniel P. Berrangé
2021-09-03 15:30 ` Daniel P. Berrangé
2021-09-03 15:43 ` Michael Roth
2021-09-03 15:43 ` Michael Roth via
2021-09-03 15:58 ` Daniel P. Berrangé
2021-09-03 15:58 ` Daniel P. Berrangé
2021-09-03 16:01 ` Daniel P. Berrangé
2021-09-03 16:01 ` Daniel P. Berrangé
2021-09-04 5:41 ` Markus Armbruster
2021-09-07 11:52 ` Dr. David Alan Gilbert
2021-09-07 11:52 ` Dr. David Alan Gilbert
2021-09-07 14:33 ` Michael Roth
2021-09-07 14:33 ` Michael Roth via
2021-09-03 15:27 ` Daniel P. Berrangé
2021-09-03 15:27 ` Daniel P. Berrangé
2021-11-16 9:23 ` [RFC PATCH v2 00/12] Add AMD Secure Nested Paging (SEV-SNP) support Daniel P. Berrangé
2021-11-16 9:23 ` Daniel P. Berrangé
2021-11-16 11:54 ` Brijesh Singh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210826222627.3556-2-michael.roth@amd.com \
--to=michael.roth@amd.com \
--cc=armbru@redhat.com \
--cc=berrange@redhat.com \
--cc=brijesh.singh@amd.com \
--cc=ckuehl@redhat.com \
--cc=david@gibson.dropbear.id.au \
--cc=dgilbert@redhat.com \
--cc=dovmurik@linux.ibm.com \
--cc=eblake@redhat.com \
--cc=ehabkost@redhat.com \
--cc=jejb@linux.ibm.com \
--cc=kvm@vger.kernel.org \
--cc=mst@redhat.com \
--cc=pbonzini@redhat.com \
--cc=philmd@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=thomas.lendacky@amd.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.