This RFC patch series is based on AMD's RFC upmv10-snpv3 tree [1].

In order to enable measured direct kernel boot on SNP, QEMU needs to
fill the hashes page when kernel-hashes=on. This relies on several
changes to the SNP metadata published by OVMF (See [2] for proposed
OVMF patches).

Patch 1 pulls the 'kernel-hashes' property from the SEV guest settings
to the common settings to make it available for both SEV and SNP.

Patch 2 adds the hashes table for SNP guests (or validates the page as a
zero page if kernel-hashes=off).

This patch series is also available at [3].

[1] https://github.com/mdroth/qemu/commits/upmv10-snpv3
[2] https://edk2.groups.io/g/devel/message/100286
[3] https://github.com/confidential-containers-demo/qemu/tree/snp-kernel-hashes-v2

v2 changes:
* Rebase on top of upmv10-snpv3 which includes kernel-hashes.

v1: https://lore.kernel.org/qemu-devel/20220329064038.96006-1-dovmurik%40linux.ibm.com/

Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Daniel P. Berrangé <berrange@redhat.com>
Cc: Dr. David Alan Gilbert <dgilbert@redhat.com>
Cc: Eduardo Habkost <eduardo@habkost.net>
Cc: Eric Blake <eblake@redhat.com>
Cc: Markus Armbruster <armbru@redhat.com>
Cc: Marcelo Tosatti <mtosatti@redhat.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Michael Roth <michael.roth@amd.com>
Cc: Ashish Kalra <ashish.kalra@amd.com>
Cc: Mario Smarduch <mario.smarduch@amd.com>
Cc: Tobin Feldman-Fitzthum <tobin@linux.ibm.com>

Dov Murik (2):
  qapi, i386: Move kernel-hashes to SevCommonProperties
  i386/sev: Allow measured direct kernel boot on SNP

 qapi/qom.json     | 12 +++---
 target/i386/sev.c | 95 +++++++++++++++++++++++++++++------------------
 2 files changed, 65 insertions(+), 42 deletions(-)

-- 
2.25.1
On Thu, Feb 16, 2023 at 08:49:11AM +0000, Dov Murik wrote:
> This RFC patch series is based on AMD's RFC upmv10-snpv3 tree [1].

I've seen postings of the kernel patches for SNP using the kernel
UPM support, but I don't recall ever seeing these QEMU pieces
posted for review. The code in that QEMU branch looks different
from the last posting of SNP to qemu-devel years ago.

IMHO it would be very desirable if that QEMU UPM tree was submitted
to qemu-devel for review feedback, before requesting review of patches
that build on top of it.

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
* Daniel P. Berrangé (berrange@redhat.com) wrote:
> On Thu, Feb 16, 2023 at 08:49:11AM +0000, Dov Murik wrote:
> > This RFC patch series is based on AMD's RFC upmv10-snpv3 tree [1].
> 
> I've seen postings of the kernel patches for SNP using the kernel
> UPM support, but I don't recall ever seeing these QEMU pieces
> posted for review. The code in that QEMU branch looks different
> from the last posting of SNP to qemu-devel years ago.
> 
> IMHO it would be very desirable if that QEMU UPM tree was submitted
> to qemu-devel for review feedback

Some of the patches in there look like they're not dependent on SNP or
the UPM interface; (eg some CPU model updates). It's probably worth
posting those separately so that they can be reviewed and merged and
out of the way.

> before requesting review of patches
> that build on top of it.

But at the same time it seems right for Dov to send these patches for
review.

Dave

> 
> With regards,
> Daniel
> -- 
> |: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
> |: https://libvirt.org         -o-            https://fstop138.berrange.com :|
> |: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
> 
-- 
Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK
On 16/02/2023 10:49, Dov Murik wrote:
> This RFC patch series is based on AMD's RFC upmv10-snpv3 tree [1].
> 

Note that in order to test this you must use '-machine pc-q35-7.1' to
circumvent the SETUP_RNG_SEED bug [1] that interferes with the measured
kernel.

[1] https://lore.kernel.org/qemu-devel/20230208211212.41951-1-mst@redhat.com/

-Dov

> 
> In order to enable measured direct kernel boot on SNP, QEMU needs to
> fill the hashes page when kernel-hashes=on. This relies on several
> changes to the SNP metadata published by OVMF (See [2] for proposed
> OVMF patches).
> 
> Patch 1 pulls the 'kernel-hashes' property from the SEV guest settings
> to the common settings to make it available for both SEV and SNP.
> 
> Patch 2 adds the hashes table for SNP guests (or validates the page as a
> zero page if kernel-hashes=off).
> 
> This patch series is also available at [3].
> 
> 
> [1] https://github.com/mdroth/qemu/commits/upmv10-snpv3
> [2] https://edk2.groups.io/g/devel/message/100286
> [3] https://github.com/confidential-containers-demo/qemu/tree/snp-kernel-hashes-v2
> 
> v2 changes:
> * Rebase on top of upmv10-snpv3 which includes kernel-hashes.
> 
> v1: https://lore.kernel.org/qemu-devel/20220329064038.96006-1-dovmurik%40linux.ibm.com/
> 
> Cc: Paolo Bonzini <pbonzini@redhat.com>
> Cc: Daniel P. Berrangé <berrange@redhat.com>
> Cc: Dr. David Alan Gilbert <dgilbert@redhat.com>
> Cc: Eduardo Habkost <eduardo@habkost.net>
> Cc: Eric Blake <eblake@redhat.com>
> Cc: Markus Armbruster <armbru@redhat.com>
> Cc: Marcelo Tosatti <mtosatti@redhat.com>
> Cc: Gerd Hoffmann <kraxel@redhat.com>
> Cc: James Bottomley <jejb@linux.ibm.com>
> Cc: Tom Lendacky <thomas.lendacky@amd.com>
> Cc: Michael Roth <michael.roth@amd.com>
> Cc: Ashish Kalra <ashish.kalra@amd.com>
> Cc: Mario Smarduch <mario.smarduch@amd.com>
> Cc: Tobin Feldman-Fitzthum <tobin@linux.ibm.com>
> 
> Dov Murik (2):
>   qapi, i386: Move kernel-hashes to SevCommonProperties
>   i386/sev: Allow measured direct kernel boot on SNP
> 
>  qapi/qom.json     | 12 +++---
>  target/i386/sev.c | 95 +++++++++++++++++++++++++++++------------------
>  2 files changed, 65 insertions(+), 42 deletions(-)
> 