From nobody Sun Feb 8 21:33:42 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 170.10.129.124 as permitted sender) client-ip=170.10.129.124; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-124.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.129.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1666174665; cv=none; d=zohomail.com; s=zohoarc; b=O8Pazhl70pEPelAv76WialjMD53P4WtrfFnIggUGiT5upLu5c1AvzH+bg22Sk97gzj84rnh5w8muySFIvB1N38P8UbPKSU0lWA8DHg80KbLBiHGHf2O4TawaJz5knr+2hEI3TnZ5QKq8EP78McoHQnmjP93qzWmOyXk49P+/Kp4= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1666174665; h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=reDonJEk6lLzFi2K95aKhJJUqB0+UFrSkeyDpO8ZKMo=; b=CzJMwx62qLH4MdWoP/sFPFKZg+mOLoZxIizywpS/HyFwmIdFNqzeuqnCH2/zBJfbbgUNzHAwP6TzQ/UKjhwkKUBZaIPvxbv3CoG0038OwTbe0nPxSLED5QjKyM0aBHSbfiLJEfquxWDMQrntKst7yMswSrTW+78VfAaZFC3/iPk= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.129.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by mx.zohomail.com with SMTPS id 166617466534172.25973474898979; Wed, 19 Oct 2022 03:17:45 -0700 (PDT) Received: from mimecast-mx02.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-639-Mj9zNd4LMIKT7J0eqm7F8w-1; Wed, 19 Oct 2022 06:17:39 -0400 Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.rdu2.redhat.com [10.11.54.5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id ECC591C1A948; Wed, 19 Oct 2022 10:17:29 +0000 (UTC) Received: from mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (unknown [10.30.29.100]) by smtp.corp.redhat.com (Postfix) with ESMTP id D221439D6A; Wed, 19 Oct 2022 10:17:29 +0000 (UTC) Received: from mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (localhost [IPv6:::1]) by mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (Postfix) with ESMTP id 783551946A4F; Wed, 19 Oct 2022 10:17:28 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.rdu2.redhat.com [10.11.54.7]) by mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (Postfix) with ESMTP id 9E9741946587 for ; Wed, 19 Oct 2022 10:17:26 +0000 (UTC) Received: by smtp.corp.redhat.com (Postfix) id 817211468702; Wed, 19 Oct 2022 10:17:26 +0000 (UTC) Received: from localhost.localdomain.com (unknown [10.33.36.69]) by smtp.corp.redhat.com (Postfix) with ESMTP id F11251468704; Wed, 19 Oct 2022 10:17:25 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1666174663; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=reDonJEk6lLzFi2K95aKhJJUqB0+UFrSkeyDpO8ZKMo=; b=Hj8rnbKMKhhAAx28VxD8CCNU7Jb2JfSg9ZRoT8CIynu5u7pS1gQ3RiQ5/VHzOi87h6xH2V C2Kt5zT2MTAwCZA15M09pZBExK5zf8ir4FGCU0TZ6pahpYY0sHcOTCwFMKwYelfgsdwtTc YsYbIyFi8BBzpAxQqAJH8AQLnOI74A8= X-MC-Unique: Mj9zNd4LMIKT7J0eqm7F8w-1 X-Original-To: libvir-list@listman.corp.redhat.com From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= To: libvir-list@redhat.com Subject: [libvirt PATCH v2 11/12] scripts: add systemtap script for capturing SEV-ES VMSA Date: Wed, 19 Oct 2022 11:17:11 +0100 Message-Id: <20221019101712.2231862-12-berrange@redhat.com> In-Reply-To: <20221019101712.2231862-1-berrange@redhat.com> References: <20221019101712.2231862-1-berrange@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.1 on 10.11.54.7 X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: libvir-list-bounces@redhat.com Sender: "libvir-list" X-Scanned-By: MIMEDefang 3.1 on 10.11.54.5 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1666174666215100001 In general we expect to be able to construct a SEV-ES VMSA blob from knowledge about the AMD achitectural CPU register defaults, KVM setup and QEMU setup. If any of this unexpectedly changes, figuring out what's wrong could be horrible. This systemtap script demonstrates how to capture the real VMSA that is used for a SEV-ES as it is booted. The captured data can be fed into the 'sevctl vmsa show' command in order to produce formatted info with named registers, allowing a 'diff' to be performed. This script will need updating for any kernel version that is not 6.0, to set the correct line numbers. Signed-off-by: Daniel P. Berrang=C3=A9 --- examples/systemtap/amd-sev-es-vmsa.stp | 48 ++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 examples/systemtap/amd-sev-es-vmsa.stp diff --git a/examples/systemtap/amd-sev-es-vmsa.stp b/examples/systemtap/am= d-sev-es-vmsa.stp new file mode 100644 index 0000000000..551ed739b7 --- /dev/null +++ b/examples/systemtap/amd-sev-es-vmsa.stp @@ -0,0 +1,48 @@ +#!/usr/bin/stap +# +# Copyright (C) 2022 Red Hat, Inc. +# +# This library is free software; you can redistribute it and/or +# modify it under the terms of the GNU Lesser General Public +# License as published by the Free Software Foundation; either +# version 2.1 of the License, or (at your option) any later version. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public +# License along with this library. If not, see +# . +# +# A script that captures the VMSA blob for the boot vCPU and +# first additional vCPU, when a KVM guest is booted with SEV-ES +# +# The captured VMSA will be printed to the console in hex format, +# and can be converted to the required binary format by feeding +# it through +# +# perl -e 'while (<>) { print pack("C64", map { hex($_) } ( $_ =3D~ m/../g= )); }' > vmsa.bin +# + +probe begin { + printf("Running\n") +} + +function dump_vmsa(addr:long) { + printf("VMSA\n") + for (i =3D 0; i < 4096 ; i+=3D 64) { + printf("%.64M\n", addr + i); + } +} + +# This line number will need to be updated for the specific kernel +# version that is being probed. The line that needs to be targetted +# is the one beween the call to clflush_cache_range(...) and the +# call to sev_issue_cmd(kvm, SEV_CMD_LAUNCH_UPDATE...). +# +# Line 632 is correct for Linux v6.0 +probe module("kvm_amd").statement("__sev_launch_update_vmsa@arch/x86/kvm/s= vm/sev.c:632") { + dump_vmsa($svm->vmsa) +} --=20 2.37.3