[Qemu-devel] [PATCH v3 00/14] Add SEV guest live migration support

Singh, Brijesh posted 14 patches 4 years, 7 months ago
git fetch https://github.com/patchew-project/qemu tags/patchew/20190806165429.19327-1-brijesh.singh@amd.com
Maintainers: "Dr. David Alan Gilbert" <dgilbert@redhat.com>, Marcel Apfelbaum <marcel.apfelbaum@gmail.com>, Richard Henderson <rth@twiddle.net>, Eduardo Habkost <ehabkost@redhat.com>, Paolo Bonzini <pbonzini@redhat.com>, Eric Blake <eblake@redhat.com>, Cornelia Huck <cohuck@redhat.com>, Markus Armbruster <armbru@redhat.com>, "Michael S. Tsirkin" <mst@redhat.com>, Juan Quintela <quintela@redhat.com>
AMD SEV encrypts the memory of VMs and because this encryption is done using
an address tweak, the hypervisor will not be able to simply copy ciphertext
between machines to migrate a VM. Instead the AMD SEV Key Management API
provides a set of functions which the hypervisor can use to package a
guest encrypted pages for migration, while maintaining the confidentiality
provided by AMD SEV.

The patch series adds the support required in QEMU to perform SEV
guest live migration. Before initiating the live migration a user
should use the newly added 'migrate-set-sev-info' command to pass the
target machine's certificate chain. See docs/amd-memory-encryption.txt
for further details.

The patch series depends on kernel patches available here:
https://marc.info/?l=kvm&m=156278967226011&w=2

The complete tree with patch is available at:
https://github.com/codomania/qemu/tree/sev-migration-v3

Known Issues:
 - failed to reboot the guest after migration.
 - The top 10 lines of the VGA buffer are sent as encrypted and because of that
   we get garbage on the destination. I am still debugging it.

Changes since v2:
 - Remove direct kvm_memcrypt calls from migration.
 - Add MemoryEncryptionOps in machine which will be used by migration
   instead of kvm_memcrypt calls.
 - Drop the RAM_SAVE_FLAG_PAGE_ENCRYPTED_BITMAP. Now the RAM_SAVE_FLAG_ENCRYPTED_PAGE
   can be used for sending the bitmap as well as guest RAM encrypted pages.
 - add some bound checks on incoming data
 - drop migrate-sev-set-info object
 - extend the migrate-parameters to include the SEV specific certificate fields.
 - multiple fixes based on the review comments from Dave
 
Changes since v1:
 - use the dirty log sync APIs to also sync the page encryption bitmap
   when SEV is active.

Brijesh Singh (14):
  doc: update AMD SEV API spec web link
  doc: update AMD SEV to include Live migration flow
  migration.json: add AMD SEV specific migration parameters
  linux-headers: update kernel header to include SEV migration commands
  hw/machine: add helper to query the memory encryption state
  hw/machine: introduce MachineMemoryEncryptionOps for encrypted VMs
  target/i386: sev: provide callback to setup outgoing context
  target/i386: sev: do not create launch context for an incoming guest
  target/i386: sev: add support to encrypt the outgoing page
  target/i386: sev: add support to load incoming encrypted page
  migration: add support to migrate page encryption bitmap
  kvm: add support to sync the page encryption state bitmap
  migration/ram: add support to send encrypted pages
  target/i386: sev: remove migration blocker

 accel/kvm/kvm-all.c            |  91 ++++++
 accel/kvm/sev-stub.c           |  28 ++
 docs/amd-memory-encryption.txt |  48 ++-
 hw/core/machine.c              |   5 +
 include/exec/ram_addr.h        | 199 +++++++++++++
 include/exec/ramlist.h         |   3 +-
 include/hw/boards.h            |  25 ++
 include/sysemu/sev.h           |  11 +
 linux-headers/linux/kvm.h      |  53 ++++
 migration/migration.c          |  61 ++++
 migration/ram.c                | 148 +++++++++-
 monitor/hmp-cmds.c             |  18 ++
 qapi/migration.json            |  41 ++-
 target/i386/sev.c              | 513 ++++++++++++++++++++++++++++++++-
 target/i386/sev_i386.h         |   8 +
 target/i386/trace-events       |   8 +
 16 files changed, 1234 insertions(+), 26 deletions(-)

-- 
2.17.1
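The cover letter's opening point is that SEV ciphertext is bound to the guest-physical address it was written at, so a hypervisor cannot simply copy encrypted pages to another machine and must instead have the firmware re-package them. The following toy model, added here as an illustration and not part of the series or of QEMU, shows why: it uses a hash-derived XOR keystream as a stand-in for the address-tweaked cipher (not SEV's real algorithm), and the key names, page size and transport-key wrapping steps are assumptions made for the demonstration.

```python
import hashlib

PAGE = 16  # toy page size in bytes (assumption; real SEV pages are 4 KiB)

def keystream(key: bytes, gpa: int) -> bytes:
    """Toy address-tweaked keystream: the key AND the guest-physical address
    feed the cipher, so identical plaintext at two addresses gives two
    different ciphertexts. A model of the SEV address tweak, not its cipher."""
    return hashlib.sha256(key + gpa.to_bytes(8, "little")).digest()[:PAGE]

def xcrypt(key: bytes, gpa: int, data: bytes) -> bytes:
    """Symmetric: encrypt and decrypt are the same XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, gpa)))

def guest_view(vek: bytes, gpa: int, ciphertext: bytes) -> bytes:
    """What the guest reads: hardware decrypts with the VM's key at this address."""
    return xcrypt(vek, gpa, ciphertext)

def send_page(src_vek: bytes, src_gpa: int, ciphertext: bytes, tek: bytes) -> bytes:
    """Modelled source-side firmware step: remove the address-bound encryption and
    wrap the page under a transport key (TEK) that is not tied to any address.
    The hypervisor only ever handles this wrapped blob, never the plaintext."""
    return xcrypt(tek, 0, xcrypt(src_vek, src_gpa, ciphertext))

def receive_page(wrapped: bytes, tek: bytes, dst_vek: bytes, dst_gpa: int) -> bytes:
    """Modelled destination-side firmware step: unwrap under the TEK and
    re-encrypt under the destination VM's own key at its own address."""
    return xcrypt(dst_vek, dst_gpa, xcrypt(tek, 0, wrapped))

def migrate_page_demo() -> dict:
    # Constructed sample values; real keys live inside the SEV firmware only.
    plaintext = b"guest secret 123"            # exactly PAGE bytes
    src_vek, dst_vek, tek = b"src-vm-key", b"dst-vm-key", b"transport-key"
    src_gpa, dst_gpa = 0x1000, 0x2000          # page lands at a new address
    ciphertext = xcrypt(src_vek, src_gpa, plaintext)

    # Naive approach: copy the ciphertext bytes as-is into the destination VM.
    naive = guest_view(dst_vek, dst_gpa, ciphertext)

    # Firmware-assisted approach from the cover letter: package, then import.
    wrapped = send_page(src_vek, src_gpa, ciphertext, tek)
    proper = guest_view(dst_vek, dst_gpa, receive_page(wrapped, tek, dst_vek, dst_gpa))

    return {"naive_ok": naive == plaintext,
            "proper_ok": proper == plaintext,
            "wire_leaks_plaintext": wrapped == plaintext}

if __name__ == "__main__":
    print(migrate_page_demo())
```

Only the firmware-assisted path reproduces the plaintext on the destination, and the bytes the hypervisor carries over the wire never equal the plaintext.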