qapi/misc-target.json | 28 ++++++++++++++++++++++++++-- target/i386/sev.c | 17 ++++++++++++++--- 2 files changed, 40 insertions(+), 5 deletions(-)
The AMD ASK/ARK certificate chain differs between AMD SEV
processor generations. SEV capabilities should provide
which ASK/ARK certificate should be used based on the host
processor.
Signed-off-by: Tyler Fanelli <tfanelli@redhat.com>
---
qapi/misc-target.json | 28 ++++++++++++++++++++++++++--
target/i386/sev.c | 17 ++++++++++++++---
2 files changed, 40 insertions(+), 5 deletions(-)
diff --git a/qapi/misc-target.json b/qapi/misc-target.json
index 5aa2b95b7d..c64aa3ff57 100644
--- a/qapi/misc-target.json
+++ b/qapi/misc-target.json
@@ -166,6 +166,24 @@
{ 'command': 'query-sev-launch-measure', 'returns': 'SevLaunchMeasureInfo',
'if': 'TARGET_I386' }
+##
+# @SevAskArkCertName:
+#
+# This enum describes which ASK/ARK certificate should be
+# used based on the generation of an AMD Secure Encrypted
+# Virtualization processor.
+#
+# @naples: AMD Naples processor (SEV 1st generation)
+#
+# @rome: AMD Rome processor (SEV 2nd generation)
+#
+# @milan: AMD Milan processor (SEV 3rd generation)
+#
+# Since: 7.0
+##
+{ 'enum': 'SevAskArkCertName',
+ 'data': ['naples', 'rome', 'milan'],
+ 'if': 'TARGET_I386' }
##
# @SevCapability:
@@ -182,13 +200,18 @@
# @reduced-phys-bits: Number of physical Address bit reduction when SEV is
# enabled
#
+# @ask-ark-cert-name: The generation in which the AMD
+# ARK/ASK should be derived from
+# (since 7.0)
+#
# Since: 2.12
##
{ 'struct': 'SevCapability',
'data': { 'pdh': 'str',
'cert-chain': 'str',
'cbitpos': 'int',
- 'reduced-phys-bits': 'int'},
+ 'reduced-phys-bits': 'int',
+ 'ask-ark-cert-name': 'SevAskArkCertName'},
'if': 'TARGET_I386' }
##
@@ -205,7 +228,8 @@
#
# -> { "execute": "query-sev-capabilities" }
# <- { "return": { "pdh": "8CCDD8DDD", "cert-chain": "888CCCDDDEE",
-# "cbitpos": 47, "reduced-phys-bits": 5}}
+# "cbitpos": 47, "reduced-phys-bits": 5,
+# "ask-ark-cert-name": "naples"}}
#
##
{ 'command': 'query-sev-capabilities', 'returns': 'SevCapability',
diff --git a/target/i386/sev.c b/target/i386/sev.c
index eede07f11d..f30171e5ba 100644
--- a/target/i386/sev.c
+++ b/target/i386/sev.c
@@ -506,8 +506,9 @@ static SevCapability *sev_get_capabilities(Error **errp)
guchar *pdh_data = NULL;
guchar *cert_chain_data = NULL;
size_t pdh_len = 0, cert_chain_len = 0;
- uint32_t ebx;
- int fd;
+ uint32_t eax, ebx;
+ int fd, es, snp;
+
if (!kvm_enabled()) {
error_setg(errp, "KVM not enabled");
@@ -534,9 +535,19 @@ static SevCapability *sev_get_capabilities(Error **errp)
cap->pdh = g_base64_encode(pdh_data, pdh_len);
cap->cert_chain = g_base64_encode(cert_chain_data, cert_chain_len);
- host_cpuid(0x8000001F, 0, NULL, &ebx, NULL, NULL);
+ host_cpuid(0x8000001F, 0, &eax, &ebx, NULL, NULL);
cap->cbitpos = ebx & 0x3f;
+ es = eax & 0x8;
+ snp = eax & 0x10;
+ if (!es && !snp) {
+ cap->ask_ark_cert_name = SEV_ASK_ARK_CERT_NAME_NAPLES;
+ } else if (es && !snp) {
+ cap->ask_ark_cert_name = SEV_ASK_ARK_CERT_NAME_ROME;
+ } else {
+ cap->ask_ark_cert_name = SEV_ASK_ARK_CERT_NAME_MILAN;
+ }
+
/*
* When SEV feature is enabled, we loose one bit in guest physical
* addressing.
--
2.31.1
On Tue, Nov 16, 2021 at 04:38:59PM -0500, Tyler Fanelli wrote: > The AMD ASK/ARK certificate chain differs between AMD SEV > processor generations. SEV capabilities should provide > which ASK/ARK certificate should be used based on the host > processor. > > Signed-off-by: Tyler Fanelli <tfanelli@redhat.com> > --- > qapi/misc-target.json | 28 ++++++++++++++++++++++++++-- > target/i386/sev.c | 17 ++++++++++++++--- > 2 files changed, 40 insertions(+), 5 deletions(-) > > diff --git a/qapi/misc-target.json b/qapi/misc-target.json > index 5aa2b95b7d..c64aa3ff57 100644 > --- a/qapi/misc-target.json > +++ b/qapi/misc-target.json > @@ -166,6 +166,24 @@ > { 'command': 'query-sev-launch-measure', 'returns': 'SevLaunchMeasureInfo', > 'if': 'TARGET_I386' } > > +## > +# @SevAskArkCertName: > +# > +# This enum describes which ASK/ARK certificate should be > +# used based on the generation of an AMD Secure Encrypted > +# Virtualization processor. > +# > +# @naples: AMD Naples processor (SEV 1st generation) > +# > +# @rome: AMD Rome processor (SEV 2nd generation) > +# > +# @milan: AMD Milan processor (SEV 3rd generation) > +# > +# Since: 7.0 I've found that many (all?) Naples machines expose 'sev_es' in their CPU flags, which is contrary to my understanding that SEV-ES was only introduced in Zen2 / Rome. IOW, CPU flags don't seem to provide a viable alternative to identify the generations, so this info reported here is useful. > @@ -534,9 +535,19 @@ static SevCapability *sev_get_capabilities(Error **errp) > cap->pdh = g_base64_encode(pdh_data, pdh_len); > cap->cert_chain = g_base64_encode(cert_chain_data, cert_chain_len); > > - host_cpuid(0x8000001F, 0, NULL, &ebx, NULL, NULL); > + host_cpuid(0x8000001F, 0, &eax, &ebx, NULL, NULL); > cap->cbitpos = ebx & 0x3f; > > + es = eax & 0x8; > + snp = eax & 0x10; > + if (!es && !snp) { > + cap->ask_ark_cert_name = SEV_ASK_ARK_CERT_NAME_NAPLES; > + } else if (es && !snp) { > + cap->ask_ark_cert_name = SEV_ASK_ARK_CERT_NAME_ROME; > + } else { > + cap->ask_ark_cert_name = SEV_ASK_ARK_CERT_NAME_MILAN; > + } Ident appears off here - seems to have accidentally used tabs instead of spaces. Since that's a trivial fix, feel free to add Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> when reposting. Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
© 2016 - 2024 Red Hat, Inc.