[PATCH for-9.1 00/26] x86, kvm: common confidential computing subset

Paolo Bonzini posted 26 patches 1 month ago
include/exec/confidential-guest-support.h     |  34 +-
include/exec/cpu-common.h                     |   2 +
include/exec/memory.h                         |  20 +-
include/exec/ram_addr.h                       |   2 +-
include/exec/ramblock.h                       |   1 +
include/hw/boards.h                           |   2 +
include/hw/i386/pc.h                          |   1 +
include/hw/pci-host/q35.h                     |   1 +
include/hw/ppc/pef.h                          |  17 -
include/standard-headers/asm-x86/bootparam.h  |  17 +-
include/standard-headers/asm-x86/kvm_para.h   |   3 +-
include/standard-headers/asm-x86/setup_data.h |  83 ++
include/standard-headers/linux/ethtool.h      |  48 ++
include/standard-headers/linux/fuse.h         |  39 +-
.../linux/input-event-codes.h                 |   1 +
include/standard-headers/linux/virtio_gpu.h   |   2 +
include/standard-headers/linux/virtio_snd.h   | 154 ++++
include/sysemu/hostmem.h                      |   1 +
include/sysemu/kvm.h                          |  19 +-
include/sysemu/kvm_int.h                      |   3 +
linux-headers/asm-arm64/kvm.h                 |  15 +-
linux-headers/asm-arm64/sve_context.h         |  11 +
linux-headers/asm-generic/bitsperlong.h       |   4 +
linux-headers/asm-loongarch/kvm.h             |   2 -
linux-headers/asm-mips/kvm.h                  |   2 -
linux-headers/asm-powerpc/kvm.h               |  45 +-
linux-headers/asm-riscv/kvm.h                 |   3 +-
linux-headers/asm-s390/kvm.h                  | 315 +++++++-
linux-headers/asm-x86/kvm.h                   | 364 ++++++++-
linux-headers/linux/bits.h                    |  15 +
linux-headers/linux/kvm.h                     | 717 +-----------------
linux-headers/linux/psp-sev.h                 |  71 ++
target/i386/confidential-guest.h              |  59 ++
target/i386/kvm/kvm_i386.h                    |   2 +
target/i386/sev.h                             |   2 -
target/s390x/kvm/pv.h                         |  14 -
accel/kvm/kvm-accel-ops.c                     |   2 +-
accel/kvm/kvm-all.c                           | 236 +++++-
accel/stubs/kvm-stub.c                        |   5 +
backends/hostmem-file.c                       |   1 +
backends/hostmem-memfd.c                      |   1 +
backends/hostmem-ram.c                        |   1 +
backends/hostmem.c                            |   1 +
hw/core/machine.c                             |   5 +
hw/i386/pc_q35.c                              |   2 +
hw/i386/x86.c                                 |  19 +-
hw/pci-host/q35.c                             |  61 +-
hw/ppc/pef.c                                  |   9 +-
hw/ppc/spapr.c                                |  10 +-
hw/s390x/s390-virtio-ccw.c                    |   5 +-
system/memory.c                               |   5 +
system/physmem.c                              |  65 +-
system/runstate.c                             |  15 +-
target/arm/kvm.c                              |   5 -
target/i386/confidential-guest.c              |  33 +
target/i386/kvm/kvm.c                         | 507 +++++++------
target/i386/kvm/sev-stub.c                    |  21 -
target/i386/sev.c                             | 173 +++--
target/loongarch/kvm/kvm.c                    |   5 -
target/mips/kvm.c                             |   5 -
target/ppc/kvm.c                              |   5 -
target/riscv/kvm/kvm-cpu.c                    |   5 -
target/s390x/kvm/kvm.c                        |   5 -
target/s390x/kvm/pv.c                         |   8 +
accel/kvm/trace-events                        |   4 +-
roms/edk2                                     |   2 +-
scripts/update-linux-headers.sh               |   8 +-
target/i386/kvm/meson.build                   |   2 -
target/i386/meson.build                       |   2 +-
69 files changed, 2124 insertions(+), 1200 deletions(-)
delete mode 100644 include/hw/ppc/pef.h
create mode 100644 include/standard-headers/asm-x86/setup_data.h
create mode 100644 linux-headers/linux/bits.h
create mode 100644 target/i386/confidential-guest.h
create mode 100644 target/i386/confidential-guest.c
delete mode 100644 target/i386/kvm/sev-stub.c
[PATCH for-9.1 00/26] x86, kvm: common confidential computing subset
Posted by Paolo Bonzini 1 month ago
These are the common bits for TDX and SEV-SNP support for QEMU 9.1.

The main changes compared to what Michael posted are:

1) I am including KVM_SEV_INIT2 support patches without the linux-headers
update hack (however the linux-headers update in these patches is still
not final).  This also includes the bits to track whether guest state
are encrypted, that are needed by TDX as well as SEV-ES/SNP.

2) VFIO currently is blocked, pending a decision on what is worse
between possibly consuming twice the memory and disallowing device
assignment; or someone biting the bullet and implementing the
RamDiscardManager interface.

3) I included another easy patch from the TDX series, "i386/kvm: Move
architectural CPUID leaf generation to separate helper".

Please test. :)

Paolo

Chao Peng (2):
  kvm: Enable KVM_SET_USER_MEMORY_REGION2 for memslot
  kvm: handle KVM_EXIT_MEMORY_FAULT

Isaku Yamahata (2):
  pci-host/q35: Move PAM initialization above SMRAM initialization
  q35: Introduce smm_ranges property for q35-pci-host

Michael Roth (5):
  scripts/update-linux-headers: Add setup_data.h to import list
  scripts/update-linux-headers: Add bits.h to file imports
  [HACK] linux-headers: Update headers for 6.8 + kvm-coco-queue + SNP
  [TO SQUASH] hw/i386: Remove redeclaration of struct setup_data
  RAMBlock: Add support of KVM private guest memfd

Paolo Bonzini (7):
  runstate: skip initial CPU reset if reset is not actually possible
  KVM: track whether guest state is encrypted
  KVM: remove kvm_arch_cpu_check_are_resettable
  target/i386: introduce x86-confidential-guest
  target/i386: Implement mc->kvm_type() to get VM type
  target/i386: SEV: use KVM_SEV_INIT2 if possible
  RAMBlock: make guest_memfd require uncoordinated discard

Sean Christopherson (1):
  i386/kvm: Move architectural CPUID leaf generation to separate helper

Xiaoyao Li (9):
  confidential guest support: Add kvm_init() and kvm_reset() in class
  i386/sev: Switch to use confidential_guest_kvm_init()
  ppc/pef: switch to use confidential_guest_kvm_init/reset()
  s390: Switch to use confidential_guest_kvm_init()
  trace/kvm: Split address space and slot id in
    trace_kvm_set_user_memory()
  kvm: Introduce support for memory_attributes
  kvm/memory: Make memory type private by default if it has guest memfd
    backend
  HostMem: Add mechanism to opt in kvm guest memfd via MachineState
  physmem: Introduce ram_block_discard_guest_memfd_range()

 include/exec/confidential-guest-support.h     |  34 +-
 include/exec/cpu-common.h                     |   2 +
 include/exec/memory.h                         |  20 +-
 include/exec/ram_addr.h                       |   2 +-
 include/exec/ramblock.h                       |   1 +
 include/hw/boards.h                           |   2 +
 include/hw/i386/pc.h                          |   1 +
 include/hw/pci-host/q35.h                     |   1 +
 include/hw/ppc/pef.h                          |  17 -
 include/standard-headers/asm-x86/bootparam.h  |  17 +-
 include/standard-headers/asm-x86/kvm_para.h   |   3 +-
 include/standard-headers/asm-x86/setup_data.h |  83 ++
 include/standard-headers/linux/ethtool.h      |  48 ++
 include/standard-headers/linux/fuse.h         |  39 +-
 .../linux/input-event-codes.h                 |   1 +
 include/standard-headers/linux/virtio_gpu.h   |   2 +
 include/standard-headers/linux/virtio_snd.h   | 154 ++++
 include/sysemu/hostmem.h                      |   1 +
 include/sysemu/kvm.h                          |  19 +-
 include/sysemu/kvm_int.h                      |   3 +
 linux-headers/asm-arm64/kvm.h                 |  15 +-
 linux-headers/asm-arm64/sve_context.h         |  11 +
 linux-headers/asm-generic/bitsperlong.h       |   4 +
 linux-headers/asm-loongarch/kvm.h             |   2 -
 linux-headers/asm-mips/kvm.h                  |   2 -
 linux-headers/asm-powerpc/kvm.h               |  45 +-
 linux-headers/asm-riscv/kvm.h                 |   3 +-
 linux-headers/asm-s390/kvm.h                  | 315 +++++++-
 linux-headers/asm-x86/kvm.h                   | 364 ++++++++-
 linux-headers/linux/bits.h                    |  15 +
 linux-headers/linux/kvm.h                     | 717 +-----------------
 linux-headers/linux/psp-sev.h                 |  71 ++
 target/i386/confidential-guest.h              |  59 ++
 target/i386/kvm/kvm_i386.h                    |   2 +
 target/i386/sev.h                             |   2 -
 target/s390x/kvm/pv.h                         |  14 -
 accel/kvm/kvm-accel-ops.c                     |   2 +-
 accel/kvm/kvm-all.c                           | 236 +++++-
 accel/stubs/kvm-stub.c                        |   5 +
 backends/hostmem-file.c                       |   1 +
 backends/hostmem-memfd.c                      |   1 +
 backends/hostmem-ram.c                        |   1 +
 backends/hostmem.c                            |   1 +
 hw/core/machine.c                             |   5 +
 hw/i386/pc_q35.c                              |   2 +
 hw/i386/x86.c                                 |  19 +-
 hw/pci-host/q35.c                             |  61 +-
 hw/ppc/pef.c                                  |   9 +-
 hw/ppc/spapr.c                                |  10 +-
 hw/s390x/s390-virtio-ccw.c                    |   5 +-
 system/memory.c                               |   5 +
 system/physmem.c                              |  65 +-
 system/runstate.c                             |  15 +-
 target/arm/kvm.c                              |   5 -
 target/i386/confidential-guest.c              |  33 +
 target/i386/kvm/kvm.c                         | 507 +++++++------
 target/i386/kvm/sev-stub.c                    |  21 -
 target/i386/sev.c                             | 173 +++--
 target/loongarch/kvm/kvm.c                    |   5 -
 target/mips/kvm.c                             |   5 -
 target/ppc/kvm.c                              |   5 -
 target/riscv/kvm/kvm-cpu.c                    |   5 -
 target/s390x/kvm/kvm.c                        |   5 -
 target/s390x/kvm/pv.c                         |   8 +
 accel/kvm/trace-events                        |   4 +-
 roms/edk2                                     |   2 +-
 scripts/update-linux-headers.sh               |   8 +-
 target/i386/kvm/meson.build                   |   2 -
 target/i386/meson.build                       |   2 +-
 69 files changed, 2124 insertions(+), 1200 deletions(-)
 delete mode 100644 include/hw/ppc/pef.h
 create mode 100644 include/standard-headers/asm-x86/setup_data.h
 create mode 100644 linux-headers/linux/bits.h
 create mode 100644 target/i386/confidential-guest.h
 create mode 100644 target/i386/confidential-guest.c
 delete mode 100644 target/i386/kvm/sev-stub.c

-- 
2.44.0