accel/kvm/kvm-all.c | 69 +++++++++++++++++++++ accel/stubs/kvm-stub.c | 5 ++ hw/i386/pc_sysfw.c | 10 ++- include/sysemu/cpus.h | 2 + include/sysemu/hw_accel.h | 5 ++ include/sysemu/kvm.h | 26 ++++++++ include/sysemu/sev.h | 3 + softmmu/cpus.c | 5 ++ softmmu/runstate.c | 3 + target/arm/kvm.c | 5 ++ target/i386/cpu.c | 1 + target/i386/kvm/kvm.c | 10 ++- target/i386/sev-stub.c | 6 ++ target/i386/sev.c | 124 +++++++++++++++++++++++++++++++++++++- target/i386/sev_i386.h | 1 + target/mips/kvm.c | 5 ++ target/ppc/kvm.c | 5 ++ target/s390x/kvm.c | 5 ++ 18 files changed, 286 insertions(+), 4 deletions(-)
From: Tom Lendacky <thomas.lendacky@amd.com>
This patch series provides support for launching an SEV-ES guest.
Secure Encrypted Virtualization - Encrypted State (SEV-ES) expands on the
SEV support to protect the guest register state from the hypervisor. See
"AMD64 Architecture Programmer's Manual Volume 2: System Programming",
section "15.35 Encrypted State (SEV-ES)" [1].
In order to allow a hypervisor to perform functions on behalf of a guest,
there is architectural support for notifying a guest's operating system
when certain types of VMEXITs are about to occur. This allows the guest to
selectively share information with the hypervisor to satisfy the requested
function. The notification is performed using a new exception, the VMM
Communication exception (#VC). The information is shared through the
Guest-Hypervisor Communication Block (GHCB) using the VMGEXIT instruction.
The GHCB format and the protocol for using it is documented in "SEV-ES
Guest-Hypervisor Communication Block Standardization" [2].
The main areas of the Qemu code that are updated to support SEV-ES are
around the SEV guest launch process and AP booting in order to support
booting multiple vCPUs.
There are no new command line switches required. Instead, the desire for
SEV-ES is presented using the SEV policy object. Bit 2 of the SEV policy
object indicates that SEV-ES is required.
The SEV launch process is updated in two ways. The first is that a the
KVM_SEV_ES_INIT ioctl is used to initialize the guest instead of the
standard KVM_SEV_INIT ioctl. The second is that before the SEV launch
measurement is calculated, the LAUNCH_UPDATE_VMSA SEV API is invoked for
each vCPU that Qemu has created. Once the LAUNCH_UPDATE_VMSA API has been
invoked, no direct changes to the guest register state can be made.
AP booting poses some interesting challenges. The INIT-SIPI-SIPI sequence
is typically used to boot the APs. However, the hypervisor is not allowed
to update the guest registers. For the APs, the reset vector must be known
in advance. An OVMF method to provide a known reset vector address exists
by providing an SEV information block, identified by UUID, near the end of
the firmware [3]. OVMF will program the jump to the actual reset vector in
this area of memory. Since the memory location is known in advance, an AP
can be created with the known reset vector address as its starting CS:IP.
The GHCB document [2] talks about how SMP booting under SEV-ES is
performed. SEV-ES also requires the use of the in-kernel irqchip support
in order to minimize the changes required to Qemu to support AP booting.
[1] https://www.amd.com/system/files/TechDocs/24593.pdf
[2] https://developer.amd.com/wp-content/resources/56421.pdf
[3] 30937f2f98c4 ("OvmfPkg: Use the SEV-ES work area for the SEV-ES AP reset vector")
https://github.com/tianocore/edk2/commit/30937f2f98c42496f2f143fe8374ae7f7e684847
Cc: Aleksandar Rikalo <aleksandar.rikalo@syrmia.com>
Cc: Aurelien Jarno <aurelien@aurel32.net>
Cc: David Gibson <david@gibson.dropbear.id.au>
Cc: David Hildenbrand <david@redhat.com>
Cc: Eduardo Habkost <ehabkost@redhat.com>
Cc: Jiaxun Yang <jiaxun.yang@flygoat.com>
Cc: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
Cc: Marcelo Tosatti <mtosatti@redhat.com>
Cc: "Michael S. Tsirkin" <mst@redhat.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: Richard Henderson <richard.henderson@linaro.org>
---
These patches are based on commit:
9cd69f1a27 ("Merge remote-tracking branch 'remotes/stefanberger/tags/pull-tpm-2021-01-25-1' into staging")
Additionally, these patches pre-req the following patch series that has
not yet been accepted into the Qemu tree:
[PATCH v2 0/2] sev: enable secret injection to a self described area in OVMF
https://lore.kernel.org/qemu-devel/20201214154429.11023-1-jejb@linux.ibm.com/
A version of the tree can be found at:
https://github.com/AMDESE/qemu/tree/sev-es-v14
Changes since v5:
- Rework the reset prevention patch to not issue the error message if the
--no-reboot option has been specified for SEV-ES guests.
Changes since v4:
- Add support for an updated Firmware GUID table implementation, that
is now present in OVMF SEV-ES firmware, when searching for the reset
vector information. The code will check for the new implementation
first, followed by the original implementation to maintain backward
compatibility.
Changes since v3:
- Use the QemuUUID structure for GUID definitions
- Use SEV-ES policy bit definition from target/i386/sev_i386.h
- Update SMM support to a per-VM check in order to check SMM capability
at the VM level since SEV-ES guests don't currently support SMM
- Make the CPU resettable check an arch-specific check
Changes since v2:
- Add in-kernel irqchip requirement for SEV-ES guests
Changes since v1:
- Fixed checkpatch.pl errors/warnings
Tom Lendacky (6):
sev/i386: Add initial support for SEV-ES
sev/i386: Require in-kernel irqchip support for SEV-ES guests
sev/i386: Allow AP booting under SEV-ES
sev/i386: Don't allow a system reset under an SEV-ES guest
kvm/i386: Use a per-VM check for SMM capability
sev/i386: Enable an SEV-ES guest based on SEV policy
accel/kvm/kvm-all.c | 69 +++++++++++++++++++++
accel/stubs/kvm-stub.c | 5 ++
hw/i386/pc_sysfw.c | 10 ++-
include/sysemu/cpus.h | 2 +
include/sysemu/hw_accel.h | 5 ++
include/sysemu/kvm.h | 26 ++++++++
include/sysemu/sev.h | 3 +
softmmu/cpus.c | 5 ++
softmmu/runstate.c | 3 +
target/arm/kvm.c | 5 ++
target/i386/cpu.c | 1 +
target/i386/kvm/kvm.c | 10 ++-
target/i386/sev-stub.c | 6 ++
target/i386/sev.c | 124 +++++++++++++++++++++++++++++++++++++-
target/i386/sev_i386.h | 1 +
target/mips/kvm.c | 5 ++
target/ppc/kvm.c | 5 ++
target/s390x/kvm.c | 5 ++
18 files changed, 286 insertions(+), 4 deletions(-)
--
2.30.0
On 26/01/21 18:36, Tom Lendacky wrote:
> From: Tom Lendacky <thomas.lendacky@amd.com>
>
> This patch series provides support for launching an SEV-ES guest.
>
> Secure Encrypted Virtualization - Encrypted State (SEV-ES) expands on the
> SEV support to protect the guest register state from the hypervisor. See
> "AMD64 Architecture Programmer's Manual Volume 2: System Programming",
> section "15.35 Encrypted State (SEV-ES)" [1].
>
> In order to allow a hypervisor to perform functions on behalf of a guest,
> there is architectural support for notifying a guest's operating system
> when certain types of VMEXITs are about to occur. This allows the guest to
> selectively share information with the hypervisor to satisfy the requested
> function. The notification is performed using a new exception, the VMM
> Communication exception (#VC). The information is shared through the
> Guest-Hypervisor Communication Block (GHCB) using the VMGEXIT instruction.
> The GHCB format and the protocol for using it is documented in "SEV-ES
> Guest-Hypervisor Communication Block Standardization" [2].
>
> The main areas of the Qemu code that are updated to support SEV-ES are
> around the SEV guest launch process and AP booting in order to support
> booting multiple vCPUs.
>
> There are no new command line switches required. Instead, the desire for
> SEV-ES is presented using the SEV policy object. Bit 2 of the SEV policy
> object indicates that SEV-ES is required.
>
> The SEV launch process is updated in two ways. The first is that a the
> KVM_SEV_ES_INIT ioctl is used to initialize the guest instead of the
> standard KVM_SEV_INIT ioctl. The second is that before the SEV launch
> measurement is calculated, the LAUNCH_UPDATE_VMSA SEV API is invoked for
> each vCPU that Qemu has created. Once the LAUNCH_UPDATE_VMSA API has been
> invoked, no direct changes to the guest register state can be made.
>
> AP booting poses some interesting challenges. The INIT-SIPI-SIPI sequence
> is typically used to boot the APs. However, the hypervisor is not allowed
> to update the guest registers. For the APs, the reset vector must be known
> in advance. An OVMF method to provide a known reset vector address exists
> by providing an SEV information block, identified by UUID, near the end of
> the firmware [3]. OVMF will program the jump to the actual reset vector in
> this area of memory. Since the memory location is known in advance, an AP
> can be created with the known reset vector address as its starting CS:IP.
> The GHCB document [2] talks about how SMP booting under SEV-ES is
> performed. SEV-ES also requires the use of the in-kernel irqchip support
> in order to minimize the changes required to Qemu to support AP booting.
>
> [1] https://www.amd.com/system/files/TechDocs/24593.pdf
> [2] https://developer.amd.com/wp-content/resources/56421.pdf
> [3] 30937f2f98c4 ("OvmfPkg: Use the SEV-ES work area for the SEV-ES AP reset vector")
> https://github.com/tianocore/edk2/commit/30937f2f98c42496f2f143fe8374ae7f7e684847
>
> Cc: Aleksandar Rikalo <aleksandar.rikalo@syrmia.com>
> Cc: Aurelien Jarno <aurelien@aurel32.net>
> Cc: David Gibson <david@gibson.dropbear.id.au>
> Cc: David Hildenbrand <david@redhat.com>
> Cc: Eduardo Habkost <ehabkost@redhat.com>
> Cc: Jiaxun Yang <jiaxun.yang@flygoat.com>
> Cc: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
> Cc: Marcelo Tosatti <mtosatti@redhat.com>
> Cc: "Michael S. Tsirkin" <mst@redhat.com>
> Cc: Paolo Bonzini <pbonzini@redhat.com>
> Cc: Peter Maydell <peter.maydell@linaro.org>
> Cc: Richard Henderson <richard.henderson@linaro.org>
>
> ---
>
> These patches are based on commit:
> 9cd69f1a27 ("Merge remote-tracking branch 'remotes/stefanberger/tags/pull-tpm-2021-01-25-1' into staging")
>
> Additionally, these patches pre-req the following patch series that has
> not yet been accepted into the Qemu tree:
>
> [PATCH v2 0/2] sev: enable secret injection to a self described area in OVMF
> https://lore.kernel.org/qemu-devel/20201214154429.11023-1-jejb@linux.ibm.com/
>
> A version of the tree can be found at:
> https://github.com/AMDESE/qemu/tree/sev-es-v14
>
> Changes since v5:
> - Rework the reset prevention patch to not issue the error message if the
> --no-reboot option has been specified for SEV-ES guests.
>
> Changes since v4:
> - Add support for an updated Firmware GUID table implementation, that
> is now present in OVMF SEV-ES firmware, when searching for the reset
> vector information. The code will check for the new implementation
> first, followed by the original implementation to maintain backward
> compatibility.
>
> Changes since v3:
> - Use the QemuUUID structure for GUID definitions
> - Use SEV-ES policy bit definition from target/i386/sev_i386.h
> - Update SMM support to a per-VM check in order to check SMM capability
> at the VM level since SEV-ES guests don't currently support SMM
> - Make the CPU resettable check an arch-specific check
>
> Changes since v2:
> - Add in-kernel irqchip requirement for SEV-ES guests
>
> Changes since v1:
> - Fixed checkpatch.pl errors/warnings
>
> Tom Lendacky (6):
> sev/i386: Add initial support for SEV-ES
> sev/i386: Require in-kernel irqchip support for SEV-ES guests
> sev/i386: Allow AP booting under SEV-ES
> sev/i386: Don't allow a system reset under an SEV-ES guest
> kvm/i386: Use a per-VM check for SMM capability
> sev/i386: Enable an SEV-ES guest based on SEV policy
>
> accel/kvm/kvm-all.c | 69 +++++++++++++++++++++
> accel/stubs/kvm-stub.c | 5 ++
> hw/i386/pc_sysfw.c | 10 ++-
> include/sysemu/cpus.h | 2 +
> include/sysemu/hw_accel.h | 5 ++
> include/sysemu/kvm.h | 26 ++++++++
> include/sysemu/sev.h | 3 +
> softmmu/cpus.c | 5 ++
> softmmu/runstate.c | 3 +
> target/arm/kvm.c | 5 ++
> target/i386/cpu.c | 1 +
> target/i386/kvm/kvm.c | 10 ++-
> target/i386/sev-stub.c | 6 ++
> target/i386/sev.c | 124 +++++++++++++++++++++++++++++++++++++-
> target/i386/sev_i386.h | 1 +
> target/mips/kvm.c | 5 ++
> target/ppc/kvm.c | 5 ++
> target/s390x/kvm.c | 5 ++
> 18 files changed, 286 insertions(+), 4 deletions(-)
>
Queued, thanks.
Paolo
On 2/5/21 4:59 AM, Paolo Bonzini wrote: > On 26/01/21 18:36, Tom Lendacky wrote: >> From: Tom Lendacky <thomas.lendacky@amd.com> >> >> This patch series provides support for launching an SEV-ES guest. >> ... >> > > Queued, thanks. It looks like David Gibson's patches for the memory encryption rework went into the main tree before mine. So, I think I'm going to have to rework my patches. Let me look into it. Thanks, Tom > > Paolo >
On 08/02/21 16:48, Tom Lendacky wrote: >>> >> >> Queued, thanks. > > It looks like David Gibson's patches for the memory encryption rework > went into the main tree before mine. So, I think I'm going to have to > rework my patches. Let me look into it. I was going to ask you to check out my own rebase, but it hadn't finished CI yet. Please take a look at branch sev-next at https://gitlab.com/bonzini/qemu (commit 15acccb1b769aa3854bfd875d3d17945703e3f2a, ignore the PPC failure). Paolo
On 2/8/21 10:31 AM, Paolo Bonzini wrote: > On 08/02/21 16:48, Tom Lendacky wrote: >>>> >>> >>> Queued, thanks. >> >> It looks like David Gibson's patches for the memory encryption rework >> went into the main tree before mine. So, I think I'm going to have to >> rework my patches. Let me look into it. > > I was going to ask you to check out my own rebase, but it hadn't finished > CI yet. Please take a look at branch sev-next at > https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgitlab.com%2Fbonzini%2Fqemu&data=04%7C01%7Cthomas.lendacky%40amd.com%7C0fd806ab779a47c04fb508d8cc4eef45%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637483986711396809%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=kxzVD%2FwGNrU0zIhZjxyA0XCDtyycPW%2FROsvs3BrlkJE%3D&reserved=0 > (commit 15acccb1b769aa3854bfd875d3d17945703e3f2a, ignore the PPC failure). Everything looked good from a review perspective and AP booting worked without a hitch, which was the main area effected. Thanks for taking care of it! Tom > > Paolo >
© 2016 - 2024 Red Hat, Inc.