1. Patchew
  2. QEMU
  3. View series

[PATCH v9 00/16] Introduce support for IGVM files

Roy Hopkins posted 16 patches 5 months, 1 week ago
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/qemu tags/patchew/cover.1751554099.git.roy.hopkins@randomman.co.uk
Maintainers: "Philippe Mathieu-Daudé" <philmd@linaro.org>, "Daniel P. Berrangé" <berrange@redhat.com>, Kashyap Chamarthy <kchamart@redhat.com>, Paolo Bonzini <pbonzini@redhat.com>, Marcelo Tosatti <mtosatti@redhat.com>, "Michael S. Tsirkin" <mst@redhat.com>, Marcel Apfelbaum <marcel.apfelbaum@gmail.com>, Richard Henderson <richard.henderson@linaro.org>, Eduardo Habkost <eduardo@habkost.net>, "Marc-André Lureau" <marcandre.lureau@redhat.com>, Eric Blake <eblake@redhat.com>, Markus Armbruster <armbru@redhat.com>, Zhao Liu <zhao1.liu@intel.com>
backends/confidential-guest-support.c       |  43 +
backends/igvm-cfg.c                         |  51 +
backends/igvm.c                             | 988 ++++++++++++++++++++
backends/igvm.h                             |  22 +
backends/meson.build                        |   5 +
docs/interop/firmware.json                  |  30 +-
docs/system/i386/amd-memory-encryption.rst  |   2 +
docs/system/igvm.rst                        | 173 ++++
docs/system/index.rst                       |   1 +
hw/i386/pc.c                                |  12 +
hw/i386/pc_piix.c                           |  10 +
hw/i386/pc_q35.c                            |  10 +
hw/i386/pc_sysfw.c                          |  31 +-
include/hw/i386/x86.h                       |   3 +
include/system/confidential-guest-support.h |  88 ++
include/system/igvm-cfg.h                   |  49 +
meson.build                                 |   8 +
meson_options.txt                           |   2 +
qapi/qom.json                               |  17 +
qemu-options.hx                             |  28 +
scripts/meson-buildoptions.sh               |   3 +
target/i386/cpu.h                           |   9 +-
target/i386/sev.c                           | 850 +++++++++++++++--
target/i386/sev.h                           | 124 +++
24 files changed, 2475 insertions(+), 84 deletions(-)
create mode 100644 backends/igvm-cfg.c
create mode 100644 backends/igvm.c
create mode 100644 backends/igvm.h
create mode 100644 docs/system/igvm.rst
create mode 100644 include/system/igvm-cfg.h
[PATCH v9 00/16] Introduce support for IGVM files
Posted by Roy Hopkins 5 months, 1 week ago 
Here is v9 of the set of patches to add support for IGVM files to QEMU. This is
based on commit c77283dd5d79149f4e7e9edd00f65416c648ee59 of qemu.

Once again, this is mostly a rebase of the previous patch series. However,
thanks to those reviewers who have provided feedback on v8 which has now been
addressed in this new version.

This v9 patch series is also available on github: [2]

For testing IGVM support in QEMU you need to generate an IGVM file that is
configured for the platform you want to launch. You can use the `buildigvm`
test tool [3] to allow generation of IGVM files for all currently supported
platforms. Patch 11/17 contains information on how to generate an IGVM file
using this tool.

Changes in v9:

* Address review comments from v8
* Add metadata to relevant commits.

Patch summary:

1-11: Add support and documentation for processing IGVM files for SEV, SEV-ES,
SEV-SNP and native platforms. 

12-15: Processing of policy and SEV-SNP ID_BLOCK from IGVM file. 

16: Add pre-processing of IGVM file to support synchronization of 'SEV_FEATURES'
from IGVM VMSA to KVM.

[1] Link to v8:
https://lists.gnu.org/archive/html/qemu-devel/2025-06/msg02324.html

[2] v8 patches also available here:
https://github.com/roy-hopkins/qemu/tree/igvm_master_v9

[3] `buildigvm` tool v0.2.0
https://github.com/roy-hopkins/buildigvm/releases/tag/v0.2.0

Roy Hopkins (16):
  meson: Add optional dependency on IGVM library
  backends/confidential-guest-support: Add functions to support IGVM
  backends/igvm: Add IGVM loader and configuration
  hw/i386: Add igvm-cfg object and processing for IGVM files
  i386/pc_sysfw: Ensure sysfw flash configuration does not conflict with
    IGVM
  sev: Update launch_update_data functions to use Error handling
  target/i386: Allow setting of R_LDTR and R_TR with
    cpu_x86_load_seg_cache()
  i386/sev: Refactor setting of reset vector and initial CPU state
  i386/sev: Implement ConfidentialGuestSupport functions for SEV
  docs/system: Add documentation on support for IGVM
  docs/interop/firmware.json: Add igvm to FirmwareDevice
  backends/confidential-guest-support: Add set_guest_policy() function
  backends/igvm: Process initialization sections in IGVM file
  backends/igvm: Handle policy for SEV guests
  i386/sev: Add implementation of CGS set_guest_policy()
  sev: Provide sev_features flags from IGVM VMSA to KVM_SEV_INIT2

 backends/confidential-guest-support.c       |  43 +
 backends/igvm-cfg.c                         |  51 +
 backends/igvm.c                             | 988 ++++++++++++++++++++
 backends/igvm.h                             |  22 +
 backends/meson.build                        |   5 +
 docs/interop/firmware.json                  |  30 +-
 docs/system/i386/amd-memory-encryption.rst  |   2 +
 docs/system/igvm.rst                        | 173 ++++
 docs/system/index.rst                       |   1 +
 hw/i386/pc.c                                |  12 +
 hw/i386/pc_piix.c                           |  10 +
 hw/i386/pc_q35.c                            |  10 +
 hw/i386/pc_sysfw.c                          |  31 +-
 include/hw/i386/x86.h                       |   3 +
 include/system/confidential-guest-support.h |  88 ++
 include/system/igvm-cfg.h                   |  49 +
 meson.build                                 |   8 +
 meson_options.txt                           |   2 +
 qapi/qom.json                               |  17 +
 qemu-options.hx                             |  28 +
 scripts/meson-buildoptions.sh               |   3 +
 target/i386/cpu.h                           |   9 +-
 target/i386/sev.c                           | 850 +++++++++++++++--
 target/i386/sev.h                           | 124 +++
 24 files changed, 2475 insertions(+), 84 deletions(-)
 create mode 100644 backends/igvm-cfg.c
 create mode 100644 backends/igvm.c
 create mode 100644 backends/igvm.h
 create mode 100644 docs/system/igvm.rst
 create mode 100644 include/system/igvm-cfg.h

-- 
2.43.0
Re: [PATCH v9 00/16] Introduce support for IGVM files
Posted by Paolo Bonzini 5 months, 1 week ago 
Queued, thanks.

Paolo
Re: [PATCH v9 00/16] Introduce support for IGVM files
Posted by Daniel P. Berrangé 5 months, 1 week ago 
On Thu, Jul 03, 2025 at 03:59:33PM +0100, Roy Hopkins wrote:
> Here is v9 of the set of patches to add support for IGVM files to QEMU. This is
> based on commit c77283dd5d79149f4e7e9edd00f65416c648ee59 of qemu.
> 
> Once again, this is mostly a rebase of the previous patch series. However,
> thanks to those reviewers who have provided feedback on v8 which has now been
> addressed in this new version.
> 
> This v9 patch series is also available on github: [2]
> 
> For testing IGVM support in QEMU you need to generate an IGVM file that is
> configured for the platform you want to launch. You can use the `buildigvm`
> test tool [3] to allow generation of IGVM files for all currently supported
> platforms. Patch 11/17 contains information on how to generate an IGVM file
> using this tool.
> 
> Changes in v9:
> 
> * Address review comments from v8
> * Add metadata to relevant commits.
> 
> Patch summary:
> 
> 1-11: Add support and documentation for processing IGVM files for SEV, SEV-ES,
> SEV-SNP and native platforms. 
> 
> 12-15: Processing of policy and SEV-SNP ID_BLOCK from IGVM file. 
> 
> 16: Add pre-processing of IGVM file to support synchronization of 'SEV_FEATURES'
> from IGVM VMSA to KVM.

IIRC, way back in the early draft of this you have included some pieces
related to TDX which we then dropped since TDX wasn't ready in QEMU
upstream.

Now that TDX merged in QEMU a few weeks back, I'm wondering what gaps there
are in this series wrt TDX support ?

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
Re: [PATCH v9 00/16] Introduce support for IGVM files
Posted by Stefano Garzarella 5 months, 1 week ago 
On Thu, Jul 03, 2025 at 03:59:33PM +0100, Roy Hopkins wrote:
>Here is v9 of the set of patches to add support for IGVM files to QEMU. This is
>based on commit c77283dd5d79149f4e7e9edd00f65416c648ee59 of qemu.

I successfully tested this series with the IGVM file generated by
COCONUT SVSM [1] in this way:

$ cd svsm
$ FW_FILE=/path/to/edk2/Build/OvmfX64/DEBUG_GCC5/FV/OVMF.fd make
$ ./scripts/launch_guest.sh \
     --qemu /path/to/qemu/build/qemu-system-x86_64 \
     --image /path/to/fedora.qcow2 -- -vga none

Host kernel: https://github.com/coconut-svsm/linux/tree/svsm
QEMU: master (commit df6fe2abf2e990f767ce755d426bc439c7bba336) + this
       series
SVSM: commit 00b24f830a318a40b56b492b917466e28fde12e2
EDK2: https://github.com/coconut-svsm/edk2/tree/svsm
Guest kernel: Linux 6.16-rc5

[1] https://github.com/coconut-svsm/svsm

Tested-by: Stefano Garzarella <sgarzare@redhat.com>

Thanks!

>
>Once again, this is mostly a rebase of the previous patch series. However,
>thanks to those reviewers who have provided feedback on v8 which has now been
>addressed in this new version.
>
>This v9 patch series is also available on github: [2]
>
>For testing IGVM support in QEMU you need to generate an IGVM file that is
>configured for the platform you want to launch. You can use the `buildigvm`
>test tool [3] to allow generation of IGVM files for all currently supported
>platforms. Patch 11/17 contains information on how to generate an IGVM file
>using this tool.
>
>Changes in v9:
>
>* Address review comments from v8
>* Add metadata to relevant commits.
>
>Patch summary:
>
>1-11: Add support and documentation for processing IGVM files for SEV, SEV-ES,
>SEV-SNP and native platforms.
>
>12-15: Processing of policy and SEV-SNP ID_BLOCK from IGVM file.
>
>16: Add pre-processing of IGVM file to support synchronization of 'SEV_FEATURES'
>from IGVM VMSA to KVM.
>
>[1] Link to v8:
>https://lists.gnu.org/archive/html/qemu-devel/2025-06/msg02324.html
>
>[2] v8 patches also available here:
>https://github.com/roy-hopkins/qemu/tree/igvm_master_v9
>
>[3] `buildigvm` tool v0.2.0
>https://github.com/roy-hopkins/buildigvm/releases/tag/v0.2.0
>
>Roy Hopkins (16):
>  meson: Add optional dependency on IGVM library
>  backends/confidential-guest-support: Add functions to support IGVM
>  backends/igvm: Add IGVM loader and configuration
>  hw/i386: Add igvm-cfg object and processing for IGVM files
>  i386/pc_sysfw: Ensure sysfw flash configuration does not conflict with
>    IGVM
>  sev: Update launch_update_data functions to use Error handling
>  target/i386: Allow setting of R_LDTR and R_TR with
>    cpu_x86_load_seg_cache()
>  i386/sev: Refactor setting of reset vector and initial CPU state
>  i386/sev: Implement ConfidentialGuestSupport functions for SEV
>  docs/system: Add documentation on support for IGVM
>  docs/interop/firmware.json: Add igvm to FirmwareDevice
>  backends/confidential-guest-support: Add set_guest_policy() function
>  backends/igvm: Process initialization sections in IGVM file
>  backends/igvm: Handle policy for SEV guests
>  i386/sev: Add implementation of CGS set_guest_policy()
>  sev: Provide sev_features flags from IGVM VMSA to KVM_SEV_INIT2
>
> backends/confidential-guest-support.c       |  43 +
> backends/igvm-cfg.c                         |  51 +
> backends/igvm.c                             | 988 ++++++++++++++++++++
> backends/igvm.h                             |  22 +
> backends/meson.build                        |   5 +
> docs/interop/firmware.json                  |  30 +-
> docs/system/i386/amd-memory-encryption.rst  |   2 +
> docs/system/igvm.rst                        | 173 ++++
> docs/system/index.rst                       |   1 +
> hw/i386/pc.c                                |  12 +
> hw/i386/pc_piix.c                           |  10 +
> hw/i386/pc_q35.c                            |  10 +
> hw/i386/pc_sysfw.c                          |  31 +-
> include/hw/i386/x86.h                       |   3 +
> include/system/confidential-guest-support.h |  88 ++
> include/system/igvm-cfg.h                   |  49 +
> meson.build                                 |   8 +
> meson_options.txt                           |   2 +
> qapi/qom.json                               |  17 +
> qemu-options.hx                             |  28 +
> scripts/meson-buildoptions.sh               |   3 +
> target/i386/cpu.h                           |   9 +-
> target/i386/sev.c                           | 850 +++++++++++++++--
> target/i386/sev.h                           | 124 +++
> 24 files changed, 2475 insertions(+), 84 deletions(-)
> create mode 100644 backends/igvm-cfg.c
> create mode 100644 backends/igvm.c
> create mode 100644 backends/igvm.h
> create mode 100644 docs/system/igvm.rst
> create mode 100644 include/system/igvm-cfg.h
>
>-- 
>2.43.0
>

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.