From patchwork Wed Dec 6 20:03:33 2017
X-Patchwork-Submitter: Brijesh Singh
X-Patchwork-Id: 845335
From: Brijesh Singh
To: qemu-devel@nongnu.org
Date: Wed, 6 Dec 2017 14:03:33 -0600
Message-Id: <20171206200346.116537-11-brijesh.singh@amd.com>
In-Reply-To: <20171206200346.116537-1-brijesh.singh@amd.com>
References: <20171206200346.116537-1-brijesh.singh@amd.com>
Subject: [Qemu-devel] [PATCH v5 10/23] sev: add command to initialize the memory encryption context
Cc: "Edgar E. Iglesias", Peter Maydell, Peter Crosthwaite, Eduardo Habkost, kvm@vger.kernel.org, Marcel Apfelbaum, Markus Armbruster, "Michael S. Tsirkin", Richard Henderson, "Dr. David Alan Gilbert", Alistair Francis, Christian Borntraeger, Brijesh Singh, Stefan Hajnoczi, Cornelia Huck, Paolo Bonzini, Thomas Lendacky, Borislav Petkov, Richard Henderson

When memory encryption is enabled, the KVM_SEV_INIT command is used to initialize the platform. The command loads the SEV-related persistent data from non-volatile storage and initializes the platform context. This command should be issued first, before invoking any other guest commands provided by the SEV firmware.

Cc: Paolo Bonzini
Signed-off-by: Brijesh Singh
---
accel/kvm/kvm-all.c | 15 +++++++
accel/kvm/sev.c | 122 +++++++++++++++++++++++++++++++++++++++++++++++++++
include/sysemu/sev.h | 10 +++++
3 files changed, 147 insertions(+)

diff --git a/accel/kvm/kvm-all.c b/accel/kvm/kvm-all.c index f290f487a573..a9b16846675e 100644 --- a/accel/kvm/kvm-all.c +++ b/accel/kvm/kvm-all.c @@ -38,6 +38,7 @@ #include "qemu/event_notifier.h" #include "trace.h" #include "hw/irq.h" +#include "sysemu/sev.h" #include "hw/boards.h" @@ -103,6 +104,9 @@ struct KVMState #endif KVMMemoryListener memory_listener; QLIST_HEAD(, KVMParkedVcpu) kvm_parked_vcpus; + + /* memory encryption */ + void *memcrypt_handle; }; KVMState *kvm_state;
@@ -1632,6 +1636,17 @@ static int kvm_init(MachineState *ms) kvm_state = s; + /* + * if memory encryption object is specified then initialize the memory + * encryption context. + * */ + if (ms->memory_encryption) { + kvm_state->memcrypt_handle = sev_guest_init(ms->memory_encryption); + if (!kvm_state->memcrypt_handle) { + goto err; + } + } + ret = kvm_arch_init(ms, s); if (ret < 0) { goto err; diff --git a/accel/kvm/sev.c b/accel/kvm/sev.c index a9b9a63c2da0..37020751bd14 100644 --- a/accel/kvm/sev.c +++ b/accel/kvm/sev.c @@ -22,6 +22,67 @@ #define DEFAULT_GUEST_POLICY 0x1 /* disable debug */ #define DEFAULT_SEV_DEVICE "/dev/sev" +static int sev_fd; + +#define SEV_FW_MAX_ERROR 0x17 + +static char sev_fw_errlist[SEV_FW_MAX_ERROR][100] = { + "", + "Platform state is invalid", + "Guest state is invalid", + "Platform configuration is invalid", + "Buffer too small", + "Platform is already owned", + "Certificate is invalid", + "Policy is not allowed", + "Guest is not active", + "Invalid address", + "Bad signature", + "Bad measurement", + "Asid is already owned", + "Invalid ASID", + "WBINVD is required", + "DF_FLUSH is required", + "Guest handle is invalid", + "Invalid command", + "Guest is active", + "Hardware error", + "Hardware unsafe", + "Feature not supported", + "Invalid parameter" +}; + +static int +sev_ioctl(int cmd, void *data, int *error) +{ + int r; + struct kvm_sev_cmd input; + + memset(&input, 0x0, sizeof(input)); + + input.id = cmd; + input.sev_fd = sev_fd; + input.data = (__u64)data; + + r = kvm_vm_ioctl(kvm_state, KVM_MEMORY_ENCRYPT_OP, &input); + + if (error) { + *error = input.error; + } + + return r; +} + +static char * +fw_error_to_str(int code) +{ + if (code > SEV_FW_MAX_ERROR) { + return NULL; + } + + return sev_fw_errlist[code]; +} + static void qsev_guest_finalize(Object *obj) { 
@@ -170,6 +231,67 @@ static const TypeInfo qsev_guest_info = { } }; +static QSevGuestInfo * +lookup_sev_guest_info(const char *id) +{ + Object *obj; + QSevGuestInfo *info; + + obj = object_resolve_path_component(object_get_objects_root(), id); + if (!obj) { + return NULL; + } + + info = (QSevGuestInfo *) + object_dynamic_cast(obj, TYPE_QSEV_GUEST_INFO); + if (!info) { + return NULL; + } + + return info; +} + +void * +sev_guest_init(const char *id) +{ + SEVState *s; + char *devname; + int ret, fw_error; + + s = g_malloc0(sizeof(SEVState)); + if (!s) { + return NULL; + } + + s->sev_info = lookup_sev_guest_info(id); + if (!s->sev_info) { + error_report("%s: '%s' is not a valid '%s' object", + __func__, id, TYPE_QSEV_GUEST_INFO); + goto err; + } + + devname = object_property_get_str(OBJECT(s->sev_info), "sev-device", NULL); + sev_fd = open(devname, O_RDWR); + if (sev_fd < 0) { + error_report("%s: Failed to open %s '%s'", __func__, + devname, strerror(errno)); + goto err; + } + g_free(devname); + + ret = sev_ioctl(KVM_SEV_INIT, NULL, &fw_error); + if (ret) { + error_report("%s: failed to initialize ret=%d fw_error=%d '%s'", + __func__, ret, fw_error, fw_error_to_str(fw_error)); + goto err; + } + + return s; +err: + g_free(s); + return NULL; +} + static void sev_register_types(void) { diff --git a/include/sysemu/sev.h b/include/sysemu/sev.h index e00794ec1805..f85517c0b5b5 100644 --- a/include/sysemu/sev.h +++ b/include/sysemu/sev.h @@ -14,6 +14,8 @@ #ifndef QEMU_SEV_H #define QEMU_SEV_H +#include + #include "qom/object.h" #include "qapi/error.h" #include "sysemu/kvm.h" @@ -49,5 +51,13 @@ struct QSevGuestInfoClass { ObjectClass parent_class; }; +struct SEVState { + QSevGuestInfo *sev_info; +}; + +typedef struct SEVState SEVState; + +void *sev_guest_init(const char *id); + #endif
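Review bot: in the kvm_init() hunk of accel/kvm/kvm-all.c the new block comment is closed with `* */` instead of ` */`, and the added code goes through the global `kvm_state` right after `kvm_state = s;` while the rest of the function uses the local `s`; suggest `s->memcrypt_handle = sev_guest_init(ms->memory_encryption);` followed by `if (!s->memcrypt_handle) { goto err; }`. Please also confirm what the existing `err:` label releases: the visible sev_guest_init() frees its own `SEVState` on failure, but it leaves the `/dev/sev` descriptor it opened behind, so a failed init in kvm_init() currently leaks that fd.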
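Review bot: fw_error_to_str() in the first accel/kvm/sev.c hunk has an off-by-one: `sev_fw_errlist` has SEV_FW_MAX_ERROR (0x17 = 23) rows indexed 0..22, but the guard is `if (code > SEV_FW_MAX_ERROR)`, so a code of 23 reads one row past the end, and negative codes are not rejected at all; it should be `if (code < 0 || code >= SEV_FW_MAX_ERROR)`. Returning NULL is also a problem, because the only caller feeds the result to a `'%s'` in error_report(), which is undefined behaviour for a NULL pointer; return a fixed string such as "unknown error" instead. Style points: a `static const char *const sev_fw_errlist[]` with `ARRAY_SIZE()` removes the hand-maintained bound (0x17 is a count, not a maximum, despite the name) and the fixed 100-byte rows, the function should return `const char *`, and `input.data = (__u64)data;` in sev_ioctl() is better written `(uintptr_t)data` so it does not warn on 32-bit hosts.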
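Review bot: sev_guest_init() in the second accel/kvm/sev.c hunk leaks on its error paths: `devname` is never freed when open() fails (the `goto err` sits before `g_free(devname)`), and `sev_fd` stays open when KVM_SEV_INIT fails, since `err:` only frees `s`; suggest freeing `devname` before that goto and adding `close(sev_fd); sev_fd = -1;` at the error label. The `if (!s)` after g_malloc0() is dead code, as g_malloc0() aborts rather than returning NULL; QEMU style is `s = g_new0(SEVState, 1);`. `object_property_get_str(..., NULL)` can return NULL, which would be passed straight to open(), so check it. And when kvm_vm_ioctl() itself fails, `fw_error` is just the zeroed `input.error`, so the message reports fw_error=0 and hides errno; include `strerror(errno)` for the `ret < 0` case. Keeping the fd in SEVState rather than in the file-scope `sev_fd` would also let the handle returned to kvm_init() own everything it has to release.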
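Review bot: the `#include` added at the top of the include/sysemu/sev.h hunk carries no header name in the patch as posted here, so it cannot be checked; please make sure the intended header survives in the next version. Separately, since sev_guest_init() returns an opaque `void *` that kvm-all.c only stores, `struct SEVState` does not need to be exposed in the public header; a forward declaration there with the definition kept private to sev.c is enough, and a typed handle (`SEVState *`) would be preferable to `void *` in both the return type and `memcrypt_handle`.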