[v5,16/23] target/i386: encrypt bios rom

Message ID	20171206200346.116537-17-brijesh.singh@amd.com
State	New
Headers	show Return-Path: <qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org> From: Brijesh Singh <brijesh.singh@amd.com> To: qemu-devel@nongnu.org Date: Wed, 6 Dec 2017 14:03:39 -0600 Message-Id: <20171206200346.116537-17-brijesh.singh@amd.com> In-Reply-To: <20171206200346.116537-1-brijesh.singh@amd.com> References: <20171206200346.116537-1-brijesh.singh@amd.com> MIME-Version: 1.0 Content-Type: text/plain Received-SPF: None (protection.outlook.com: amd.com does not designate permitted sender hosts) X-Microsoft-Exchange-Diagnostics: =?us-ascii?Q?1; SN1PR12MB0158; 23:1XKjLDhri1B19MZPSC6UMlqzy2RdfUYMgEu188pwY?= dL5pqx/kH8tAGS+oK5drCArCfrQrFnl3UX6+0hTObr96QpRgKnOXLeRsRhrldCKC6v+22U86EPMrSpr1HyHbHbV+SgUyhtiKoq1dklu2sotAVfdoRG/lqHMG0VCJZEtXVUqb2SCHMnnnkGJo7nUhVJ8rh+KNJfogds/Y/qH66VKDz0Ur/Rnl7afEzE2Z1xItxLukGpq/k4Y3l9mESASFoNrRTFePMebThkNHNWqIFpbHeGfLE4iHYF5///ho32csCNNxkQTEIfqkFUTcyqFPXUYPykIwcKlaxiiWEK8w0m8G+HKRu0Kv5J5vaARvLsXmeX0k9Dl6oxe945muXeF+hLt3Qisxt+gtLExBYpDNfgLZkDwqxPsCW0xR9wqEOduRLSN9YXlk8SP3iIJgn43GrTmuUIWk+DrAlPA+Cb4R1RX3hLPFx2V4nfg2/3I3nyzNfjJbkZGf6voNmVaLTY0FDA5WuR7rr4GGqz0BZ8wEcRVwqxM8+xwciogGR1BuuttAZ7POAxJ5BvIN7hdJxk1WRpF02qjKdIUH4E2Rizsln4q6Hmimx3eJwRkq4kfrh017qfiecHYiKi8KUTPoYaTdiNFt5O+6zZbXC94UBKq5I3Qt9RyjJ0xvB3Bjdb2Bgub0Uk8uhgRGSr3YR8zTZ4X6CDVxq+avvBHtkP3eAGRalqx9i3iHVMZOXa0aZ6c82rGGAakIRxAM1jXpmzQsDCuEwS7JFSLjjfjCJOYL8yYPnz3zxt6IhmyXBjZEpKDY9d/KhTMco6ThmTbx2BRPtVsDrmFgrvmbEH/76bSQ898+zRl7vfeRXxbHsZj7cjbHHZUu6vd+Lh3e/VEhH8jsfLWFZ6ldo45kG+4tL4eTP4kdG9iGBzJLqS2ZluZGxrsGmu3V60Dmsm3zli7H4AuDorOEgvKhkE1m4X84viEHRpVjSV0m4xs4iyHW0BNC8Gk/t5faZlSPthdUC/PJ8iDn16O8nSxnFp+A/OZ0h7grqnSGOrNgB5w0VHui5riBHGfZSoRfVJ6MTXpM8bMH8BIYPr3JOgaz6lvBnIpeUrwt36GyqWVMbB9DNSZW6LPULzAoDdyRJ7P6LHEKq3rA7ZUNrAFRCZzQ7SekcWlC95xpvIOugtdrWNXg2h2mHLXuUB1+C0prYiUaSCMevbS9EhIbfd0TYk6G0/tc5bEpQ/F9Q1MnDa/kQ== X-Microsoft-Exchange-Diagnostics: 1; SN1PR12MB0158; 6:gvls5EdZAF5L7luKIRxCE9IBmqDFiAQEkFPW134JcN/bnN/0G4+gb/oVfvKf5OjmUXwX0dFxs4dtR8g8OCY18/RmkWcNtK8soGv/2AVdAg0X/UMVvfWYCPLCj7cUMBUTNYbxkWQtlEmhCJ1sFMwm9jNsWJwk3pE1xOgRZvyci07/DDhx4a2U+t+j1eUXt4H8DaZ/Cs+JNIxfkWDZ5hW4DB+pSwD9Yv9IviL0jAVld5Mmv7chK5NrHz84EvqQ5PpCyQS21RCMv9yJg/cI0QydMyt1GWBLw87VKTjWJlaJsbFv7TUJpRgffHaqXiN8ZjN0XcVvFsuHLzASVLTh6Y1+AM+NHklTyahLDkuS/MqYmDU=; 5:LPKrbwJe31YXRHxEY7GtiXdxT4/NQOp94pqu0u+RVGqE/bPxmSUqWZnF643F+i0Vl/F93JulkzeynTkKH8VSDFiqjoBI29j4XcmP+OFlZcUzynZEXE0atTbc6x41213Nsi6KT48X7ND7jLTYzRYha+ssSLpByBDRufDDBVbAMAY=; 24:kIc5yB8kp+g/3bhjeNvSxTFgO6pq4mDa2UcLsM9yHnJkKUhBdVDIna2RsUuDfluOq8WgMv+vPAWACN2PbRBqBYzXh67Z0oSjtlhCi6UKvqY=; 7:I11rSwgJpGW2XrXwQbxKqlGghrobBatRr7sQ/iQw+mWwJt7mSPGBF4RTicpq4ik1rddqFjAuXKmDBXbB5I2zln7efAJHm8Sg3tKg95/ILIVh/ZY9CVhlNOOYHGQ8S628H43tlhRvS3K88/UKctKFnLpYT/CCnfmoFG7oGzKkYqTgmR1bzsCVIbre1KAvIUMLZcwi1Q+Aic8+Nli1sfWzDy21J4ikuzdg8yeJYCAZXxksQgSxQZCn7JM9+bB3roz9 SpamDiagnosticOutput: 1:99 SpamDiagnosticMetadata: NSPM X-Microsoft-Exchange-Diagnostics: 1; SN1PR12MB0158; 20:lt1hNU78S2mbDrecQqoi6GF+YVVP6qeCQZVvzJM6mDrqeu/02Xl/8HYRAn/cO3+dsZCnwbvg7HoX5r2jv/raLuwvk5wAhhBZ1lMvbXelZYe2+0vY4FqQy+j2hO2no0uedIxv0SQ8nyPZQKjhNd/OpDnuzf7wjWrUhVFTk+smJ3uwtPCtUskpzRP4z/q+zbDubjkfVyQHZn244as/Xus32zNEOSNVPj0wQgWpWXKyskJY6h+MV26B7GVfL+d/R98n Subject: [Qemu-devel] [PATCH v5 16/23] target/i386: encrypt bios rom Precedence: list Cc: "Edgar E . Iglesias " <edgar.iglesias@xilinx.com>, Peter Maydell <peter.maydell@linaro.org>, Peter Crosthwaite <crosthwaite.peter@gmail.com>, Eduardo Habkost <ehabkost@redhat.com>, kvm@vger.kernel.org, Marcel Apfelbaum <marcel@redhat.com>, Markus Armbruster <armbru@redhat.com>, "Michael S. Tsirkin" <mst@redhat.com>, Richard Henderson <richard.henderson@linaro.org>, "Dr. David Alan Gilbert" <dgilbert@redhat.com>, Alistair Francis <alistair.francis@xilinx.com>, Christian Borntraeger <borntraeger@de.ibm.com>, Brijesh Singh <brijesh.singh@amd.com>, Stefan Hajnoczi <stefanha@gmail.com>, Cornelia Huck <cornelia.huck@de.ibm.com>, Paolo Bonzini <pbonzini@redhat.com>, Thomas Lendacky <Thomas.Lendacky@amd.com>, Borislav Petkov <bp@suse.de>, Richard Henderson <rth@twiddle.net> Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org Sender: "Qemu-devel" <qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>
Series	x86: Secure Encrypted Virtualization (AMD) \| expand [v5,00/23] x86: Secure Encrypted Virtualization (AMD) [v5,01/23] memattrs: add debug attribute [v5,02/23] exec: add ram_debug_ops support [v5,03/23] exec: add debug version of physical memory read and write API [v5,04/23] monitor/i386: use debug APIs when accessing guest memory [v5,05/23] target/i386: add memory encryption feature cpuid support [v5,06/23] machine: add -memory-encryption property [v5,07/23] kvm: update kvm.h to include memory encryption ioctls [v5,08/23] docs: add AMD Secure Encrypted Virtualization (SEV) [v5,09/23] accel: add Secure Encrypted Virtulization (SEV) object [v5,10/23] sev: add command to initialize the memory encryption context [v5,11/23] sev: register the guest memory range which may contain encrypted data [v5,12/23] kvm: introduce memory encryption APIs [v5,13/23] hmp: display memory encryption support in 'info kvm' [v5,14/23] sev: add command to create launch memory encryption context [v5,15/23] sev: add command to encrypt guest memory region [v5,16/23] target/i386: encrypt bios rom [v5,17/23] qapi: add SEV_MEASUREMENT event [v5,18/23] sev: emit the SEV_MEASUREMENT event [v5,19/23] sev: Finalize the SEV guest launch flow [v5,20/23] hw: i386: set ram_debug_ops when memory encryption is enabled [v5,21/23] sev: add debug encrypt and decrypt commands [v5,22/23] target/i386: clear C-bit when walking SEV guest page table [v5,23/23] sev: add migration blocker

Message ID

20171206200346.116537-17-brijesh.singh@amd.com

State

New

Headers

From: Brijesh Singh <brijesh.singh@amd.com>
To: qemu-devel@nongnu.org
Date: Wed,  6 Dec 2017 14:03:39 -0600
Message-Id: <20171206200346.116537-17-brijesh.singh@amd.com>
In-Reply-To: <20171206200346.116537-1-brijesh.singh@amd.com>
References: <20171206200346.116537-1-brijesh.singh@amd.com>
MIME-Version: 1.0
Content-Type: text/plain
Received-SPF: None (protection.outlook.com: amd.com does not designate
	permitted sender hosts)
SpamDiagnosticOutput: 1:99
SpamDiagnosticMetadata: NSPM
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 06 Dec 2017 20:04:44.6917
	(UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 8bbc604e-1025-45ca-8399-08d53ce4993d
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 3dd8961f-e488-4e60-8e11-a82d994e183d
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN1PR12MB0158
X-detected-operating-system: by eggs.gnu.org: Windows 7 or 8 [fuzzy]
X-Received-From: 104.47.32.54
Subject: [Qemu-devel] [PATCH v5 16/23] target/i386: encrypt bios rom
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel/>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Cc: "Edgar E . Iglesias " <edgar.iglesias@xilinx.com>,
	Peter Maydell <peter.maydell@linaro.org>,
	Peter Crosthwaite <crosthwaite.peter@gmail.com>,
	Eduardo Habkost <ehabkost@redhat.com>, kvm@vger.kernel.org,
	Marcel Apfelbaum <marcel@redhat.com>,
	Markus Armbruster <armbru@redhat.com>,
	"Michael S. Tsirkin" <mst@redhat.com>,
	Richard Henderson <richard.henderson@linaro.org>,
	"Dr. David Alan Gilbert" <dgilbert@redhat.com>,
	Alistair Francis <alistair.francis@xilinx.com>,
	Christian Borntraeger <borntraeger@de.ibm.com>,
	Brijesh Singh <brijesh.singh@amd.com>,
	Stefan Hajnoczi <stefanha@gmail.com>,
	Cornelia Huck <cornelia.huck@de.ibm.com>,
	Paolo Bonzini <pbonzini@redhat.com>,
	Thomas Lendacky <Thomas.Lendacky@amd.com>, Borislav Petkov <bp@suse.de>, 
	Richard Henderson <rth@twiddle.net>
Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org
Sender: "Qemu-devel"
	<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>

Series

x86: Secure Encrypted Virtualization (AMD) | expand

Commit Message

Brijesh Singh Dec. 6, 2017, 8:03 p.m. UTC

SEV requires that guest bios must be encrypted before booting the guest.

Cc: "Michael S. Tsirkin" <mst@redhat.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Richard Henderson <rth@twiddle.net>
Cc: Eduardo Habkost <ehabkost@redhat.com>
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
---
 hw/i386/pc_sysfw.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/hw/i386/pc_sysfw.c b/hw/i386/pc_sysfw.c
index 6b183747fcea..8ddbbf74d330 100644
--- a/hw/i386/pc_sysfw.c
+++ b/hw/i386/pc_sysfw.c
@@ -112,6 +112,8 @@  static void pc_system_flash_init(MemoryRegion *rom_memory)
     pflash_t *system_flash;
     MemoryRegion *flash_mem;
     char name[64];
+    void *flash_ptr;
+    int ret, flash_size;
 
     sector_bits = 12;
     sector_size = 1 << sector_bits;
@@ -168,6 +170,17 @@  static void pc_system_flash_init(MemoryRegion *rom_memory)
         if (unit == 0) {
             flash_mem = pflash_cfi01_get_memory(system_flash);
             pc_isa_bios_init(rom_memory, flash_mem, size);
+
+            /* Encrypt the pflash boot ROM */
+            if (kvm_memcrypt_enabled()) {
+                flash_ptr = memory_region_get_ram_ptr(flash_mem);
+                flash_size = memory_region_size(flash_mem);
+                ret = kvm_memcrypt_encrypt_data(flash_ptr, flash_size);
+                if (ret) {
+                    error_report("failed to encrypt pflash rom");
+                    exit(1);
+                }
+            }
         }
     }
 }

[v5,16/23] target/i386: encrypt bios rom

Commit Message

Patch