| Message ID | 20210215131626.65640-3-pbonzini@redhat.com |
|---|---|
| State | New |
| Series | [PULL,01/19] pc: add parser for OVMF reset block |
On 2/15/21 2:16 PM, Paolo Bonzini wrote:
> From: James Bottomley <jejb@linux.ibm.com>
>
> If the gpa isn't specified, its value is extracted from the OVMF
> properties table located below the reset vector (and if this doesn't
> exist, an error is returned). OVMF has defined the GUID for the SEV
> secret area as 4c2eb361-7d9b-4cc3-8081-127c90d3d294 and the format of
> the <data> is: <base>|<size> where both are uint32_t. We extract
> <base> and use it as the gpa for the injection.
>
> Note: it is expected that the injected secret will also be GUID
> described but since qemu can't interpret it, the format is left
> undefined here.
>
> Signed-off-by: James Bottomley <jejb@linux.ibm.com>
>
> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
> Message-Id: <20210204193939.16617-3-jejb@linux.ibm.com>
> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> ---
> qapi/misc-target.json | 2 +-
> target/i386/monitor.c | 23 ++++++++++++++++++++++-
> 2 files changed, 23 insertions(+), 2 deletions(-)
>
> diff --git a/qapi/misc-target.json b/qapi/misc-target.json
> index 06ef8757f0..0c7491cd82 100644
> --- a/qapi/misc-target.json
> +++ b/qapi/misc-target.json
> @@ -216,7 +216,7 @@
> #
> ##
> { 'command': 'sev-inject-launch-secret',
> - 'data': { 'packet-header': 'str', 'secret': 'str', 'gpa': 'uint64' },
> + 'data': { 'packet-header': 'str', 'secret': 'str', '*gpa': 'uint64' },
> 'if': 'defined(TARGET_I386)' }
>
> ##
> diff --git a/target/i386/monitor.c b/target/i386/monitor.c
> index 1bc91442b1..5994408bee 100644
> --- a/target/i386/monitor.c
> +++ b/target/i386/monitor.c
> @@ -34,6 +34,7 @@
> #include "sev_i386.h"
> #include "qapi/qapi-commands-misc-target.h"
> #include "qapi/qapi-commands-misc.h"
> +#include "hw/i386/pc.h"
>
> /* Perform linear address sign extension */
> static hwaddr addr_canonical(CPUArchState *env, hwaddr addr)
> @@ -730,9 +731,29 @@ SevCapability *qmp_query_sev_capabilities(Error **errp)
> return sev_get_capabilities(errp);
> }
>
> +#define SEV_SECRET_GUID "4c2eb361-7d9b-4cc3-8081-127c90d3d294"
> +struct sev_secret_area {
> + uint32_t base;
> + uint32_t size;
> +};
> +
> void qmp_sev_inject_launch_secret(const char *packet_hdr,
> - const char *secret, uint64_t gpa,
> + const char *secret,
> + bool has_gpa, uint64_t gpa,
> Error **errp)
> {
> + if (!has_gpa) {
> + uint8_t *data;
> + struct sev_secret_area *area;
> +
> + if (!pc_system_ovmf_table_find(SEV_SECRET_GUID, &data, NULL)) {

FYI trying to build MicroVM standalone (--without-default-devices):

/usr/bin/ld: libqemu-i386-softmmu.fa.p/target_i386_monitor.c.o: in function `qmp_sev_inject_launch_secret':
target/i386/monitor.c:749: undefined reference to `pc_system_ovmf_table_find'

I'm adding this to my TODO list.
On Thu, 2021-05-20 at 23:36 +0200, Philippe Mathieu-Daudé wrote:
> On 2/15/21 2:16 PM, Paolo Bonzini wrote:
> > From: James Bottomley <jejb@linux.ibm.com>
> >
> > If the gpa isn't specified, its value is extracted from the OVMF
> > properties table located below the reset vector (and if this
> > doesn't
> > exist, an error is returned). OVMF has defined the GUID for the
> > SEV
> > secret area as 4c2eb361-7d9b-4cc3-8081-127c90d3d294 and the format
> > of
> > the <data> is: <base>|<size> where both are uint32_t. We extract
> > <base> and use it as the gpa for the injection.
> >
> > Note: it is expected that the injected secret will also be GUID
> > described but since qemu can't interpret it, the format is left
> > undefined here.
> >
> > Signed-off-by: James Bottomley <jejb@linux.ibm.com>
> >
> > Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
> > Message-Id: <20210204193939.16617-3-jejb@linux.ibm.com>
> > Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> > ---
> > qapi/misc-target.json | 2 +-
> > target/i386/monitor.c | 23 ++++++++++++++++++++++-
> > 2 files changed, 23 insertions(+), 2 deletions(-)
> >
> > diff --git a/qapi/misc-target.json b/qapi/misc-target.json
> > index 06ef8757f0..0c7491cd82 100644
> > --- a/qapi/misc-target.json
> > +++ b/qapi/misc-target.json
> > @@ -216,7 +216,7 @@
> > #
> > ##
> > { 'command': 'sev-inject-launch-secret',
> > - 'data': { 'packet-header': 'str', 'secret': 'str', 'gpa':
> > 'uint64' },
> > + 'data': { 'packet-header': 'str', 'secret': 'str', '*gpa':
> > 'uint64' },
> > 'if': 'defined(TARGET_I386)' }
> >
> > ##
> > diff --git a/target/i386/monitor.c b/target/i386/monitor.c
> > index 1bc91442b1..5994408bee 100644
> > --- a/target/i386/monitor.c
> > +++ b/target/i386/monitor.c
> > @@ -34,6 +34,7 @@
> > #include "sev_i386.h"
> > #include "qapi/qapi-commands-misc-target.h"
> > #include "qapi/qapi-commands-misc.h"
> > +#include "hw/i386/pc.h"
> >
> > /* Perform linear address sign extension */
> > static hwaddr addr_canonical(CPUArchState *env, hwaddr addr)
> > @@ -730,9 +731,29 @@ SevCapability
> > *qmp_query_sev_capabilities(Error **errp)
> > return sev_get_capabilities(errp);
> > }
> >
> > +#define SEV_SECRET_GUID "4c2eb361-7d9b-4cc3-8081-127c90d3d294"
> > +struct sev_secret_area {
> > + uint32_t base;
> > + uint32_t size;
> > +};
> > +
> > void qmp_sev_inject_launch_secret(const char *packet_hdr,
> > - const char *secret, uint64_t
> > gpa,
> > + const char *secret,
> > + bool has_gpa, uint64_t gpa,
> > Error **errp)
> > {
> > + if (!has_gpa) {
> > + uint8_t *data;
> > + struct sev_secret_area *area;
> > +
> > + if (!pc_system_ovmf_table_find(SEV_SECRET_GUID, &data,
> > NULL)) {
>
> FYI trying to build MicroVM standalone (--without-default-devices):
>
> /usr/bin/ld: libqemu-i386-softmmu.fa.p/target_i386_monitor.c.o: in
> function `qmp_sev_inject_launch_secret':
> target/i386/monitor.c:749: undefined reference to
> `pc_system_ovmf_table_find'
>
> I'm adding this to my TODO list.

I'm pretty clueless with the new meson build system but I think this is
something to do with CONFIG_PC not being defined ... can you verify? In
which case it could be fixed with a pc_sysfw-stub.c that builds it as a
function returning false.

James
On 5/21/21 12:19 AM, James Bottomley wrote:
> On Thu, 2021-05-20 at 23:36 +0200, Philippe Mathieu-Daudé wrote:
>> On 2/15/21 2:16 PM, Paolo Bonzini wrote:
>>> From: James Bottomley <jejb@linux.ibm.com>
>>>
>>> If the gpa isn't specified, its value is extracted from the OVMF
>>> properties table located below the reset vector (and if this
>>> doesn't
>>> exist, an error is returned). OVMF has defined the GUID for the
>>> SEV
>>> secret area as 4c2eb361-7d9b-4cc3-8081-127c90d3d294 and the format
>>> of
>>> the <data> is: <base>|<size> where both are uint32_t. We extract
>>> <base> and use it as the gpa for the injection.
>>>
>>> Note: it is expected that the injected secret will also be GUID
>>> described but since qemu can't interpret it, the format is left
>>> undefined here.
>>>
>>> Signed-off-by: James Bottomley <jejb@linux.ibm.com>
>>>
>>> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
>>> Message-Id: <20210204193939.16617-3-jejb@linux.ibm.com>
>>> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
>>> ---
>>> qapi/misc-target.json | 2 +-
>>> target/i386/monitor.c | 23 ++++++++++++++++++++++-
>>> 2 files changed, 23 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/qapi/misc-target.json b/qapi/misc-target.json
>>> index 06ef8757f0..0c7491cd82 100644
>>> --- a/qapi/misc-target.json
>>> +++ b/qapi/misc-target.json
>>> @@ -216,7 +216,7 @@
>>> #
>>> ##
>>> { 'command': 'sev-inject-launch-secret',
>>> - 'data': { 'packet-header': 'str', 'secret': 'str', 'gpa':
>>> 'uint64' },
>>> + 'data': { 'packet-header': 'str', 'secret': 'str', '*gpa':
>>> 'uint64' },
>>> 'if': 'defined(TARGET_I386)' }
>>>
>>> ##
>>> diff --git a/target/i386/monitor.c b/target/i386/monitor.c
>>> index 1bc91442b1..5994408bee 100644
>>> --- a/target/i386/monitor.c
>>> +++ b/target/i386/monitor.c
>>> @@ -34,6 +34,7 @@
>>> #include "sev_i386.h"
>>> #include "qapi/qapi-commands-misc-target.h"
>>> #include "qapi/qapi-commands-misc.h"
>>> +#include "hw/i386/pc.h"
>>>
>>> /* Perform linear address sign extension */
>>> static hwaddr addr_canonical(CPUArchState *env, hwaddr addr)
>>> @@ -730,9 +731,29 @@ SevCapability
>>> *qmp_query_sev_capabilities(Error **errp)
>>> return sev_get_capabilities(errp);
>>> }
>>>
>>> +#define SEV_SECRET_GUID "4c2eb361-7d9b-4cc3-8081-127c90d3d294"
>>> +struct sev_secret_area {
>>> + uint32_t base;
>>> + uint32_t size;
>>> +};
>>> +
>>> void qmp_sev_inject_launch_secret(const char *packet_hdr,
>>> - const char *secret, uint64_t
>>> gpa,
>>> + const char *secret,
>>> + bool has_gpa, uint64_t gpa,
>>> Error **errp)
>>> {
>>> + if (!has_gpa) {
>>> + uint8_t *data;
>>> + struct sev_secret_area *area;
>>> +
>>> + if (!pc_system_ovmf_table_find(SEV_SECRET_GUID, &data,
>>> NULL)) {
>>
>> FYI trying to build MicroVM standalone (--without-default-devices):
>>
>> /usr/bin/ld: libqemu-i386-softmmu.fa.p/target_i386_monitor.c.o: in
>> function `qmp_sev_inject_launch_secret':
>> target/i386/monitor.c:749: undefined reference to
>> `pc_system_ovmf_table_find'
>>
>> I'm adding this to my TODO list.
>
> I'm pretty clueless with the new meson build system but I think this is
> something to do with CONFIG_PC not being defined ... can you verify? In
> which case it could be fixed with a pc_sysfw-stub.c that builds it as a
> function returning false.

Oh actually I wrote the fix this morning, but haven't posted it yet.
Besides what you said, I added an X86_FW_OVMF symbol and have SEV depend
on it. I'll cc you when posting.

Regards,

Phil.
diff --git a/qapi/misc-target.json b/qapi/misc-target.json index 06ef8757f0..0c7491cd82 100644 --- a/qapi/misc-target.json +++ b/qapi/misc-target.json @@ -216,7 +216,7 @@ # ## { 'command': 'sev-inject-launch-secret', - 'data': { 'packet-header': 'str', 'secret': 'str', 'gpa': 'uint64' }, + 'data': { 'packet-header': 'str', 'secret': 'str', '*gpa': 'uint64' }, 'if': 'defined(TARGET_I386)' } ## diff --git a/target/i386/monitor.c b/target/i386/monitor.c index 1bc91442b1..5994408bee 100644 --- a/target/i386/monitor.c +++ b/target/i386/monitor.c @@ -34,6 +34,7 @@ #include "sev_i386.h" #include "qapi/qapi-commands-misc-target.h" #include "qapi/qapi-commands-misc.h" +#include "hw/i386/pc.h" /* Perform linear address sign extension */ static hwaddr addr_canonical(CPUArchState *env, hwaddr addr) @@ -730,9 +731,29 @@ SevCapability *qmp_query_sev_capabilities(Error **errp) return sev_get_capabilities(errp); } +#define SEV_SECRET_GUID "4c2eb361-7d9b-4cc3-8081-127c90d3d294" +struct sev_secret_area { + uint32_t base; + uint32_t size; +}; + void qmp_sev_inject_launch_secret(const char *packet_hdr, - const char *secret, uint64_t gpa, + const char *secret, + bool has_gpa, uint64_t gpa, Error **errp) { + if (!has_gpa) { + uint8_t *data; + struct sev_secret_area *area; + + if (!pc_system_ovmf_table_find(SEV_SECRET_GUID, &data, NULL)) { + error_setg(errp, "SEV: no secret area found in OVMF," + " gpa must be specified."); + return; + } + area = (struct sev_secret_area *)data; + gpa = area->base; + } + sev_inject_launch_secret(packet_hdr, secret, gpa, errp); }
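Review bot: in the qapi/misc-target.json hunk, turning `'gpa'` into the optional `'*gpa'` changes the command's contract for every QMP client, but the doc comment that precedes `{ 'command': 'sev-inject-launch-secret',` (only its closing `##` is in the context lines) is not touched, so nothing tells a client that `gpa` may now be omitted or that the value is then taken from the OVMF secret-area table. Please extend that doc block with the new semantics and the error returned when no table entry exists.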
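Review bot: in the `qmp_sev_inject_launch_secret` hunk, the lookup `if (!pc_system_ovmf_table_find(SEV_SECRET_GUID, &data, NULL)) {` passes `NULL` for the length and then does `area = (struct sev_secret_area *)data;` and reads `area->base`, so a truncated or malformed table entry carrying the configured GUID is dereferenced without any size check; request the length in the third argument and fail via `error_setg` unless it is at least `sizeof(struct sev_secret_area)`, and since `area->size` is declared but never consulted, either validate it (non-zero) or drop the field from the comment describing the format. Separately, the new `#include "hw/i386/pc.h"` and the call into `pc_system_ovmf_table_find` make this target file depend on the PC machine being built: the thread above shows a `--without-default-devices` microvm build failing with `undefined reference to pc_system_ovmf_table_find`, so the call needs a stub or a build-time dependency so that the SEV code is only compiled when that symbol is available.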