From patchwork Wed Feb 7 16:06:27 2018
X-Patchwork-Submitter: Brijesh Singh
X-Patchwork-Id: 870499
From: Brijesh Singh
To: qemu-devel@nongnu.org
Date: Wed, 7 Feb 2018 10:06:27 -0600
Message-Id: <20180207160638.98872-15-brijesh.singh@amd.com>
In-Reply-To: <20180207160638.98872-1-brijesh.singh@amd.com>
References: <20180207160638.98872-1-brijesh.singh@amd.com>
Subject: [Qemu-devel] [PATCH v7 15/26] sev: add command to create launch memory encryption context
Cc: "Edgar E. Iglesias", Peter Maydell, Eduardo Habkost, kvm@vger.kernel.org, "Michael S. Tsirkin", Marcel Apfelbaum, Markus Armbruster, Peter Crosthwaite, Richard Henderson, "Dr. David Alan Gilbert", Alistair Francis, Christian Borntraeger, Brijesh Singh, Stefan Hajnoczi, Cornelia Huck, Paolo Bonzini, Thomas Lendacky, Borislav Petkov

The KVM_SEV_LAUNCH_START command creates a new VM encryption key (VEK). The encryption key created with the command will be used for encrypting the bootstrap images (such as guest bios).

Cc: Paolo Bonzini
Cc: kvm@vger.kernel.org
Signed-off-by: Brijesh Singh
---
 accel/kvm/sev.c        | 99 ++++++++++++++++++++++++++++++++++++++++++++++++++
 accel/kvm/trace-events |  2 +
 include/sysemu/sev.h   | 10 +++++
 3 files changed, 111 insertions(+)

diff --git a/accel/kvm/sev.c b/accel/kvm/sev.c index 2c4bbba3c367..2ecc6a1d1ad3 100644 --- a/accel/kvm/sev.c +++ b/accel/kvm/sev.c @@ -29,6 +29,17 @@ static int sev_fd; #define SEV_FW_MAX_ERROR 0x17 +static SevGuestState current_sev_guest_state = SEV_STATE_UNINIT; + +static const char *const sev_state_str[] = { + "uninit", + "lupdate", + "secret", + "running", + "supdate", + "rupdate", +}; + static const char *const sev_fw_errlist[] = { "", "Platform state is invalid", @@ -86,6 +97,16 @@ fw_error_to_str(int code) return sev_fw_errlist[code]; } +static void +sev_set_guest_state(SevGuestState new_state) +{ + assert(new_state < SEV_STATE_MAX); + + trace_kvm_sev_change_state(sev_state_str[current_sev_guest_state], + sev_state_str[new_state]); + current_sev_guest_state = new_state; +} + static void sev_ram_block_added(RAMBlockNotifier *n, void *host, size_t size) { @@ -337,6 +358,7 @@ sev_get_me_mask(void) void sev_get_current_state(char **state) { + *state = g_strdup(sev_state_str[current_sev_guest_state]); } bool 
@@ -355,6 +377,76 @@ sev_get_policy(uint32_t *policy) { } +static int +sev_read_file_base64(const char *filename, guchar **data, gsize *len) +{ + gsize sz; + gchar *base64; + GError *error = NULL; + + if (!g_file_get_contents(filename, &base64, &sz, &error)) { + error_report("failed to read '%s' (%s)", filename, error->message); + return -1; + } + + *data = g_base64_decode(base64, len); + return 0; +} + +static int +sev_launch_start(SEVState *s) +{ + gsize sz; + int ret = 1; + int fw_error; + QSevGuestInfo *sev = s->sev_info; + struct kvm_sev_launch_start *start; + guchar *session = NULL, *dh_cert = NULL; + + start = g_malloc0(sizeof(*start)); + if (!start) { + return 1; + } + + start->handle = object_property_get_int(OBJECT(sev), "handle", + &error_abort); + start->policy = object_property_get_int(OBJECT(sev), "policy", + &error_abort); + if (sev->session_file) { + if (sev_read_file_base64(sev->session_file, &session, &sz) < 0) { + return 1; + } + start->session_uaddr = (unsigned long)session; + start->session_len = sz; + } + + if (sev->dh_cert_file) { + if (sev_read_file_base64(sev->dh_cert_file, &dh_cert, &sz) < 0) { + return 1; + } + start->dh_uaddr = (unsigned long)dh_cert; + start->dh_len = sz; + } + + trace_kvm_sev_launch_start(start->policy, session, dh_cert); + ret = sev_ioctl(KVM_SEV_LAUNCH_START, start, &fw_error); + if (ret < 0) { + error_report("%s: LAUNCH_START ret=%d fw_error=%d '%s'", + __func__, ret, fw_error, fw_error_to_str(fw_error)); + return 1; + } + + object_property_set_int(OBJECT(sev), start->handle, "handle", + &error_abort); + sev_set_guest_state(SEV_STATE_LUPDATE); + + g_free(start); + g_free(session); + g_free(dh_cert); + + return 0; +} + void * sev_guest_init(const char *id) { @@ -398,6 +490,13 @@ sev_guest_init(const char *id) goto err; } + ret = sev_launch_start(s); + if (ret) { + error_report("%s: failed to create encryption context", __func__); + goto err; + } + + sev_active = true; ram_block_notifier_add(&sev_ram_notifier); 
diff --git a/accel/kvm/trace-events b/accel/kvm/trace-events index 364c84bd7a73..5d993ca08e5f 100644 --- a/accel/kvm/trace-events +++ b/accel/kvm/trace-events @@ -17,3 +17,5 @@ kvm_irqchip_release_virq(int virq) "virq %d" kvm_sev_init(void) "" kvm_memcrypt_register_region(void *addr, size_t len) "addr %p len 0x%lu" kvm_memcrypt_unregister_region(void *addr, size_t len) "addr %p len 0x%lu" +kvm_sev_change_state(const char *old, const char *new) "%s -> %s" +kvm_sev_launch_start(int policy, void *session, void *pdh) "policy 0x%x session %p pdh %p" diff --git a/include/sysemu/sev.h b/include/sysemu/sev.h index 121e7e4aa44c..08014a9c94ff 100644 --- a/include/sysemu/sev.h +++ b/include/sysemu/sev.h @@ -58,6 +58,16 @@ struct QSevGuestInfoClass { ObjectClass parent_class; }; +typedef enum { + SEV_STATE_UNINIT = 0, + SEV_STATE_LUPDATE, + SEV_STATE_SECRET, + SEV_STATE_RUNNING, + SEV_STATE_SUPDATE, + SEV_STATE_RUPDATE, + SEV_STATE_MAX +} SevGuestState; + struct SEVState { QSevGuestInfo *sev_info; };
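Review bot: In the accel/kvm/sev.c hunk at @@ -29,6 +29,17 @@, sev_state_str[] is indexed by SevGuestState values but nothing ties its length to the enum in include/sysemu/sev.h; if a state is later added to the enum without a matching string, sev_set_guest_state (which only asserts new_state < SEV_STATE_MAX) will index past the table. Suggest adding `QEMU_BUILD_BUG_ON(ARRAY_SIZE(sev_state_str) != SEV_STATE_MAX);` right after the table so the mismatch fails at compile time.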
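Review bot: In the accel/kvm/sev.c hunk at @@ -86,6 +97,16 @@, sev_set_guest_state only range-checks new_state; it does not check that the transition is legal from current_sev_guest_state, so a caller that runs the launch steps out of order (for example re-entering LUPDATE from RUNNING) is recorded only in the trace and surfaces later as a firmware error. Since the tracepoint already captures both old and new state, consider passing the expected current state (or consulting a small allowed-transition table) and asserting on it, so a misordered launch sequence fails loudly in QEMU.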
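Review bot: In the accel/kvm/sev.c hunk at @@ -355,6 +377,76 @@, the error paths in sev_launch_start leak memory: `start`, `session` and `dh_cert` are only freed on the success path, so each `return 1` after the allocations (session read failure, dh_cert read failure, and the LAUNCH_START ioctl failure) drops them. Suggest a single `out:` label that does `g_free(start); g_free(session); g_free(dh_cert);` and returns `ret`. In sev_read_file_base64 the `base64` buffer from g_file_get_contents is never freed after g_base64_decode, and `error` should be released with g_error_free on the failure branch. Also, g_malloc0 aborts rather than returning NULL, so `if (!start) { return 1; }` is dead code and QEMU style is to drop it; the initializer in `int ret = 1;` is likewise overwritten before it is ever read.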
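Review bot: In the accel/kvm/trace-events hunk, kvm_sev_launch_start declares `policy` as `int` but formats it with `0x%x`; the value comes from object_property_get_int and is stored in start->policy, which is an unsigned field, so declaring the trace argument as `uint32_t` matches the data and avoids a signed value being printed as hex.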
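Review bot: The SevGuestState enum in the include/sysemu/sev.h hunk carries no comment on what each state means or how it maps to the SEV firmware guest states it is named after, and nothing notes that sev_state_str in accel/kvm/sev.c must list the same values in the same order. A one-line comment per state plus a pointer to that string table would help the next person who adds a state.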