From patchwork Wed Feb 7 16:06:21 2018
X-Patchwork-Submitter: Brijesh Singh
X-Patchwork-Id: 870505
From: Brijesh Singh
To: qemu-devel@nongnu.org
Date: Wed, 7 Feb 2018 10:06:21 -0600
Message-Id: <20180207160638.98872-9-brijesh.singh@amd.com>
In-Reply-To: <20180207160638.98872-1-brijesh.singh@amd.com>
References: <20180207160638.98872-1-brijesh.singh@amd.com>
Subject: [Qemu-devel] [PATCH v7 09/26] accel: add Secure Encrypted Virtualization (SEV) object
Cc: "Edgar E. Iglesias", Peter Maydell, Eduardo Habkost, kvm@vger.kernel.org, "Michael S. Tsirkin", Marcel Apfelbaum, Markus Armbruster, Peter Crosthwaite, Richard Henderson, "Dr. David Alan Gilbert", Alistair Francis, Christian Borntraeger, Brijesh Singh, Stefan Hajnoczi, Cornelia Huck, Paolo Bonzini, Thomas Lendacky, Borislav Petkov

Add a new memory encryption object 'sev-guest'. The object will be used to
create encrypted VMs on AMD EPYC CPU. The object provides the properties to
pass guest owner's public Diffie-Hellman key, guest policy and session
information required to create the memory encryption context within the SEV
firmware.

e.g. to launch SEV guest

# $QEMU \
    -object sev-guest,id=sev0 \
    -machine ....,memory-encryption=sev0

Cc: Paolo Bonzini
Signed-off-by: Brijesh Singh
---
 accel/kvm/Makefile.objs        |   2 +-
 accel/kvm/sev.c                | 214 +++++++++++++++++++++++++++++++++++++++++
 docs/amd-memory-encryption.txt |  17 ++++
 include/sysemu/sev.h           |  54 +++++++++++
 qemu-options.hx                |  36 +++++++
 5 files changed, 322 insertions(+), 1 deletion(-)
 create mode 100644 accel/kvm/sev.c
 create mode 100644 include/sysemu/sev.h

diff --git a/accel/kvm/Makefile.objs b/accel/kvm/Makefile.objs index 85351e7de7e8..666ceef3dae3 100644 --- a/accel/kvm/Makefile.objs +++ b/accel/kvm/Makefile.objs @@ -1 +1 @@ -obj-$(CONFIG_KVM) += kvm-all.o +obj-$(CONFIG_KVM) += kvm-all.o sev.o diff --git a/accel/kvm/sev.c b/accel/kvm/sev.c new file mode 100644 index 000000000000..57e092a0bddd --- /dev/null +++ b/accel/kvm/sev.c
@@ -0,0 +1,214 @@ +/* + * QEMU SEV support + * + * Copyright Advanced Micro Devices 2016-2018 + * + * Author: + * Brijesh Singh + * + * This work is licensed under the terms of the GNU GPL, version 2 or later. + * See the COPYING file in the top-level directory. + * + */ + +#include "qemu/osdep.h" +#include "qapi/error.h" +#include "qom/object_interfaces.h" +#include "qemu/base64.h" +#include "sysemu/kvm.h" +#include "sysemu/sev.h" +#include "sysemu/sysemu.h" + +#define DEFAULT_GUEST_POLICY 0x1 /* disable debug */ +#define DEFAULT_SEV_DEVICE "/dev/sev" + +static void +qsev_guest_finalize(Object *obj) +{ +} + +static char * +qsev_guest_get_session_file(Object *obj, Error **errp) +{ + QSevGuestInfo *s = QSEV_GUEST_INFO(obj); + + return s->session_file ? g_strdup(s->session_file) : NULL; +} + +static void +qsev_guest_set_session_file(Object *obj, const char *value, Error **errp) +{ + QSevGuestInfo *s = QSEV_GUEST_INFO(obj); + + s->session_file = g_strdup(value); +} + +static char * +qsev_guest_get_dh_cert_file(Object *obj, Error **errp) +{ + QSevGuestInfo *s = QSEV_GUEST_INFO(obj); + + return g_strdup(s->dh_cert_file); +} + +static void +qsev_guest_set_dh_cert_file(Object *obj, const char *value, Error **errp) +{ + QSevGuestInfo *s = QSEV_GUEST_INFO(obj); + + s->dh_cert_file = g_strdup(value); +} + +static char * +qsev_guest_get_sev_device(Object *obj, Error **errp) +{ + QSevGuestInfo *sev = QSEV_GUEST_INFO(obj); + + return g_strdup(sev->sev_device); +} + +static void +qsev_guest_set_sev_device(Object *obj, const char *value, Error **errp) +{ + QSevGuestInfo *sev = QSEV_GUEST_INFO(obj); + + sev->sev_device = g_strdup(value); +} + +static void +qsev_guest_class_init(ObjectClass *oc, void *data) +{ + object_class_property_add_str(oc, "sev-device", + qsev_guest_get_sev_device, + qsev_guest_set_sev_device, + NULL); + object_class_property_set_description(oc, "sev-device", + "SEV device to use", NULL); + object_class_property_add_str(oc, "dh-cert-file", + 
qsev_guest_get_dh_cert_file, + qsev_guest_set_dh_cert_file, + NULL); + object_class_property_set_description(oc, "dh-cert-file", + "guest owners DH certificate (encoded with base64)", NULL); + object_class_property_add_str(oc, "session-file", + qsev_guest_get_session_file, + qsev_guest_set_session_file, + NULL); + object_class_property_set_description(oc, "session-file", + "guest owners session parameters (encoded with base64)", NULL); +} + +static void +qsev_guest_set_handle(Object *obj, Visitor *v, const char *name, + void *opaque, Error **errp) +{ + QSevGuestInfo *sev = QSEV_GUEST_INFO(obj); + uint32_t value; + + visit_type_uint32(v, name, &value, errp); + sev->handle = value; +} + +static void +qsev_guest_set_policy(Object *obj, Visitor *v, const char *name, + void *opaque, Error **errp) +{ + QSevGuestInfo *sev = QSEV_GUEST_INFO(obj); + uint32_t value; + + visit_type_uint32(v, name, &value, errp); + sev->policy = value; +} + +static void +qsev_guest_set_cbitpos(Object *obj, Visitor *v, const char *name, + void *opaque, Error **errp) +{ + QSevGuestInfo *sev = QSEV_GUEST_INFO(obj); + uint32_t value; + + visit_type_uint32(v, name, &value, errp); + sev->cbitpos = value; +} + +static void +qsev_guest_get_policy(Object *obj, Visitor *v, const char *name, + void *opaque, Error **errp) +{ + uint32_t value; + QSevGuestInfo *sev = QSEV_GUEST_INFO(obj); + + value = sev->policy; + visit_type_uint32(v, name, &value, errp); +} + +static void +qsev_guest_get_handle(Object *obj, Visitor *v, const char *name, + void *opaque, Error **errp) +{ + uint32_t value; + QSevGuestInfo *sev = QSEV_GUEST_INFO(obj); + + value = sev->handle; + visit_type_uint32(v, name, &value, errp); +} + +static void +qsev_guest_get_cbitpos(Object *obj, Visitor *v, const char *name, + void *opaque, Error **errp) +{ + uint32_t value; + QSevGuestInfo *sev = QSEV_GUEST_INFO(obj); + + value = sev->cbitpos; + visit_type_uint32(v, name, &value, errp); +} + +static uint32_t +sev_get_host_cbitpos(void) +{ + 
uint32_t ebx; + + host_cpuid(0x8000001F, 0, NULL, &ebx, NULL, NULL); + + return ebx & 0x3f; +} + +static void +qsev_guest_init(Object *obj) +{ + QSevGuestInfo *sev = QSEV_GUEST_INFO(obj); + + sev->sev_device = g_strdup(DEFAULT_SEV_DEVICE); + sev->policy = DEFAULT_GUEST_POLICY; + sev->cbitpos = sev_get_host_cbitpos(); + object_property_add(obj, "policy", "uint32", qsev_guest_get_policy, + qsev_guest_set_policy, NULL, NULL, NULL); + object_property_add(obj, "handle", "uint32", qsev_guest_get_handle, + qsev_guest_set_handle, NULL, NULL, NULL); + object_property_add(obj, "cbitpos", "uint32", qsev_guest_get_cbitpos, + qsev_guest_set_cbitpos, NULL, NULL, NULL); +} + +/* sev guest info */ +static const TypeInfo qsev_guest_info = { + .parent = TYPE_OBJECT, + .name = TYPE_QSEV_GUEST_INFO, + .instance_size = sizeof(QSevGuestInfo), + .instance_finalize = qsev_guest_finalize, + .class_size = sizeof(QSevGuestInfoClass), + .class_init = qsev_guest_class_init, + .instance_init = qsev_guest_init, + .interfaces = (InterfaceInfo[]) { + { TYPE_USER_CREATABLE }, + { } + } +}; + +static void +sev_register_types(void) +{ + type_register_static(&qsev_guest_info); +} + +type_init(sev_register_types); diff --git a/docs/amd-memory-encryption.txt b/docs/amd-memory-encryption.txt index 72a92b6c6353..1527f603ea2a 100644 --- a/docs/amd-memory-encryption.txt +++ b/docs/amd-memory-encryption.txt 
@@ -35,10 +35,21 @@ in bad measurement). The guest policy is a 4-byte data structure containing several flags that restricts what can be done on running SEV guest. See KM Spec section 3 and 6.2 for more details. +The guest policy can be provided via the 'policy' property (see below) + +# ${QEMU} \ + sev-guest,id=sev0,policy=0x1...\ + Guest owners provided DH certificate and session parameters will be used to establish a cryptographic session with the guest owner to negotiate keys used for the attestation. +The DH certificate and session blob can be provided via 'dh-cert-file' and +'session-file' property (see below + +# ${QEMU} \ + sev-guest,id=sev0,dh-cert-file=,session-file= + LAUNCH_UPDATE_DATA encrypts the memory region using the cryptographic context created via LAUNCH_START command. If required, this command can be called multiple times to encrypt different memory regions. The command also calculates @@ -59,6 +70,12 @@ context. See SEV KM API Spec [1] 'Launching a guest' usage flow (Appendix A) for the complete flow chart. +To launch a SEV guest + +# ${QEMU} \ + -machine ...,memory-encryption=sev0 \ + -object sev-guest,id=sev0 + Debugging ----------- Since memory contents of SEV guest is encrypted hence hypervisor access to the diff --git a/include/sysemu/sev.h b/include/sysemu/sev.h new file mode 100644 index 000000000000..eed679653dbc --- /dev/null +++ b/include/sysemu/sev.h 
@@ -0,0 +1,54 @@ +/* + * QEMU Secure Encrypted Virutualization (SEV) support + * + * Copyright: Advanced Micro Devices, 2016-2018 + * + * Authors: + * Brijesh Singh + * + * This work is licensed under the terms of the GNU GPL, version 2 or later. + * See the COPYING file in the top-level directory. + * + */ + +#ifndef QEMU_SEV_H +#define QEMU_SEV_H + +#include "qom/object.h" +#include "qapi/error.h" +#include "sysemu/kvm.h" +#include "qemu/error-report.h" + +#define TYPE_QSEV_GUEST_INFO "sev-guest" +#define QSEV_GUEST_INFO(obj) \ + OBJECT_CHECK(QSevGuestInfo, (obj), TYPE_QSEV_GUEST_INFO) + +typedef struct QSevGuestInfo QSevGuestInfo; +typedef struct QSevGuestInfoClass QSevGuestInfoClass; + +/** + * QSevGuestInfo: + * + * The QSevGuestInfo object is used for creating a SEV guest. + * + * # $QEMU \ + * -object sev-guest,id=sev0 \ + * -machine ...,memory-encryption=sev0 + */ +struct QSevGuestInfo { + Object parent_obj; + + char *sev_device; + uint32_t policy; + uint32_t handle; + char *dh_cert_file; + char *session_file; + uint32_t cbitpos; +}; + +struct QSevGuestInfoClass { + ObjectClass parent_class; +}; + +#endif + diff --git a/qemu-options.hx b/qemu-options.hx index 7defd929caa4..f34305de0d9a 100644 --- a/qemu-options.hx +++ b/qemu-options.hx @@ -4282,6 +4282,42 @@ contents of @code{iv.b64} to the second secret data=$SECRET,iv=$(
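Review bot: the accel/kvm/Makefile.objs hunk adds sev.o to every CONFIG_KVM build, yet sev.c's sev_get_host_cbitpos() reads CPUID leaf 0x8000001F through host_cpuid() from instance_init, and host_cpuid() exists only for x86 hosts, so non-x86 KVM targets (s390x, ppc, arm) will fail to compile or link. Either make the object conditional on an x86 host (a build condition this series does not yet define) or place the SEV object under target/i386/ rather than the architecture-neutral accel/kvm/ directory.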
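Review bot: in the accel/kvm/sev.c hunk, qsev_guest_set_handle(), qsev_guest_set_policy() and qsev_guest_set_cbitpos() assign `value` to the field even when visit_type_uint32() has failed, so a malformed `policy=` argument both reports an error and stores an uninitialized uint32_t; use a local `Error *local_err = NULL`, check it after the visit, and `error_propagate(errp, local_err); return;` before the assignment. The string setters also leak: qsev_guest_set_session_file(), qsev_guest_set_dh_cert_file() and qsev_guest_set_sev_device() overwrite the previous pointer with g_strdup() without g_free()ing it, and qsev_guest_finalize() is empty although qsev_guest_init() already allocates sev_device with g_strdup(DEFAULT_SEV_DEVICE); free the three strings in finalize and the old value in each setter. Two smaller points: the uint32 properties are registered per instance with object_property_add() in qsev_guest_init() while the string ones are class properties via object_class_property_add_str(), so the two groups behave differently under class-level introspection; and sev_get_host_cbitpos() masks EBX with 0x3f without first checking that the host CPUID leaf 0x8000001F is present and advertises SEV, so on an unsupported host `cbitpos` silently takes whatever the leaf happens to return.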
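Review bot: in the first docs/amd-memory-encryption.txt hunk the example `# ${QEMU} \ sev-guest,id=sev0,policy=0x1...\` drops the `-object` switch, so it fails when copied; it should read `-object sev-guest,id=sev0,policy=0x1`. The sentence "The DH certificate and session blob can be provided via 'dh-cert-file' and 'session-file' property (see below" is missing its closing parenthesis and full stop, and the second example likewise lacks `-object` before `sev-guest,id=sev0,dh-cert-file=,session-file=`. It would also help to state the encoding the two files must use, since the property descriptions in sev.c say base64 but the document only calls them a certificate and a blob.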
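Review bot: the "To launch a SEV guest" example in the second docs/amd-memory-encryption.txt hunk is correct, but the section leaves the property defaults undocumented: per sev.c, an omitted `sev-device` means /dev/sev, an omitted `policy` means 0x1 (debugging disabled), and `cbitpos` is taken from bits 5:0 of EBX of host CPUID leaf 0x8000001F. Listing these beside the example would let a reader know which guest policy is in force when none is given.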
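Review bot: the header comment in include/sysemu/sev.h misspells "Virutualization" (should be Virtualization). The header also pulls in qapi/error.h, sysemu/kvm.h and qemu/error-report.h, none of which its declarations use (qom/object.h alone provides Object, ObjectClass and OBJECT_CHECK); dropping them keeps the public header light. Finally, QSevGuestInfo exposes `handle` as a writable uint32 property alongside `policy` and `cbitpos`, but neither this header nor the docs hunk says what a caller is expected to pass for it; a doc comment on the field or a sentence in amd-memory-encryption.txt would close that gap.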