From patchwork Thu Mar 8 12:49:00 2018
X-Patchwork-Submitter: Brijesh Singh
X-Patchwork-Id: 883139
From: Brijesh Singh
To: qemu-devel@nongnu.org
Date: Thu, 8 Mar 2018 06:49:00 -0600
Message-Id: <20180308124901.83533-28-brijesh.singh@amd.com>
In-Reply-To: <20180308124901.83533-1-brijesh.singh@amd.com>
References: <20180308124901.83533-1-brijesh.singh@amd.com>
X-Mailer: git-send-email 2.14.3
Subject: [Qemu-devel] [PATCH v12 27/28] sev/i386: add sev_get_capabilities()
Cc: Peter Maydell, Brijesh Singh, kvm@vger.kernel.org, "Michael S. Tsirkin", Stefan Hajnoczi, Alexander Graf, "Edgar E. Iglesias", Markus Armbruster, Bruce Rogers, Christian Borntraeger, Marcel Apfelbaum, Borislav Petkov, Thomas Lendacky, Eduardo Habkost, Richard Henderson, "Dr.
David Alan Gilbert", Alistair Francis, Cornelia Huck, Richard Henderson, Peter Crosthwaite, Paolo Bonzini

The function can be used to get the current SEV capabilities. The capabilities include platform Diffie-Hellman key (PDH) and certificate chain. The key can be provided to the external entities which want to establish a trusted channel between SEV firmware and guest owner.

Cc: Paolo Bonzini
Cc: Richard Henderson
Cc: Eduardo Habkost
Signed-off-by: Brijesh Singh
---
 target/i386/monitor.c  | 11 +++++--
 target/i386/sev-stub.c |  5 +++
 target/i386/sev.c      | 83 ++++++++++++++++++++++++++++++++++++++++++++++++++
 target/i386/sev_i386.h |  1 +
 4 files changed, 98 insertions(+), 2 deletions(-)

diff --git a/target/i386/monitor.c b/target/i386/monitor.c index 33e6bade693b..79fa9bd7a3e3 100644 --- a/target/i386/monitor.c +++ b/target/i386/monitor.c @@ -740,6 +740,13 @@ SevLaunchMeasureInfo *qmp_query_sev_launch_measure(Error **errp) SevCapability *qmp_query_sev_capabilities(Error **errp) { - error_setg(errp, "SEV feature is not available"); - return NULL; + SevCapability *data; + + data = sev_get_capabilities(); + if (!data) { + error_setg(errp, "SEV feature is not available"); + return NULL; + } + + return data; } diff --git a/target/i386/sev-stub.c b/target/i386/sev-stub.c index 2f61c32ec975..59a003a4ebe6 100644 --- a/target/i386/sev-stub.c +++ b/target/i386/sev-stub.c @@ -44,3 +44,8 @@ char *sev_get_launch_measurement(void) { return NULL; } + +SevCapability *sev_get_capabilities(void) +{ + return NULL; +} diff --git a/target/i386/sev.c b/target/i386/sev.c index b9bfce95246a..1d0cb8435e0f 100644 --- a/target/i386/sev.c +++ b/target/i386/sev.c 
@@ -427,6 +427,89 @@ sev_get_info(void) return info; } +static int +sev_get_pdh_info(int fd, guchar **pdh, size_t *pdh_len, guchar **cert_chain, + size_t *cert_chain_len) +{ + guchar *pdh_data, *cert_chain_data; + struct sev_user_data_pdh_cert_export export = {}; + int err, r; + + /* query the certificate length */ + r = sev_platform_ioctl(fd, SEV_PDH_CERT_EXPORT, &export, &err); + if (r < 0) { + if (err != SEV_RET_INVALID_LEN) { + error_report("failed to export PDH cert ret=%d fw_err=%d (%s)", + r, err, fw_error_to_str(err)); + return 1; + } + } + + pdh_data = g_new(guchar, export.pdh_cert_len); + cert_chain_data = g_new(guchar, export.cert_chain_len); + export.pdh_cert_address = (unsigned long)pdh_data; + export.cert_chain_address = (unsigned long)cert_chain_data; + + r = sev_platform_ioctl(fd, SEV_PDH_CERT_EXPORT, &export, &err); + if (r < 0) { + error_report("failed to export PDH cert ret=%d fw_err=%d (%s)", + r, err, fw_error_to_str(err)); + goto e_free; + } + + *pdh = pdh_data; + *pdh_len = export.pdh_cert_len; + *cert_chain = cert_chain_data; + *cert_chain_len = export.cert_chain_len; + return 0; + +e_free: + g_free(pdh_data); + g_free(cert_chain_data); + return 1; +} + +SevCapability * +sev_get_capabilities(void) +{ + SevCapability *cap; + guchar *pdh_data, *cert_chain_data; + size_t pdh_len = 0, cert_chain_len = 0; + uint32_t ebx; + int fd; + + fd = open(DEFAULT_SEV_DEVICE, O_RDWR); + if (fd < 0) { + error_report("%s: Failed to open %s '%s'", __func__, + DEFAULT_SEV_DEVICE, strerror(errno)); + return NULL; + } + + if (sev_get_pdh_info(fd, &pdh_data, &pdh_len, + &cert_chain_data, &cert_chain_len)) { + return NULL; + } + + cap = g_new0(SevCapability, 1); + cap->pdh = g_base64_encode(pdh_data, pdh_len); + cap->cert_chain = g_base64_encode(cert_chain_data, cert_chain_len); + + host_cpuid(0x8000001F, 0, NULL, &ebx, NULL, NULL); + cap->cbitpos = ebx & 0x3f; + + /* + * When SEV feature is enabled, we loose one bit in guest physical + * addressing. 
+ */ + cap->reduced_phys_bits = 1; + + g_free(pdh_data); + g_free(cert_chain_data); + + close(fd); + return cap; +} + static int sev_read_file_base64(const char *filename, guchar **data, gsize *len) { diff --git a/target/i386/sev_i386.h b/target/i386/sev_i386.h index 6e370775770e..b8622dfb1e49 100644 --- a/target/i386/sev_i386.h +++ b/target/i386/sev_i386.h @@ -38,6 +38,7 @@ extern SevInfo *sev_get_info(void); extern uint32_t sev_get_cbit_position(void); extern uint32_t sev_get_reduced_phys_bits(void); extern char *sev_get_launch_measurement(void); +extern SevCapability *sev_get_capabilities(void); typedef struct QSevGuestInfo QSevGuestInfo; typedef struct QSevGuestInfoClass QSevGuestInfoClass;
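Review bot: in the target/i386/monitor.c hunk, every failure inside sev_get_capabilities() (the open() of DEFAULT_SEV_DEVICE failing, or either SEV_PDH_CERT_EXPORT ioctl failing) reaches the QMP client as the same "SEV feature is not available" error, while the actual cause only goes to error_report() on the host side. Consider giving sev_get_capabilities() an Error **errp parameter so query-sev-capabilities can report why the certificate export failed, and keep the "SEV feature is not available" wording for the sev-stub.c build, where sev_get_capabilities() unconditionally returns NULL.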
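Review bot: in the target/i386/sev.c hunk, sev_get_capabilities() returns NULL when sev_get_pdh_info() fails without closing fd, so every failed query leaks one descriptor to DEFAULT_SEV_DEVICE; route that path through the same close(fd) the success path performs (for example a label that closes fd before "return NULL"). Two smaller points in the same hunk: sev_get_pdh_info() calls g_new(guchar, export.pdh_cert_len) and g_new(guchar, export.cert_chain_len) straight from the first ioctl's reply, so a zero length would pass a NULL buffer address to the second SEV_PDH_CERT_EXPORT call instead of failing early, and an explicit non-zero check on both lengths before allocating would document the expectation; and the comment above "cap->reduced_phys_bits = 1;" should read "lose", not "loose".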