From patchwork Thu Sep 14 16:33:52 2023
X-Patchwork-Submitter: Tyler Fanelli
X-Patchwork-Id: 1834469
From: Tyler Fanelli
To: qemu-devel@nongnu.org
Cc: pbonzini@redhat.com, mtosatti@redhat.com, stefanha@redhat.com, Tyler Fanelli
Subject: [RFC PATCH 1/8] Add SEV Rust library as dependency with CONFIG_SEV
Date: Thu, 14 Sep 2023 12:33:52 -0400
Message-Id: <20230914163358.379957-2-tfanelli@redhat.com>
In-Reply-To: <20230914163358.379957-1-tfanelli@redhat.com>
References: <20230914163358.379957-1-tfanelli@redhat.com>

The Rust sev library provides a type-safe implementation of the AMD Secure Encrypted Virtualization (SEV) APIs.

Signed-off-by: Tyler Fanelli
--- meson.build | 7 +++++++ meson_options.txt | 2 ++ scripts/meson-buildoptions.sh | 3 +++ target/i386/meson.build | 2 +- 4 files changed, 13 insertions(+), 1 deletion(-) diff --git a/meson.build b/meson.build index 5150a74831..7114a4a2b9 100644
--- a/meson.build +++ b/meson.build @@ -1079,6 +1079,12 @@ if targetos == 'linux' and (have_system or have_tools) method: 'pkg-config', required: get_option('libudev')) endif +sev = not_found +if not get_option('sev').auto() + sev = dependency('sev', version: '1.2.1', + method: 'pkg-config', + required: get_option('sev')) +endif mpathlibs = [libudev] mpathpersist = not_found @@ -4283,6 +4289,7 @@ summary_info += {'PAM': pam} summary_info += {'iconv support': iconv} summary_info += {'virgl support': virgl} summary_info += {'blkio support': blkio} +summary_info += {'sev support': sev} summary_info += {'curl support': curl} summary_info += {'Multipath support': mpathpersist} summary_info += {'Linux AIO support': libaio} diff --git a/meson_options.txt b/meson_options.txt index f82d88b7c6..c57d542c0b 100644 --- a/meson_options.txt +++ b/meson_options.txt @@ -134,6 +134,8 @@ option('cap_ng', type : 'feature', value : 'auto', description: 'cap_ng support') option('blkio', type : 'feature', value : 'auto', description: 'libblkio block device driver') +option('sev', type : 'feature', value : 'auto', + description: 'SEV Rust library') option('bpf', type : 'feature', value : 'auto', description: 'eBPF support') option('cocoa', type : 'feature', value : 'auto', diff --git a/scripts/meson-buildoptions.sh b/scripts/meson-buildoptions.sh index e1d178370c..d7deb50bda 100644 --- a/scripts/meson-buildoptions.sh +++ b/scripts/meson-buildoptions.sh @@ -83,6 +83,7 @@ meson_options_help() { printf "%s\n" ' avx512bw AVX512BW optimizations' printf "%s\n" ' avx512f AVX512F optimizations' printf "%s\n" ' blkio libblkio block device driver' + printf "%s\n" ' sev SEV Rust library' printf "%s\n" ' bochs bochs image format support' printf "%s\n" ' bpf eBPF support' printf "%s\n" ' brlapi brlapi character device driver' 
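Review bot: in the meson.build hunk at -1079, the lookup is guarded by `if not get_option('sev').auto()`, but meson_options.txt in this same patch defaults the option to 'auto', so a plain configure never calls `dependency('sev', ...)` and `sev` stays `not_found`; the library is only searched for after an explicit `--enable-sev`. The libudev block just above (visible in the hunk context) shows the usual shape: pair the `.auto()` test with the condition under which an auto lookup should happen, e.g. `if not get_option('sev').auto() or have_system`. Two smaller points on the same lines: `version: '1.2.1'` with no comparison operator is an exact-match constraint in Meson, so `'>=1.2.1'` is the spelling if newer releases are acceptable; and since the library is resolved via `method: 'pkg-config'` and consumed from C, the commit message should say which package or crate build ships the `sev.pc` file and the C header the following patches include.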
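Review bot: the meson_options.txt hunk at -134 and the meson-buildoptions.sh hunk at -83 insert the `sev` entry between `blkio` and `bochs`/`bpf`, which breaks the alphabetical ordering the surrounding entries follow (avx512f, blkio, bochs, bpf, brlapi); move both entries, and the `--enable-sev`/`--disable-sev` cases in the -227 hunk, to their alphabetical position. The description 'SEV Rust library' also names the implementation rather than what the user gets; something along the lines of 'AMD SEV support via the sev library' reads better next to 'eBPF support'.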
@@ -227,6 +228,8 @@ _meson_option_parse() { --disable-lto) printf "%s" -Db_lto=false ;; --enable-blkio) printf "%s" -Dblkio=enabled ;; --disable-blkio) printf "%s" -Dblkio=disabled ;; + --enable-sev) printf "%s" -Dsev=enabled ;; + --disable-sev) printf "%s" -Dsev=disabled ;; --block-drv-ro-whitelist=*) quote_sh "-Dblock_drv_ro_whitelist=$2" ;; --block-drv-rw-whitelist=*) quote_sh "-Dblock_drv_rw_whitelist=$2" ;; --enable-block-drv-whitelist-in-tools) printf "%s" -Dblock_drv_whitelist_in_tools=true ;; diff --git a/target/i386/meson.build b/target/i386/meson.build index 6f1036d469..18450dc134 100644 --- a/target/i386/meson.build +++ b/target/i386/meson.build 
@@ -6,7 +6,7 @@ i386_ss.add(files( 'xsave_helper.c', 'cpu-dump.c', )) -i386_ss.add(when: 'CONFIG_SEV', if_true: files('host-cpu.c')) +i386_ss.add(when: 'CONFIG_SEV', if_true: [sev, files('host-cpu.c')]) # x86 cpu type i386_ss.add(when: 'CONFIG_KVM', if_true: files('host-cpu.c'))
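Review bot: in the target/i386/meson.build hunk, `sev` is listed in `if_true:` of the CONFIG_SEV entry, which makes it a link dependency of that source set but not a condition on it. When the option is disabled or the library is missing, `sev` is the `not_found` object from the meson.build hunk, and a not-found dependency in a target's dependency list contributes nothing rather than failing the build, so CONFIG_SEV code that calls into the library (sev.c in the following patches) is still compiled and then fails when the compiler cannot find the library header. The sourceset idiom for "only build this when the library is present" is to put the dependency in `when:`, e.g. `when: ['CONFIG_SEV', sev]`; alternatively, make configure error out when CONFIG_SEV is enabled and `sev` was not found. Note also that the modified line adds host-cpu.c, which the next context line already adds under CONFIG_KVM; the file that actually needs the library is sev.c, which this hunk does not touch.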
From: Tyler Fanelli
To: qemu-devel@nongnu.org
Cc: pbonzini@redhat.com, mtosatti@redhat.com, stefanha@redhat.com, Tyler Fanelli
Subject: [RFC PATCH 2/8] i386/sev: Replace INIT and ES_INIT ioctls with sev library equivalents
Date: Thu, 14 Sep 2023 12:33:53 -0400
Message-Id: <20230914163358.379957-3-tfanelli@redhat.com>
In-Reply-To: <20230914163358.379957-1-tfanelli@redhat.com>
References: <20230914163358.379957-1-tfanelli@redhat.com>

The sev library offers APIs for SEV_INIT and SEV_ES_INIT, both taking the file descriptors of the encrypting VM and /dev/sev as input. If this API ioctl call fails, fw_error will be set accordingly.

Signed-off-by: Tyler Fanelli
--- target/i386/sev.c | 14 +++++++++----- target/i386/trace-events | 1 + 2 files changed, 10 insertions(+), 5 deletions(-) diff --git a/target/i386/sev.c b/target/i386/sev.c index fe2144c038..f0fd291e68 100644 --- a/target/i386/sev.c +++ b/target/i386/sev.c @@ -18,6 +18,8 @@ #include +#include + #include "qapi/error.h" #include "qom/object_interfaces.h" #include "qemu/base64.h"
@@ -27,6 +29,7 @@ #include "crypto/hash.h" #include "sysemu/kvm.h" #include "sev.h" +#include "sysemu/kvm_int.h" #include "sysemu/sysemu.h" #include "sysemu/runstate.h" #include "trace.h" @@ -911,10 +914,11 @@ int sev_kvm_init(ConfidentialGuestSupport *cgs, Error **errp) SevGuestState *sev = (SevGuestState *)object_dynamic_cast(OBJECT(cgs), TYPE_SEV_GUEST); char *devname; - int ret, fw_error, cmd; + int ret, fw_error; uint32_t ebx; uint32_t host_cbitpos; struct sev_user_data_status status = {}; + KVMState *s = kvm_state; if (!sev) { return 0; @@ -990,13 +994,13 @@ int sev_kvm_init(ConfidentialGuestSupport *cgs, Error **errp) __func__); goto err; } - cmd = KVM_SEV_ES_INIT; + trace_kvm_sev_es_init(); + ret = sev_es_init(s->vmfd, sev->sev_fd, &fw_error); } else { - cmd = KVM_SEV_INIT; + trace_kvm_sev_init(); + ret = sev_init(s->vmfd, sev->sev_fd, &fw_error); } - trace_kvm_sev_init(); - ret = sev_ioctl(sev->sev_fd, cmd, NULL, &fw_error); if (ret) { error_setg(errp, "%s: failed to initialize ret=%d fw_error=%d '%s'", __func__, ret, fw_error, fw_error_to_str(fw_error)); diff --git a/target/i386/trace-events b/target/i386/trace-events index 2cd8726eeb..2dca4ee117 100644 --- a/target/i386/trace-events +++ b/target/i386/trace-events 
@@ -2,6 +2,7 @@ # sev.c kvm_sev_init(void) "" +kvm_sev_es_init(void) "" kvm_memcrypt_register_region(void *addr, size_t len) "addr %p len 0x%zx" kvm_memcrypt_unregister_region(void *addr, size_t len) "addr %p len 0x%zx" kvm_sev_change_state(const char *old, const char *new) "%s -> %s"
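Review bot: in the sev.c hunk at -990, the failure path prints `fw_error_to_str(fw_error)` whenever `ret` is non-zero, but the -911 hunk still leaves `fw_error` uninitialized (`int ret, fw_error;`). The commit message only promises that fw_error is set when the ioctl fails; if `sev_init()`/`sev_es_init()` can fail before issuing the ioctl (bad descriptor, allocation failure), an uninitialized value is printed. Initialize `fw_error = 0` here and in the later patches, and state the library's return convention in the commit message (negative errno versus positive firmware code): this hunk tests `if (ret)` while the UPDATE_DATA patch in this series tests `if (ret < 0)` on the same library, and both cannot be right. A line in the message explaining why `s->vmfd` is needed in addition to `sev->sev_fd` (and hence the new `sysemu/kvm_int.h` include) would also help readers of the -27 hunk.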
From: Tyler Fanelli
To: qemu-devel@nongnu.org
Cc: pbonzini@redhat.com, mtosatti@redhat.com, stefanha@redhat.com, Tyler Fanelli
Subject: [RFC PATCH 3/8] i386/sev: Replace LAUNCH_START ioctl with sev library equivalent
Date: Thu, 14 Sep 2023 12:33:54 -0400
Message-Id: <20230914163358.379957-4-tfanelli@redhat.com>
In-Reply-To: <20230914163358.379957-1-tfanelli@redhat.com>
References: <20230914163358.379957-1-tfanelli@redhat.com>

The sev library offers an equivalent API for SEV_LAUNCH_START. The library contains some internal state for each VM it's currently running, and organizes the internal state for each VM via its file descriptor. Therefore, the VM's file descriptor must be provided as input. If this API ioctl call fails, fw_error will be set accordingly.

Signed-off-by: Tyler Fanelli
--- target/i386/sev.c | 80 ++++++++++++++++++----------------------------- 1 file changed, 30 insertions(+), 50 deletions(-) diff --git a/target/i386/sev.c b/target/i386/sev.c index f0fd291e68..49be072cbc 100644 --- a/target/i386/sev.c +++ b/target/i386/sev.c
@@ -715,51 +715,6 @@ sev_read_file_base64(const char *filename, guchar **data, gsize *len) return 0; } -static int -sev_launch_start(SevGuestState *sev) -{ - gsize sz; - int ret = 1; - int fw_error, rc; - struct kvm_sev_launch_start start = { - .handle = sev->handle, .policy = sev->policy - }; - guchar *session = NULL, *dh_cert = NULL; - - if (sev->session_file) { - if (sev_read_file_base64(sev->session_file, &session, &sz) < 0) { - goto out; - } - start.session_uaddr = (unsigned long)session; - start.session_len = sz; - } - - if (sev->dh_cert_file) { - if (sev_read_file_base64(sev->dh_cert_file, &dh_cert, &sz) < 0) { - goto out; - } - start.dh_uaddr = (unsigned long)dh_cert; - start.dh_len = sz; - } - - trace_kvm_sev_launch_start(start.policy, session, dh_cert); - rc = sev_ioctl(sev->sev_fd, KVM_SEV_LAUNCH_START, &start, &fw_error); - if (rc < 0) { - error_report("%s: LAUNCH_START ret=%d fw_error=%d '%s'", - __func__, ret, fw_error, fw_error_to_str(fw_error)); - goto out; - } - - sev_set_guest_state(sev, SEV_STATE_LAUNCH_UPDATE); - sev->handle = start.handle; - ret = 0; - -out: - g_free(session); - g_free(dh_cert); - return ret; -} - static int sev_launch_update_data(SevGuestState *sev, uint8_t *addr, uint64_t len) { @@ -913,11 +868,13 @@ int sev_kvm_init(ConfidentialGuestSupport *cgs, Error **errp) { SevGuestState *sev = (SevGuestState *)object_dynamic_cast(OBJECT(cgs), TYPE_SEV_GUEST); + gsize sz; char *devname; - int ret, fw_error; + int ret = -1, fw_error; uint32_t ebx; uint32_t host_cbitpos; struct sev_user_data_status status = {}; + guchar *session = NULL, *dh_cert = NULL; KVMState *s = kvm_state; if (!sev) { 
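Review bot: the removed sev_launch_start() in the hunk at -715 did two things that the replacement in the next hunk does not carry over. It emitted `trace_kvm_sev_launch_start(start.policy, session, dh_cert)`, whose trace-events definition is now left without a caller (the diffstat touches only sev.c), and it stored the handle returned by the firmware with `sev->handle = start.handle;`. After this patch `sev->handle` keeps whatever value it had before launch, so any later reader of the field (including the `start.handle = sev->handle` input shown in the removed code) sees a stale value. Either the library call should hand the handle back, or the commit message should say the field is no longer maintained and why that is safe. In the -913 hunk, `fw_error` is again declared without an initializer while being printed on the error path.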
@@ -1007,23 +964,46 @@ int sev_kvm_init(ConfidentialGuestSupport *cgs, Error **errp) goto err; } - ret = sev_launch_start(sev); + if (!sev->session_file || !sev->dh_cert_file) { + goto err; + } + + if (sev_read_file_base64(sev->session_file, &session, &sz) < 0) { + goto err; + } + + if (sev_read_file_base64(sev->dh_cert_file, &dh_cert, &sz) < 0) { + goto err; + } + + ret = sev_launch_start(s->vmfd, sev->policy, (void *) dh_cert, + (void *) session, &fw_error); if (ret) { - error_setg(errp, "%s: failed to create encryption context", __func__); + error_setg(errp, "%s: LAUNCH_START ret=%d fw_error=%d '%s'", + __func__, ret, fw_error, fw_error_to_str(fw_error)); goto err; } + sev_set_guest_state(sev, SEV_STATE_LAUNCH_UPDATE); + ram_block_notifier_add(&sev_ram_notifier); qemu_add_machine_init_done_notifier(&sev_machine_done_notify); qemu_add_vm_change_state_handler(sev_vm_state_change, sev); cgs->ready = true; - return 0; + ret = 0; + goto out; + err: sev_guest = NULL; ram_block_discard_disable(false); - return -1; +out: + g_free(session); + g_free(dh_cert); + + return ret; + } int
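Review bot: in the hunk at -1007, `if (!sev->session_file || !sev->dh_cert_file) { goto err; }` turns two previously optional inputs into mandatory ones (the removed function read each file only when it was set) and does so without an `error_setg()`, so sev_kvm_init() returns -1 with `errp` untouched and the user gets a failed guest with no message. The two `sev_read_file_base64()` failures take the same silent `goto err`. If the library genuinely requires both blobs, say so in the commit message and report the missing file with error_setg(); otherwise keep the files optional as before. Separately, `sz` is written by both reads and never used: the call passes bare `(void *) dh_cert` and `(void *) session` with no length, so the library has to assume a fixed size for each blob, and a short or truncated file is read past its end. The old `start.session_len`/`start.dh_len` carried that bound; pass the sizes through, or document the exact size the library expects and check `sz` against it before the call.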
From: Tyler Fanelli
To: qemu-devel@nongnu.org
Cc: pbonzini@redhat.com, mtosatti@redhat.com, stefanha@redhat.com, Tyler Fanelli
Subject: [RFC PATCH 4/8] i386/sev: Replace UPDATE_DATA ioctl with sev library equivalent
Date: Thu, 14 Sep 2023 12:33:55 -0400
Message-Id: <20230914163358.379957-5-tfanelli@redhat.com>
In-Reply-To: <20230914163358.379957-1-tfanelli@redhat.com>
References: <20230914163358.379957-1-tfanelli@redhat.com>

UPDATE_DATA takes the VM's file descriptor, a guest memory region to be encrypted, as well as the size of the aforementioned guest memory region. If this API ioctl call fails, fw_error will be set accordingly.

Signed-off-by: Tyler Fanelli
--- target/i386/sev.c | 31 ++++++------------------------- 1 file changed, 6 insertions(+), 25 deletions(-) diff --git a/target/i386/sev.c b/target/i386/sev.c index 49be072cbc..615021a1a3 100644 --- a/target/i386/sev.c +++ b/target/i386/sev.c
@@ -715,29 +715,6 @@ sev_read_file_base64(const char *filename, guchar **data, gsize *len) return 0; } -static int -sev_launch_update_data(SevGuestState *sev, uint8_t *addr, uint64_t len) -{ - int ret, fw_error; - struct kvm_sev_launch_update_data update; - - if (!addr || !len) { - return 1; - } - - update.uaddr = (__u64)(unsigned long)addr; - update.len = len; - trace_kvm_sev_launch_update_data(addr, len); - ret = sev_ioctl(sev->sev_fd, KVM_SEV_LAUNCH_UPDATE_DATA, - &update, &fw_error); - if (ret) { - error_report("%s: LAUNCH_UPDATE ret=%d fw_error=%d '%s'", - __func__, ret, fw_error, fw_error_to_str(fw_error)); - } - - return ret; -} - static int sev_launch_update_vmsa(SevGuestState *sev) { 
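Review bot: the removed sev_launch_update_data() in the hunk at -715 rejected `!addr || !len` before touching the firmware and called `trace_kvm_sev_launch_update_data(addr, len)`; the call site in the next hunk has neither, and since the diffstat touches only sev.c the trace-events definition is now an orphaned trace point. Keep the trace at the call site, as the INIT patch in this series did, and state in the commit message whether the library rejects a NULL or zero-length region or passes it to the firmware as is.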
@@ -1009,15 +986,19 @@ out: int sev_encrypt_flash(uint8_t *ptr, uint64_t len, Error **errp) { + KVMState *s = kvm_state; + int fw_error; + if (!sev_guest) { return 0; } /* if SEV is in update state then encrypt the data else do nothing */ if (sev_check_state(sev_guest, SEV_STATE_LAUNCH_UPDATE)) { - int ret = sev_launch_update_data(sev_guest, ptr, len); + int ret = sev_launch_update_data(s->vmfd, (__u64) ptr, len, &fw_error); if (ret < 0) { - error_setg(errp, "SEV: Failed to encrypt pflash rom"); + error_setg(errp, "SEV: Failed to encrypt pflash rom fw_err=%d", + fw_error); return ret; } }
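Review bot: `fw_error` is declared without an initializer in sev_encrypt_flash() and then printed in the error_setg() path, so if the library call fails before the firmware is ever invoked (and fw_error is never written) the message reports an indeterminate value; initialise it (`int fw_error = 0;`, as patch 7 of this series does in qmp_sev_inject_launch_secret()) and print `fw_error_to_str(fw_error)` next to the number, as the removed helper did. Two smaller points: the cast `(__u64) ptr` replaces the removed `(__u64)(unsigned long)addr` idiom, which exists to avoid pointer-to-integer-of-different-size warnings on 32-bit hosts; and the caller only treats `ret < 0` as failure while the removed helper returned 1 on bad input, so the library's return convention should be stated in the commit message.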
From: Tyler Fanelli
To: qemu-devel@nongnu.org
Cc: pbonzini@redhat.com, mtosatti@redhat.com, stefanha@redhat.com, Tyler Fanelli
Subject: [RFC PATCH 5/8] i386/sev: Replace LAUNCH_UPDATE_VMSA ioctl with sev library equivalent
Date: Thu, 14 Sep 2023 12:33:56 -0400
Message-Id: <20230914163358.379957-6-tfanelli@redhat.com>
In-Reply-To: <20230914163358.379957-1-tfanelli@redhat.com>

The LAUNCH_UPDATE_VMSA API takes the VM's file descriptor, as well as a field for any firmware errors as input. If this API ioctl call fails, fw_error will be set accordingly.

Signed-off-by: Tyler Fanelli
---
 target/i386/sev.c | 29 +++++++++-------------------
 1 file changed, 9 insertions(+), 20 deletions(-)

diff --git a/target/i386/sev.c b/target/i386/sev.c
index 615021a1a3..adb35291e8 100644
--- a/target/i386/sev.c
+++ b/target/i386/sev.c
@@ -715,27 +715,14 @@ sev_read_file_base64(const char *filename, guchar **data, gsize *len) return 0; } -static int -sev_launch_update_vmsa(SevGuestState *sev) -{ - int ret, fw_error; - - ret = sev_ioctl(sev->sev_fd, KVM_SEV_LAUNCH_UPDATE_VMSA, NULL, &fw_error); - if (ret) { - error_report("%s: LAUNCH_UPDATE_VMSA ret=%d fw_error=%d '%s'", - __func__, ret, fw_error, fw_error_to_str(fw_error)); - } - - return ret; -} - static void sev_launch_get_measure(Notifier *notifier, void *unused) { SevGuestState *sev = sev_guest; - int ret, error; + int ret, fw_error; g_autofree guchar *data = NULL; struct kvm_sev_launch_measure measurement = {}; + KVMState *s = kvm_state; if (!sev_check_state(sev, SEV_STATE_LAUNCH_UPDATE)) { return; @@ -743,18 +730,20 @@ sev_launch_get_measure(Notifier *notifier, void *unused) if (sev_es_enabled()) { /* measure all the VM save areas before getting launch_measure */ - ret = sev_launch_update_vmsa(sev); + ret = sev_launch_update_vmsa(s->vmfd, &fw_error); if (ret) { + error_report("%s: LAUNCH_UPDATE_VMSA ret=%d fw_error=%d '%s'", + __func__, ret, fw_error, fw_error_to_str(fw_error)); exit(1); } } /* query the measurement blob length */ ret = sev_ioctl(sev->sev_fd, KVM_SEV_LAUNCH_MEASURE, - &measurement, &error); + &measurement, &fw_error); if (!measurement.len) { error_report("%s: LAUNCH_MEASURE ret=%d fw_error=%d '%s'", - __func__, ret, error, fw_error_to_str(errno)); + __func__, ret, fw_error, fw_error_to_str(fw_error)); return; } 
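Review bot: the change from `fw_error_to_str(errno)` to `fw_error_to_str(fw_error)` in the LAUNCH_MEASURE length-query error path is a standalone bug fix (the old code decoded the C library errno as if it were an SEV firmware status), unrelated to the LAUNCH_UPDATE_VMSA replacement, and the commit message does not mention it; split it into its own patch or at least call it out. Also, the result of sev_launch_update_vmsa(s->vmfd, &fw_error) is tested with `if (ret)` whereas patch 4 tests its library call with `ret < 0`; the series should settle on one convention so error paths cannot be skipped.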
@@ -763,10 +752,10 @@ sev_launch_get_measure(Notifier *notifier, void *unused) /* get the measurement blob */ ret = sev_ioctl(sev->sev_fd, KVM_SEV_LAUNCH_MEASURE, - &measurement, &error); + &measurement, &fw_error); if (ret) { error_report("%s: LAUNCH_MEASURE ret=%d fw_error=%d '%s'", - __func__, ret, error, fw_error_to_str(errno)); + __func__, ret, fw_error, fw_error_to_str(fw_error)); return; }
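Review bot: same errno-to-fw_error correction as in the preceding hunk, here for the second LAUNCH_MEASURE call; it belongs together with that one in a separate fix. Worth noting while touching this code: the LAUNCH_UPDATE_VMSA failure in the hunk above calls exit(1), but a LAUNCH_MEASURE failure only reports and returns from the notifier, leaving the guest in SEV_STATE_LAUNCH_UPDATE with no measurement; the two failure modes deserve consistent handling, or a comment explaining why they differ.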
From: Tyler Fanelli
To: qemu-devel@nongnu.org
Cc: pbonzini@redhat.com, mtosatti@redhat.com, stefanha@redhat.com, Tyler Fanelli
Subject: [RFC PATCH 6/8] i386/sev: Replace LAUNCH_MEASURE ioctl with sev library equivalent
Date: Thu, 14 Sep 2023 12:33:57 -0400
Message-Id: <20230914163358.379957-7-tfanelli@redhat.com>
In-Reply-To: <20230914163358.379957-1-tfanelli@redhat.com>

The LAUNCH_MEASURE API returns the measurement of the launched guest's memory pages (and VMCB save areas if ES is enabled). The caller is responsible for ensuring that the pointer (identified as the "data" argument) is a valid pointer that can hold the guest's measurement (a measurement in SEV is 48 bytes in size). If this API ioctl call fails, fw_error will be set accordingly.

Signed-off-by: Tyler Fanelli
---
 target/i386/sev.c | 24 ++++++------------------
 target/i386/sev.h | 2 ++
 2 files changed, 8 insertions(+), 18 deletions(-)

diff --git a/target/i386/sev.c b/target/i386/sev.c
index adb35291e8..f53ff140e3 100644
--- a/target/i386/sev.c
+++ b/target/i386/sev.c @@ -721,7 +721,6 @@ sev_launch_get_measure(Notifier *notifier, void *unused) SevGuestState *sev = sev_guest; int ret, fw_error; g_autofree guchar *data = NULL; - struct kvm_sev_launch_measure measurement = {}; KVMState *s = kvm_state; if (!sev_check_state(sev, SEV_STATE_LAUNCH_UPDATE)) { @@ -738,31 +737,20 @@ sev_launch_get_measure(Notifier *notifier, void *unused) } } - /* query the measurement blob length */ - ret = sev_ioctl(sev->sev_fd, KVM_SEV_LAUNCH_MEASURE, - &measurement, &fw_error); - if (!measurement.len) { - error_report("%s: LAUNCH_MEASURE ret=%d fw_error=%d '%s'", - __func__, ret, fw_error, fw_error_to_str(fw_error)); - return; - } + data = g_malloc(SEV_MEASUREMENT_SIZE); - data = g_new0(guchar, measurement.len); - measurement.uaddr = (unsigned long)data; - - /* get the measurement blob */ - ret = sev_ioctl(sev->sev_fd, KVM_SEV_LAUNCH_MEASURE, - &measurement, &fw_error); + ret = sev_launch_measure(s->vmfd, data, &fw_error); if (ret) { - error_report("%s: LAUNCH_MEASURE ret=%d fw_error=%d '%s'", - __func__, ret, fw_error, fw_error_to_str(fw_error)); + error_report("%s: LAUNCH_MEASURE ret=%d fw_error=%d '%s'", __func__, + ret, fw_error, fw_error_to_str(fw_error)); + return; } sev_set_guest_state(sev, SEV_STATE_LAUNCH_SECRET); /* encode the measurement value and emit the event */ - sev->measurement = g_base64_encode(data, measurement.len); + sev->measurement = g_base64_encode(data, SEV_MEASUREMENT_SIZE); trace_kvm_sev_launch_measurement(sev->measurement); } diff --git a/target/i386/sev.h b/target/i386/sev.h index e7499c95b1..acb181358e 100644 --- a/target/i386/sev.h +++ b/target/i386/sev.h 
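Review bot: the two-step length query (`measurement.len`) is replaced by a fixed `g_malloc(SEV_MEASUREMENT_SIZE)` buffer, but nothing in sev_launch_measure(s->vmfd, data, &fw_error) tells the library how large that buffer is; caller and library must agree on exactly 48 bytes or the library writes past the allocation. Prefer passing the buffer length (or having the library return the number of bytes written) so the contract is checked rather than assumed, and use g_malloc0 (the removed code used g_new0) so a short write cannot leak uninitialised heap bytes into the base64 measurement that is emitted to the management layer via trace_kvm_sev_launch_measurement().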
@@ -38,6 +38,8 @@ typedef struct SevKernelLoaderContext { size_t cmdline_size; } SevKernelLoaderContext; +#define SEV_MEASUREMENT_SIZE 48 + #ifdef CONFIG_SEV bool sev_enabled(void); bool sev_es_enabled(void);
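Review bot: SEV_MEASUREMENT_SIZE is defined bare in sev.h; add a comment saying which SEV firmware API field the 48 bytes correspond to (the commit message only states that "a measurement in SEV is 48 bytes in size") and that sev_launch_measure() depends on the value, so a future API change is caught at the definition rather than as a heap overflow in sev_launch_get_measure(). Its only use in this series is inside sev.c, so a definition local to sev.c would also avoid exporting it outside the CONFIG_SEV block.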
From: Tyler Fanelli
To: qemu-devel@nongnu.org
Cc: pbonzini@redhat.com, mtosatti@redhat.com, stefanha@redhat.com, Tyler Fanelli
Subject: [RFC PATCH 7/8] i386/sev: Replace LAUNCH_SECRET ioctl with sev library equivalent
Date: Thu, 14 Sep 2023 12:33:58 -0400
Message-Id: <20230914163358.379957-8-tfanelli@redhat.com>
In-Reply-To: <20230914163358.379957-1-tfanelli@redhat.com>

The LAUNCH_SECRET API can inject a secret into the VM once the measurement has been retrieved. If this API ioctl call fails, fw_error will be set accordingly.

Signed-off-by: Tyler Fanelli
---
 target/i386/sev.c | 105 ++++++++++++++++------------------------
 target/i386/sev.h | 2 -
 2 files changed, 36 insertions(+), 71 deletions(-)

diff --git a/target/i386/sev.c b/target/i386/sev.c
index f53ff140e3..a4510b5437 100644
--- a/target/i386/sev.c
+++ b/target/i386/sev.c
@@ -983,88 +983,44 @@ sev_encrypt_flash(uint8_t *ptr, uint64_t len, Error **errp) return 0; } -int sev_inject_launch_secret(const char *packet_hdr, const char *secret, - uint64_t gpa, Error **errp) -{ - struct kvm_sev_launch_secret input; - g_autofree guchar *data = NULL, *hdr = NULL; - int error, ret = 1; - void *hva; - gsize hdr_sz = 0, data_sz = 0; - MemoryRegion *mr = NULL; - - if (!sev_guest) { - error_setg(errp, "SEV not enabled for guest"); - return 1; - } - - /* secret can be injected only in this state */ - if (!sev_check_state(sev_guest, SEV_STATE_LAUNCH_SECRET)) { - error_setg(errp, "SEV: Not in correct state. (LSECRET) %x", - sev_guest->state); - return 1; - } - - hdr = g_base64_decode(packet_hdr, &hdr_sz); - if (!hdr || !hdr_sz) { - error_setg(errp, "SEV: Failed to decode sequence header"); - return 1; - } - - data = g_base64_decode(secret, &data_sz); - if (!data || !data_sz) { - error_setg(errp, "SEV: Failed to decode data"); - return 1; - } - - hva = gpa2hva(&mr, gpa, data_sz, errp); - if (!hva) { - error_prepend(errp, "SEV: Failed to calculate guest address: "); - return 1; - } - - input.hdr_uaddr = (uint64_t)(unsigned long)hdr; - input.hdr_len = hdr_sz; - - input.trans_uaddr = (uint64_t)(unsigned long)data; - input.trans_len = data_sz; - - input.guest_uaddr = (uint64_t)(unsigned long)hva; - input.guest_len = data_sz; - - trace_kvm_sev_launch_secret(gpa, input.guest_uaddr, - input.trans_uaddr, input.trans_len); - - ret = sev_ioctl(sev_guest->sev_fd, KVM_SEV_LAUNCH_SECRET, - &input, &error); - if (ret) { - error_setg(errp, "SEV: failed to inject secret ret=%d fw_error=%d '%s'", - ret, error, fw_error_to_str(error)); - return ret; - } - - return 0; -} - #define SEV_SECRET_GUID "4c2eb361-7d9b-4cc3-8081-127c90d3d294" struct sev_secret_area { uint32_t base; uint32_t size; }; -void qmp_sev_inject_launch_secret(const char *packet_hdr, - const char *secret, +void qmp_sev_inject_launch_secret(const char *hdr_b64, + const char *secret_b64, bool has_gpa, 
uint64_t gpa, Error **errp) { + int ret, fw_error = 0; + g_autofree guchar *hdr = NULL, *secret = NULL; + uint8_t *data = NULL; + KVMState *s = kvm_state; + gsize hdr_sz = 0, secret_sz = 0; + MemoryRegion *mr = NULL; + void *hva; + struct sev_secret_area *area = NULL; + if (!sev_enabled()) { error_setg(errp, "SEV not enabled for guest"); return; } - if (!has_gpa) { - uint8_t *data; - struct sev_secret_area *area; + hdr = g_base64_decode(hdr_b64, &hdr_sz); + if (!hdr || !hdr_sz) { + error_setg(errp, "SEV: Failed to decode sequence header"); + return; + } + + secret = g_base64_decode(secret_b64, &secret_sz); + if (!secret || !secret_sz) { + error_setg(errp, "SEV: Failed to decode secret"); + return; + } + + if (!has_gpa) { if (!pc_system_ovmf_table_find(SEV_SECRET_GUID, &data, NULL)) { error_setg(errp, "SEV: no secret area found in OVMF," " gpa must be specified."); @@ -1074,7 +1030,18 @@ void qmp_sev_inject_launch_secret(const char *packet_hdr, gpa = area->base; } - sev_inject_launch_secret(packet_hdr, secret, gpa, errp); + hva = gpa2hva(&mr, gpa, secret_sz, errp); + if (!hva) { + error_prepend(errp, "SEV: Failed to calculate guest address: "); + return; + } + + ret = sev_inject_launch_secret(s->vmfd, hdr, secret, secret_sz, + hva, &fw_error); + if (ret < 0) { + error_setg(errp, "%s: LAUNCH_SECRET ret=%d fw_error=%d '%s'", __func__, + ret, fw_error, fw_error_to_str(fw_error)); + } } static int diff --git a/target/i386/sev.h b/target/i386/sev.h index acb181358e..f1af28eca0 100644 --- a/target/i386/sev.h +++ b/target/i386/sev.h 
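Review bot: the removed sev_inject_launch_secret() checked `sev_check_state(sev_guest, SEV_STATE_LAUNCH_SECRET)` before doing anything, and that check is not carried over into qmp_sev_inject_launch_secret(), which after this hunk only checks sev_enabled(). The commit message says the secret can be injected "once the measurement has been retrieved"; the state check is what enforced that, and without it a QMP client can issue the command in any launch state and the outcome depends solely on what the firmware does with it. Reinstate the check (and the trace_kvm_sev_launch_secret() call, also dropped) ahead of the base64 decoding.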
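Review bot: `hdr_sz` is decoded and checked for zero but never used afterwards; sev_inject_launch_secret(s->vmfd, hdr, secret, secret_sz, hva, &fw_error) receives only the secret length, so the library must assume a fixed packet-header size. Since the header arrives base64-encoded from the QMP client, a header shorter than that assumed size means the library reads past the g_base64_decode() allocation. Either pass `hdr_sz` or validate it against the size the library expects before the call. The failure test here is `ret < 0`, while patches 5 and 8 use `if (ret)`; one convention across the series, please.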
@@ -53,8 +53,6 @@ uint32_t sev_get_reduced_phys_bits(void); bool sev_add_kernel_loader_hashes(SevKernelLoaderContext *ctx, Error **errp); int sev_encrypt_flash(uint8_t *ptr, uint64_t len, Error **errp); -int sev_inject_launch_secret(const char *hdr, const char *secret, - uint64_t gpa, Error **errp); int sev_es_save_reset_vector(void *flash_ptr, uint64_t flash_size); void sev_es_set_reset_vector(CPUState *cpu);
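Review bot: the prototype removed here declared a QEMU-local four-argument sev_inject_launch_secret(), yet sev.c now calls a six-argument function of the same name, and the header that provides the library declaration does not appear anywhere in this patch's context. Name the providing header in the commit message, and double-check that no other translation unit still includes sev.h expecting the old declaration, since the two signatures cannot coexist in one build.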
From: Tyler Fanelli
To: qemu-devel@nongnu.org
Cc: pbonzini@redhat.com, mtosatti@redhat.com, stefanha@redhat.com, Tyler Fanelli
Subject: [RFC PATCH 8/8] i386/sev: Replace LAUNCH_FINISH ioctl with sev library equivalent
Date: Thu, 14 Sep 2023 12:33:59 -0400
Message-Id: <20230914163358.379957-9-tfanelli@redhat.com>
In-Reply-To: <20230914163358.379957-1-tfanelli@redhat.com>

The LAUNCH_FINISH ioctl finishes the guest launch flow and transitions the guest into a state ready to be run. If this API ioctl call fails, fw_error will be set accordingly.

Signed-off-by: Tyler Fanelli
---
 target/i386/sev.c | 38 ++++++++++++++++----------------------
 1 file changed, 16 insertions(+), 22 deletions(-)

diff --git a/target/i386/sev.c b/target/i386/sev.c
index a4510b5437..e52dcc67c3 100644
--- a/target/i386/sev.c
+++ b/target/i386/sev.c
@@ -785,35 +785,29 @@ static Notifier sev_machine_done_notify = { .notify = sev_launch_get_measure, }; -static void -sev_launch_finish(SevGuestState *sev) -{ - int ret, error; - - trace_kvm_sev_launch_finish(); - ret = sev_ioctl(sev->sev_fd, KVM_SEV_LAUNCH_FINISH, 0, &error); - if (ret) { - error_report("%s: LAUNCH_FINISH ret=%d fw_error=%d '%s'", - __func__, ret, error, fw_error_to_str(error)); - exit(1); - } - - sev_set_guest_state(sev, SEV_STATE_RUNNING); - - /* add migration blocker */ - error_setg(&sev_mig_blocker, - "SEV: Migration is not implemented"); - migrate_add_blocker(sev_mig_blocker, &error_fatal); -} - static void sev_vm_state_change(void *opaque, bool running, RunState state) { SevGuestState *sev = opaque; + int ret, fw_error; + KVMState *s = kvm_state; if (running) { if (!sev_check_state(sev, SEV_STATE_RUNNING)) { - sev_launch_finish(sev); + trace_kvm_sev_launch_finish(); + ret = sev_launch_finish(s->vmfd, &fw_error); + if (ret) { + error_report("%s: LAUNCH_FINISH ret=%d fw_error=%d '%s'", + __func__, ret, fw_error, + fw_error_to_str(fw_error)); + exit(1); + } + + sev_set_guest_state(sev, SEV_STATE_RUNNING); + + // add migration blocker. + error_setg(&sev_mig_blocker, "SEV: Migration is not implemented"); + migrate_add_blocker(sev_mig_blocker, &error_fatal); } } }
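Review bot: `// add migration blocker.` is a C++-style comment; QEMU's coding style requires `/* ... */` comments and checkpatch flags `//`, and the line being replaced already had the form `/* add migration blocker */`, so keep it. The hunk also inlines the entire body of sev_launch_finish() into sev_vm_state_change(); a smaller change that keeps the static helper and swaps only the sev_ioctl() line for sev_launch_finish(s->vmfd, &fw_error) would preserve the existing structure, keep the nesting shallow and leave the migration-blocker setup where it was. As in patch 4, `fw_error` is read in the error_report() path without ever being initialised.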