From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
To: Tom Lendacky <thomas.lendacky@amd.com>
Cc: qemu-devel@nongnu.org, kvm@vger.kernel.org,
	Marcel Apfelbaum <marcel.apfelbaum@gmail.com>,
	Paolo Bonzini <pbonzini@redhat.com>,
	Eduardo Habkost <ehabkost@redhat.com>,
	Richard Henderson <rth@twiddle.net>,
	Connor Kuehl <ckuehl@redhat.com>,
	Brijesh Singh <brijesh.singh@amd.com>,
	Jiri Slaby <jslaby@suse.cz>,
	Marcelo Tosatti <mtosatti@redhat.com>,
	"Michael S. Tsirkin" <mst@redhat.com>,
	Sean Christopherson <seanjc@google.com>,
	Peter Maydell <peter.maydell@linaro.org>,
	Aurelien Jarno <aurelien@aurel32.net>,
	Jiaxun Yang <jiaxun.yang@flygoat.com>,
	Aleksandar Rikalo <aleksandar.rikalo@syrmia.com>,
	David Gibson <david@gibson.dropbear.id.au>,
	David Hildenbrand <david@redhat.com>
Subject: Re: [PATCH v5 4/6] sev/i386: Don't allow a system reset under an SEV-ES guest
Date: Mon, 25 Jan 2021 20:06:14 +0000
Message-ID: <20210125200614.GT2925@work-vm>
In-Reply-To: <c1b45c0f74820dffbc28625c9c44f603f44b76ee.1610665956.git.thomas.lendacky@amd.com>

* Tom Lendacky (thomas.lendacky@amd.com) wrote:
> From: Tom Lendacky <thomas.lendacky@amd.com>
> 
> An SEV-ES guest does not allow register state to be altered once it has
> been measured. When an SEV-ES guest issues a reboot command, Qemu will
> reset the vCPU state and resume the guest. This will cause failures under
> SEV-ES. Prevent that from occurring by introducing an arch-specific
> callback that returns a boolean indicating whether vCPUs are resettable.
> 
> Cc: Peter Maydell <peter.maydell@linaro.org>
> Cc: Aurelien Jarno <aurelien@aurel32.net>
> Cc: Jiaxun Yang <jiaxun.yang@flygoat.com>
> Cc: Aleksandar Rikalo <aleksandar.rikalo@syrmia.com>
> Cc: David Gibson <david@gibson.dropbear.id.au>
> Cc: David Hildenbrand <david@redhat.com>
> Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>

Thanks, that looks better than the earlier version.
Needs checking by one of the kvm guys, but I think:


Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>

> ---
>  accel/kvm/kvm-all.c       |  5 +++++
>  include/sysemu/cpus.h     |  2 ++
>  include/sysemu/hw_accel.h |  5 +++++
>  include/sysemu/kvm.h      | 10 ++++++++++
>  softmmu/cpus.c            |  5 +++++
>  softmmu/runstate.c        |  7 +++++--
>  target/arm/kvm.c          |  5 +++++
>  target/i386/kvm/kvm.c     |  6 ++++++
>  target/mips/kvm.c         |  5 +++++
>  target/ppc/kvm.c          |  5 +++++
>  target/s390x/kvm.c        |  5 +++++
>  11 files changed, 58 insertions(+), 2 deletions(-)
> 
> diff --git a/accel/kvm/kvm-all.c b/accel/kvm/kvm-all.c
> index 9db74b465e..9ac44ad018 100644
> --- a/accel/kvm/kvm-all.c
> +++ b/accel/kvm/kvm-all.c
> @@ -2411,6 +2411,11 @@ void kvm_flush_coalesced_mmio_buffer(void)
>      s->coalesced_flush_in_progress = false;
>  }
>  
> +bool kvm_cpu_check_are_resettable(void)
> +{
> +    return kvm_arch_cpu_check_are_resettable();
> +}
> +
>  static void do_kvm_cpu_synchronize_state(CPUState *cpu, run_on_cpu_data arg)
>  {
>      if (!cpu->vcpu_dirty) {
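
Review bot: kvm_cpu_check_are_resettable() only forwards to kvm_arch_cpu_check_are_resettable(), and the patch stacks two more forwarding layers on top of it (cpu_check_are_resettable() in hw_accel.h and cpus_are_resettable() in softmmu/cpus.c). If the generic KVM wrapper is not expected to gain accelerator-wide logic, callers could use the arch hook directly; if it is, a sentence in the commit message saying what each layer is for would help.
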
> diff --git a/include/sysemu/cpus.h b/include/sysemu/cpus.h
> index e8156728c6..1cb4f9dbeb 100644
> --- a/include/sysemu/cpus.h
> +++ b/include/sysemu/cpus.h
> @@ -57,6 +57,8 @@ extern int icount_align_option;
>  /* Unblock cpu */
>  void qemu_cpu_kick_self(void);
>  
> +bool cpus_are_resettable(void);
> +
>  void cpu_synchronize_all_states(void);
>  void cpu_synchronize_all_post_reset(void);
>  void cpu_synchronize_all_post_init(void);
> diff --git a/include/sysemu/hw_accel.h b/include/sysemu/hw_accel.h
> index ffed6192a3..61672f9b32 100644
> --- a/include/sysemu/hw_accel.h
> +++ b/include/sysemu/hw_accel.h
> @@ -22,4 +22,9 @@ void cpu_synchronize_post_reset(CPUState *cpu);
>  void cpu_synchronize_post_init(CPUState *cpu);
>  void cpu_synchronize_pre_loadvm(CPUState *cpu);
>  
> +static inline bool cpu_check_are_resettable(void)
> +{
> +    return kvm_enabled() ? kvm_cpu_check_are_resettable() : true;
> +}
> +
>  #endif /* QEMU_HW_ACCEL_H */
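
Review bot: the new inline cpu_check_are_resettable() calls kvm_enabled() and kvm_cpu_check_are_resettable(), but this hunk adds no #include for the header that declares them, so every file that includes hw_accel.h has to pull in sysemu/kvm.h some other way. Either include it here or confirm the build for configurations without KVM. The ": true" arm also reports every non-KVM accelerator as resettable; a one-line comment saying that is intentional would make the default explicit.
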
> diff --git a/include/sysemu/kvm.h b/include/sysemu/kvm.h
> index 875ca101e3..3e265cea3d 100644
> --- a/include/sysemu/kvm.h
> +++ b/include/sysemu/kvm.h
> @@ -573,4 +573,14 @@ int kvm_get_max_memslots(void);
>  /* Notify resamplefd for EOI of specific interrupts. */
>  void kvm_resample_fd_notify(int gsi);
>  
> +/**
> + * kvm_cpu_check_are_resettable - return whether CPUs can be reset
> + *
> + * Returns: true: CPUs are resettable
> + *          false: CPUs are not resettable
> + */
> +bool kvm_cpu_check_are_resettable(void);
> +
> +bool kvm_arch_cpu_check_are_resettable(void);
> +
>  #endif
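
Review bot: kvm_arch_cpu_check_are_resettable() is declared without a doc comment, while the wrapper directly above it has one. This is the hook each target has to implement, so it is the declaration that needs the contract spelled out: what returning false means for the caller (per the runstate.c change, a reset request is turned into a shutdown) and at what point it may be called.
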
> diff --git a/softmmu/cpus.c b/softmmu/cpus.c
> index 1dc20b9dc3..89de46eae0 100644
> --- a/softmmu/cpus.c
> +++ b/softmmu/cpus.c
> @@ -194,6 +194,11 @@ void cpu_synchronize_pre_loadvm(CPUState *cpu)
>      }
>  }
>  
> +bool cpus_are_resettable(void)
> +{
> +    return cpu_check_are_resettable();
> +}
> +
>  int64_t cpus_get_virtual_clock(void)
>  {
>      /*
> diff --git a/softmmu/runstate.c b/softmmu/runstate.c
> index 636aab0add..7b4f212d19 100644
> --- a/softmmu/runstate.c
> +++ b/softmmu/runstate.c
> @@ -523,8 +523,11 @@ void qemu_system_guest_crashloaded(GuestPanicInformation *info)
>  
>  void qemu_system_reset_request(ShutdownCause reason)
>  {
> -    if (reboot_action == REBOOT_ACTION_SHUTDOWN &&
> -        reason != SHUTDOWN_CAUSE_SUBSYSTEM_RESET) {
> +    if (!cpus_are_resettable()) {
> +        error_report("cpus are not resettable, terminating");
> +        shutdown_requested = reason;
> +    } else if (reboot_action == REBOOT_ACTION_SHUTDOWN &&
> +               reason != SHUTDOWN_CAUSE_SUBSYSTEM_RESET) {
>          shutdown_requested = reason;
>      } else {
>          reset_requested = reason;
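
Review bot: in qemu_system_reset_request() the new !cpus_are_resettable() branch is tested before reboot_action, which changes two cases beyond the plain guest reboot. With reboot_action == REBOOT_ACTION_SHUTDOWN the user already asked for a shutdown on reboot, yet error_report("cpus are not resettable, terminating") now fires even though nothing went wrong. And SHUTDOWN_CAUSE_SUBSYSTEM_RESET, which the old condition always routed to reset_requested, now terminates the guest as well; that is presumably required because the reset cannot work, but it deserves a mention in the commit message. Consider testing reboot_action first and reporting the error only where a reset would otherwise have happened, and consider naming the reason in the message so the log explains why a reboot turned into a shutdown.
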
> diff --git a/target/arm/kvm.c b/target/arm/kvm.c
> index ffe186de8d..00e124c812 100644
> --- a/target/arm/kvm.c
> +++ b/target/arm/kvm.c
> @@ -1045,3 +1045,8 @@ int kvm_arch_msi_data_to_gsi(uint32_t data)
>  {
>      return (data - 32) & 0xffff;
>  }
> +
> +bool kvm_arch_cpu_check_are_resettable(void)
> +{
> +    return true;
> +}
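
Review bot: this "return true;" stub for kvm_arch_cpu_check_are_resettable() is repeated verbatim in the mips, ppc and s390x hunks, and since kvm-all.c calls the hook unconditionally, any KVM target that lacks its own copy will not link. A single default implementation that targets can override would keep the change local to i386.
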
> diff --git a/target/i386/kvm/kvm.c b/target/i386/kvm/kvm.c
> index aaae79557d..bb6bfc19de 100644
> --- a/target/i386/kvm/kvm.c
> +++ b/target/i386/kvm/kvm.c
> @@ -27,6 +27,7 @@
>  #include "sysemu/kvm_int.h"
>  #include "sysemu/runstate.h"
>  #include "kvm_i386.h"
> +#include "sev_i386.h"
>  #include "hyperv.h"
>  #include "hyperv-proto.h"
>  
> @@ -4788,3 +4789,8 @@ bool kvm_has_waitpkg(void)
>  {
>      return has_msr_umwait;
>  }
> +
> +bool kvm_arch_cpu_check_are_resettable(void)
> +{
> +    return !sev_es_enabled();
> +}
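
Review bot: "return !sev_es_enabled();" carries no comment explaining why an SEV-ES guest cannot be reset. The reason is stated only in the commit message (register state cannot be altered once it has been measured); a short comment above kvm_arch_cpu_check_are_resettable() would keep that next to the code that depends on it.
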
> diff --git a/target/mips/kvm.c b/target/mips/kvm.c
> index 477692566a..a907c59c5e 100644
> --- a/target/mips/kvm.c
> +++ b/target/mips/kvm.c
> @@ -1289,3 +1289,8 @@ int mips_kvm_type(MachineState *machine, const char *vm_type)
>  
>      return -1;
>  }
> +
> +bool kvm_arch_cpu_check_are_resettable(void)
> +{
> +    return true;
> +}
> diff --git a/target/ppc/kvm.c b/target/ppc/kvm.c
> index daf690a678..f45ed11058 100644
> --- a/target/ppc/kvm.c
> +++ b/target/ppc/kvm.c
> @@ -2947,3 +2947,8 @@ void kvmppc_svm_off(Error **errp)
>          error_setg_errno(errp, -rc, "KVM_PPC_SVM_OFF ioctl failed");
>      }
>  }
> +
> +bool kvm_arch_cpu_check_are_resettable(void)
> +{
> +    return true;
> +}
> diff --git a/target/s390x/kvm.c b/target/s390x/kvm.c
> index b8385e6b95..5c5ba801f1 100644
> --- a/target/s390x/kvm.c
> +++ b/target/s390x/kvm.c
> @@ -2601,3 +2601,8 @@ void kvm_s390_stop_interrupt(S390CPU *cpu)
>  
>      kvm_s390_vcpu_interrupt(cpu, &irq);
>  }
> +
> +bool kvm_arch_cpu_check_are_resettable(void)
> +{
> +    return true;
> +}
> -- 
> 2.30.0
> 
-- 
Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK

