From: Venu Busireddy <venu.busireddy@oracle.com>
To: Tom Lendacky <thomas.lendacky@amd.com>
Cc: qemu-devel@nongnu.org, kvm@vger.kernel.org,
Marcel Apfelbaum <marcel.apfelbaum@gmail.com>,
Paolo Bonzini <pbonzini@redhat.com>,
"Dr. David Alan Gilbert" <dgilbert@redhat.com>,
Eduardo Habkost <ehabkost@redhat.com>,
Richard Henderson <rth@twiddle.net>,
Connor Kuehl <ckuehl@redhat.com>,
Brijesh Singh <brijesh.singh@amd.com>,
Jiri Slaby <jslaby@suse.cz>,
Marcelo Tosatti <mtosatti@redhat.com>,
"Michael S. Tsirkin" <mst@redhat.com>,
Sean Christopherson <seanjc@google.com>,
Peter Maydell <peter.maydell@linaro.org>,
Aurelien Jarno <aurelien@aurel32.net>,
Jiaxun Yang <jiaxun.yang@flygoat.com>,
Aleksandar Rikalo <aleksandar.rikalo@syrmia.com>,
David Gibson <david@gibson.dropbear.id.au>,
David Hildenbrand <david@redhat.com>
Subject: Re: [PATCH v6 4/6] sev/i386: Don't allow a system reset under an SEV-ES guest
Date: Fri, 29 Jan 2021 11:44:45 -0600 [thread overview]
Message-ID: <20210129174445.GD231819@dt> (raw)
In-Reply-To: <1ac39c441b9a3e970e9556e1cc29d0a0814de6fd.1611682609.git.thomas.lendacky@amd.com>
On 2021-01-26 11:36:47 -0600, Tom Lendacky wrote:
> From: Tom Lendacky <thomas.lendacky@amd.com>
>
> An SEV-ES guest does not allow register state to be altered once it has
> been measured. When an SEV-ES guest issues a reboot command, Qemu will
> reset the vCPU state and resume the guest. This will cause failures under
> SEV-ES. Prevent that from occuring by introducing an arch-specific
> callback that returns a boolean indicating whether vCPUs are resettable.
>
> Cc: Peter Maydell <peter.maydell@linaro.org>
> Cc: Aurelien Jarno <aurelien@aurel32.net>
> Cc: Jiaxun Yang <jiaxun.yang@flygoat.com>
> Cc: Aleksandar Rikalo <aleksandar.rikalo@syrmia.com>
> Cc: David Gibson <david@gibson.dropbear.id.au>
> Cc: David Hildenbrand <david@redhat.com>
> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
> Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
Reviewed-by: Venu Busireddy <venu.busireddy@oracle.com>
> ---
> accel/kvm/kvm-all.c | 5 +++++
> include/sysemu/cpus.h | 2 ++
> include/sysemu/hw_accel.h | 5 +++++
> include/sysemu/kvm.h | 10 ++++++++++
> softmmu/cpus.c | 5 +++++
> softmmu/runstate.c | 3 +++
> target/arm/kvm.c | 5 +++++
> target/i386/kvm/kvm.c | 6 ++++++
> target/mips/kvm.c | 5 +++++
> target/ppc/kvm.c | 5 +++++
> target/s390x/kvm.c | 5 +++++
> 11 files changed, 56 insertions(+)
>
> diff --git a/accel/kvm/kvm-all.c b/accel/kvm/kvm-all.c
> index 410879cf94..6c099a3869 100644
> --- a/accel/kvm/kvm-all.c
> +++ b/accel/kvm/kvm-all.c
> @@ -2414,6 +2414,11 @@ void kvm_flush_coalesced_mmio_buffer(void)
> s->coalesced_flush_in_progress = false;
> }
>
> +bool kvm_cpu_check_are_resettable(void)
> +{
> + return kvm_arch_cpu_check_are_resettable();
> +}
> +
> static void do_kvm_cpu_synchronize_state(CPUState *cpu, run_on_cpu_data arg)
> {
> if (!cpu->vcpu_dirty) {
> diff --git a/include/sysemu/cpus.h b/include/sysemu/cpus.h
> index e8156728c6..1cb4f9dbeb 100644
> --- a/include/sysemu/cpus.h
> +++ b/include/sysemu/cpus.h
> @@ -57,6 +57,8 @@ extern int icount_align_option;
> /* Unblock cpu */
> void qemu_cpu_kick_self(void);
>
> +bool cpus_are_resettable(void);
> +
> void cpu_synchronize_all_states(void);
> void cpu_synchronize_all_post_reset(void);
> void cpu_synchronize_all_post_init(void);
> diff --git a/include/sysemu/hw_accel.h b/include/sysemu/hw_accel.h
> index ffed6192a3..61672f9b32 100644
> --- a/include/sysemu/hw_accel.h
> +++ b/include/sysemu/hw_accel.h
> @@ -22,4 +22,9 @@ void cpu_synchronize_post_reset(CPUState *cpu);
> void cpu_synchronize_post_init(CPUState *cpu);
> void cpu_synchronize_pre_loadvm(CPUState *cpu);
>
> +static inline bool cpu_check_are_resettable(void)
> +{
> + return kvm_enabled() ? kvm_cpu_check_are_resettable() : true;
> +}
> +
> #endif /* QEMU_HW_ACCEL_H */
> diff --git a/include/sysemu/kvm.h b/include/sysemu/kvm.h
> index 875ca101e3..3e265cea3d 100644
> --- a/include/sysemu/kvm.h
> +++ b/include/sysemu/kvm.h
> @@ -573,4 +573,14 @@ int kvm_get_max_memslots(void);
> /* Notify resamplefd for EOI of specific interrupts. */
> void kvm_resample_fd_notify(int gsi);
>
> +/**
> + * kvm_cpu_check_are_resettable - return whether CPUs can be reset
> + *
> + * Returns: true: CPUs are resettable
> + * false: CPUs are not resettable
> + */
> +bool kvm_cpu_check_are_resettable(void);
> +
> +bool kvm_arch_cpu_check_are_resettable(void);
> +
> #endif
> diff --git a/softmmu/cpus.c b/softmmu/cpus.c
> index 1dc20b9dc3..89de46eae0 100644
> --- a/softmmu/cpus.c
> +++ b/softmmu/cpus.c
> @@ -194,6 +194,11 @@ void cpu_synchronize_pre_loadvm(CPUState *cpu)
> }
> }
>
> +bool cpus_are_resettable(void)
> +{
> + return cpu_check_are_resettable();
> +}
> +
> int64_t cpus_get_virtual_clock(void)
> {
> /*
> diff --git a/softmmu/runstate.c b/softmmu/runstate.c
> index beee050815..1813691898 100644
> --- a/softmmu/runstate.c
> +++ b/softmmu/runstate.c
> @@ -527,6 +527,9 @@ void qemu_system_reset_request(ShutdownCause reason)
> if (reboot_action == REBOOT_ACTION_SHUTDOWN &&
> reason != SHUTDOWN_CAUSE_SUBSYSTEM_RESET) {
> shutdown_requested = reason;
> + } else if (!cpus_are_resettable()) {
> + error_report("cpus are not resettable, terminating");
> + shutdown_requested = reason;
> } else {
> reset_requested = reason;
> }
> diff --git a/target/arm/kvm.c b/target/arm/kvm.c
> index ffe186de8d..00e124c812 100644
> --- a/target/arm/kvm.c
> +++ b/target/arm/kvm.c
> @@ -1045,3 +1045,8 @@ int kvm_arch_msi_data_to_gsi(uint32_t data)
> {
> return (data - 32) & 0xffff;
> }
> +
> +bool kvm_arch_cpu_check_are_resettable(void)
> +{
> + return true;
> +}
> diff --git a/target/i386/kvm/kvm.c b/target/i386/kvm/kvm.c
> index aaae79557d..bb6bfc19de 100644
> --- a/target/i386/kvm/kvm.c
> +++ b/target/i386/kvm/kvm.c
> @@ -27,6 +27,7 @@
> #include "sysemu/kvm_int.h"
> #include "sysemu/runstate.h"
> #include "kvm_i386.h"
> +#include "sev_i386.h"
> #include "hyperv.h"
> #include "hyperv-proto.h"
>
> @@ -4788,3 +4789,8 @@ bool kvm_has_waitpkg(void)
> {
> return has_msr_umwait;
> }
> +
> +bool kvm_arch_cpu_check_are_resettable(void)
> +{
> + return !sev_es_enabled();
> +}
> diff --git a/target/mips/kvm.c b/target/mips/kvm.c
> index 84fb10ea35..123ec1be7e 100644
> --- a/target/mips/kvm.c
> +++ b/target/mips/kvm.c
> @@ -1290,3 +1290,8 @@ int mips_kvm_type(MachineState *machine, const char *vm_type)
>
> return -1;
> }
> +
> +bool kvm_arch_cpu_check_are_resettable(void)
> +{
> + return true;
> +}
> diff --git a/target/ppc/kvm.c b/target/ppc/kvm.c
> index daf690a678..f45ed11058 100644
> --- a/target/ppc/kvm.c
> +++ b/target/ppc/kvm.c
> @@ -2947,3 +2947,8 @@ void kvmppc_svm_off(Error **errp)
> error_setg_errno(errp, -rc, "KVM_PPC_SVM_OFF ioctl failed");
> }
> }
> +
> +bool kvm_arch_cpu_check_are_resettable(void)
> +{
> + return true;
> +}
> diff --git a/target/s390x/kvm.c b/target/s390x/kvm.c
> index dc27fa36c9..7a892d663d 100644
> --- a/target/s390x/kvm.c
> +++ b/target/s390x/kvm.c
> @@ -2599,3 +2599,8 @@ void kvm_s390_stop_interrupt(S390CPU *cpu)
>
> kvm_s390_vcpu_interrupt(cpu, &irq);
> }
> +
> +bool kvm_arch_cpu_check_are_resettable(void)
> +{
> + return true;
> +}
> --
> 2.30.0
>
WARNING: multiple messages have this Message-ID (diff)
From: Venu Busireddy <venu.busireddy@oracle.com>
To: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Peter Maydell <peter.maydell@linaro.org>,
Aleksandar Rikalo <aleksandar.rikalo@syrmia.com>,
Brijesh Singh <brijesh.singh@amd.com>,
Eduardo Habkost <ehabkost@redhat.com>,
kvm@vger.kernel.org, "Michael S. Tsirkin" <mst@redhat.com>,
Connor Kuehl <ckuehl@redhat.com>,
Sean Christopherson <seanjc@google.com>,
Marcelo Tosatti <mtosatti@redhat.com>,
David Hildenbrand <david@redhat.com>,
"Dr. David Alan Gilbert" <dgilbert@redhat.com>,
qemu-devel@nongnu.org, Paolo Bonzini <pbonzini@redhat.com>,
David Gibson <david@gibson.dropbear.id.au>,
Jiri Slaby <jslaby@suse.cz>,
Aurelien Jarno <aurelien@aurel32.net>,
Richard Henderson <rth@twiddle.net>
Subject: Re: [PATCH v6 4/6] sev/i386: Don't allow a system reset under an SEV-ES guest
Date: Fri, 29 Jan 2021 11:44:45 -0600 [thread overview]
Message-ID: <20210129174445.GD231819@dt> (raw)
In-Reply-To: <1ac39c441b9a3e970e9556e1cc29d0a0814de6fd.1611682609.git.thomas.lendacky@amd.com>
On 2021-01-26 11:36:47 -0600, Tom Lendacky wrote:
> From: Tom Lendacky <thomas.lendacky@amd.com>
>
> An SEV-ES guest does not allow register state to be altered once it has
> been measured. When an SEV-ES guest issues a reboot command, Qemu will
> reset the vCPU state and resume the guest. This will cause failures under
> SEV-ES. Prevent that from occuring by introducing an arch-specific
> callback that returns a boolean indicating whether vCPUs are resettable.
>
> Cc: Peter Maydell <peter.maydell@linaro.org>
> Cc: Aurelien Jarno <aurelien@aurel32.net>
> Cc: Jiaxun Yang <jiaxun.yang@flygoat.com>
> Cc: Aleksandar Rikalo <aleksandar.rikalo@syrmia.com>
> Cc: David Gibson <david@gibson.dropbear.id.au>
> Cc: David Hildenbrand <david@redhat.com>
> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
> Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
Reviewed-by: Venu Busireddy <venu.busireddy@oracle.com>
> ---
> accel/kvm/kvm-all.c | 5 +++++
> include/sysemu/cpus.h | 2 ++
> include/sysemu/hw_accel.h | 5 +++++
> include/sysemu/kvm.h | 10 ++++++++++
> softmmu/cpus.c | 5 +++++
> softmmu/runstate.c | 3 +++
> target/arm/kvm.c | 5 +++++
> target/i386/kvm/kvm.c | 6 ++++++
> target/mips/kvm.c | 5 +++++
> target/ppc/kvm.c | 5 +++++
> target/s390x/kvm.c | 5 +++++
> 11 files changed, 56 insertions(+)
>
> diff --git a/accel/kvm/kvm-all.c b/accel/kvm/kvm-all.c
> index 410879cf94..6c099a3869 100644
> --- a/accel/kvm/kvm-all.c
> +++ b/accel/kvm/kvm-all.c
> @@ -2414,6 +2414,11 @@ void kvm_flush_coalesced_mmio_buffer(void)
> s->coalesced_flush_in_progress = false;
> }
>
> +bool kvm_cpu_check_are_resettable(void)
> +{
> + return kvm_arch_cpu_check_are_resettable();
> +}
> +
> static void do_kvm_cpu_synchronize_state(CPUState *cpu, run_on_cpu_data arg)
> {
> if (!cpu->vcpu_dirty) {
> diff --git a/include/sysemu/cpus.h b/include/sysemu/cpus.h
> index e8156728c6..1cb4f9dbeb 100644
> --- a/include/sysemu/cpus.h
> +++ b/include/sysemu/cpus.h
> @@ -57,6 +57,8 @@ extern int icount_align_option;
> /* Unblock cpu */
> void qemu_cpu_kick_self(void);
>
> +bool cpus_are_resettable(void);
> +
> void cpu_synchronize_all_states(void);
> void cpu_synchronize_all_post_reset(void);
> void cpu_synchronize_all_post_init(void);
> diff --git a/include/sysemu/hw_accel.h b/include/sysemu/hw_accel.h
> index ffed6192a3..61672f9b32 100644
> --- a/include/sysemu/hw_accel.h
> +++ b/include/sysemu/hw_accel.h
> @@ -22,4 +22,9 @@ void cpu_synchronize_post_reset(CPUState *cpu);
> void cpu_synchronize_post_init(CPUState *cpu);
> void cpu_synchronize_pre_loadvm(CPUState *cpu);
>
> +static inline bool cpu_check_are_resettable(void)
> +{
> + return kvm_enabled() ? kvm_cpu_check_are_resettable() : true;
> +}
> +
> #endif /* QEMU_HW_ACCEL_H */
> diff --git a/include/sysemu/kvm.h b/include/sysemu/kvm.h
> index 875ca101e3..3e265cea3d 100644
> --- a/include/sysemu/kvm.h
> +++ b/include/sysemu/kvm.h
> @@ -573,4 +573,14 @@ int kvm_get_max_memslots(void);
> /* Notify resamplefd for EOI of specific interrupts. */
> void kvm_resample_fd_notify(int gsi);
>
> +/**
> + * kvm_cpu_check_are_resettable - return whether CPUs can be reset
> + *
> + * Returns: true: CPUs are resettable
> + * false: CPUs are not resettable
> + */
> +bool kvm_cpu_check_are_resettable(void);
> +
> +bool kvm_arch_cpu_check_are_resettable(void);
> +
> #endif
> diff --git a/softmmu/cpus.c b/softmmu/cpus.c
> index 1dc20b9dc3..89de46eae0 100644
> --- a/softmmu/cpus.c
> +++ b/softmmu/cpus.c
> @@ -194,6 +194,11 @@ void cpu_synchronize_pre_loadvm(CPUState *cpu)
> }
> }
>
> +bool cpus_are_resettable(void)
> +{
> + return cpu_check_are_resettable();
> +}
> +
> int64_t cpus_get_virtual_clock(void)
> {
> /*
> diff --git a/softmmu/runstate.c b/softmmu/runstate.c
> index beee050815..1813691898 100644
> --- a/softmmu/runstate.c
> +++ b/softmmu/runstate.c
> @@ -527,6 +527,9 @@ void qemu_system_reset_request(ShutdownCause reason)
> if (reboot_action == REBOOT_ACTION_SHUTDOWN &&
> reason != SHUTDOWN_CAUSE_SUBSYSTEM_RESET) {
> shutdown_requested = reason;
> + } else if (!cpus_are_resettable()) {
> + error_report("cpus are not resettable, terminating");
> + shutdown_requested = reason;
> } else {
> reset_requested = reason;
> }
> diff --git a/target/arm/kvm.c b/target/arm/kvm.c
> index ffe186de8d..00e124c812 100644
> --- a/target/arm/kvm.c
> +++ b/target/arm/kvm.c
> @@ -1045,3 +1045,8 @@ int kvm_arch_msi_data_to_gsi(uint32_t data)
> {
> return (data - 32) & 0xffff;
> }
> +
> +bool kvm_arch_cpu_check_are_resettable(void)
> +{
> + return true;
> +}
> diff --git a/target/i386/kvm/kvm.c b/target/i386/kvm/kvm.c
> index aaae79557d..bb6bfc19de 100644
> --- a/target/i386/kvm/kvm.c
> +++ b/target/i386/kvm/kvm.c
> @@ -27,6 +27,7 @@
> #include "sysemu/kvm_int.h"
> #include "sysemu/runstate.h"
> #include "kvm_i386.h"
> +#include "sev_i386.h"
> #include "hyperv.h"
> #include "hyperv-proto.h"
>
> @@ -4788,3 +4789,8 @@ bool kvm_has_waitpkg(void)
> {
> return has_msr_umwait;
> }
> +
> +bool kvm_arch_cpu_check_are_resettable(void)
> +{
> + return !sev_es_enabled();
> +}
> diff --git a/target/mips/kvm.c b/target/mips/kvm.c
> index 84fb10ea35..123ec1be7e 100644
> --- a/target/mips/kvm.c
> +++ b/target/mips/kvm.c
> @@ -1290,3 +1290,8 @@ int mips_kvm_type(MachineState *machine, const char *vm_type)
>
> return -1;
> }
> +
> +bool kvm_arch_cpu_check_are_resettable(void)
> +{
> + return true;
> +}
> diff --git a/target/ppc/kvm.c b/target/ppc/kvm.c
> index daf690a678..f45ed11058 100644
> --- a/target/ppc/kvm.c
> +++ b/target/ppc/kvm.c
> @@ -2947,3 +2947,8 @@ void kvmppc_svm_off(Error **errp)
> error_setg_errno(errp, -rc, "KVM_PPC_SVM_OFF ioctl failed");
> }
> }
> +
> +bool kvm_arch_cpu_check_are_resettable(void)
> +{
> + return true;
> +}
> diff --git a/target/s390x/kvm.c b/target/s390x/kvm.c
> index dc27fa36c9..7a892d663d 100644
> --- a/target/s390x/kvm.c
> +++ b/target/s390x/kvm.c
> @@ -2599,3 +2599,8 @@ void kvm_s390_stop_interrupt(S390CPU *cpu)
>
> kvm_s390_vcpu_interrupt(cpu, &irq);
> }
> +
> +bool kvm_arch_cpu_check_are_resettable(void)
> +{
> + return true;
> +}
> --
> 2.30.0
>
next prev parent reply other threads:[~2021-01-29 17:49 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-26 17:36 [PATCH v6 0/6] Qemu SEV-ES guest support Tom Lendacky
2021-01-26 17:36 ` Tom Lendacky
2021-01-26 17:36 ` [PATCH v6 1/6] sev/i386: Add initial support for SEV-ES Tom Lendacky
2021-01-26 17:36 ` Tom Lendacky
2021-01-29 17:39 ` Venu Busireddy
2021-01-29 17:39 ` Venu Busireddy
2021-01-26 17:36 ` [PATCH v6 2/6] sev/i386: Require in-kernel irqchip support for SEV-ES guests Tom Lendacky
2021-01-26 17:36 ` Tom Lendacky
2021-01-29 17:41 ` Venu Busireddy
2021-01-29 17:41 ` Venu Busireddy
2021-01-26 17:36 ` [PATCH v6 3/6] sev/i386: Allow AP booting under SEV-ES Tom Lendacky
2021-01-26 17:36 ` Tom Lendacky
2021-01-29 17:44 ` Venu Busireddy
2021-01-29 17:44 ` Venu Busireddy
2021-02-01 18:48 ` Tom Lendacky
2021-02-01 18:48 ` Tom Lendacky
2021-01-26 17:36 ` [PATCH v6 4/6] sev/i386: Don't allow a system reset under an SEV-ES guest Tom Lendacky
2021-01-26 17:36 ` Tom Lendacky
2021-01-29 17:44 ` Venu Busireddy [this message]
2021-01-29 17:44 ` Venu Busireddy
2021-01-26 17:36 ` [PATCH v6 5/6] kvm/i386: Use a per-VM check for SMM capability Tom Lendacky
2021-01-26 17:36 ` Tom Lendacky
2021-01-29 17:46 ` Venu Busireddy
2021-01-29 17:46 ` Venu Busireddy
2021-01-26 17:36 ` [PATCH v6 6/6] sev/i386: Enable an SEV-ES guest based on SEV policy Tom Lendacky
2021-01-26 17:36 ` Tom Lendacky
2021-01-29 17:46 ` Venu Busireddy
2021-01-29 17:46 ` Venu Busireddy
2021-02-05 10:59 ` [PATCH v6 0/6] Qemu SEV-ES guest support Paolo Bonzini
2021-02-05 10:59 ` Paolo Bonzini
2021-02-08 15:48 ` Tom Lendacky
2021-02-08 15:48 ` Tom Lendacky
2021-02-08 16:31 ` Paolo Bonzini
2021-02-08 16:31 ` Paolo Bonzini
2021-02-08 17:35 ` Tom Lendacky
2021-02-08 17:35 ` Tom Lendacky
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210129174445.GD231819@dt \
--to=venu.busireddy@oracle.com \
--cc=aleksandar.rikalo@syrmia.com \
--cc=aurelien@aurel32.net \
--cc=brijesh.singh@amd.com \
--cc=ckuehl@redhat.com \
--cc=david@gibson.dropbear.id.au \
--cc=david@redhat.com \
--cc=dgilbert@redhat.com \
--cc=ehabkost@redhat.com \
--cc=jiaxun.yang@flygoat.com \
--cc=jslaby@suse.cz \
--cc=kvm@vger.kernel.org \
--cc=marcel.apfelbaum@gmail.com \
--cc=mst@redhat.com \
--cc=mtosatti@redhat.com \
--cc=pbonzini@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=qemu-devel@nongnu.org \
--cc=rth@twiddle.net \
--cc=seanjc@google.com \
--cc=thomas.lendacky@amd.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.