From: "Daniel P. Berrangé" <berrange@redhat.com>
To: Roy Hopkins <roy.hopkins@randomman.co.uk>,
	qemu-devel@nongnu.org, Paolo Bonzini <pbonzini@redhat.com>,
	Stefano Garzarella <sgarzare@redhat.com>,
	Marcelo Tosatti <mtosatti@redhat.com>,
	"Michael S . Tsirkin" <mst@redhat.com>,
	Cornelia Huck <cohuck@redhat.com>,
	Marcel Apfelbaum <marcel.apfelbaum@gmail.com>,
	Sergio Lopez <slp@redhat.com>,
	Eduardo Habkost <eduardo@habkost.net>,
	Alistair Francis <alistair@alistair23.me>,
	Peter Xu <peterx@redhat.com>,
	David Hildenbrand <david@redhat.com>,
	Igor Mammedov <imammedo@redhat.com>,
	Tom Lendacky <thomas.lendacky@amd.com>,
	Michael Roth <michael.roth@amd.com>,
	Ani Sinha <anisinha@redhat.com>, Gerd Hoffman <kraxel@redhat.com>,
	Pankaj Gupta <pankaj.gupta@amd.com>,
	Joerg Roedel <joro@8bytes.org>
Subject: Re: [PATCH v9 08/16] i386/sev: Refactor setting of reset vector and initial CPU state
Date: Tue, 8 Jul 2025 16:28:36 +0100
Message-ID: <aG05JAMHDmfbpg_E@redhat.com>
In-Reply-To: <aG04W_upzY6p7M1H@redhat.com>

On Tue, Jul 08, 2025 at 04:25:25PM +0100, Daniel P. Berrangé wrote:
> On Thu, Jul 03, 2025 at 04:31:59PM +0100, Roy Hopkins wrote:
> > When an SEV guest is started, the reset vector and state are
> > extracted from metadata that is contained in the firmware volume.
> > 
> > In preparation for using IGVM to set up the initial CPU state,
> > the code has been refactored to populate vmcb_save_area for each
> > CPU which is then applied during guest startup and CPU reset.
> > 
> > Signed-off-by: Roy Hopkins <roy.hopkins@randomman.co.uk>
> > Acked-by: Michael S. Tsirkin <mst@redhat.com>
> > Acked-by: Stefano Garzarella <sgarzare@redhat.com>
> > Acked-by: Gerd Hoffman <kraxel@redhat.com>
> > Reviewed-by: Pankaj Gupta <pankaj.gupta@amd.com>
> > ---
> >  target/i386/sev.c | 322 +++++++++++++++++++++++++++++++++++++++++-----
> >  target/i386/sev.h | 110 ++++++++++++++++
> >  2 files changed, 399 insertions(+), 33 deletions(-)
> > 
> > diff --git a/target/i386/sev.c b/target/i386/sev.c
> > index a84f5f5d28..a13f91e615 100644
> > --- a/target/i386/sev.c
> > +++ b/target/i386/sev.c
> 
> 
> > +static void sev_apply_cpu_context(CPUState *cpu)
> > +{
> > +    SevCommonState *sev_common = SEV_COMMON(MACHINE(qdev_get_machine())->cgs);
> > +    X86CPU *x86;
> > +    CPUX86State *env;
> > +    struct SevLaunchVmsa *launch_vmsa;
> > +
> > +    /* See if an initial VMSA has been provided for this CPU */
> > +    QTAILQ_FOREACH(launch_vmsa, &sev_common->launch_vmsa, next)
> > +    {
> > +        if (cpu->cpu_index == launch_vmsa->cpu_index) {
> > +            x86 = X86_CPU(cpu);
> > +            env = &x86->env;
> > +
> > +            /*
> > +             * Ideally we would provide the VMSA directly to kvm which would
> > +             * ensure that the resulting initial VMSA measurement which is
> > +             * calculated during KVM_SEV_LAUNCH_UPDATE_VMSA is calculated from
> > +             * exactly what we provide here. Currently this is not possible so
> > +             * we need to copy the parts of the VMSA structure that we currently
> > +             * support into the CPU state.
> > +             */
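
Review bot: The comment above the copy step in sev_apply_cpu_context() says only "the parts of the VMSA structure that we currently support" are copied into the CPU state, but it does not say which fields are left out or what happens when one of them is set to a non-default value. Since the comment itself notes that the measurement is calculated by KVM during KVM_SEV_LAUNCH_UPDATE_VMSA, a sentence pointing to where unsupported fields are checked or rejected would make the trust boundary clear to a reader of this function alone. As a style point, the opening brace after QTAILQ_FOREACH(launch_vmsa, &sev_common->launch_vmsa, next) sits on its own line; QEMU style keeps it on the same line as the loop statement. The x86 and env locals are only used inside the matching branch and could be declared there.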
> 
> Are there any parts of the VMSA described in the IGVM that we are
> unable to handle here ?
> 
> If so, what happens if those parts are set in the IGVM and their
> value doesn't match KVM's default ? Presumably that would become
> a measurement failure ?

Never mind, this is answered by the following patch.


With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|


