From: Paolo Bonzini <pbonzini@redhat.com>
To: qemu-devel@nongnu.org
Cc: Brijesh Singh <brijesh.singh@amd.com>,
Richard Henderson <rth@twiddle.net>,
Eduardo Habkost <ehabkost@redhat.com>
Subject: [Qemu-devel] [PULL 22/22] sev/i386: add sev_get_capabilities()
Date: Tue, 13 Mar 2018 13:56:38 +0100 [thread overview]
Message-ID: <1520945798-50640-23-git-send-email-pbonzini@redhat.com> (raw)
In-Reply-To: <1520945798-50640-1-git-send-email-pbonzini@redhat.com>
From: Brijesh Singh <brijesh.singh@amd.com>
The function can be used to get the current SEV capabilities.
The capabilities include platform diffie-hellman key (pdh) and certificate
chain. The key can be provided to the external entities which wants to
establish a trusted channel between SEV firmware and guest owner.
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Richard Henderson <rth@twiddle.net>
Cc: Eduardo Habkost <ehabkost@redhat.com>
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
target/i386/monitor.c | 11 +++++--
target/i386/sev-stub.c | 5 +++
target/i386/sev.c | 83 ++++++++++++++++++++++++++++++++++++++++++++++++++
target/i386/sev_i386.h | 1 +
4 files changed, 98 insertions(+), 2 deletions(-)
diff --git a/target/i386/monitor.c b/target/i386/monitor.c
index 8a786fb..011419e 100644
--- a/target/i386/monitor.c
+++ b/target/i386/monitor.c
@@ -717,6 +717,13 @@ SevLaunchMeasureInfo *qmp_query_sev_launch_measure(Error **errp)
SevCapability *qmp_query_sev_capabilities(Error **errp)
{
- error_setg(errp, "SEV feature is not available");
- return NULL;
+ SevCapability *data;
+
+ data = sev_get_capabilities();
+ if (!data) {
+ error_setg(errp, "SEV feature is not available");
+ return NULL;
+ }
+
+ return data;
}
diff --git a/target/i386/sev-stub.c b/target/i386/sev-stub.c
index 2f61c32..59a003a4 100644
--- a/target/i386/sev-stub.c
+++ b/target/i386/sev-stub.c
@@ -44,3 +44,8 @@ char *sev_get_launch_measurement(void)
{
return NULL;
}
+
+SevCapability *sev_get_capabilities(void)
+{
+ return NULL;
+}
diff --git a/target/i386/sev.c b/target/i386/sev.c
index bcf4f1e..34733f9 100644
--- a/target/i386/sev.c
+++ b/target/i386/sev.c
@@ -427,6 +427,89 @@ sev_get_info(void)
}
static int
+sev_get_pdh_info(int fd, guchar **pdh, size_t *pdh_len, guchar **cert_chain,
+ size_t *cert_chain_len)
+{
+ guchar *pdh_data, *cert_chain_data;
+ struct sev_user_data_pdh_cert_export export = {};
+ int err, r;
+
+ /* query the certificate length */
+ r = sev_platform_ioctl(fd, SEV_PDH_CERT_EXPORT, &export, &err);
+ if (r < 0) {
+ if (err != SEV_RET_INVALID_LEN) {
+ error_report("failed to export PDH cert ret=%d fw_err=%d (%s)",
+ r, err, fw_error_to_str(err));
+ return 1;
+ }
+ }
+
+ pdh_data = g_new(guchar, export.pdh_cert_len);
+ cert_chain_data = g_new(guchar, export.cert_chain_len);
+ export.pdh_cert_address = (unsigned long)pdh_data;
+ export.cert_chain_address = (unsigned long)cert_chain_data;
+
+ r = sev_platform_ioctl(fd, SEV_PDH_CERT_EXPORT, &export, &err);
+ if (r < 0) {
+ error_report("failed to export PDH cert ret=%d fw_err=%d (%s)",
+ r, err, fw_error_to_str(err));
+ goto e_free;
+ }
+
+ *pdh = pdh_data;
+ *pdh_len = export.pdh_cert_len;
+ *cert_chain = cert_chain_data;
+ *cert_chain_len = export.cert_chain_len;
+ return 0;
+
+e_free:
+ g_free(pdh_data);
+ g_free(cert_chain_data);
+ return 1;
+}
+
+SevCapability *
+sev_get_capabilities(void)
+{
+ SevCapability *cap;
+ guchar *pdh_data, *cert_chain_data;
+ size_t pdh_len = 0, cert_chain_len = 0;
+ uint32_t ebx;
+ int fd;
+
+ fd = open(DEFAULT_SEV_DEVICE, O_RDWR);
+ if (fd < 0) {
+ error_report("%s: Failed to open %s '%s'", __func__,
+ DEFAULT_SEV_DEVICE, strerror(errno));
+ return NULL;
+ }
+
+ if (sev_get_pdh_info(fd, &pdh_data, &pdh_len,
+ &cert_chain_data, &cert_chain_len)) {
+ return NULL;
+ }
+
+ cap = g_new0(SevCapability, 1);
+ cap->pdh = g_base64_encode(pdh_data, pdh_len);
+ cap->cert_chain = g_base64_encode(cert_chain_data, cert_chain_len);
+
+ host_cpuid(0x8000001F, 0, NULL, &ebx, NULL, NULL);
+ cap->cbitpos = ebx & 0x3f;
+
+ /*
+ * When SEV feature is enabled, we loose one bit in guest physical
+ * addressing.
+ */
+ cap->reduced_phys_bits = 1;
+
+ g_free(pdh_data);
+ g_free(cert_chain_data);
+
+ close(fd);
+ return cap;
+}
+
+static int
sev_read_file_base64(const char *filename, guchar **data, gsize *len)
{
gsize sz;
diff --git a/target/i386/sev_i386.h b/target/i386/sev_i386.h
index 6e37077..b8622df 100644
--- a/target/i386/sev_i386.h
+++ b/target/i386/sev_i386.h
@@ -38,6 +38,7 @@ extern SevInfo *sev_get_info(void);
extern uint32_t sev_get_cbit_position(void);
extern uint32_t sev_get_reduced_phys_bits(void);
extern char *sev_get_launch_measurement(void);
+extern SevCapability *sev_get_capabilities(void);
typedef struct QSevGuestInfo QSevGuestInfo;
typedef struct QSevGuestInfoClass QSevGuestInfoClass;
--
1.8.3.1
next prev parent reply other threads:[~2018-03-13 12:57 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-13 12:56 [Qemu-devel] [PULL 00/22] KVM patches for QEMU 2.12 soft freeze Paolo Bonzini
2018-03-13 12:56 ` [Qemu-devel] [PULL 01/22] update Linux headers to 4.16-rc5 Paolo Bonzini
2018-03-13 12:56 ` [Qemu-devel] [PULL 02/22] KVM: x86: Add support for save/load MSR_SMI_COUNT Paolo Bonzini
2018-03-13 12:56 ` [Qemu-devel] [PULL 03/22] machine: add memory-encryption option Paolo Bonzini
2018-03-13 12:56 ` [Qemu-devel] [PULL 04/22] docs: add AMD Secure Encrypted Virtualization (SEV) Paolo Bonzini
2018-03-13 12:56 ` [Qemu-devel] [PULL 05/22] kvm: add memory encryption context Paolo Bonzini
2018-03-13 12:56 ` [Qemu-devel] [PULL 06/22] kvm: introduce memory encryption APIs Paolo Bonzini
2018-03-13 12:56 ` [Qemu-devel] [PULL 07/22] target/i386: add Secure Encrypted Virtualization (SEV) object Paolo Bonzini
2018-03-13 12:56 ` [Qemu-devel] [PULL 08/22] sev/i386: qmp: add query-sev command Paolo Bonzini
2018-03-13 12:56 ` [Qemu-devel] [PULL 09/22] include: add psp-sev.h header file Paolo Bonzini
2018-03-13 12:56 ` [Qemu-devel] [PULL 10/22] sev/i386: add command to initialize the memory encryption context Paolo Bonzini
2018-04-27 13:01 ` Peter Maydell
2018-03-13 12:56 ` [Qemu-devel] [PULL 11/22] sev/i386: register the guest memory range which may contain encrypted data Paolo Bonzini
2018-03-13 12:56 ` [Qemu-devel] [PULL 12/22] sev/i386: add command to create launch memory encryption context Paolo Bonzini
2018-04-27 13:04 ` Peter Maydell
2018-03-13 12:56 ` [Qemu-devel] [PULL 13/22] sev/i386: add command to encrypt guest memory region Paolo Bonzini
2018-03-13 12:56 ` [Qemu-devel] [PULL 14/22] target/i386: encrypt bios rom Paolo Bonzini
2018-03-13 12:56 ` [Qemu-devel] [PULL 15/22] sev/i386: add support to LAUNCH_MEASURE command Paolo Bonzini
2018-03-13 12:56 ` [Qemu-devel] [PULL 16/22] sev/i386: finalize the SEV guest launch flow Paolo Bonzini
2018-03-13 12:56 ` [Qemu-devel] [PULL 17/22] sev/i386: add migration blocker Paolo Bonzini
2018-03-13 12:56 ` [Qemu-devel] [PULL 18/22] cpu/i386: populate CPUID 0x8000_001F when SEV is active Paolo Bonzini
2018-03-13 12:56 ` [Qemu-devel] [PULL 19/22] sev/i386: hmp: add 'info sev' command Paolo Bonzini
2018-03-13 12:56 ` [Qemu-devel] [PULL 20/22] sev/i386: qmp: add query-sev-launch-measure command Paolo Bonzini
2018-03-13 12:56 ` [Qemu-devel] [PULL 21/22] sev/i386: qmp: add query-sev-capabilities command Paolo Bonzini
2018-03-13 12:56 ` Paolo Bonzini [this message]
2018-04-27 12:53 ` [Qemu-devel] [PULL 22/22] sev/i386: add sev_get_capabilities() Peter Maydell
2018-03-13 16:29 ` [Qemu-devel] [PULL 00/22] KVM patches for QEMU 2.12 soft freeze Alex Williamson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1520945798-50640-23-git-send-email-pbonzini@redhat.com \
--to=pbonzini@redhat.com \
--cc=brijesh.singh@amd.com \
--cc=ehabkost@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=rth@twiddle.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).