From: Stefan Hajnoczi <stefanha@gmail.com>
To: Brijesh Singh <brijesh.singh@amd.com>
Cc: ehabkost@redhat.com, crosthwaite.peter@gmail.com,
armbru@redhat.com, mst@redhat.com, p.fedin@samsung.com,
qemu-devel@nongnu.org, lcapitulino@redhat.com,
pbonzini@redhat.com, rth@twiddle.net, Thomas.Lendacky@amd.com
Subject: Re: [Qemu-devel] [RFC PATCH v4 06/20] core: add new security-policy object
Date: Thu, 23 Mar 2017 11:35:17 +0000 [thread overview]
Message-ID: <20170323113517.GC12560@stefanha-x1.localdomain> (raw)
In-Reply-To: <148900632968.27090.15435012868487968230.stgit@brijesh-build-machine>
[-- Attachment #1: Type: text/plain, Size: 14077 bytes --]
On Wed, Mar 08, 2017 at 03:52:09PM -0500, Brijesh Singh wrote:
> The object can be used to define global security policy for the guest.
"security-policy" is very vague. Lots of parts of QEMU have security
related options (e.g. VNC display, networking, etc).
I'd prefer a
-machine memory-encryption=on|off,memory-encryption-debug=on|off
or -m encryption=on|off,encryption-debug=on|off switch instead of a new
security policy object with questionable scope.
> object provides two properties:
>
> 1) debug: can be used to disable guest memory access from hypervisor.
>
> e.g to disable guest memory debug accesses
>
> # $QEMU \
> -object security-policy,debug=false,id=mypolicy \
> -machine ...,security-policy=mypolicy
>
> 2) memory-encryption: if hypervisor supports memory encryption then this
> property can be used to define object for encryption.
>
> # $QEMU \
> -object sev-guest,id=sev0 \
> -object security-policy,id=memory-encryption=sev0,id=mypolicy \
s/id=memory-encryption=/id=mypolicy,memory-encryption=/
> -machine ...,security-policy=mypolicy
>
> The memory-encryption property will be used for enabling AMD's SEV feature.
>
> Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
> ---
> exec.c | 7 ++
> hw/core/Makefile.objs | 1
> hw/core/machine.c | 22 +++++
> hw/core/security-policy.c | 165 ++++++++++++++++++++++++++++++++++++++
> include/hw/boards.h | 1
> include/sysemu/security-policy.h | 75 +++++++++++++++++
> qemu-options.hx | 21 +++++
> 7 files changed, 292 insertions(+)
> create mode 100644 hw/core/security-policy.c
> create mode 100644 include/sysemu/security-policy.h
>
> diff --git a/exec.c b/exec.c
> index 772a959..2c7c891 100644
> --- a/exec.c
> +++ b/exec.c
> @@ -40,6 +40,7 @@
> #else /* !CONFIG_USER_ONLY */
> #include "hw/hw.h"
> #include "exec/memory.h"
> +#include "sysemu/security-policy.h"
> #include "exec/ioport.h"
> #include "sysemu/dma.h"
> #include "sysemu/numa.h"
> @@ -2926,6 +2927,12 @@ static inline void cpu_physical_memory_rw_debug_internal(AddressSpace *as,
> hwaddr addr1;
> MemoryRegion *mr;
>
> + /* Check if debug accesses is allowed */
> + if (attrs.debug &&
> + !security_policy_debug_allowed(current_machine->security_policy)) {
> + return;
> + }
> +
> rcu_read_lock();
> while (len > 0) {
> l = len;
> diff --git a/hw/core/Makefile.objs b/hw/core/Makefile.objs
> index 91450b2..3c413b1 100644
> --- a/hw/core/Makefile.objs
> +++ b/hw/core/Makefile.objs
> @@ -18,6 +18,7 @@ common-obj-$(CONFIG_SOFTMMU) += qdev-properties-system.o
> common-obj-$(CONFIG_SOFTMMU) += register.o
> common-obj-$(CONFIG_SOFTMMU) += or-irq.o
> common-obj-$(CONFIG_PLATFORM_BUS) += platform-bus.o
> +common-obj-$(CONFIG_SOFTMMU) += security-policy.o
>
> obj-$(CONFIG_SOFTMMU) += generic-loader.o
> obj-$(CONFIG_SOFTMMU) += null-machine.o
> diff --git a/hw/core/machine.c b/hw/core/machine.c
> index 0699750..c14f59c 100644
> --- a/hw/core/machine.c
> +++ b/hw/core/machine.c
> @@ -332,6 +332,23 @@ static bool machine_get_enforce_config_section(Object *obj, Error **errp)
> return ms->enforce_config_section;
> }
>
> +static char *machine_get_security_policy(Object *obj, Error **errp)
> +{
> + MachineState *ms = MACHINE(obj);
> +
> + return g_strdup(ms->security_policy);
> +}
> +
> +static void machine_set_security_policy(Object *obj,
> + const char *value, Error **errp)
> +{
> + MachineState *ms = MACHINE(obj);
> +
> + g_free(ms->security_policy);
> + ms->security_policy = g_strdup(value);
> +}
> +
> +
> static void error_on_sysbus_device(SysBusDevice *sbdev, void *opaque)
> {
> error_report("Option '-device %s' cannot be handled by this machine",
> @@ -493,6 +510,11 @@ static void machine_class_init(ObjectClass *oc, void *data)
> &error_abort);
> object_class_property_set_description(oc, "enforce-config-section",
> "Set on to enforce configuration section migration", &error_abort);
> +
> + object_class_property_add_str(oc, "security-policy",
> + machine_get_security_policy, machine_set_security_policy, NULL);
> + object_class_property_set_description(oc, "security-policy",
> + "Set the security policy for the machine", NULL);
> }
>
> static void machine_class_base_init(ObjectClass *oc, void *data)
> diff --git a/hw/core/security-policy.c b/hw/core/security-policy.c
> new file mode 100644
> index 0000000..4d4658e
> --- /dev/null
> +++ b/hw/core/security-policy.c
> @@ -0,0 +1,165 @@
> +/*
> + * QEMU security policy support
> + *
> + * Copyright (c) 2016 Advanced Micro Devices
> + *
> + * Author:
> + * Brijesh Singh <brijesh.singh@amd.com>
> + *
> + * This library is free software; you can redistribute it and/or
> + * modify it under the terms of the GNU Lesser General Public
> + * License as published by the Free Software Foundation; either
> + * version 2 of the License, or (at your option) any later version.
> + *
> + * This library is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + * Lesser General Public License for more details.
> + *
> + * You should have received a copy of the GNU Lesser General Public
> + * License along with this library; if not, see <http://www.gnu.org/licenses/>.
> + *
> + */
> +
> +#include "qemu/osdep.h"
> +#include "qapi/error.h"
> +#include "qom/object_interfaces.h"
> +#include "qemu/base64.h"
> +
> +#include "sysemu/security-policy.h"
> +
> +static SecurityPolicy *
> +find_security_policy_obj(const char *name)
> +{
> + Object *obj;
> + SecurityPolicy *policy;
> +
> + if (!name) {
> + return NULL;
> + }
> +
> + obj = object_resolve_path_component(
> + object_get_objects_root(), name);
> + if (!obj) {
> + return NULL;
> + }
> +
> + policy = (SecurityPolicy *)
> + object_dynamic_cast(obj,
> + TYPE_SECURITY_POLICY);
> + if (!policy) {
> + return NULL;
> + }
> +
> + return policy;
> +}
> +
> +bool
> +security_policy_debug_allowed(const char *secure_policy_id)
> +{
> + SecurityPolicy *policy = find_security_policy_obj(secure_policy_id);
> +
> + /* if id is not a valid security policy then we return true */
> + return policy ? policy->debug : true;
> +}
> +
> +char *
> +security_policy_get_memory_encryption_id(const char *secure_policy_id)
> +{
> + SecurityPolicy *policy = find_security_policy_obj(secure_policy_id);
> +
> + return policy ? g_strdup(policy->memory_encryption) : NULL;
> +}
> +
> +static bool
> +security_policy_prop_get_debug(Object *obj,
> + Error **errp G_GNUC_UNUSED)
> +{
> + SecurityPolicy *policy = SECURITY_POLICY(obj);
> +
> + return policy->debug;
> +}
> +
> +
> +static void
> +security_policy_prop_set_debug(Object *obj,
> + bool value,
> + Error **errp G_GNUC_UNUSED)
> +{
> + SecurityPolicy *policy = SECURITY_POLICY(obj);
> +
> + policy->debug = value;
> +}
> +
> +static char *
> +sev_launch_get_memory_encryption(Object *obj, Error **errp)
> +{
> + SecurityPolicy *policy = SECURITY_POLICY(obj);
> +
> + return g_strdup(policy->memory_encryption);
> +}
> +
> +static void
> +sev_launch_set_memory_encryption(Object *obj, const char *value,
> + Error **errp)
> +{
> + SecurityPolicy *policy = SECURITY_POLICY(obj);
> +
> + policy->memory_encryption = g_strdup(value);
> +}
> +
> +static void
> +security_policy_init(Object *obj)
> +{
> + SecurityPolicy *policy = SECURITY_POLICY(obj);
> +
> + policy->debug = true;
> +}
> +
> +static void
> +security_policy_finalize(Object *obj)
> +{
> +}
> +
> +static void
> +security_policy_class_init(ObjectClass *oc, void *data)
> +{
> + object_class_property_add_bool(oc, "debug",
> + security_policy_prop_get_debug,
> + security_policy_prop_set_debug,
> + NULL);
> + object_class_property_set_description(oc, "debug",
> + "Set on/off if debugging is allowed on this guest (default on)",
> + NULL);
> + object_class_property_add_str(oc, "memory-encryption",
> + sev_launch_get_memory_encryption,
> + sev_launch_set_memory_encryption,
> + NULL);
> + object_class_property_set_description(oc, "memory-encryption",
> + "Set memory encryption object id (if supported by hardware)",
> + NULL);
> +}
> +
> +static const TypeInfo security_policy_info = {
> + .parent = TYPE_OBJECT,
> + .name = TYPE_SECURITY_POLICY,
> + .instance_size = sizeof(SecurityPolicy),
> + .instance_init = security_policy_init,
> + .instance_finalize = security_policy_finalize,
> + .class_size = sizeof(SecurityPolicyClass),
> + .class_init = security_policy_class_init,
> + .interfaces = (InterfaceInfo[]) {
> + { TYPE_USER_CREATABLE },
> + { }
> + }
> +};
> +
> +
> +static void
> +security_policy_register_types(void)
> +{
> + type_register_static(&security_policy_info);
> +}
> +
> +
> +type_init(security_policy_register_types);
> diff --git a/include/hw/boards.h b/include/hw/boards.h
> index 269d0ba..a1c99a0 100644
> --- a/include/hw/boards.h
> +++ b/include/hw/boards.h
> @@ -153,6 +153,7 @@ struct MachineState {
> /*< public >*/
>
> char *accel;
> + char *security_policy;
> bool kernel_irqchip_allowed;
> bool kernel_irqchip_required;
> bool kernel_irqchip_split;
> diff --git a/include/sysemu/security-policy.h b/include/sysemu/security-policy.h
> new file mode 100644
> index 0000000..6d3789d
> --- /dev/null
> +++ b/include/sysemu/security-policy.h
> @@ -0,0 +1,75 @@
> +/*
> + * QEMU security policy support
> + *
> + * Copyright (c) 2016 Advanced Micro Devices
> + *
> + * Author:
> + * Brijesh Singh <brijesh.singh@amd.com>
> + *
> + * This library is free software; you can redistribute it and/or
> + * modify it under the terms of the GNU Lesser General Public
> + * License as published by the Free Software Foundation; either
> + * version 2 of the License, or (at your option) any later version.
> + *
> + * This library is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + * Lesser General Public License for more details.
> + *
> + * You should have received a copy of the GNU Lesser General Public
> + * License along with this library; if not, see <http://www.gnu.org/licenses/>.
> + *
> + */
> +
> +#ifndef SECURITY_POLICY_H
> +#define SECURITY_POLICY_H
> +
> +#include "qom/object.h"
> +
> +#define TYPE_SECURITY_POLICY "security-policy"
> +#define SECURITY_POLICY(obj) \
> + OBJECT_CHECK(SecurityPolicy, (obj), TYPE_SECURITY_POLICY)
> +
> +typedef struct SecurityPolicy SecurityPolicy;
> +typedef struct SecurityPolicyClass SecurityPolicyClass;
> +
> +/**
> + * SecurityPolicy:
> + *
> + * The SecurityPolicy object provides method to define
> + * various security releated policies for guest machine.
> + *
> + * e.g
> + * When launching QEMU, user can create a security policy
> + * to disallow memory dump and debug of guest
> + *
> + * # $QEMU \
> + * -object security-policy,id=mypolicy,debug=off \
> + * -machine ...,security-policy=mypolicy
> + *
> + * If hardware supports memory encryption then user can set
> + * encryption policy of guest
> + *
> + * # $QEMU \
> + * -object encrypt-policy,key=xxx,flags=xxxx,id=encrypt \
> + * -object security-policy,debug=off,memory-encryption=encrypt,id=mypolicy \
> + * -machine ...,security-policy=mypolicy
> + *
> + */
> +
> +struct SecurityPolicy {
> + Object parent_obj;
> +
> + bool debug;
> + char *memory_encryption;
> +};
> +
> +
> +struct SecurityPolicyClass {
> + ObjectClass parent_class;
> +};
> +
> +bool security_policy_debug_allowed(const char *name);
> +char *security_policy_get_memory_encryption_id(const char *name);
> +
> +#endif /* SECURITY_POLICY_H */
> diff --git a/qemu-options.hx b/qemu-options.hx
> index 2292438..536db1b 100644
> --- a/qemu-options.hx
> +++ b/qemu-options.hx
> @@ -4140,6 +4140,27 @@ contents of @code{iv.b64} to the second secret
>
> @end table
>
> +@item -object security-policy,id=@var{id}[,debug=@var{bool}][,memory-encryption=@var{string}]
> +
> +Create a security policy object, which can be used to define guest security.
> +The id parameter is a unique ID that will be used to reference this
> +object when security-policy is applied via -machine argument.
> +
> +The 'debug' parameter can be defined to tell whether the debugging or memory
> +dump is allowed through qemu monitor console.
> +
> +e.g to disable the guest memory dump
> +@example
> + # $QEMU \
> + -object security-policy,id=secure0,debug=off \
> + -machine ...,security-policy=secure0
> +@end example
> +
> +if hardware support guest memory encrytion, then 'memory-encryption' parameter
> +can be set to the unquie ID of memory encryption object.
> +
> +On AMD processor, memory encryption is supported via 'sev-guest' object.
> +
> ETEXI
>
>
>
>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 455 bytes --]
next prev parent reply other threads:[~2017-03-23 11:35 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-03-08 20:51 [Qemu-devel] [RFC PATCH v4 00/20] x86: Secure Encrypted Virtualization (AMD) Brijesh Singh
2017-03-08 20:51 ` [Qemu-devel] [RFC PATCH v4 01/20] kvm: update kvm.h header file Brijesh Singh
2017-03-08 20:51 ` [Qemu-devel] [RFC PATCH v4 02/20] memattrs: add debug attribute Brijesh Singh
2017-03-23 11:29 ` Stefan Hajnoczi
2017-03-23 18:14 ` Brijesh Singh
2017-03-24 15:36 ` Stefan Hajnoczi
2017-03-24 16:43 ` Brijesh Singh
2017-03-08 20:51 ` [Qemu-devel] [RFC PATCH v4 03/20] exec: add guest RAM read and write ops Brijesh Singh
2017-03-08 20:51 ` [Qemu-devel] [RFC PATCH v4 04/20] exec: add debug version of physical memory read and write api Brijesh Singh
2017-03-08 20:51 ` [Qemu-devel] [RFC PATCH v4 05/20] monitor/i386: use debug apis when accessing guest memory Brijesh Singh
2017-03-08 20:52 ` [Qemu-devel] [RFC PATCH v4 06/20] core: add new security-policy object Brijesh Singh
2017-03-23 11:35 ` Stefan Hajnoczi [this message]
2017-03-23 18:59 ` Brijesh Singh
2017-03-24 15:40 ` Stefan Hajnoczi
2017-03-24 19:42 ` Brijesh Singh
2017-03-27 12:04 ` Stefan Hajnoczi
2017-03-27 16:11 ` Brijesh Singh
2017-03-08 20:52 ` [Qemu-devel] [RFC PATCH v4 07/20] kvm: add memory encryption api support Brijesh Singh
2017-03-08 21:06 ` Eduardo Habkost
2017-03-08 20:52 ` [Qemu-devel] [RFC PATCH v4 08/20] sev: add Secure Encrypted Virtulization (SEV) support Brijesh Singh
2017-03-08 20:52 ` [Qemu-devel] [RFC PATCH v4 09/20] hmp: display memory encryption support in 'info kvm' Brijesh Singh
2017-03-08 21:43 ` Eric Blake
2017-03-08 20:52 ` [Qemu-devel] [RFC PATCH v4 10/20] vl: add memory encryption support Brijesh Singh
2017-03-08 20:53 ` [Qemu-devel] [RFC PATCH v4 11/20] sev: add LAUNCH_START command Brijesh Singh
2017-03-08 21:13 ` Eduardo Habkost
2017-03-08 21:39 ` Brijesh Singh
2017-03-08 20:53 ` [Qemu-devel] [RFC PATCH v4 12/20] SEV: add GUEST_STATUS command Brijesh Singh
2017-03-08 20:53 ` [Qemu-devel] [RFC PATCH v4 13/20] sev: add LAUNCH_UPDATE_DATA command Brijesh Singh
2017-03-08 20:53 ` [Qemu-devel] [RFC PATCH v4 14/20] sev: add LAUNCH_FINISH command Brijesh Singh
2017-03-08 20:53 ` [Qemu-devel] [RFC PATCH v4 15/20] sev: add DEBUG_DECRYPT command Brijesh Singh
2017-03-08 20:53 ` [Qemu-devel] [RFC PATCH v4 16/20] sev: add DEBUG_ENCRYPT command Brijesh Singh
2017-03-08 20:54 ` [Qemu-devel] [RFC PATCH v4 17/20] target/i386: encrypt bios rom when memory encryption is enabled Brijesh Singh
2017-03-08 20:54 ` [Qemu-devel] [RFC PATCH v4 18/20] target/i386: add cpuid Fn8000_001f Brijesh Singh
2017-03-08 21:29 ` Eduardo Habkost
2017-03-08 20:54 ` [Qemu-devel] [RFC PATCH v4 19/20] target/i386: clear memory encryption bit when walking SEV guest page table Brijesh Singh
2017-03-08 20:54 ` [Qemu-devel] [RFC PATCH v4 20/20] migration: disable save/restore and migration when SEV is active Brijesh Singh
2017-03-08 21:32 ` Eduardo Habkost
2017-03-08 21:40 ` Brijesh Singh
2017-03-08 21:27 ` [Qemu-devel] [RFC PATCH v4 00/20] x86: Secure Encrypted Virtualization (AMD) Eduardo Habkost
2017-03-08 21:37 ` Brijesh Singh
2017-03-08 22:29 ` no-reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170323113517.GC12560@stefanha-x1.localdomain \
--to=stefanha@gmail.com \
--cc=Thomas.Lendacky@amd.com \
--cc=armbru@redhat.com \
--cc=brijesh.singh@amd.com \
--cc=crosthwaite.peter@gmail.com \
--cc=ehabkost@redhat.com \
--cc=lcapitulino@redhat.com \
--cc=mst@redhat.com \
--cc=p.fedin@samsung.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=rth@twiddle.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).