From: Brijesh Singh <brijesh.singh@amd.com>
To: qemu-devel@nongnu.org
Cc: Alistair Francis <alistair.francis@xilinx.com>,
Christian Borntraeger <borntraeger@de.ibm.com>,
Cornelia Huck <cornelia.huck@de.ibm.com>,
"Daniel P . Berrange" <berrange@redhat.com>,
"Dr. David Alan Gilbert" <dgilbert@redhat.com>,
"Edgar E . Iglesias " <edgar.iglesias@xilinx.com>,
Eduardo Habkost <ehabkost@redhat.com>,
Eric Blake <eblake@redhat.com>,
kvm@vger.kernel.org, Marcel Apfelbaum <marcel@redhat.com>,
Markus Armbruster <armbru@redhat.com>,
"Michael S. Tsirkin" <mst@redhat.com>,
Paolo Bonzini <pbonzini@redhat.com>,
Peter Crosthwaite <crosthwaite.peter@gmail.com>,
Peter Maydell <peter.maydell@linaro.org>,
Richard Henderson <richard.henderson@linaro.org>,
Richard Henderson <rth@twiddle.net>,
Stefan Hajnoczi <stefanha@gmail.com>,
Thomas Lendacky <Thomas.Lendacky@amd.com>,
Borislav Petkov <bp@suse.de>,
Brijesh Singh <brijesh.singh@amd.com>
Subject: [Qemu-devel] [PATCH v5 14/23] sev: add command to create launch memory encryption context
Date: Wed, 6 Dec 2017 14:03:37 -0600 [thread overview]
Message-ID: <20171206200346.116537-15-brijesh.singh@amd.com> (raw)
In-Reply-To: <20171206200346.116537-1-brijesh.singh@amd.com>
The KVM_SEV_LAUNCH_START command creates a new VM encryption key (VEK).
The encryption key created with the command will be used for encrypting
the bootstrap images (such as guest bios).
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: kvm@vger.kernel.org
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
---
accel/kvm/sev.c | 86 ++++++++++++++++++++++++++++++++++++++++++++++++++++
include/sysemu/sev.h | 11 +++++++
2 files changed, 97 insertions(+)
diff --git a/accel/kvm/sev.c b/accel/kvm/sev.c
index 7b5318993969..74eb67526bd0 100644
--- a/accel/kvm/sev.c
+++ b/accel/kvm/sev.c
@@ -22,6 +22,15 @@
#define DEFAULT_GUEST_POLICY 0x1 /* disable debug */
#define DEFAULT_SEV_DEVICE "/dev/sev"
+#define DEBUG_SEV
+#ifdef DEBUG_SEV
+#define DPRINTF(fmt, ...) \
+ do { fprintf(stderr, fmt, ## __VA_ARGS__); } while (0)
+#else
+#define DPRINTF(fmt, ...) \
+ do { } while (0)
+#endif
+
static int sev_fd;
#define SEV_FW_MAX_ERROR 0x17
@@ -288,6 +297,77 @@ lookup_sev_guest_info(const char *id)
return info;
}
+static int
+sev_read_file_base64(const char *filename, guchar **data, gsize *len)
+{
+ gsize sz;
+ gchar *base64;
+ GError *error = NULL;
+
+ if (!g_file_get_contents(filename, &base64, &sz, &error)) {
+ error_report("failed to read '%s' (%s)", filename, error->message);
+ return -1;
+ }
+
+ *data = g_base64_decode(base64, len);
+ return 0;
+}
+
+static int
+sev_launch_start(SEVState *s)
+{
+ gsize sz;
+ int ret = 1;
+ int fw_error;
+ QSevGuestInfo *sev = s->sev_info;
+ struct kvm_sev_launch_start *start;
+ guchar *session = NULL, *dh_cert = NULL;
+
+ start = g_malloc0(sizeof(*start));
+ if (!start) {
+ return 1;
+ }
+
+ start->handle = object_property_get_int(OBJECT(sev), "handle",
+ &error_abort);
+ start->policy = object_property_get_int(OBJECT(sev), "policy",
+ &error_abort);
+ if (sev->session_file) {
+ if (sev_read_file_base64(sev->session_file, &session, &sz) < 0) {
+ return 1;
+ }
+ start->session_uaddr = (unsigned long)session;
+ start->session_len = sz;
+ }
+
+ if (sev->dh_cert_file) {
+ if (sev_read_file_base64(sev->dh_cert_file, &dh_cert, &sz) < 0) {
+ return 1;
+ }
+ start->dh_uaddr = (unsigned long)dh_cert;
+ start->dh_len = sz;
+ }
+
+ ret = sev_ioctl(KVM_SEV_LAUNCH_START, start, &fw_error);
+ if (ret < 0) {
+ error_report("%s: LAUNCH_START ret=%d fw_error=%d '%s'",
+ __func__, ret, fw_error, fw_error_to_str(fw_error));
+ return 1;
+ }
+
+ DPRINTF("SEV: LAUNCH_START\n");
+
+ object_property_set_int(OBJECT(sev), start->handle, "handle",
+ &error_abort);
+ s->cur_state = SEV_STATE_LUPDATE;
+
+ g_free(start);
+ g_free(session);
+ g_free(dh_cert);
+
+ return 0;
+}
+
void *
sev_guest_init(const char *id)
{
@@ -323,6 +403,12 @@ sev_guest_init(const char *id)
goto err;
}
+ ret = sev_launch_start(s);
+ if (ret) {
+ error_report("%s: failed to create encryption context", __func__);
+ goto err;
+ }
+
ram_block_notifier_add(&sev_ram_notifier);
return s;
diff --git a/include/sysemu/sev.h b/include/sysemu/sev.h
index f85517c0b5b5..45b464cc96f5 100644
--- a/include/sysemu/sev.h
+++ b/include/sysemu/sev.h
@@ -51,8 +51,19 @@ struct QSevGuestInfoClass {
ObjectClass parent_class;
};
+enum {
+ SEV_STATE_INVALID = 0,
+ SEV_STATE_LUPDATE,
+ SEV_STATE_SECRET,
+ SEV_STATE_RUNNING,
+ SEV_STATE_SENDING,
+ SEV_STATE_RECEIVING,
+ SEV_STATE_MAX
+};
+
struct SEVState {
QSevGuestInfo *sev_info;
+ int cur_state;
};
typedef struct SEVState SEVState;
--
2.9.5
next prev parent reply other threads:[~2017-12-06 20:04 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-12-06 20:03 [Qemu-devel] [PATCH v5 00/23] x86: Secure Encrypted Virtualization (AMD) Brijesh Singh
2017-12-06 20:03 ` [Qemu-devel] [PATCH v5 01/23] memattrs: add debug attribute Brijesh Singh
2017-12-06 22:03 ` Peter Maydell
2017-12-07 21:20 ` Brijesh Singh
2017-12-08 9:55 ` Peter Maydell
2017-12-08 10:24 ` Edgar E. Iglesias
2017-12-08 22:57 ` Brijesh Singh
2017-12-06 20:03 ` [Qemu-devel] [PATCH v5 02/23] exec: add ram_debug_ops support Brijesh Singh
2017-12-06 20:03 ` [Qemu-devel] [PATCH v5 03/23] exec: add debug version of physical memory read and write API Brijesh Singh
2017-12-06 20:03 ` [Qemu-devel] [PATCH v5 04/23] monitor/i386: use debug APIs when accessing guest memory Brijesh Singh
2017-12-06 20:03 ` [Qemu-devel] [PATCH v5 05/23] target/i386: add memory encryption feature cpuid support Brijesh Singh
2017-12-06 20:03 ` [Qemu-devel] [PATCH v5 06/23] machine: add -memory-encryption property Brijesh Singh
2017-12-06 20:03 ` [Qemu-devel] [PATCH v5 07/23] kvm: update kvm.h to include memory encryption ioctls Brijesh Singh
2017-12-06 20:03 ` [Qemu-devel] [PATCH v5 08/23] docs: add AMD Secure Encrypted Virtualization (SEV) Brijesh Singh
2017-12-06 20:03 ` [Qemu-devel] [PATCH v5 09/23] accel: add Secure Encrypted Virtulization (SEV) object Brijesh Singh
2017-12-06 20:03 ` [Qemu-devel] [PATCH v5 10/23] sev: add command to initialize the memory encryption context Brijesh Singh
2017-12-06 20:03 ` [Qemu-devel] [PATCH v5 11/23] sev: register the guest memory range which may contain encrypted data Brijesh Singh
2017-12-06 20:03 ` [Qemu-devel] [PATCH v5 12/23] kvm: introduce memory encryption APIs Brijesh Singh
2017-12-06 20:03 ` [Qemu-devel] [PATCH v5 13/23] hmp: display memory encryption support in 'info kvm' Brijesh Singh
2017-12-06 20:03 ` Brijesh Singh [this message]
2017-12-06 20:03 ` [Qemu-devel] [PATCH v5 15/23] sev: add command to encrypt guest memory region Brijesh Singh
2017-12-06 20:03 ` [Qemu-devel] [PATCH v5 16/23] target/i386: encrypt bios rom Brijesh Singh
2017-12-06 20:03 ` [Qemu-devel] [PATCH v5 17/23] qapi: add SEV_MEASUREMENT event Brijesh Singh
2017-12-06 20:03 ` [Qemu-devel] [PATCH v5 18/23] sev: emit the " Brijesh Singh
2017-12-06 20:03 ` [Qemu-devel] [PATCH v5 19/23] sev: Finalize the SEV guest launch flow Brijesh Singh
2017-12-06 20:03 ` [Qemu-devel] [PATCH v5 20/23] hw: i386: set ram_debug_ops when memory encryption is enabled Brijesh Singh
2017-12-06 20:03 ` [Qemu-devel] [PATCH v5 21/23] sev: add debug encrypt and decrypt commands Brijesh Singh
2017-12-06 20:03 ` [Qemu-devel] [PATCH v5 22/23] target/i386: clear C-bit when walking SEV guest page table Brijesh Singh
2017-12-06 20:03 ` [Qemu-devel] [PATCH v5 23/23] sev: add migration blocker Brijesh Singh
2017-12-07 11:03 ` Dr. David Alan Gilbert
2017-12-07 11:10 ` Peter Maydell
2017-12-07 11:27 ` Dr. David Alan Gilbert
2017-12-07 21:25 ` Brijesh Singh
2017-12-07 22:50 ` Brijesh Singh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171206200346.116537-15-brijesh.singh@amd.com \
--to=brijesh.singh@amd.com \
--cc=Thomas.Lendacky@amd.com \
--cc=alistair.francis@xilinx.com \
--cc=armbru@redhat.com \
--cc=berrange@redhat.com \
--cc=borntraeger@de.ibm.com \
--cc=bp@suse.de \
--cc=cornelia.huck@de.ibm.com \
--cc=crosthwaite.peter@gmail.com \
--cc=dgilbert@redhat.com \
--cc=eblake@redhat.com \
--cc=edgar.iglesias@xilinx.com \
--cc=ehabkost@redhat.com \
--cc=kvm@vger.kernel.org \
--cc=marcel@redhat.com \
--cc=mst@redhat.com \
--cc=pbonzini@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=qemu-devel@nongnu.org \
--cc=richard.henderson@linaro.org \
--cc=rth@twiddle.net \
--cc=stefanha@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).