From: Brijesh Singh <brijesh.singh@amd.com>
To: qemu-devel@nongnu.org
Cc: Alistair Francis <alistair.francis@xilinx.com>,
Christian Borntraeger <borntraeger@de.ibm.com>,
Cornelia Huck <cornelia.huck@de.ibm.com>,
"Daniel P . Berrange" <berrange@redhat.com>,
"Dr. David Alan Gilbert" <dgilbert@redhat.com>,
"Michael S. Tsirkin" <mst@redhat.com>,
"Edgar E. Iglesias" <edgar.iglesias@xilinx.com>,
Eduardo Habkost <ehabkost@redhat.com>,
Eric Blake <eblake@redhat.com>,
kvm@vger.kernel.org, Marcel Apfelbaum <marcel@redhat.com>,
Markus Armbruster <armbru@redhat.com>,
Paolo Bonzini <pbonzini@redhat.com>,
Peter Crosthwaite <crosthwaite.peter@gmail.com>,
Peter Maydell <peter.maydell@linaro.org>,
Richard Henderson <richard.henderson@linaro.org>,
Stefan Hajnoczi <stefanha@gmail.com>,
Thomas Lendacky <Thomas.Lendacky@amd.com>,
Borislav Petkov <bp@suse.de>, Alexander Graf <agraf@suse.de>,
Bruce Rogers <brogers@suse.com>,
Brijesh Singh <brijesh.singh@amd.com>,
Richard Henderson <rth@twiddle.net>
Subject: [Qemu-devel] [PATCH v10 27/28] sev/i386: add sev_get_capabilities()
Date: Wed, 28 Feb 2018 15:10:27 -0600 [thread overview]
Message-ID: <20180228211028.83970-28-brijesh.singh@amd.com> (raw)
In-Reply-To: <20180228211028.83970-1-brijesh.singh@amd.com>
The function can be used to get the current SEV capabilities.
The capabilities include platform diffie-hellman key (pdh) and certificate
chain. The key can be provided to the external entities which wants to
establish a trusted channel between SEV firmware and guest owner.
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Richard Henderson <rth@twiddle.net>
Cc: Eduardo Habkost <ehabkost@redhat.com>
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
---
target/i386/monitor.c | 10 ++++++-
target/i386/sev-stub.c | 5 ++++
target/i386/sev.c | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++
target/i386/sev_i386.h | 1 +
4 files changed, 93 insertions(+), 1 deletion(-)
diff --git a/target/i386/monitor.c b/target/i386/monitor.c
index 1b55dd0fff88..b914915d9171 100644
--- a/target/i386/monitor.c
+++ b/target/i386/monitor.c
@@ -740,5 +740,13 @@ SevLaunchMeasureInfo *qmp_query_sev_launch_measure(Error **errp)
SevCapability *qmp_query_sev_capabilities(Error **errp)
{
- return NULL;
+ SevCapability *data;
+
+ data = sev_get_capabilities();
+ if (!data) {
+ error_setg(errp, "SEV feature is not available");
+ return NULL;
+ }
+
+ return data;
}
diff --git a/target/i386/sev-stub.c b/target/i386/sev-stub.c
index 2f61c32ec975..59a003a4ebe6 100644
--- a/target/i386/sev-stub.c
+++ b/target/i386/sev-stub.c
@@ -44,3 +44,8 @@ char *sev_get_launch_measurement(void)
{
return NULL;
}
+
+SevCapability *sev_get_capabilities(void)
+{
+ return NULL;
+}
diff --git a/target/i386/sev.c b/target/i386/sev.c
index ad94eeace1b0..20279177cdcd 100644
--- a/target/i386/sev.c
+++ b/target/i386/sev.c
@@ -421,6 +421,84 @@ sev_get_info(void)
return info;
}
+static int
+sev_get_pdh_info(int fd, guchar **pdh, size_t *pdh_len, guchar **cert_chain,
+ size_t *cert_chain_len)
+{
+ guchar *pdh_data, *cert_chain_data;
+ struct sev_user_data_pdh_cert_export export = {};
+ int err, r;
+
+ /* query the certificate length */
+ r = sev_platform_ioctl(fd, SEV_PDH_CERT_EXPORT, &export, &err);
+ if (r < 0) {
+ if (err != SEV_RET_INVALID_LEN) {
+ error_report("failed to export PDH cert ret=%d fw_err=%d (%s)",
+ r, err, fw_error_to_str(err));
+ return 1;
+ }
+ }
+
+ pdh_data = g_new(guchar, export.pdh_cert_len);
+ cert_chain_data = g_new(guchar, export.cert_chain_len);
+ export.pdh_cert_address = (unsigned long)pdh_data;
+ export.cert_chain_address = (unsigned long)cert_chain_data;
+
+ r = sev_platform_ioctl(fd, SEV_PDH_CERT_EXPORT, &export, &err);
+ if (r < 0) {
+ error_report("failed to export PDH cert ret=%d fw_err=%d (%s)",
+ r, err, fw_error_to_str(err));
+ goto e_free;
+ }
+
+ *pdh = pdh_data;
+ *pdh_len = export.pdh_cert_len;
+ *cert_chain = cert_chain_data;
+ *cert_chain_len = export.cert_chain_len;
+ return 0;
+
+e_free:
+ g_free(pdh_data);
+ g_free(cert_chain_data);
+ return 1;
+}
+
+SevCapability *
+sev_get_capabilities(void)
+{
+ SevCapability *cap;
+ guchar *pdh_data, *cert_chain_data;
+ size_t pdh_len = 0, cert_chain_len = 0;
+ uint32_t ebx;
+ int fd;
+
+ fd = open(DEFAULT_SEV_DEVICE, O_RDWR);
+ if (fd < 0) {
+ error_report("%s: Failed to open %s '%s'", __func__,
+ DEFAULT_SEV_DEVICE, strerror(errno));
+ return NULL;
+ }
+
+ if (sev_get_pdh_info(fd, &pdh_data, &pdh_len,
+ &cert_chain_data, &cert_chain_len)) {
+ return NULL;
+ }
+
+ cap = g_new0(SevCapability, 1);
+ cap->pdh = g_base64_encode(pdh_data, pdh_len);
+ cap->cert_chain = g_base64_encode(cert_chain_data, cert_chain_len);
+
+ host_cpuid(0x8000001F, 0, NULL, &ebx, NULL, NULL);
+ cap->cbitpos = ebx & 0x3f;
+ cap->reduced_phys_bits = (ebx >> 6) & 0x3f;
+
+ g_free(pdh_data);
+ g_free(cert_chain_data);
+
+ close(fd);
+ return cap;
+}
+
static int
sev_read_file_base64(const char *filename, guchar **data, gsize *len)
{
diff --git a/target/i386/sev_i386.h b/target/i386/sev_i386.h
index 2ecca66f6e64..cc89e273ccf6 100644
--- a/target/i386/sev_i386.h
+++ b/target/i386/sev_i386.h
@@ -43,6 +43,7 @@ extern SevInfo *sev_get_info(void);
extern uint32_t sev_get_cbit_position(void);
extern uint32_t sev_get_reduced_phys_bits(void);
extern char *sev_get_launch_measurement(void);
+extern SevCapability *sev_get_capabilities(void);
typedef struct QSevGuestInfo QSevGuestInfo;
typedef struct QSevGuestInfoClass QSevGuestInfoClass;
--
2.14.3
next prev parent reply other threads:[~2018-02-28 21:11 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-02-28 21:10 [Qemu-devel] [PATCH v10 00/29] x86: Secure Encrypted Virtualization (AMD) Brijesh Singh
2018-02-28 21:10 ` [Qemu-devel] [PATCH v10 01/28] memattrs: add debug attribute Brijesh Singh
2018-02-28 21:10 ` [Qemu-devel] [PATCH v10 02/28] exec: add ram_debug_ops support Brijesh Singh
2018-02-28 21:10 ` [Qemu-devel] [PATCH v10 03/28] exec: add debug version of physical memory read and write API Brijesh Singh
2018-02-28 21:10 ` [Qemu-devel] [PATCH v10 04/28] monitor/i386: use debug APIs when accessing guest memory Brijesh Singh
2018-02-28 21:10 ` [Qemu-devel] [PATCH v10 05/28] machine: add -memory-encryption property Brijesh Singh
2018-02-28 21:10 ` [Qemu-devel] [PATCH v10 06/28] kvm: update kvm.h to include memory encryption ioctls Brijesh Singh
2018-02-28 21:10 ` [Qemu-devel] [PATCH v10 07/28] docs: add AMD Secure Encrypted Virtualization (SEV) Brijesh Singh
2018-02-28 21:10 ` [Qemu-devel] [PATCH v10 08/28] target/i386: add Secure Encrypted Virtulization (SEV) object Brijesh Singh
2018-02-28 21:10 ` [Qemu-devel] [PATCH v10 09/28] qmp: add query-sev command Brijesh Singh
2018-03-01 20:09 ` Eric Blake
2018-02-28 21:10 ` [Qemu-devel] [PATCH v10 10/28] include: add psp-sev.h header file Brijesh Singh
2018-02-28 21:10 ` [Qemu-devel] [PATCH v10 11/28] sev/i386: add command to initialize the memory encryption context Brijesh Singh
2018-03-05 13:37 ` Laszlo Ersek
2018-03-07 13:19 ` Brijesh Singh
2018-02-28 21:10 ` [Qemu-devel] [PATCH v10 12/28] sev/i386: register the guest memory range which may contain encrypted data Brijesh Singh
2018-02-28 21:10 ` [Qemu-devel] [PATCH v10 13/28] kvm: introduce memory encryption APIs Brijesh Singh
2018-02-28 21:10 ` [Qemu-devel] [PATCH v10 14/28] hmp: add 'info sev' command Brijesh Singh
2018-03-02 11:31 ` Dr. David Alan Gilbert
2018-02-28 21:10 ` [Qemu-devel] [PATCH v10 15/28] sev/i386: add command to create launch memory encryption context Brijesh Singh
2018-02-28 21:10 ` [Qemu-devel] [PATCH v10 16/28] sev/i386: add command to encrypt guest memory region Brijesh Singh
2018-02-28 21:10 ` [Qemu-devel] [PATCH v10 17/28] target/i386: encrypt bios rom Brijesh Singh
2018-02-28 21:10 ` [Qemu-devel] [PATCH v10 18/28] sev/i386: add support to LAUNCH_MEASURE command Brijesh Singh
2018-02-28 21:10 ` [Qemu-devel] [PATCH v10 19/28] sev/i386: finalize the SEV guest launch flow Brijesh Singh
2018-02-28 21:10 ` [Qemu-devel] [PATCH v10 20/28] hw/i386: set ram_debug_ops when memory encryption is enabled Brijesh Singh
2018-02-28 21:10 ` [Qemu-devel] [PATCH v10 21/28] sev/i386: add debug encrypt and decrypt commands Brijesh Singh
2018-02-28 21:10 ` [Qemu-devel] [PATCH v10 22/28] target/i386: clear C-bit when walking SEV guest page table Brijesh Singh
2018-02-28 21:10 ` [Qemu-devel] [PATCH v10 23/28] qmp: add query-sev-launch-measure command Brijesh Singh
2018-03-01 20:11 ` Eric Blake
2018-02-28 21:10 ` [Qemu-devel] [PATCH v10 24/28] sev/i386: add migration blocker Brijesh Singh
2018-02-28 21:10 ` [Qemu-devel] [PATCH v10 25/28] cpu/i386: populate CPUID 0x8000_001F when SEV is active Brijesh Singh
2018-03-06 12:39 ` Eduardo Habkost
2018-02-28 21:10 ` [Qemu-devel] [PATCH v10 26/28] qmp: add query-sev-capabilities command Brijesh Singh
2018-03-01 20:13 ` Eric Blake
2018-03-05 17:35 ` Brijesh Singh
2018-02-28 21:10 ` Brijesh Singh [this message]
2018-02-28 21:10 ` [Qemu-devel] [PATCH v10 28/28] tests/qmp-test: blacklist sev specific qmp commands Brijesh Singh
2018-02-28 21:43 ` [Qemu-devel] [PATCH v10 00/29] x86: Secure Encrypted Virtualization (AMD) Brijesh Singh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180228211028.83970-28-brijesh.singh@amd.com \
--to=brijesh.singh@amd.com \
--cc=Thomas.Lendacky@amd.com \
--cc=agraf@suse.de \
--cc=alistair.francis@xilinx.com \
--cc=armbru@redhat.com \
--cc=berrange@redhat.com \
--cc=borntraeger@de.ibm.com \
--cc=bp@suse.de \
--cc=brogers@suse.com \
--cc=cornelia.huck@de.ibm.com \
--cc=crosthwaite.peter@gmail.com \
--cc=dgilbert@redhat.com \
--cc=eblake@redhat.com \
--cc=edgar.iglesias@xilinx.com \
--cc=ehabkost@redhat.com \
--cc=kvm@vger.kernel.org \
--cc=marcel@redhat.com \
--cc=mst@redhat.com \
--cc=pbonzini@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=qemu-devel@nongnu.org \
--cc=richard.henderson@linaro.org \
--cc=rth@twiddle.net \
--cc=stefanha@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).