From: Dov Murik <dovmurik@linux.vnet.ibm.com>
To: qemu-devel@nongnu.org
Cc: Tom Lendacky <thomas.lendacky@amd.com>,
Ashish Kalra <ashish.kalra@amd.com>,
Brijesh Singh <brijesh.singh@amd.com>,
Juan Quintela <quintela@redhat.com>,
James Bottomley <jejb@linux.ibm.com>,
Jon Grimm <jon.grimm@amd.com>,
Tobin Feldman-Fitzthum <tobin@ibm.com>,
Dov Murik <dovmurik@linux.vnet.ibm.com>,
"Dr. David Alan Gilbert" <dgilbert@redhat.com>,
Hubertus Franke <frankeh@us.ibm.com>,
Tobin Feldman-Fitzthum <tobin@linux.ibm.com>
Subject: [RFC PATCH 13/26] migration: Add helpers to load confidential RAM
Date: Tue, 2 Mar 2021 15:48:09 -0500 [thread overview]
Message-ID: <20210302204822.81901-14-dovmurik@linux.vnet.ibm.com> (raw)
In-Reply-To: <20210302204822.81901-1-dovmurik@linux.vnet.ibm.com>
QEMU cannot write directly to the memory of memory-encrypted guests;
this breaks normal RAM-load in the migration target. Instead, QEMU
asks a migration helper running on an auxiliary vcpu in the guest to
restore encrypted pages as they were received from the source to a
specific GPA.
The migration helper running inside the guest can safely decrypt the
pages arrived from the source and load them into their proper location
in the guest's memory.
Loading pages uses the same shared (unencrypted) pages which both QEMU
and the guest can read from and write to.
Signed-off-by: Dov Murik <dovmurik@linux.vnet.ibm.com>
---
migration/confidential-ram.h | 2 ++
migration/confidential-ram.c | 37 ++++++++++++++++++++++++++++++++++++
migration/trace-events | 1 +
3 files changed, 40 insertions(+)
diff --git a/migration/confidential-ram.h b/migration/confidential-ram.h
index 0d49718d31..ebe4073bce 100644
--- a/migration/confidential-ram.h
+++ b/migration/confidential-ram.h
@@ -14,4 +14,6 @@ void cgs_mh_cleanup(void);
int cgs_mh_save_encrypted_page(QEMUFile *f, ram_addr_t src_gpa, uint32_t size,
uint64_t *bytes_sent);
+int cgs_mh_load_encrypted_page(QEMUFile *f, ram_addr_t dest_gpa);
+
#endif
diff --git a/migration/confidential-ram.c b/migration/confidential-ram.c
index 65a588e7f6..fe317ee74b 100644
--- a/migration/confidential-ram.c
+++ b/migration/confidential-ram.c
@@ -182,3 +182,40 @@ int cgs_mh_save_encrypted_page(QEMUFile *f, ram_addr_t src_gpa, uint32_t size,
return ret;
}
+
+int cgs_mh_load_encrypted_page(QEMUFile *f, ram_addr_t dest_gpa)
+{
+ int ret = 1;
+ uint32_t page_hdr_len, enc_page_len;
+
+ init_cgs_mig_helper_if_needed();
+
+ assert((dest_gpa & TARGET_PAGE_MASK) == dest_gpa);
+
+ /* Read page header */
+ page_hdr_len = qemu_get_be32(f);
+ if (page_hdr_len > 1024) {
+ error_report("confidential-ram: page header is too large (%d bytes) "
+ "when loading gpa %" PRIu64, page_hdr_len, dest_gpa);
+ return -EINVAL;
+ }
+ cmhs.io_page_hdr->len = page_hdr_len;
+ qemu_get_buffer(f, cmhs.io_page_hdr->data, page_hdr_len);
+
+ /* Read encrypted page */
+ enc_page_len = qemu_get_be32(f);
+ if (enc_page_len != TARGET_PAGE_SIZE) {
+ error_report("confidential-ram: encrypted page is too large (%d bytes) "
+ "when loading gpa %" PRIu64, enc_page_len, dest_gpa);
+ return -EINVAL;
+ }
+ qemu_get_buffer(f, cmhs.io_page, enc_page_len);
+
+ trace_encrypted_ram_load_page(page_hdr_len, enc_page_len, dest_gpa);
+ ret = send_command_to_cgs_mig_helper(CGS_MIG_HELPER_CMD_DECRYPT, dest_gpa);
+ if (ret) {
+ error_report("confidential-ram: failed loading page at dest_gpa "
+ "%" PRIu64 ": ret=%d", dest_gpa, ret);
+ }
+ return ret;
+}
diff --git a/migration/trace-events b/migration/trace-events
index 929de4ca98..ef31cf78cb 100644
--- a/migration/trace-events
+++ b/migration/trace-events
@@ -345,4 +345,5 @@ migration_pagecache_init(int64_t max_num_items) "Setting cache buckets to %" PRI
migration_pagecache_insert(void) "Error allocating page"
# confidential-ram.c
+encrypted_ram_load_page(uint32_t hdr_len, uint32_t trans_len, uint64_t gpa) "hdr_len: %u, trans_len: %u, gpa: 0x%" PRIx64
encrypted_ram_save_page(uint32_t size, uint64_t gpa) "size: %u, gpa: 0x%" PRIx64
--
2.20.1
next prev parent reply other threads:[~2021-03-02 21:00 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-02 20:47 [RFC PATCH 00/26] Confidential guest live migration Dov Murik
2021-03-02 20:47 ` [RFC PATCH 01/26] linux-headers: Add definitions of KVM page encryption bitmap ioctls Dov Murik
2021-03-02 20:47 ` [RFC PATCH 02/26] kvm: add support to sync the page encryption state bitmap Dov Murik
2021-03-02 20:47 ` [RFC PATCH 03/26] machine: Add auxcpus=N suboption to -smp Dov Murik
2021-03-02 20:48 ` [RFC PATCH 04/26] hw/boards: Add aux flag to CPUArchId Dov Murik
2021-03-02 20:48 ` [RFC PATCH 05/26] hw/i386: Mark auxiliary vcpus in possible_cpus Dov Murik
2021-03-02 20:48 ` [RFC PATCH 06/26] hw/acpi: Don't include auxiliary vcpus in ACPI tables Dov Murik
2021-03-02 20:48 ` [RFC PATCH 07/26] cpu: Add boolean aux field to CPUState Dov Murik
2021-03-02 20:48 ` [RFC PATCH 08/26] hw/i386: Set CPUState.aux=true for auxiliary vcpus Dov Murik
2021-03-02 20:48 ` [RFC PATCH 09/26] softmmu: Don't sync aux vcpus in pre_loadvm Dov Murik
2021-03-02 20:48 ` [RFC PATCH 10/26] softmmu: Add cpu_synchronize_without_aux_post_init Dov Murik
2021-03-02 20:48 ` [RFC PATCH 11/26] softmmu: Add pause_all_vcpus_except_aux Dov Murik
2021-03-02 20:48 ` [RFC PATCH 12/26] migration: Add helpers to save confidential RAM Dov Murik
2021-03-02 20:48 ` Dov Murik [this message]
2021-03-02 20:48 ` [RFC PATCH 14/26] migration: Introduce gpa_inside_migration_helper_shared_area Dov Murik
2021-03-02 20:48 ` [RFC PATCH 15/26] migration: Save confidential guest RAM using migration helper Dov Murik
2021-03-02 20:48 ` [RFC PATCH 16/26] migration: Load " Dov Murik
2021-03-02 20:48 ` [RFC PATCH 17/26] migration: Stop VM after loading confidential RAM Dov Murik
2021-03-02 20:48 ` [RFC PATCH 18/26] migration: Stop non-aux vcpus before copying the last pages Dov Murik
2021-03-02 20:48 ` [RFC PATCH 19/26] migration: Don't sync vcpus when migrating confidential guests Dov Murik
2021-03-02 20:48 ` [RFC PATCH 20/26] migration: When starting target, don't sync auxiliary vcpus Dov Murik
2021-03-02 20:48 ` [RFC PATCH 21/26] migration: Call migration handler cleanup routines Dov Murik
2021-03-02 20:48 ` [RFC PATCH 22/26] hw/isa/lpc_ich9: Allow updating an already-running VM Dov Murik
2021-03-02 20:48 ` [RFC PATCH 23/26] target/i386: Re-sync kvm-clock after confidential guest migration Dov Murik
2021-03-02 20:48 ` [RFC PATCH 24/26] migration: Add start-migrate-incoming QMP command Dov Murik
2021-03-02 20:48 ` [RFC PATCH 25/26] target/i386: SEV: Allow migration unless there are no aux vcpus Dov Murik
2021-03-02 20:48 ` [RFC PATCH 26/26] docs: Add confidential guest live migration documentation Dov Murik
2021-03-02 21:24 ` [RFC PATCH 00/26] Confidential guest live migration no-reply
2021-03-03 8:08 ` Dov Murik
2021-03-04 9:10 ` Paolo Bonzini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210302204822.81901-14-dovmurik@linux.vnet.ibm.com \
--to=dovmurik@linux.vnet.ibm.com \
--cc=ashish.kalra@amd.com \
--cc=brijesh.singh@amd.com \
--cc=dgilbert@redhat.com \
--cc=frankeh@us.ibm.com \
--cc=jejb@linux.ibm.com \
--cc=jon.grimm@amd.com \
--cc=qemu-devel@nongnu.org \
--cc=quintela@redhat.com \
--cc=thomas.lendacky@amd.com \
--cc=tobin@ibm.com \
--cc=tobin@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).