From: Paolo Bonzini <pbonzini@redhat.com>
To: qemu-devel@nongnu.org
Cc: michael.roth@amd.com, zixchen@redhat.com
Subject: [RFC PATCH 0/2] target/i386: SEV: allow running SNP guests with "-cpu host"
Date: Wed, 3 Jul 2024 13:01:32 +0200 [thread overview]
Message-ID: <20240703110134.1645979-1-pbonzini@redhat.com> (raw)
Some CPUID features may be provided by KVM for some guests, independent of
processor support, for example TSC deadline or TSC adjust. They are not going
to be present in named models unless the vendor implements them in hardware,
but they will be present in "-cpu host".
If these bits are not supported by the confidential computing firmware,
however, the guest will fail to start, and indeed this is a problem when
you run SNP guests with "-cpu host". This series fixes the issue.
However, I am marking this as RFC because it's not future proof.
If in the future AMD processors do provide any of these bits, this is
going to break (tsc_deadline and tsc_adjust are the most likely one).
Including the bits if they are present in host CPUID is not super safe
either, since the firmware might not be updated to follow suit.
Michael, any ideas? Is there a way for the host to retrieve the supported
CPUID bits for SEV-SNP guests?
One possibility is to set up a fake guest---either in QEMU or when KVM
starts---to do a LAUNCH_UPDATE for the CPUID page, but even that is not
perfect. For example, I got
> function 0x7, index: 0x0 provided: edx: 0xbc000010, expected: edx: 0x00000000
even though the FSRM bit (0x10) is supported. That might be just a
firmware bug however.
Paolo
Based-on: <20240627140628.1025317-1-pbonzini@redhat.com>
Paolo Bonzini (4):
target/i386: add support for masking CPUID features in confidential
guests
target/i386/SEV: implement mask_cpuid_features
target/i386/confidential-guest.h | 24 ++++++++++++++++++++++++
target/i386/cpu.c | 9 +++++++++
target/i386/cpu.h | 4 ++++
target/i386/kvm/kvm.c | 5 +++++
target/i386/sev.c | 33 +++++++++++++++++++++++++++++++++
5 files changed, 75 insertions(+)
--
2.45.2
next reply other threads:[~2024-07-03 11:02 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-07-03 11:01 Paolo Bonzini [this message]
2024-07-03 11:01 ` [RFC PATCH 1/2] target/i386: add support for masking CPUID features in confidential guests Paolo Bonzini
2024-07-03 11:01 ` [RFC PATCH 2/2] target/i386/SEV: implement mask_cpuid_features Paolo Bonzini
2024-07-04 0:26 ` [RFC PATCH 0/2] target/i386: SEV: allow running SNP guests with "-cpu host" Michael Roth
2024-07-04 5:46 ` Paolo Bonzini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240703110134.1645979-1-pbonzini@redhat.com \
--to=pbonzini@redhat.com \
--cc=michael.roth@amd.com \
--cc=qemu-devel@nongnu.org \
--cc=zixchen@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).