From: Tobin Feldman-Fitzthum <tobin@linux.ibm.com>
To: tobin@linux.ibm.com
Cc: thomas.lendacky@amd.com, brijesh.singh@amd.com,
ehabkost@redhat.com, jejb@linux.ibm.com, tobin@ibm.com,
qemu-devel@nongnu.org, dgilbert@redhat.com, berrange@redhat.com,
pbonzini@redhat.com
Subject: Re: [PATCH v6] sev: add sev-inject-launch-secret
Date: Thu, 22 Oct 2020 01:37:13 -0400 [thread overview]
Message-ID: <ad82ca2244ec0c5d00fb0346da8c289b@linux.vnet.ibm.com> (raw)
In-Reply-To: <20201022041630.33690-1-tobin@linux.ibm.com>
On 2020-10-22 00:16, tobin@linux.ibm.com wrote:
> From: Tobin Feldman-Fitzthum <tobin@linux.ibm.com>
>
> AMD SEV allows a guest owner to inject a secret blob
> into the memory of a virtual machine. The secret is
> encrypted with the SEV Transport Encryption Key and
> integrity is guaranteed with the Transport Integrity
> Key. Although QEMU facilitates the injection of the
> launch secret, it cannot access the secret.
>
> Signed-off-by: Tobin Feldman-Fitzthum <tobin@linux.ibm.com>
> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
> Reviewed-by: Brijesh Singh <brijesh.singh@amd.com>
> ---
> include/monitor/monitor.h | 3 ++
> include/sysemu/sev.h | 2 ++
> monitor/misc.c | 13 +++++---
> qapi/misc-target.json | 18 +++++++++++
> target/i386/monitor.c | 7 +++++
> target/i386/sev-stub.c | 5 +++
> target/i386/sev.c | 65 +++++++++++++++++++++++++++++++++++++++
> target/i386/trace-events | 1 +
> 8 files changed, 110 insertions(+), 4 deletions(-)
>
> diff --git a/include/monitor/monitor.h b/include/monitor/monitor.h
> index 348bfad3d5..af3887bb71 100644
> --- a/include/monitor/monitor.h
> +++ b/include/monitor/monitor.h
> @@ -4,6 +4,7 @@
> #include "block/block.h"
> #include "qapi/qapi-types-misc.h"
> #include "qemu/readline.h"
> +#include "include/exec/hwaddr.h"
>
> typedef struct MonitorHMP MonitorHMP;
> typedef struct MonitorOptions MonitorOptions;
> @@ -37,6 +38,8 @@ void monitor_flush(Monitor *mon);
> int monitor_set_cpu(Monitor *mon, int cpu_index);
> int monitor_get_cpu_index(Monitor *mon);
>
> +void *gpa2hva(MemoryRegion **p_mr, hwaddr addr, uint64_t size, Error
> **errp);
> +
> void monitor_read_command(MonitorHMP *mon, int show_prompt);
> int monitor_read_password(MonitorHMP *mon, ReadLineFunc
> *readline_func,
> void *opaque);
> diff --git a/include/sysemu/sev.h b/include/sysemu/sev.h
> index 98c1ec8d38..7ab6e3e31d 100644
> --- a/include/sysemu/sev.h
> +++ b/include/sysemu/sev.h
> @@ -18,4 +18,6 @@
>
> void *sev_guest_init(const char *id);
> int sev_encrypt_data(void *handle, uint8_t *ptr, uint64_t len);
> +int sev_inject_launch_secret(const char *hdr, const char *secret,
> + uint64_t gpa, Error **errp);
> #endif
> diff --git a/monitor/misc.c b/monitor/misc.c
> index 4a859fb24a..dd148be5da 100644
> --- a/monitor/misc.c
> +++ b/monitor/misc.c
> @@ -667,10 +667,10 @@ static void hmp_physical_memory_dump(Monitor
> *mon, const QDict *qdict)
> memory_dump(mon, count, format, size, addr, 1);
> }
>
> -static void *gpa2hva(MemoryRegion **p_mr, hwaddr addr, Error **errp)
> +void *gpa2hva(MemoryRegion **p_mr, hwaddr addr, uint64_t size, Error
> **errp)
> {
> MemoryRegionSection mrs = memory_region_find(get_system_memory(),
> - addr, 1);
> + addr, size);
>
> if (!mrs.mr) {
> error_setg(errp, "No memory is mapped at address 0x%"
> HWADDR_PRIx, addr);
> @@ -683,6 +683,11 @@ static void *gpa2hva(MemoryRegion **p_mr, hwaddr
> addr, Error **errp)
> return NULL;
> }
>
> + if (mrs.size < size) {
> + error_setg(errp, "Size of memory region at 0x%" HWADDR_PRIx
> + " exceeded.", addr);
> + }
> +
Forgot to return :( Will update.
> *p_mr = mrs.mr;
> return qemu_map_ram_ptr(mrs.mr->ram_block,
> mrs.offset_within_region);
> }
> @@ -694,7 +699,7 @@ static void hmp_gpa2hva(Monitor *mon, const QDict
> *qdict)
> MemoryRegion *mr = NULL;
> void *ptr;
>
> - ptr = gpa2hva(&mr, addr, &local_err);
> + ptr = gpa2hva(&mr, addr, 1, &local_err);
> if (local_err) {
> error_report_err(local_err);
> return;
> @@ -770,7 +775,7 @@ static void hmp_gpa2hpa(Monitor *mon, const QDict
> *qdict)
> void *ptr;
> uint64_t physaddr;
>
> - ptr = gpa2hva(&mr, addr, &local_err);
> + ptr = gpa2hva(&mr, addr, 1, &local_err);
> if (local_err) {
> error_report_err(local_err);
> return;
> diff --git a/qapi/misc-target.json b/qapi/misc-target.json
> index 1e561fa97b..4486a543ae 100644
> --- a/qapi/misc-target.json
> +++ b/qapi/misc-target.json
> @@ -201,6 +201,24 @@
> { 'command': 'query-sev-capabilities', 'returns': 'SevCapability',
> 'if': 'defined(TARGET_I386)' }
>
> +##
> +# @sev-inject-launch-secret:
> +#
> +# This command injects a secret blob into memory of SEV guest.
> +#
> +# @packet-header: the launch secret packet header encoded in base64
> +#
> +# @secret: the launch secret data to be injected encoded in base64
> +#
> +# @gpa: the guest physical address where secret will be injected.
> +#
> +# Since: 5.2
> +#
> +##
> +{ 'command': 'sev-inject-launch-secret',
> + 'data': { 'packet-header': 'str', 'secret': 'str', 'gpa': 'uint64'
> },
> + 'if': 'defined(TARGET_I386)' }
> +
> ##
> # @dump-skeys:
> #
> diff --git a/target/i386/monitor.c b/target/i386/monitor.c
> index 7abae3c8df..f9d4951465 100644
> --- a/target/i386/monitor.c
> +++ b/target/i386/monitor.c
> @@ -728,3 +728,10 @@ SevCapability *qmp_query_sev_capabilities(Error
> **errp)
> {
> return sev_get_capabilities(errp);
> }
> +
> +void qmp_sev_inject_launch_secret(const char *packet_hdr,
> + const char *secret, uint64_t gpa,
> + Error **errp)
> +{
> + sev_inject_launch_secret(packet_hdr, secret, gpa, errp);
> +}
> diff --git a/target/i386/sev-stub.c b/target/i386/sev-stub.c
> index 88e3f39a1e..c1fecc2101 100644
> --- a/target/i386/sev-stub.c
> +++ b/target/i386/sev-stub.c
> @@ -49,3 +49,8 @@ SevCapability *sev_get_capabilities(Error **errp)
> error_setg(errp, "SEV is not available in this QEMU");
> return NULL;
> }
> +int sev_inject_launch_secret(const char *hdr, const char *secret,
> + uint64_t gpa, Error **errp)
> +{
> + return 1;
> +}
> diff --git a/target/i386/sev.c b/target/i386/sev.c
> index 93c4d60b82..1546606811 100644
> --- a/target/i386/sev.c
> +++ b/target/i386/sev.c
> @@ -29,6 +29,8 @@
> #include "trace.h"
> #include "migration/blocker.h"
> #include "qom/object.h"
> +#include "exec/address-spaces.h"
> +#include "monitor/monitor.h"
>
> #define TYPE_SEV_GUEST "sev-guest"
> OBJECT_DECLARE_SIMPLE_TYPE(SevGuestState, SEV_GUEST)
> @@ -785,6 +787,69 @@ sev_encrypt_data(void *handle, uint8_t *ptr,
> uint64_t len)
> return 0;
> }
>
> +int sev_inject_launch_secret(const char *packet_hdr, const char
> *secret,
> + uint64_t gpa, Error **errp)
> +{
> + struct kvm_sev_launch_secret input;
> + g_autofree guchar *data = NULL, *hdr = NULL;
> + int error, ret = 1;
> + void *hva;
> + gsize hdr_sz = 0, data_sz = 0;
> + MemoryRegion *mr = NULL;
> +
> + if (!sev_guest) {
> + error_setg(errp, "SEV: SEV not enabled.");
> + return 1;
> + }
> +
> + /* secret can be injected only in this state */
> + if (!sev_check_state(sev_guest, SEV_STATE_LAUNCH_SECRET)) {
> + error_setg(errp, "SEV: Not in correct state. (LSECRET) %x",
> + sev_guest->state);
> + return 1;
> + }
> +
> + hdr = g_base64_decode(packet_hdr, &hdr_sz);
> + if (!hdr || !hdr_sz) {
> + error_setg(errp, "SEV: Failed to decode sequence header");
> + return 1;
> + }
> +
> + data = g_base64_decode(secret, &data_sz);
> + if (!data || !data_sz) {
> + error_setg(errp, "SEV: Failed to decode data");
> + return 1;
> + }
> +
> + hva = gpa2hva(&mr, gpa, data_sz, errp);
> + if (!hva) {
> + error_prepend(errp, "SEV: Failed to calculate guest address:
> ");
> + return 1;
> + }
> +
> + input.hdr_uaddr = (uint64_t)(unsigned long)hdr;
> + input.hdr_len = hdr_sz;
> +
> + input.trans_uaddr = (uint64_t)(unsigned long)data;
> + input.trans_len = data_sz;
> +
> + input.guest_uaddr = (uint64_t)(unsigned long)hva;
> + input.guest_len = data_sz;
> +
> + trace_kvm_sev_launch_secret(gpa, input.guest_uaddr,
> + input.trans_uaddr, input.trans_len);
> +
> + ret = sev_ioctl(sev_guest->sev_fd, KVM_SEV_LAUNCH_SECRET,
> + &input, &error);
> + if (ret) {
> + error_setg(errp, "SEV: failed to inject secret ret=%d
> fw_error=%d '%s'",
> + ret, error, fw_error_to_str(error));
> + return ret;
> + }
> +
> + return 0;
> +}
> +
> static void
> sev_register_types(void)
> {
> diff --git a/target/i386/trace-events b/target/i386/trace-events
> index 789c700d4a..9f299e94a2 100644
> --- a/target/i386/trace-events
> +++ b/target/i386/trace-events
> @@ -15,3 +15,4 @@ kvm_sev_launch_start(int policy, void *session, void
> *pdh) "policy 0x%x session
> kvm_sev_launch_update_data(void *addr, uint64_t len) "addr %p len 0x%"
> PRIu64
> kvm_sev_launch_measurement(const char *value) "data %s"
> kvm_sev_launch_finish(void) ""
> +kvm_sev_launch_secret(uint64_t hpa, uint64_t hva, uint64_t secret,
> int len) "hpa 0x%" PRIx64 " hva 0x%" PRIx64 " data 0x%" PRIx64 " len
> %d"
prev parent reply other threads:[~2020-10-22 5:38 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-22 4:16 [PATCH v6] sev: add sev-inject-launch-secret tobin
2020-10-22 5:37 ` Tobin Feldman-Fitzthum [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ad82ca2244ec0c5d00fb0346da8c289b@linux.vnet.ibm.com \
--to=tobin@linux.ibm.com \
--cc=berrange@redhat.com \
--cc=brijesh.singh@amd.com \
--cc=dgilbert@redhat.com \
--cc=ehabkost@redhat.com \
--cc=jejb@linux.ibm.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=thomas.lendacky@amd.com \
--cc=tobin@ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).