[Qemu-devel] [PATCH v5 14/23] sev: add command to create launch memory e
From: |
Brijesh Singh |
Subject: |
[Qemu-devel] [PATCH v5 14/23] sev: add command to create launch memory encryption context |
Date: |
Wed, 6 Dec 2017 14:03:37 -0600 |
The KVM_SEV_LAUNCH_START command creates a new VM encryption key (VEK).
The encryption key created with the command will be used for encrypting
the bootstrap images (such as guest bios).
Cc: Paolo Bonzini <address@hidden>
Cc: address@hidden
Signed-off-by: Brijesh Singh <address@hidden>
---
accel/kvm/sev.c | 86 ++++++++++++++++++++++++++++++++++++++++++++++++++++
include/sysemu/sev.h | 11 +++++++
2 files changed, 97 insertions(+)
diff --git a/accel/kvm/sev.c b/accel/kvm/sev.c
index 7b5318993969..74eb67526bd0 100644
--- a/accel/kvm/sev.c
+++ b/accel/kvm/sev.c
@@ -22,6 +22,15 @@
#define DEFAULT_GUEST_POLICY 0x1 /* disable debug */
#define DEFAULT_SEV_DEVICE "/dev/sev"
+#define DEBUG_SEV
+#ifdef DEBUG_SEV
+#define DPRINTF(fmt, ...) \
+ do { fprintf(stderr, fmt, ## __VA_ARGS__); } while (0)
+#else
+#define DPRINTF(fmt, ...) \
+ do { } while (0)
+#endif
+
static int sev_fd;
#define SEV_FW_MAX_ERROR 0x17
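Review bot: `#define DEBUG_SEV` on the line before the `#ifdef DEBUG_SEV` block switches the stderr tracing on for every build, so the `#else` branch is dead and the launch flow will print diagnostics in production unless someone remembers to delete the define. Either drop the unconditional define and let the build pass `-DDEBUG_SEV`, or guard it: `#ifndef DEBUG_SEV` / `/* #define DEBUG_SEV */` so the default is silent. The later `DPRINTF("SEV: LAUNCH_START\n")` call in this patch depends on this choice.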
@@ -288,6 +297,77 @@ lookup_sev_guest_info(const char *id)
return info;
}
+static int
+sev_read_file_base64(const char *filename, guchar **data, gsize *len)
+{
+ gsize sz;
+ gchar *base64;
+ GError *error = NULL;
+
+ if (!g_file_get_contents(filename, &base64, &sz, &error)) {
+ error_report("failed to read '%s' (%s)", filename, error->message);
+ return -1;
+ }
+
+ *data = g_base64_decode(base64, len);
+ return 0;
+}
+
+static int
+sev_launch_start(SEVState *s)
+{
+ gsize sz;
+ int ret = 1;
+ int fw_error;
+ QSevGuestInfo *sev = s->sev_info;
+ struct kvm_sev_launch_start *start;
+ guchar *session = NULL, *dh_cert = NULL;
+
+ start = g_malloc0(sizeof(*start));
+ if (!start) {
+ return 1;
+ }
+
+ start->handle = object_property_get_int(OBJECT(sev), "handle",
+ &error_abort);
+ start->policy = object_property_get_int(OBJECT(sev), "policy",
+ &error_abort);
+ if (sev->session_file) {
+ if (sev_read_file_base64(sev->session_file, &session, &sz) < 0) {
+ return 1;
+ }
+ start->session_uaddr = (unsigned long)session;
+ start->session_len = sz;
+ }
+
+ if (sev->dh_cert_file) {
+ if (sev_read_file_base64(sev->dh_cert_file, &dh_cert, &sz) < 0) {
+ return 1;
+ }
+ start->dh_uaddr = (unsigned long)dh_cert;
+ start->dh_len = sz;
+ }
+
+ ret = sev_ioctl(KVM_SEV_LAUNCH_START, start, &fw_error);
+ if (ret < 0) {
+ error_report("%s: LAUNCH_START ret=%d fw_error=%d '%s'",
+ __func__, ret, fw_error, fw_error_to_str(fw_error));
+ return 1;
+ }
+
+ DPRINTF("SEV: LAUNCH_START\n");
+
+ object_property_set_int(OBJECT(sev), start->handle, "handle",
+ &error_abort);
+ s->cur_state = SEV_STATE_LUPDATE;
+
+ g_free(start);
+ g_free(session);
+ g_free(dh_cert);
+
+ return 0;
+}
+
void *
sev_guest_init(const char *id)
{
@@ -323,6 +403,12 @@ sev_guest_init(const char *id)
goto err;
}
+ ret = sev_launch_start(s);
+ if (ret) {
+ error_report("%s: failed to create encryption context", __func__);
+ goto err;
+ }
+
ram_block_notifier_add(&sev_ram_notifier);
return s;
diff --git a/include/sysemu/sev.h b/include/sysemu/sev.h
index f85517c0b5b5..45b464cc96f5 100644
--- a/include/sysemu/sev.h
+++ b/include/sysemu/sev.h
@@ -51,8 +51,19 @@ struct QSevGuestInfoClass {
ObjectClass parent_class;
};
+enum {
+ SEV_STATE_INVALID = 0,
+ SEV_STATE_LUPDATE,
+ SEV_STATE_SECRET,
+ SEV_STATE_RUNNING,
+ SEV_STATE_SENDING,
+ SEV_STATE_RECEIVING,
+ SEV_STATE_MAX
+};
+
struct SEVState {
QSevGuestInfo *sev_info;
+ int cur_state;
};
typedef struct SEVState SEVState;
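Review bot: The new state enum is anonymous and undocumented, and `cur_state` is a plain `int`, so nothing ties the field to the constants that are meant to populate it or says what the transitions are. A comment above the enum would help, for example `/* Launch-flow states recorded in SEVState::cur_state; a guest starts in SEV_STATE_INVALID and moves to SEV_STATE_LUPDATE once LAUNCH_START succeeds. */`, with the later states described as each command that sets them lands in this series. Giving the enum a tag and declaring `cur_state` with that type would also let the compiler warn on `switch` statements that miss a state.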
--
2.9.5