
[kvm-unit-tests,RFC,06/13] x86 AMD SEV-SNP: Add tests for presence of confidential computing blob

Message ID 20240419125759.242870-7-papaluri@amd.com (mailing list archive)
State New, archived
Series Introduce SEV-SNP Support | expand

Commit Message

Paluri, PavanKumar April 19, 2024, 12:57 p.m. UTC
Add support to enable search for confidential computing blob in the EFI
system configuration table for KVM-Unit-Tests.

The SEV-SNP Confidential Computing (CC) blob (GHCB spec, Table-5) contains
metadata that needs to remain accessible during the guest's lifetime.
The metadata contains information on SNP reserved pages such as pointers
to SNP secrets page and SNP CPUID table.

Having access to the SNP CPUID table aids in providing CPUID #VC handler
support. Also, determining the presence of the SNP CC blob in the KUT guest
verifies whether OVMF has properly provided the CC blob to the guest via
the system configuration table.

Put out a warning message in case the CC blob is not found.

Import the definitions of CC_BLOB_SEV_HDR_MAGIC and cc_blob_sev_info
structure from upstream linux (arch/x86/include/asm/sev.h).

Signed-off-by: Pavan Kumar Paluri <papaluri@amd.com>
---
 lib/linux/efi.h   |  1 +
 lib/x86/amd_sev.h | 18 ++++++++++++++++++
 x86/amd_sev.c     | 30 ++++++++++++++++++++++++++++++
 3 files changed, 49 insertions(+)

Patch

diff --git a/lib/linux/efi.h b/lib/linux/efi.h
index 8fa23ad078ce..64323ff498f5 100644
--- a/lib/linux/efi.h
+++ b/lib/linux/efi.h
@@ -69,6 +69,7 @@  typedef guid_t efi_guid_t;
 #define DEVICE_TREE_GUID EFI_GUID(0xb1b621d5, 0xf19c, 0x41a5,  0x83, 0x0b, 0xd9, 0x15, 0x2c, 0x69, 0xaa, 0xe0)
 
 #define LOADED_IMAGE_PROTOCOL_GUID EFI_GUID(0x5b1b31a1, 0x9562, 0x11d2,  0x8e, 0x3f, 0x00, 0xa0, 0xc9, 0x69, 0x72, 0x3b)
+#define EFI_CC_BLOB_GUID EFI_GUID(0x067b1f5f, 0xcf26, 0x44c5, 0x85, 0x54, 0x93, 0xd7, 0x77, 0x91, 0x2d, 0x42)
 
 #define EFI_LOAD_FILE2_PROTOCOL_GUID EFI_GUID(0x4006c0c1, 0xfcb3, 0x403e,  0x99, 0x6d, 0x4a, 0x6c, 0x87, 0x24, 0xe0, 0x6d)
 #define LINUX_EFI_INITRD_MEDIA_GUID EFI_GUID(0x5568e427, 0x68fc, 0x4f3d,  0xac, 0x74, 0xca, 0x55, 0x52, 0x31, 0xcc, 0x68)
diff --git a/lib/x86/amd_sev.h b/lib/x86/amd_sev.h
index 4c58e761c4af..70f3763fe231 100644
--- a/lib/x86/amd_sev.h
+++ b/lib/x86/amd_sev.h
@@ -106,6 +106,24 @@  struct es_em_ctxt {
 	struct es_fault_info fi;
 };
 
+/*
+ * AMD SEV Confidential computing blob structure. The structure is
+ * defined in OVMF UEFI firmware header:
+ * https://github.com/tianocore/edk2/blob/master/OvmfPkg/Include/Guid/ConfidentialComputingSevSnpBlob.h
+ */
+#define CC_BLOB_SEV_HDR_MAGIC	0x45444d41
+struct cc_blob_sev_info {
+	u32 magic;
+	u16 version;
+	u16 reserved;
+	u64 secrets_phys;
+	u32 secrets_len;
+	u32 rsvd1;
+	u64 cpuid_phys;
+	u32 cpuid_len;
+	u32 rsvd2;
+} __packed;
+
 /*
  * AMD Programmer's Manual Volume 3
  *   - Section "Function 8000_0000h - Maximum Extended Function Number and Vendor String"
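Review bot: The header comment on cc_blob_sev_info cites only the OVMF header, while the commit message says the definitions are imported from upstream Linux arch/x86/include/asm/sev.h; the comment should name both sources and say why `__packed` is required, i.e. the layout must match the firmware-produced blob byte for byte. The fields deserve a line each, hedged where the page does not settle them, e.g. `/* secrets_phys, cpuid_phys: physical addresses of the SNP secrets page and CPUID table; secrets_len, cpuid_len: presumably their sizes in bytes - confirm against the OVMF header */`. `CC_BLOB_SEV_HDR_MAGIC` could also note that 0x45444d41 is the ASCII string "AMDE" read as a little-endian u32, which is what the magic check in x86/amd_sev.c compares against. The struct es_em_ctxt whose closing brace opens the hunk is not otherwise touched.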
diff --git a/x86/amd_sev.c b/x86/amd_sev.c
index 241e1472e333..23f6e3490546 100644
--- a/x86/amd_sev.c
+++ b/x86/amd_sev.c
@@ -69,14 +69,44 @@  static void test_sev_es_activation(void)
 	}
 }
 
+/* Check to find if SEV-SNP's Confidential Computing Blob is present */
+static efi_status_t find_cc_blob_efi(void)
+{
+	struct cc_blob_sev_info *snp_cc_blob;
+	efi_status_t status;
+
+	status = efi_get_system_config_table(EFI_CC_BLOB_GUID,
+					     (void **)&snp_cc_blob);
+
+	if (status != EFI_SUCCESS)
+		return status;
+
+	if (!snp_cc_blob) {
+		printf("SEV-SNP CC blob not found\n");
+		return EFI_NOT_FOUND;
+	}
+
+	if (snp_cc_blob->magic != CC_BLOB_SEV_HDR_MAGIC) {
+		printf("SEV-SNP CC blob header/signature mismatch");
+		return EFI_UNSUPPORTED;
+	}
+
+	return EFI_SUCCESS;
+}
+
 static void test_sev_snp_activation(void)
 {
+	efi_status_t status;
+
 	if (!(rdmsr(MSR_SEV_STATUS) & SEV_SNP_ENABLED_MASK)) {
 		report_skip("SEV-SNP is not enabled");
 		return;
 	}
 
 	report_info("SEV-SNP is enabled");
+
+	status = find_cc_blob_efi();
+	report(status == EFI_SUCCESS, "SEV-SNP CC-blob presence");
 }
 
 static void test_stringio(void)
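Review bot: When efi_get_system_config_table() returns a non-success status, find_cc_blob_efi() returns it silently, so the warning the commit message promises is printed only on the NULL-pointer path; if that helper reports a missing table through its status rather than through a NULL pointer (its body is not in the hunk, so this is inferred), the "not found" message never appears and the report on the last added line fails with no diagnostic. Print before the early return, e.g. `if (status != EFI_SUCCESS) { printf("SEV-SNP CC blob lookup failed\n"); return status; }`. The mismatch message also lacks the trailing newline its sibling has: `printf("SEV-SNP CC blob header/signature mismatch\n");`. Since the blob contents are supplied by firmware, it would also be worth checking that `cpuid_phys` and `secrets_phys` are non-zero once the magic matches, before any later patch dereferences them. test_stringio() starts on the hunk's last line and continues outside it.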