Message ID | 20211210154332.11526-7-brijesh.singh@amd.com (mailing list archive) |
---|---|
State | New |
Headers | show |
Series | Add AMD Secure Nested Paging (SEV-SNP) Guest Support | expand |
On Fri, Dec 10, 2021 at 09:42:58AM -0600, Brijesh Singh wrote: > Version 2 of the GHCB specification added the advertisement of features > that are supported by the hypervisor. If hypervisor supports the SEV-SNP > then it must set the SEV-SNP features bit to indicate that the base > SEV-SNP is supported. > > Check the SEV-SNP feature while establishing the GHCB, if failed, > terminate the guest. > > Version 2 of GHCB specification adds several new NAEs, most of them are > optional except the hypervisor feature. Now that hypervisor feature NAE > is implemented, so bump the GHCB maximum support protocol version. > > While at it, move the GHCB protocol negotitation check from VC exception Unknown word [negotitation] in commit message, suggestions: ['negotiation', 'negotiator', 'negotiate', 'abnegation', 'vegetation'] > handler to sev_enable() so that all feature detection happens before > the first VC exception. > > Signed-off-by: Brijesh Singh <brijesh.singh@amd.com> > --- > arch/x86/boot/compressed/sev.c | 21 ++++++++++++++++----- > arch/x86/include/asm/sev-common.h | 6 ++++++ > arch/x86/include/asm/sev.h | 2 +- > arch/x86/include/uapi/asm/svm.h | 2 ++ > arch/x86/kernel/sev-shared.c | 20 ++++++++++++++++++++ > arch/x86/kernel/sev.c | 16 ++++++++++++++++ > 6 files changed, 61 insertions(+), 6 deletions(-) > > diff --git a/arch/x86/boot/compressed/sev.c b/arch/x86/boot/compressed/sev.c > index 0b6cc6402ac1..a0708f359a46 100644 > --- a/arch/x86/boot/compressed/sev.c > +++ b/arch/x86/boot/compressed/sev.c > @@ -119,11 +119,8 @@ static enum es_result vc_read_mem(struct es_em_ctxt *ctxt, > /* Include code for early handlers */ > #include "../../kernel/sev-shared.c" > > -static bool early_setup_sev_es(void) > +static bool early_setup_ghcb(void) > { > - if (!sev_es_negotiate_protocol()) > - sev_es_terminate(SEV_TERM_SET_GEN, GHCB_SEV_ES_PROT_UNSUPPORTED); > - > if (set_page_decrypted((unsigned long)&boot_ghcb_page)) > return false; > > @@ -174,7 +171,7 @@ void do_boot_stage2_vc(struct pt_regs *regs, unsigned long exit_code) > struct es_em_ctxt ctxt; > enum es_result result; > > - if (!boot_ghcb && !early_setup_sev_es()) > + if (!boot_ghcb && !early_setup_ghcb()) > sev_es_terminate(SEV_TERM_SET_GEN, GHCB_SEV_ES_GEN_REQ); Can you setup the GHCB in sev_enable() too, after the protocol version negotiation succeeds? > vc_ghcb_invalidate(boot_ghcb); > @@ -247,5 +244,19 @@ void sev_enable(struct boot_params *bp) > if (!(sev_status & MSR_AMD64_SEV_ENABLED)) > return; > > + /* Negotiate the GHCB protocol version */ > + if (sev_status & MSR_AMD64_SEV_ES_ENABLED) > + if (!sev_es_negotiate_protocol()) > + sev_es_terminate(SEV_TERM_SET_GEN, GHCB_SEV_ES_PROT_UNSUPPORTED); > + > + /* > + * SNP is supported in v2 of the GHCB spec which mandates support for HV > + * features. If SEV-SNP is enabled, then check if the hypervisor supports > + * the SEV-SNP features. > + */ > + if (sev_status & MSR_AMD64_SEV_SNP_ENABLED && !(get_hv_features() & GHCB_HV_FT_SNP)) > + sev_es_terminate(SEV_TERM_SET_GEN, GHCB_SNP_UNSUPPORTED); > + > + ^ Superfluous newline. > sme_me_mask = BIT_ULL(ebx & 0x3f); ... > diff --git a/arch/x86/kernel/sev.c b/arch/x86/kernel/sev.c > index 19ad09712902..a0cada8398a4 100644 > --- a/arch/x86/kernel/sev.c > +++ b/arch/x86/kernel/sev.c > @@ -43,6 +43,10 @@ static struct ghcb boot_ghcb_page __bss_decrypted __aligned(PAGE_SIZE); > */ > static struct ghcb __initdata *boot_ghcb; > > +/* Bitmap of SEV features supported by the hypervisor */ > +static u64 sev_hv_features; __ro_after_init > + > + > /* #VC handler runtime per-CPU data */ > struct sev_es_runtime_data { > struct ghcb ghcb_page; > @@ -766,6 +770,18 @@ void __init sev_es_init_vc_handling(void) > if (!sev_es_check_cpu_features()) > panic("SEV-ES CPU Features missing"); > > + /* > + * SNP is supported in v2 of the GHCB spec which mandates support for HV > + * features. If SEV-SNP is enabled, then check if the hypervisor supports s/SEV-SNP/SNP/g And please do that everywhere in sev-specific files. This file is called sev.c and there's way too many acronyms flying around so the simpler the better. Thx.
On 12/16/21 9:47 AM, Borislav Petkov wrote: >> >> - if (!boot_ghcb && !early_setup_sev_es()) >> + if (!boot_ghcb && !early_setup_ghcb()) >> sev_es_terminate(SEV_TERM_SET_GEN, GHCB_SEV_ES_GEN_REQ); > > Can you setup the GHCB in sev_enable() too, after the protocol version > negotiation succeeds? A good question; the GHCB page is needed only at the time of #VC. If the second stage VC handler is not called after the sev_enable() during the decompression stage, setting up the GHC page in sev_enable() is a waste. But in practice, the second stage VC handler will be called during decompression. It also brings a similar question for the kernel proper, should we do the same over there? Jorge did the initial ES support and may have other reasons he chose to set up GHCB page in the handler. I was trying to avoid the flow change. We can do this as a pre or post-SNP patch; let me know your thoughts? >> + * SNP is supported in v2 of the GHCB spec which mandates support for HV >> + * features. If SEV-SNP is enabled, then check if the hypervisor supports > > s/SEV-SNP/SNP/g > > And please do that everywhere in sev-specific files. > > This file is called sev.c and there's way too many acronyms flying > around so the simpler the better. > Noted. thanks
On Thu, Dec 16, 2021 at 10:28:45AM -0600, Brijesh Singh wrote: > A good question; the GHCB page is needed only at the time of #VC. If the > second stage VC handler is not called after the sev_enable() during the > decompression stage, setting up the GHC page in sev_enable() is a waste. It would be a waste if no #VC would fire. But we set up a #VC handler so we might just as well set up the GHCB for it too. > But in practice, the second stage VC handler will be called during > decompression. It also brings a similar question for the kernel > proper, should we do the same over there? I'd think so, yes. > Jorge did the initial ES support and may have other reasons he chose to set > up GHCB page in the handler. I was trying to avoid the flow change. We can > do this as a pre or post-SNP patch; let me know your thoughts? You can do a separate patch only with that change and if it causes trouble, we can always debug/delay it. Thx.
On 2021-12-10 09:42:58 -0600, Brijesh Singh wrote: > Version 2 of the GHCB specification added the advertisement of features > that are supported by the hypervisor. If hypervisor supports the SEV-SNP > then it must set the SEV-SNP features bit to indicate that the base > SEV-SNP is supported. > > Check the SEV-SNP feature while establishing the GHCB, if failed, > terminate the guest. > > Version 2 of GHCB specification adds several new NAEs, most of them are > optional except the hypervisor feature. Now that hypervisor feature NAE > is implemented, so bump the GHCB maximum support protocol version. > > While at it, move the GHCB protocol negotitation check from VC exception > handler to sev_enable() so that all feature detection happens before > the first VC exception. > > Signed-off-by: Brijesh Singh <brijesh.singh@amd.com> > --- > arch/x86/boot/compressed/sev.c | 21 ++++++++++++++++----- > arch/x86/include/asm/sev-common.h | 6 ++++++ > arch/x86/include/asm/sev.h | 2 +- > arch/x86/include/uapi/asm/svm.h | 2 ++ > arch/x86/kernel/sev-shared.c | 20 ++++++++++++++++++++ > arch/x86/kernel/sev.c | 16 ++++++++++++++++ > 6 files changed, 61 insertions(+), 6 deletions(-) > > diff --git a/arch/x86/boot/compressed/sev.c b/arch/x86/boot/compressed/sev.c > index 0b6cc6402ac1..a0708f359a46 100644 > --- a/arch/x86/boot/compressed/sev.c > +++ b/arch/x86/boot/compressed/sev.c > @@ -119,11 +119,8 @@ static enum es_result vc_read_mem(struct es_em_ctxt *ctxt, > /* Include code for early handlers */ > #include "../../kernel/sev-shared.c" > > -static bool early_setup_sev_es(void) > +static bool early_setup_ghcb(void) > { > - if (!sev_es_negotiate_protocol()) > - sev_es_terminate(SEV_TERM_SET_GEN, GHCB_SEV_ES_PROT_UNSUPPORTED); Should the name sev_es_terminate() be changed to a more generic name, as we are simply terminating the guest, not SEV or ES as the name implies? Other than that... Reviewed-by: Venu Busireddy <venu.busireddy@oracle.com>
diff --git a/arch/x86/boot/compressed/sev.c b/arch/x86/boot/compressed/sev.c index 0b6cc6402ac1..a0708f359a46 100644 --- a/arch/x86/boot/compressed/sev.c +++ b/arch/x86/boot/compressed/sev.c @@ -119,11 +119,8 @@ static enum es_result vc_read_mem(struct es_em_ctxt *ctxt, /* Include code for early handlers */ #include "../../kernel/sev-shared.c" -static bool early_setup_sev_es(void) +static bool early_setup_ghcb(void) { - if (!sev_es_negotiate_protocol()) - sev_es_terminate(SEV_TERM_SET_GEN, GHCB_SEV_ES_PROT_UNSUPPORTED); - if (set_page_decrypted((unsigned long)&boot_ghcb_page)) return false; @@ -174,7 +171,7 @@ void do_boot_stage2_vc(struct pt_regs *regs, unsigned long exit_code) struct es_em_ctxt ctxt; enum es_result result; - if (!boot_ghcb && !early_setup_sev_es()) + if (!boot_ghcb && !early_setup_ghcb()) sev_es_terminate(SEV_TERM_SET_GEN, GHCB_SEV_ES_GEN_REQ); vc_ghcb_invalidate(boot_ghcb); @@ -247,5 +244,19 @@ void sev_enable(struct boot_params *bp) if (!(sev_status & MSR_AMD64_SEV_ENABLED)) return; + /* Negotiate the GHCB protocol version */ + if (sev_status & MSR_AMD64_SEV_ES_ENABLED) + if (!sev_es_negotiate_protocol()) + sev_es_terminate(SEV_TERM_SET_GEN, GHCB_SEV_ES_PROT_UNSUPPORTED); + + /* + * SNP is supported in v2 of the GHCB spec which mandates support for HV + * features. If SEV-SNP is enabled, then check if the hypervisor supports + * the SEV-SNP features. + */ + if (sev_status & MSR_AMD64_SEV_SNP_ENABLED && !(get_hv_features() & GHCB_HV_FT_SNP)) + sev_es_terminate(SEV_TERM_SET_GEN, GHCB_SNP_UNSUPPORTED); + + sme_me_mask = BIT_ULL(ebx & 0x3f); } diff --git a/arch/x86/include/asm/sev-common.h b/arch/x86/include/asm/sev-common.h index 94f0ea574049..6f037c29a46e 100644 --- a/arch/x86/include/asm/sev-common.h +++ b/arch/x86/include/asm/sev-common.h @@ -60,6 +60,11 @@ /* GHCB Hypervisor Feature Request/Response */ #define GHCB_MSR_HV_FT_REQ 0x080 #define GHCB_MSR_HV_FT_RESP 0x081 +#define GHCB_MSR_HV_FT_RESP_VAL(v) \ + /* GHCBData[63:12] */ \ + (((u64)(v) & GENMASK_ULL(63, 12)) >> 12) + +#define GHCB_HV_FT_SNP BIT_ULL(0) #define GHCB_MSR_TERM_REQ 0x100 #define GHCB_MSR_TERM_REASON_SET_POS 12 @@ -77,6 +82,7 @@ #define SEV_TERM_SET_GEN 0 #define GHCB_SEV_ES_GEN_REQ 0 #define GHCB_SEV_ES_PROT_UNSUPPORTED 1 +#define GHCB_SNP_UNSUPPORTED 2 /* Linux-specific reason codes (used with reason set 1) */ #define SEV_TERM_SET_LINUX 1 diff --git a/arch/x86/include/asm/sev.h b/arch/x86/include/asm/sev.h index 9b9c190e8c3b..17b75f6ee11a 100644 --- a/arch/x86/include/asm/sev.h +++ b/arch/x86/include/asm/sev.h @@ -13,7 +13,7 @@ #include <asm/sev-common.h> #define GHCB_PROTOCOL_MIN 1ULL -#define GHCB_PROTOCOL_MAX 1ULL +#define GHCB_PROTOCOL_MAX 2ULL #define GHCB_DEFAULT_USAGE 0ULL #define VMGEXIT() { asm volatile("rep; vmmcall\n\r"); } diff --git a/arch/x86/include/uapi/asm/svm.h b/arch/x86/include/uapi/asm/svm.h index efa969325ede..b0ad00f4c1e1 100644 --- a/arch/x86/include/uapi/asm/svm.h +++ b/arch/x86/include/uapi/asm/svm.h @@ -108,6 +108,7 @@ #define SVM_VMGEXIT_AP_JUMP_TABLE 0x80000005 #define SVM_VMGEXIT_SET_AP_JUMP_TABLE 0 #define SVM_VMGEXIT_GET_AP_JUMP_TABLE 1 +#define SVM_VMGEXIT_HV_FEATURES 0x8000fffd #define SVM_VMGEXIT_UNSUPPORTED_EVENT 0x8000ffff /* Exit code reserved for hypervisor/software use */ @@ -218,6 +219,7 @@ { SVM_VMGEXIT_NMI_COMPLETE, "vmgexit_nmi_complete" }, \ { SVM_VMGEXIT_AP_HLT_LOOP, "vmgexit_ap_hlt_loop" }, \ { SVM_VMGEXIT_AP_JUMP_TABLE, "vmgexit_ap_jump_table" }, \ + { SVM_VMGEXIT_HV_FEATURES, "vmgexit_hypervisor_feature" }, \ { SVM_EXIT_ERR, "invalid_guest_state" } diff --git a/arch/x86/kernel/sev-shared.c b/arch/x86/kernel/sev-shared.c index 91105f5a02a8..4a876e684f67 100644 --- a/arch/x86/kernel/sev-shared.c +++ b/arch/x86/kernel/sev-shared.c @@ -48,6 +48,26 @@ static void __noreturn sev_es_terminate(unsigned int set, unsigned int reason) asm volatile("hlt\n" : : : "memory"); } +/* + * The hypervisor features are available from GHCB version 2 onward. + */ +static u64 get_hv_features(void) +{ + u64 val; + + if (ghcb_version < 2) + return 0; + + sev_es_wr_ghcb_msr(GHCB_MSR_HV_FT_REQ); + VMGEXIT(); + + val = sev_es_rd_ghcb_msr(); + if (GHCB_RESP_CODE(val) != GHCB_MSR_HV_FT_RESP) + return 0; + + return GHCB_MSR_HV_FT_RESP_VAL(val); +} + static bool sev_es_negotiate_protocol(void) { u64 val; diff --git a/arch/x86/kernel/sev.c b/arch/x86/kernel/sev.c index 19ad09712902..a0cada8398a4 100644 --- a/arch/x86/kernel/sev.c +++ b/arch/x86/kernel/sev.c @@ -43,6 +43,10 @@ static struct ghcb boot_ghcb_page __bss_decrypted __aligned(PAGE_SIZE); */ static struct ghcb __initdata *boot_ghcb; +/* Bitmap of SEV features supported by the hypervisor */ +static u64 sev_hv_features; + + /* #VC handler runtime per-CPU data */ struct sev_es_runtime_data { struct ghcb ghcb_page; @@ -766,6 +770,18 @@ void __init sev_es_init_vc_handling(void) if (!sev_es_check_cpu_features()) panic("SEV-ES CPU Features missing"); + /* + * SNP is supported in v2 of the GHCB spec which mandates support for HV + * features. If SEV-SNP is enabled, then check if the hypervisor supports + * the SEV-SNP features. + */ + if (cc_platform_has(CC_ATTR_SEV_SNP)) { + sev_hv_features = get_hv_features(); + + if (!(sev_hv_features & GHCB_HV_FT_SNP)) + sev_es_terminate(SEV_TERM_SET_GEN, GHCB_SNP_UNSUPPORTED); + } + /* Enable SEV-ES special handling */ static_branch_enable(&sev_es_enable_key);
Version 2 of the GHCB specification added the advertisement of features that are supported by the hypervisor. If hypervisor supports the SEV-SNP then it must set the SEV-SNP features bit to indicate that the base SEV-SNP is supported. Check the SEV-SNP feature while establishing the GHCB, if failed, terminate the guest. Version 2 of GHCB specification adds several new NAEs, most of them are optional except the hypervisor feature. Now that hypervisor feature NAE is implemented, so bump the GHCB maximum support protocol version. While at it, move the GHCB protocol negotitation check from VC exception handler to sev_enable() so that all feature detection happens before the first VC exception. Signed-off-by: Brijesh Singh <brijesh.singh@amd.com> --- arch/x86/boot/compressed/sev.c | 21 ++++++++++++++++----- arch/x86/include/asm/sev-common.h | 6 ++++++ arch/x86/include/asm/sev.h | 2 +- arch/x86/include/uapi/asm/svm.h | 2 ++ arch/x86/kernel/sev-shared.c | 20 ++++++++++++++++++++ arch/x86/kernel/sev.c | 16 ++++++++++++++++ 6 files changed, 61 insertions(+), 6 deletions(-)