@@ -2526,6 +2526,88 @@ static int cgs_get_mem_map_entry(int index,
return 0;
}
+static int cgs_set_guest_policy(ConfidentialGuestPolicyType policy_type,
+ uint64_t policy, void *policy_data1,
+ uint32_t policy_data1_size, void *policy_data2,
+ uint32_t policy_data2_size, Error **errp)
+{
+ if (policy_type != GUEST_POLICY_SEV) {
+ error_setg(errp, "%s: Invalid guest policy type provided for SEV: %d",
+ __func__, policy_type);
+ return -1;
+ }
+ /*
+ * SEV-SNP handles policy differently. The policy flags are defined in
+ * kvm_start_conf.policy and an ID block and ID auth can be provided.
+ */
+ if (sev_snp_enabled()) {
+ SevSnpGuestState *sev_snp_guest =
+ SEV_SNP_GUEST(MACHINE(qdev_get_machine())->cgs);
+ struct kvm_sev_snp_launch_finish *finish =
+ &sev_snp_guest->kvm_finish_conf;
+
+ /*
+ * The policy consists of flags in 'policy' and optionally an ID block
+ * and ID auth in policy_data1 and policy_data2 respectively. The ID
+ * block and auth are optional so clear any previous ID block and auth
+ * and set them if provided, but always set the policy flags.
+ */
+ g_free(sev_snp_guest->id_block);
+ g_free((guchar *)finish->id_block_uaddr);
+ g_free(sev_snp_guest->id_auth);
+ g_free((guchar *)finish->id_auth_uaddr);
+ sev_snp_guest->id_block = NULL;
+ finish->id_block_uaddr = 0;
+ sev_snp_guest->id_auth = NULL;
+ finish->id_auth_uaddr = 0;
+
+ if (policy_data1_size > 0) {
+ struct sev_snp_id_authentication *id_auth =
+ (struct sev_snp_id_authentication *)policy_data2;
+
+ if (policy_data1_size != KVM_SEV_SNP_ID_BLOCK_SIZE) {
+ error_setg(errp, "%s: Invalid SEV-SNP ID block: incorrect size",
+ __func__);
+ return -1;
+ }
+ if (policy_data2_size != KVM_SEV_SNP_ID_AUTH_SIZE) {
+ error_setg(errp,
+ "%s: Invalid SEV-SNP ID auth block: incorrect size",
+ __func__);
+ return -1;
+ }
+ assert(policy_data1 != NULL);
+ assert(policy_data2 != NULL);
+
+ finish->id_block_uaddr =
+ (__u64)g_memdup2(policy_data1, KVM_SEV_SNP_ID_BLOCK_SIZE);
+ finish->id_auth_uaddr =
+ (__u64)g_memdup2(policy_data2, KVM_SEV_SNP_ID_AUTH_SIZE);
+
+ /*
+ * Check if an author key has been provided and use that to flag
+ * whether the author key is enabled. The first of the author key
+ * must be non-zero to indicate the key type, which will currently
+ * always be 2.
+ */
+ sev_snp_guest->kvm_finish_conf.auth_key_en =
+ id_auth->author_key[0] ? 1 : 0;
+ finish->id_block_en = 1;
+ }
+ sev_snp_guest->kvm_start_conf.policy = policy;
+ } else {
+ SevGuestState *sev_guest = SEV_GUEST(MACHINE(qdev_get_machine())->cgs);
+ /* Only the policy flags are supported for SEV and SEV-ES */
+ if ((policy_data1_size > 0) || (policy_data2_size > 0) || !sev_guest) {
+ error_setg(errp, "%s: An ID block/ID auth block has been provided "
+ "but SEV-SNP is not enabled", __func__);
+ return -1;
+ }
+ sev_guest->policy = policy;
+ }
+ return 0;
+}
+
static void
sev_common_class_init(ObjectClass *oc, void *data)
{
@@ -2564,6 +2646,7 @@ sev_common_instance_init(Object *obj)
cgs->check_support = cgs_check_support;
cgs->set_guest_state = cgs_set_guest_state;
cgs->get_mem_map_entry = cgs_get_mem_map_entry;
+ cgs->set_guest_policy = cgs_set_guest_policy;
QTAILQ_INIT(&sev_common->launch_vmsa);
}
@@ -157,6 +157,18 @@ struct QEMU_PACKED sev_es_save_area {
uint8_t fpreg_ymm[256];
};
+struct QEMU_PACKED sev_snp_id_authentication {
+ uint32_t id_key_alg;
+ uint32_t auth_key_algo;
+ uint8_t reserved[56];
+ uint8_t id_block_sig[512];
+ uint8_t id_key[1028];
+ uint8_t reserved2[60];
+ uint8_t id_key_sig[512];
+ uint8_t author_key[1028];
+ uint8_t reserved3[892];
+};
+
#ifdef CONFIG_SEV
bool sev_enabled(void);
bool sev_es_enabled(void);