From patchwork Fri Jun 19 02:05:54 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: David Gibson X-Patchwork-Id: 11613109 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 0F3CB13A0 for ; Fri, 19 Jun 2020 02:06:14 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id EB53F20773 for ; Fri, 19 Jun 2020 02:06:13 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=gibson.dropbear.id.au header.i=@gibson.dropbear.id.au header.b="nJSanPg8" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727915AbgFSCGM (ORCPT ); Thu, 18 Jun 2020 22:06:12 -0400 Received: from bilbo.ozlabs.org ([203.11.71.1]:36545 "EHLO ozlabs.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727911AbgFSCGK (ORCPT ); Thu, 18 Jun 2020 22:06:10 -0400 Received: by ozlabs.org (Postfix, from userid 1007) id 49p2GS1dYgz9sNR; Fri, 19 Jun 2020 12:06:08 +1000 (AEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gibson.dropbear.id.au; s=201602; t=1592532368; bh=gLWD9Joj8IIB/tTWGt6QwLtKruFK1pcFHrhx6E7+hAA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=nJSanPg8NeKsUcm7P+zX/JVyECFc0xANus0zN7ZXcMfswdMa7g4E9Y+wA81Bpfj3y +KrsONmNKbqxLTMakO/mYVlUf+9y/pUO96TnOtTv140aKrE7ioEdjqWS8fUOPnj4rj AAWfHyWIaUknWsxeYZWj/0V9n9jwPbvL5JTJx9BI= 
From: David Gibson To: qemu-devel@nongnu.org, brijesh.singh@amd.com, pair@us.ibm.com, pbonzini@redhat.com, dgilbert@redhat.com, frankja@linux.ibm.com Cc: Marcel Apfelbaum , kvm@vger.kernel.org, qemu-ppc@nongnu.org, mst@redhat.com, mdroth@linux.vnet.ibm.com, Richard Henderson , cohuck@redhat.com, pasic@linux.ibm.com, Eduardo Habkost , David Gibson , qemu-s390x@nongnu.org, david@redhat.com Subject: [PATCH v3 1/9] host trust limitation: Introduce new host trust limitation interface Date: Fri, 19 Jun 2020 12:05:54 +1000 Message-Id: <20200619020602.118306-2-david@gibson.dropbear.id.au> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200619020602.118306-1-david@gibson.dropbear.id.au> References: <20200619020602.118306-1-david@gibson.dropbear.id.au> MIME-Version: 1.0 Sender: kvm-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: kvm@vger.kernel.org Several architectures have mechanisms which are designed to protect guest memory from interference or eavesdropping by a compromised hypervisor. AMD SEV does this with in-chip memory encryption and Intel has a similar mechanism. POWER's Protected Execution Framework (PEF) accomplishes a similar goal using an ultravisor and new memory protection features, instead of encryption. To (partially) unify handling for these, this introduces a new HostTrustLimitation QOM interface. Signed-off-by: David Gibson Acked-by: Dr. David Alan Gilbert Reviewed-by: Richard Henderson --- backends/Makefile.objs | 2 ++ backends/host-trust-limitation.c | 29 ++++++++++++++++++++++++ include/exec/host-trust-limitation.h | 33 ++++++++++++++++++++++++++++ include/qemu/typedefs.h | 1 + 4 files changed, 65 insertions(+) create mode 100644 backends/host-trust-limitation.c create mode 100644 include/exec/host-trust-limitation.h diff --git a/backends/Makefile.objs b/backends/Makefile.objs index 28a847cd57..af761c9ab1 100644 --- a/backends/Makefile.objs +++ b/backends/Makefile.objs 
@@ -21,3 +21,5 @@ common-obj-$(CONFIG_LINUX) += hostmem-memfd.o common-obj-$(CONFIG_GIO) += dbus-vmstate.o dbus-vmstate.o-cflags = $(GIO_CFLAGS) dbus-vmstate.o-libs = $(GIO_LIBS) + +common-obj-y += host-trust-limitation.o diff --git a/backends/host-trust-limitation.c b/backends/host-trust-limitation.c new file mode 100644 index 0000000000..96a381cd8a --- /dev/null +++ b/backends/host-trust-limitation.c @@ -0,0 +1,29 @@ +/* + * QEMU Host Trust Limitation interface + * + * Copyright: David Gibson, Red Hat Inc. 2020 + * + * Authors: + * David Gibson + * + * This work is licensed under the terms of the GNU GPL, version 2 or + * later. See the COPYING file in the top-level directory. + * + */ + +#include "qemu/osdep.h" + +#include "exec/host-trust-limitation.h" + +static const TypeInfo host_trust_limitation_info = { + .name = TYPE_HOST_TRUST_LIMITATION, + .parent = TYPE_INTERFACE, + .class_size = sizeof(HostTrustLimitationClass), +}; + +static void host_trust_limitation_register_types(void) +{ + type_register_static(&host_trust_limitation_info); +} + +type_init(host_trust_limitation_register_types) diff --git a/include/exec/host-trust-limitation.h b/include/exec/host-trust-limitation.h new file mode 100644 index 0000000000..03887b1be1 --- /dev/null +++ b/include/exec/host-trust-limitation.h 
@@ -0,0 +1,33 @@ +/* + * QEMU Host Trust Limitation interface + * + * Copyright: David Gibson, Red Hat Inc. 2020 + * + * Authors: + * David Gibson + * + * This work is licensed under the terms of the GNU GPL, version 2 or + * later. See the COPYING file in the top-level directory. + * + */ +#ifndef QEMU_HOST_TRUST_LIMITATION_H +#define QEMU_HOST_TRUST_LIMITATION_H + +#include "qom/object.h" + +#define TYPE_HOST_TRUST_LIMITATION "host-trust-limitation" +#define HOST_TRUST_LIMITATION(obj) \ + INTERFACE_CHECK(HostTrustLimitation, (obj), \ + TYPE_HOST_TRUST_LIMITATION) +#define HOST_TRUST_LIMITATION_CLASS(klass) \ + OBJECT_CLASS_CHECK(HostTrustLimitationClass, (klass), \ + TYPE_HOST_TRUST_LIMITATION) +#define HOST_TRUST_LIMITATION_GET_CLASS(obj) \ + OBJECT_GET_CLASS(HostTrustLimitationClass, (obj), \ + TYPE_HOST_TRUST_LIMITATION) + +typedef struct HostTrustLimitationClass { + InterfaceClass parent; +} HostTrustLimitationClass; + +#endif /* QEMU_HOST_TRUST_LIMITATION_H */ diff --git a/include/qemu/typedefs.h b/include/qemu/typedefs.h index ce4a78b687..f75c7eb2f2 100644 --- a/include/qemu/typedefs.h +++ b/include/qemu/typedefs.h 
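Review bot: the new HostTrustLimitationClass in include/exec/host-trust-limitation.h has no doc comment saying what an object implementing TYPE_HOST_TRUST_LIMITATION promises (that guest memory is protected from a compromised hypervisor, as the commit message puts it) or which methods implementers are expected to supply; a short comment above `typedef struct HostTrustLimitationClass {` would help the SEV and PEF implementers that follow. The interface is registered with `.class_size = sizeof(HostTrustLimitationClass)` while the class body is still empty, so it would also help to say in the commit message that the methods arrive in the next patch.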
@@ -51,6 +51,7 @@ typedef struct FWCfgIoState FWCfgIoState; typedef struct FWCfgMemState FWCfgMemState; typedef struct FWCfgState FWCfgState; typedef struct HostMemoryBackend HostMemoryBackend; +typedef struct HostTrustLimitation HostTrustLimitation; typedef struct I2CBus I2CBus; typedef struct I2SCodec I2SCodec; typedef struct IOMMUMemoryRegion IOMMUMemoryRegion; From patchwork Fri Jun 19 02:05:55 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: David Gibson X-Patchwork-Id: 11613117 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id E6A9013A0 for ; Fri, 19 Jun 2020 02:06:31 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id C8CA32088E for ; Fri, 19 Jun 2020 02:06:31 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=gibson.dropbear.id.au header.i=@gibson.dropbear.id.au header.b="Mm7MtGBT" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730908AbgFSCG2 (ORCPT ); Thu, 18 Jun 2020 22:06:28 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49592 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729211AbgFSCGR (ORCPT ); Thu, 18 Jun 2020 22:06:17 -0400 Received: from ozlabs.org (bilbo.ozlabs.org [IPv6:2401:3900:2:1::2]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 67E86C061794 for ; Thu, 18 Jun 2020 19:06:16 -0700 (PDT) Received: by ozlabs.org (Postfix, from userid 1007) id 49p2GS2q6qz9sRk; Fri, 19 Jun 2020 12:06:08 +1000 (AEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gibson.dropbear.id.au; s=201602; t=1592532368; bh=XEsRFDuyA9etU74BIO7+DftC/mG9MemHlS+RfUcqgWk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; 
b=Mm7MtGBTWXfvAn9KUWFu1PSbCvov+j8g3pczK4fahDCG5dPcWIQ1oFVn0sbM+L3vj MPaMFJSiWnV5XQhIhAaAtRldSguNquShBVzHTuPrM8BPyOyf5r7IPIE3cRfUgGqRDb DbZiCB7nl8UBg2P0E5OoVjo4T8jHjyW6d11Q+ta8= From: David Gibson To: qemu-devel@nongnu.org, brijesh.singh@amd.com, pair@us.ibm.com, pbonzini@redhat.com, dgilbert@redhat.com, frankja@linux.ibm.com Cc: Marcel Apfelbaum , kvm@vger.kernel.org, qemu-ppc@nongnu.org, mst@redhat.com, mdroth@linux.vnet.ibm.com, Richard Henderson , cohuck@redhat.com, pasic@linux.ibm.com, Eduardo Habkost , David Gibson , qemu-s390x@nongnu.org, david@redhat.com, Richard Henderson Subject: [PATCH v3 2/9] host trust limitation: Handle memory encryption via interface Date: Fri, 19 Jun 2020 12:05:55 +1000 Message-Id: <20200619020602.118306-3-david@gibson.dropbear.id.au> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200619020602.118306-1-david@gibson.dropbear.id.au> References: <20200619020602.118306-1-david@gibson.dropbear.id.au> MIME-Version: 1.0 Sender: kvm-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: kvm@vger.kernel.org At the moment AMD SEV sets a special function pointer, plus an opaque handle in KVMState to let things know how to encrypt guest memory. Now that we have a QOM interface for handling things related to host trust limitation, use a QOM method on that interface, rather than a bare function pointer for this. Signed-off-by: David Gibson Reviewed-by: Richard Henderson --- accel/kvm/kvm-all.c | 38 ++++++--- accel/kvm/sev-stub.c | 7 +- include/exec/host-trust-limitation.h | 3 + include/sysemu/sev.h | 4 +- target/i386/sev.c | 117 +++++++++++---------------- 5 files changed, 79 insertions(+), 90 deletions(-) diff --git a/accel/kvm/kvm-all.c b/accel/kvm/kvm-all.c index f24d7da783..1e43e27f45 100644 --- a/accel/kvm/kvm-all.c +++ b/accel/kvm/kvm-all.c 
@@ -39,12 +39,12 @@ #include "qemu/main-loop.h" #include "trace.h" #include "hw/irq.h" -#include "sysemu/sev.h" #include "sysemu/balloon.h" #include "qapi/visitor.h" #include "qapi/qapi-types-common.h" #include "qapi/qapi-visit-common.h" #include "sysemu/reset.h" +#include "exec/host-trust-limitation.h" #include "hw/boards.h" @@ -118,9 +118,8 @@ struct KVMState KVMMemoryListener memory_listener; QLIST_HEAD(, KVMParkedVcpu) kvm_parked_vcpus; - /* memory encryption */ - void *memcrypt_handle; - int (*memcrypt_encrypt_data)(void *handle, uint8_t *ptr, uint64_t len); + /* host trust limitation (e.g. by guest memory encryption) */ + HostTrustLimitation *htl; /* For "info mtree -f" to tell if an MR is registered in KVM */ int nr_as; @@ -222,7 +221,7 @@ int kvm_get_max_memslots(void) bool kvm_memcrypt_enabled(void) { - if (kvm_state && kvm_state->memcrypt_handle) { + if (kvm_state && kvm_state->htl) { return true; } @@ -231,10 +230,12 @@ bool kvm_memcrypt_enabled(void) int kvm_memcrypt_encrypt_data(uint8_t *ptr, uint64_t len) { - if (kvm_state->memcrypt_handle && - kvm_state->memcrypt_encrypt_data) { - return kvm_state->memcrypt_encrypt_data(kvm_state->memcrypt_handle, - ptr, len); + HostTrustLimitation *htl = kvm_state->htl; + + if (htl) { + HostTrustLimitationClass *htlc = HOST_TRUST_LIMITATION_GET_CLASS(htl); + + return htlc->encrypt_data(htl, ptr, len); } return 1; 
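Review bot: kvm_memcrypt_encrypt_data() now calls `htlc->encrypt_data(htl, ptr, len)` unconditionally, whereas the code it replaces checked both `memcrypt_handle` and `memcrypt_encrypt_data` before calling; an object that implements TYPE_HOST_TRUST_LIMITATION but leaves encrypt_data NULL (a scheme that protects memory without encrypting it, like the PEF case the series mentions) would dereference a NULL function pointer here. Either keep the NULL check (`if (htl && htlc->encrypt_data)`) and fall back to the existing `return 1;`, or state in the interface header that encrypt_data is mandatory.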
@@ -2180,13 +2181,24 @@ static int kvm_init(MachineState *ms) * encryption context. */ if (ms->memory_encryption) { - kvm_state->memcrypt_handle = sev_guest_init(ms->memory_encryption); - if (!kvm_state->memcrypt_handle) { + Object *obj = object_resolve_path_component(object_get_objects_root(), + ms->memory_encryption); + + if (object_dynamic_cast(obj, TYPE_HOST_TRUST_LIMITATION)) { + HostTrustLimitation *htl = HOST_TRUST_LIMITATION(obj); + HostTrustLimitationClass *htlc + = HOST_TRUST_LIMITATION_GET_CLASS(htl); + + ret = htlc->kvm_init(htl); + if (ret < 0) { + goto err; + } + + kvm_state->htl = htl; + } else { ret = -1; goto err; } - - kvm_state->memcrypt_encrypt_data = sev_encrypt_data; } ret = kvm_arch_init(ms, s); diff --git a/accel/kvm/sev-stub.c b/accel/kvm/sev-stub.c index 4f97452585..9c7c897593 100644 --- a/accel/kvm/sev-stub.c +++ b/accel/kvm/sev-stub.c @@ -15,12 +15,7 @@ #include "qemu-common.h" #include "sysemu/sev.h" -int sev_encrypt_data(void *handle, uint8_t *ptr, uint64_t len) -{ - abort(); -} - -void *sev_guest_init(const char *id) +HostTrustLimitation *sev_guest_init(const char *id) { return NULL; } diff --git a/include/exec/host-trust-limitation.h b/include/exec/host-trust-limitation.h index 03887b1be1..a19f12ae14 100644 --- a/include/exec/host-trust-limitation.h +++ b/include/exec/host-trust-limitation.h @@ -28,6 +28,9 @@ typedef struct HostTrustLimitationClass { InterfaceClass parent; + + int (*kvm_init)(HostTrustLimitation *); + int (*encrypt_data)(HostTrustLimitation *, uint8_t *, uint64_t); } HostTrustLimitationClass; #endif /* QEMU_HOST_TRUST_LIMITATION_H */ diff --git a/include/sysemu/sev.h b/include/sysemu/sev.h index 98c1ec8d38..a4aee6a87d 100644 --- a/include/sysemu/sev.h +++ b/include/sysemu/sev.h @@ -16,6 +16,6 @@ #include "sysemu/kvm.h" -void *sev_guest_init(const char *id); -int sev_encrypt_data(void *handle, uint8_t *ptr, uint64_t len); +HostTrustLimitation *sev_guest_init(const char *id); + #endif 
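Review bot: in the kvm_init() hunk the `else` branch sets `ret = -1;` and jumps to `err` without any error_report(), while the removed sev_guest_init() path reported "'%s' is not a valid '%s' object" when the id did not resolve; object_dynamic_cast() returns NULL both for an unknown id and for an object of the wrong type, so the user now gets a silent failure in either case. Suggest an error_report() naming ms->memory_encryption before `goto err;`. Separately, include/sysemu/sev.h and accel/kvm/sev-stub.c keep `HostTrustLimitation *sev_guest_init(const char *id)` even though this patch removes its only caller (kvm-all.c drops `#include "sysemu/sev.h"`) and target/i386/sev.c turns the function into the static sev_kvm_init(); the declaration and the stub look dead and could go in this same patch.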
diff --git a/target/i386/sev.c b/target/i386/sev.c index d273174ad3..052a05d15a 100644 --- a/target/i386/sev.c +++ b/target/i386/sev.c @@ -28,6 +28,7 @@ #include "sysemu/runstate.h" #include "trace.h" #include "migration/blocker.h" +#include "exec/host-trust-limitation.h" #define TYPE_SEV_GUEST "sev-guest" #define SEV_GUEST(obj) \ @@ -281,26 +282,6 @@ sev_guest_set_sev_device(Object *obj, const char *value, Error **errp) sev->sev_device = g_strdup(value); } -static void -sev_guest_class_init(ObjectClass *oc, void *data) -{ - object_class_property_add_str(oc, "sev-device", - sev_guest_get_sev_device, - sev_guest_set_sev_device); - object_class_property_set_description(oc, "sev-device", - "SEV device to use"); - object_class_property_add_str(oc, "dh-cert-file", - sev_guest_get_dh_cert_file, - sev_guest_set_dh_cert_file); - object_class_property_set_description(oc, "dh-cert-file", - "guest owners DH certificate (encoded with base64)"); - object_class_property_add_str(oc, "session-file", - sev_guest_get_session_file, - sev_guest_set_session_file); - object_class_property_set_description(oc, "session-file", - "guest owners session parameters (encoded with base64)"); -} - static void sev_guest_instance_init(Object *obj) { 
@@ -319,40 +300,6 @@ sev_guest_instance_init(Object *obj) OBJ_PROP_FLAG_READWRITE); } -/* sev guest info */ -static const TypeInfo sev_guest_info = { - .parent = TYPE_OBJECT, - .name = TYPE_SEV_GUEST, - .instance_size = sizeof(SevGuestState), - .instance_finalize = sev_guest_finalize, - .class_init = sev_guest_class_init, - .instance_init = sev_guest_instance_init, - .interfaces = (InterfaceInfo[]) { - { TYPE_USER_CREATABLE }, - { } - } -}; - -static SevGuestState * -lookup_sev_guest_info(const char *id) -{ - Object *obj; - SevGuestState *info; - - obj = object_resolve_path_component(object_get_objects_root(), id); - if (!obj) { - return NULL; - } - - info = (SevGuestState *) - object_dynamic_cast(obj, TYPE_SEV_GUEST); - if (!info) { - return NULL; - } - - return info; -} - bool sev_enabled(void) { @@ -670,23 +617,15 @@ sev_vm_state_change(void *opaque, int running, RunState state) } } -void * -sev_guest_init(const char *id) +static int sev_kvm_init(HostTrustLimitation *htl) { - SevGuestState *sev; + SevGuestState *sev = SEV_GUEST(htl); char *devname; int ret, fw_error; uint32_t ebx; uint32_t host_cbitpos; struct sev_user_data_status status = {}; - sev = lookup_sev_guest_info(id); - if (!sev) { - error_report("%s: '%s' is not a valid '%s' object", - __func__, id, TYPE_SEV_GUEST); - goto err; - } - sev_guest = sev; sev->state = SEV_STATE_UNINIT; @@ -748,16 +687,16 @@ sev_guest_init(const char *id) qemu_add_machine_init_done_notifier(&sev_machine_done_notify); qemu_add_vm_change_state_handler(sev_vm_state_change, sev); - return sev; + return 0; err: sev_guest = NULL; - return NULL; + return -1; } -int -sev_encrypt_data(void *handle, uint8_t *ptr, uint64_t len) +static int +sev_encrypt_data(HostTrustLimitation *opaque, uint8_t *ptr, uint64_t len) { - SevGuestState *sev = handle; + SevGuestState *sev = SEV_GUEST(opaque); assert(sev); 
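Review bot: the parameter name in `sev_encrypt_data(HostTrustLimitation *opaque, uint8_t *ptr, uint64_t len)` is a leftover from the `void *handle` version; now that it is a typed interface pointer, naming it `htl` as in sev_kvm_init() would keep the two callbacks consistent. Also, sev_kvm_init() assigns `sev_guest = sev;` before any of the remaining failure paths and relies on `err:` resetting it to NULL, which is the same pattern as before; a one-line comment at `err:` noting that the global must be cleared on failure would make that intent explicit.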
@@ -769,6 +708,46 @@ sev_encrypt_data(void *handle, uint8_t *ptr, uint64_t len) return 0; } +static void +sev_guest_class_init(ObjectClass *oc, void *data) +{ + HostTrustLimitationClass *htlc = HOST_TRUST_LIMITATION_CLASS(oc); + + object_class_property_add_str(oc, "sev-device", + sev_guest_get_sev_device, + sev_guest_set_sev_device); + object_class_property_set_description(oc, "sev-device", + "SEV device to use"); + object_class_property_add_str(oc, "dh-cert-file", + sev_guest_get_dh_cert_file, + sev_guest_set_dh_cert_file); + object_class_property_set_description(oc, "dh-cert-file", + "guest owners DH certificate (encoded with base64)"); + object_class_property_add_str(oc, "session-file", + sev_guest_get_session_file, + sev_guest_set_session_file); + object_class_property_set_description(oc, "session-file", + "guest owners session parameters (encoded with base64)"); + + htlc->kvm_init = sev_kvm_init; + htlc->encrypt_data = sev_encrypt_data; +} + +/* sev guest info */ +static const TypeInfo sev_guest_info = { + .parent = TYPE_OBJECT, + .name = TYPE_SEV_GUEST, + .instance_size = sizeof(SevGuestState), + .instance_finalize = sev_guest_finalize, + .class_init = sev_guest_class_init, + .instance_init = sev_guest_instance_init, + .interfaces = (InterfaceInfo[]) { + { TYPE_HOST_TRUST_LIMITATION }, + { TYPE_USER_CREATABLE }, + { } + } +}; + static void sev_register_types(void) { From patchwork Fri Jun 19 02:05:56 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: David Gibson X-Patchwork-Id: 11613125 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id F3F8C13A0 for ; Fri, 19 Jun 2020 02:06:40 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id DC0A82088E for ; Fri, 19 Jun 2020 02:06:40 +0000 (UTC) Authentication-Results: 
mail.kernel.org; dkim=pass (1024-bit key) header.d=gibson.dropbear.id.au header.i=@gibson.dropbear.id.au header.b="PGXqGx5R" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729861AbgFSCGj (ORCPT ); Thu, 18 Jun 2020 22:06:39 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49588 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729434AbgFSCGQ (ORCPT ); Thu, 18 Jun 2020 22:06:16 -0400 Received: from ozlabs.org (ozlabs.org [IPv6:2401:3900:2:1::2]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CD7B0C0613EF for ; Thu, 18 Jun 2020 19:06:15 -0700 (PDT) Received: by ozlabs.org (Postfix, from userid 1007) id 49p2GS4KDyz9sSd; Fri, 19 Jun 2020 12:06:08 +1000 (AEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gibson.dropbear.id.au; s=201602; t=1592532368; bh=lGpsXk4hQOTEwhOEzdOfxcKJ/9S5AvMOCy72WpLbGIs=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=PGXqGx5RFa3L9uIdDTvtmXRyY6YDD+lVZLisQAWzlHoo5MWeLRPbg1eWWMgalgcvp ahyA7amfii8AGl6FmYnMuEimB5axlVTM8oX0fronDxxIBf7enZM2BzAKR0V3ngIV8H TvMeielC5LaPUXpUerJOaDab/tCSPezlD3YxXcxo= 
From: David Gibson To: qemu-devel@nongnu.org, brijesh.singh@amd.com, pair@us.ibm.com, pbonzini@redhat.com, dgilbert@redhat.com, frankja@linux.ibm.com Cc: Marcel Apfelbaum , kvm@vger.kernel.org, qemu-ppc@nongnu.org, mst@redhat.com, mdroth@linux.vnet.ibm.com, Richard Henderson , cohuck@redhat.com, pasic@linux.ibm.com, Eduardo Habkost , David Gibson , qemu-s390x@nongnu.org, david@redhat.com, Richard Henderson Subject: [PATCH v3 3/9] host trust limitation: Move side effect out of machine_set_memory_encryption() Date: Fri, 19 Jun 2020 12:05:56 +1000 Message-Id: <20200619020602.118306-4-david@gibson.dropbear.id.au> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200619020602.118306-1-david@gibson.dropbear.id.au> References: <20200619020602.118306-1-david@gibson.dropbear.id.au> MIME-Version: 1.0 Sender: kvm-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: kvm@vger.kernel.org When the "memory-encryption" property is set, we also disable KSM merging for the guest, since it won't accomplish anything. We want that, but doing it in the property set function itself is theoretically incorrect, in the unlikely event of some configuration environment that set the property then cleared it again before constructing the guest. More importantly, it makes some other cleanups we want more difficult. So, instead move this logic to machine_run_board_init() conditional on the final value of the property. Signed-off-by: David Gibson Reviewed-by: Richard Henderson --- hw/core/machine.c | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/hw/core/machine.c b/hw/core/machine.c index 1d80ab0e1d..fdc0c7e038 100644 --- a/hw/core/machine.c +++ b/hw/core/machine.c 
@@ -435,14 +435,6 @@ static void machine_set_memory_encryption(Object *obj, const char *value, g_free(ms->memory_encryption); ms->memory_encryption = g_strdup(value); - - /* - * With memory encryption, the host can't see the real contents of RAM, - * so there's no point in it trying to merge areas. - */ - if (value) { - machine_set_mem_merge(obj, false, errp); - } } static bool machine_get_nvdimm(Object *obj, Error **errp) 
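Review bot: after this hunk machine_set_memory_encryption() no longer uses its `errp` parameter (the removed machine_set_mem_merge() call was its only user), and the relocated call in machine_run_board_init() passes `&error_abort`, so a failure that previously came back as a property-set error would now be fatal. machine_set_mem_merge() only stores a bool today, so this cannot actually fail, but a brief comment at the relocated call saying why `&error_abort` is acceptable would spare the next reader the same check.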
@@ -1135,6 +1127,15 @@ void machine_run_board_init(MachineState *machine) } } + if (machine->memory_encryption) { + /* + * With host trust limitation, the host can't see the real + * contents of RAM, so there's no point in it trying to merge + * areas. + */ + machine_set_mem_merge(OBJECT(machine), false, &error_abort); + } + machine_class->init(machine); } From patchwork Fri Jun 19 02:05:57 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: David Gibson X-Patchwork-Id: 11613111 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 6291213A0 for ; Fri, 19 Jun 2020 02:06:15 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 4AABD2088E for ; Fri, 19 Jun 2020 02:06:15 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=gibson.dropbear.id.au header.i=@gibson.dropbear.id.au header.b="drqFS3tp" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729228AbgFSCGO (ORCPT ); Thu, 18 Jun 2020 22:06:14 -0400 Received: from bilbo.ozlabs.org ([203.11.71.1]:43839 "EHLO ozlabs.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728125AbgFSCGL (ORCPT ); Thu, 18 Jun 2020 22:06:11 -0400 Received: by ozlabs.org (Postfix, from userid 1007) id 49p2GS51gdz9sSf; Fri, 19 Jun 2020 12:06:08 +1000 (AEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gibson.dropbear.id.au; s=201602; t=1592532368; bh=Tyfc+G1PqLXR9Edr87dtqwm5FYWBIwO1iB0LtB7dWSM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=drqFS3tpsGIz2+f7bAqa/NyDDVa8fH74EB+evMxQBZ+GKXjKVqjxhls6+I8ngzm4X aYxiIo3goBkbOVNhJO3Kxp/sVaSHSc8Yn/BFhn0ZiluUUAP7vKlkigQ70pu7WuRso9 DHGoeXqhC1s5d09Esffgc94vIW1vDMUjWYMAEf6g= 
From: David Gibson To: qemu-devel@nongnu.org, brijesh.singh@amd.com, pair@us.ibm.com, pbonzini@redhat.com, dgilbert@redhat.com, frankja@linux.ibm.com Cc: Marcel Apfelbaum , kvm@vger.kernel.org, qemu-ppc@nongnu.org, mst@redhat.com, mdroth@linux.vnet.ibm.com, Richard Henderson , cohuck@redhat.com, pasic@linux.ibm.com, Eduardo Habkost , David Gibson , qemu-s390x@nongnu.org, david@redhat.com Subject: [PATCH v3 4/9] host trust limitation: Rework the "memory-encryption" property Date: Fri, 19 Jun 2020 12:05:57 +1000 Message-Id: <20200619020602.118306-5-david@gibson.dropbear.id.au> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200619020602.118306-1-david@gibson.dropbear.id.au> References: <20200619020602.118306-1-david@gibson.dropbear.id.au> MIME-Version: 1.0 Sender: kvm-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: kvm@vger.kernel.org Currently the "memory-encryption" property is only looked at once we get to kvm_init(). Although protection of guest memory from the hypervisor isn't something that could really ever work with TCG, it's not conceptually tied to the KVM accelerator. In addition, the way the string property is resolved to an object is almost identical to how a QOM link property is handled. So, create a new "host-trust-limitation" link property which sets this QOM interface link directly in the machine. For compatibility we keep the "memory-encryption" property, but now implemented in terms of the new property. Signed-off-by: David Gibson Reviewed-by: Richard Henderson --- accel/kvm/kvm-all.c | 23 +++++++---------------- hw/core/machine.c | 41 ++++++++++++++++++++++++++++++++++++----- include/hw/boards.h | 2 +- 3 files changed, 44 insertions(+), 22 deletions(-) diff --git a/accel/kvm/kvm-all.c b/accel/kvm/kvm-all.c index 1e43e27f45..d8e8fa345e 100644 --- a/accel/kvm/kvm-all.c +++ b/accel/kvm/kvm-all.c 
@@ -2180,25 +2180,16 @@ static int kvm_init(MachineState *ms) * if memory encryption object is specified then initialize the memory * encryption context. */ - if (ms->memory_encryption) { - Object *obj = object_resolve_path_component(object_get_objects_root(), - ms->memory_encryption); - - if (object_dynamic_cast(obj, TYPE_HOST_TRUST_LIMITATION)) { - HostTrustLimitation *htl = HOST_TRUST_LIMITATION(obj); - HostTrustLimitationClass *htlc - = HOST_TRUST_LIMITATION_GET_CLASS(htl); - - ret = htlc->kvm_init(htl); - if (ret < 0) { - goto err; - } + if (ms->htl) { + HostTrustLimitationClass *htlc = + HOST_TRUST_LIMITATION_GET_CLASS(ms->htl); - kvm_state->htl = htl; - } else { - ret = -1; + ret = htlc->kvm_init(ms->htl); + if (ret < 0) { goto err; } + + kvm_state->htl = ms->htl; } ret = kvm_arch_init(ms, s); diff --git a/hw/core/machine.c b/hw/core/machine.c index fdc0c7e038..a71792bc16 100644 --- a/hw/core/machine.c +++ b/hw/core/machine.c @@ -27,6 +27,7 @@ #include "hw/pci/pci.h" #include "hw/mem/nvdimm.h" #include "migration/vmstate.h" +#include "exec/host-trust-limitation.h" GlobalProperty hw_compat_5_0[] = { { "virtio-balloon-device", "page-poison", "false" }, 
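Review bot: the comment kept above `if (ms->htl) {` still reads "if memory encryption object is specified then initialize the memory encryption context"; now that the field is the generic host trust limitation link rather than an encryption-specific id, update it to match, e.g. "if a host trust limitation object is specified, initialize it for KVM".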
@@ -425,16 +426,37 @@ static char *machine_get_memory_encryption(Object *obj, Error **errp) { MachineState *ms = MACHINE(obj); - return g_strdup(ms->memory_encryption); + if (ms->htl) { + return object_get_canonical_path_component(OBJECT(ms->htl)); + } + + return NULL; } static void machine_set_memory_encryption(Object *obj, const char *value, Error **errp) { - MachineState *ms = MACHINE(obj); + Object *htl = + object_resolve_path_component(object_get_objects_root(), value); + + if (!htl) { + error_setg(errp, "No such memory encryption object '%s'", value); + return; + } - g_free(ms->memory_encryption); - ms->memory_encryption = g_strdup(value); + object_property_set_link(obj, htl, "host-trust-limitation", errp); +} + +static void machine_check_host_trust_limitation(const Object *obj, + const char *name, + Object *new_target, + Error **errp) +{ + /* + * So far the only constraint is that the target has the + * TYPE_HOST_TRUST_LIMITATION interface, and that's checked by the + * QOM core + */ } static bool machine_get_nvdimm(Object *obj, Error **errp) @@ -855,6 +877,15 @@ static void machine_class_init(ObjectClass *oc, void *data) object_class_property_set_description(oc, "enforce-config-section", "Set on to enforce configuration section migration"); + object_class_property_add_link(oc, "host-trust-limitation", + TYPE_HOST_TRUST_LIMITATION, + offsetof(MachineState, htl), + machine_check_host_trust_limitation, + OBJ_PROP_LINK_STRONG); + object_class_property_set_description(oc, "host-trust-limitation", + "Set host trust limitation object to use"); + + /* For compatibility */ object_class_property_add_str(oc, "memory-encryption", machine_get_memory_encryption, machine_set_memory_encryption); object_class_property_set_description(oc, "memory-encryption", 
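Review bot: machine_set_memory_encryption() reports "No such memory encryption object '%s'" only when the id does not resolve at all; when it resolves to an object that does not implement TYPE_HOST_TRUST_LIMITATION, the error the user sees is whatever the QOM link type check inside object_property_set_link() produces, which will mention "host-trust-limitation" rather than the "memory-encryption" option they actually typed. An explicit `object_dynamic_cast(htl, TYPE_HOST_TRUST_LIMITATION)` check with a message naming both would keep the compatibility property self-explanatory. If the empty machine_check_host_trust_limitation() exists only so that the link property is writable, its comment should say so, since otherwise it reads as a check that was forgotten.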
@@ -1127,7 +1158,7 @@ void machine_run_board_init(MachineState *machine) } } - if (machine->memory_encryption) { + if (machine->htl) { /* * With host trust limitation, the host can't see the real * contents of RAM, so there's no point in it trying to merge diff --git a/include/hw/boards.h b/include/hw/boards.h index 18815d9be2..a9f8444729 100644 --- a/include/hw/boards.h +++ b/include/hw/boards.h 
@@ -277,7 +277,7 @@ struct MachineState { bool suppress_vmdesc; bool enforce_config_section; bool enable_graphics; - char *memory_encryption; + HostTrustLimitation *htl; char *ram_memdev_id; /* * convenience alias to ram_memdev_id backend memory region From patchwork Fri Jun 19 02:05:58 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: David Gibson X-Patchwork-Id: 11613119 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id C3B5F13A0 for ; Fri, 19 Jun 2020 02:06:35 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id A782320888 for ; Fri, 19 Jun 2020 02:06:35 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=gibson.dropbear.id.au header.i=@gibson.dropbear.id.au header.b="cBvMriuf" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728125AbgFSCGb (ORCPT ); Thu, 18 Jun 2020 22:06:31 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49586 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729456AbgFSCGR (ORCPT ); Thu, 18 Jun 2020 22:06:17 -0400 Received: from ozlabs.org (bilbo.ozlabs.org [IPv6:2401:3900:2:1::2]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A5FD1C0613EE for ; Thu, 18 Jun 2020 19:06:15 -0700 (PDT) Received: by ozlabs.org (Postfix, from userid 1007) id 49p2GT1nx6z9sSg; Fri, 19 Jun 2020 12:06:08 +1000 (AEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gibson.dropbear.id.au; s=201602; t=1592532369; bh=T8XqkWK5JYfur3/pmkkptr+wA0TMGxmdlb99ZrpmXZk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=cBvMriufB9iG+tUu4tP1QPH2DHnINBGfgG58DZp8rqgZKdt7GFlHSdgv2cbCxtmxY 64vPS+bMDu4WjEraFgPx/XClkpfn2dYIukR9dAIGrInHf3xTwu3qOmrgZTJ4qjpqjK 2KZR9fPhMiGpVYa/el8HATHhqCc3ofYY+tgMm7Pk= 
From: David Gibson To: qemu-devel@nongnu.org, brijesh.singh@amd.com, pair@us.ibm.com, pbonzini@redhat.com, dgilbert@redhat.com, frankja@linux.ibm.com Cc: Marcel Apfelbaum , kvm@vger.kernel.org, qemu-ppc@nongnu.org, mst@redhat.com, mdroth@linux.vnet.ibm.com, Richard Henderson , cohuck@redhat.com, pasic@linux.ibm.com, Eduardo Habkost , David Gibson , qemu-s390x@nongnu.org, david@redhat.com, Richard Henderson Subject: [PATCH v3 5/9] host trust limitation: Decouple kvm_memcrypt_*() helpers from KVM Date: Fri, 19 Jun 2020 12:05:58 +1000 Message-Id: <20200619020602.118306-6-david@gibson.dropbear.id.au> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200619020602.118306-1-david@gibson.dropbear.id.au> References: <20200619020602.118306-1-david@gibson.dropbear.id.au> MIME-Version: 1.0 Sender: kvm-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: kvm@vger.kernel.org The kvm_memcrypt_enabled() and kvm_memcrypt_encrypt_data() helper functions don't conceptually have any connection to KVM (although it's not possible in practice to use them without it). They also rely on looking at the global KVMState. But the same information is available from the machine, and the only existing callers have natural access to the machine state. Therefore, move and rename them to helpers in host-trust-limitation.h, taking an explicit machine parameter. Signed-off-by: David Gibson Reviewed-by: Richard Henderson --- accel/kvm/kvm-all.c | 27 --------------------- accel/stubs/kvm-stub.c | 10 -------- hw/i386/pc_sysfw.c | 6 +++-- include/exec/host-trust-limitation.h | 36 ++++++++++++++++++++++++++++ include/sysemu/kvm.h | 17 ------------- 5 files changed, 40 insertions(+), 56 deletions(-) diff --git a/accel/kvm/kvm-all.c b/accel/kvm/kvm-all.c index d8e8fa345e..9645271ca5 100644 --- a/accel/kvm/kvm-all.c +++ b/accel/kvm/kvm-all.c 
@@ -118,9 +118,6 @@ struct KVMState KVMMemoryListener memory_listener; QLIST_HEAD(, KVMParkedVcpu) kvm_parked_vcpus; - /* host trust limitation (e.g. by guest memory encryption) */ - HostTrustLimitation *htl; - /* For "info mtree -f" to tell if an MR is registered in KVM */ int nr_as; struct KVMAs { @@ -219,28 +216,6 @@ int kvm_get_max_memslots(void) return s->nr_slots; } -bool kvm_memcrypt_enabled(void) -{ - if (kvm_state && kvm_state->htl) { - return true; - } - - return false; -} - -int kvm_memcrypt_encrypt_data(uint8_t *ptr, uint64_t len) -{ - HostTrustLimitation *htl = kvm_state->htl; - - if (htl) { - HostTrustLimitationClass *htlc = HOST_TRUST_LIMITATION_GET_CLASS(htl); - - return htlc->encrypt_data(htl, ptr, len); - } - - return 1; -} - /* Called with KVMMemoryListener.slots_lock held */ static KVMSlot *kvm_get_free_slot(KVMMemoryListener *kml) { @@ -2188,8 +2163,6 @@ static int kvm_init(MachineState *ms) if (ret < 0) { goto err; } - - kvm_state->htl = ms->htl; } ret = kvm_arch_init(ms, s); diff --git a/accel/stubs/kvm-stub.c b/accel/stubs/kvm-stub.c index 82f118d2df..78b3eef117 100644 --- a/accel/stubs/kvm-stub.c +++ b/accel/stubs/kvm-stub.c @@ -104,16 +104,6 @@ int kvm_on_sigbus(int code, void *addr) return 1; } -bool kvm_memcrypt_enabled(void) -{ - return false; -} - -int kvm_memcrypt_encrypt_data(uint8_t *ptr, uint64_t len) -{ - return 1; -} - #ifndef CONFIG_USER_ONLY int kvm_irqchip_add_msi_route(KVMState *s, int vector, PCIDevice *dev) { diff --git a/hw/i386/pc_sysfw.c b/hw/i386/pc_sysfw.c index ec2a3b3e7e..cab5ac5695 100644 --- a/hw/i386/pc_sysfw.c +++ b/hw/i386/pc_sysfw.c @@ -38,6 +38,7 @@ #include "sysemu/sysemu.h" #include "hw/block/flash.h" #include "sysemu/kvm.h" +#include "exec/host-trust-limitation.h" /* * We don't have a theoretically justifiable exact lower bound on the base 
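Review bot: the explanatory comment `/* host trust limitation (e.g. by guest memory encryption) */` disappears together with the KVMState::htl field in the first kvm-all.c hunk, and nothing equivalent documents MachineState::htl, which is now the only home for the pointer (patch 1/9 adds that field bare); carry the comment over to the field in hw/boards.h. The commit message could also state why dropping the kvm-stub.c stubs is safe: the replacement helpers are static inlines that read the machine rather than kvm_state, so they work in non-KVM builds as well.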
@@ -196,10 +197,11 @@ static void pc_system_flash_map(PCMachineState *pcms, pc_isa_bios_init(rom_memory, flash_mem, size); /* Encrypt the pflash boot ROM */ - if (kvm_memcrypt_enabled()) { + if (host_trust_limitation_enabled(MACHINE(pcms))) { flash_ptr = memory_region_get_ram_ptr(flash_mem); flash_size = memory_region_size(flash_mem); - ret = kvm_memcrypt_encrypt_data(flash_ptr, flash_size); + ret = host_trust_limitation_encrypt(MACHINE(pcms), + flash_ptr, flash_size); if (ret) { error_report("failed to encrypt pflash rom"); exit(1); diff --git a/include/exec/host-trust-limitation.h b/include/exec/host-trust-limitation.h index a19f12ae14..fc30ea3f78 100644 --- a/include/exec/host-trust-limitation.h +++ b/include/exec/host-trust-limitation.h @@ -14,6 +14,7 @@ #define QEMU_HOST_TRUST_LIMITATION_H #include "qom/object.h" +#include "hw/boards.h" #define TYPE_HOST_TRUST_LIMITATION "host-trust-limitation" #define HOST_TRUST_LIMITATION(obj) \ 
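Review bot: the `error_report("failed to encrypt pflash rom")` in the pc_sysfw.c hunk is now reached whenever host_trust_limitation_encrypt() returns non-zero, and with the new helper that includes the case where the configured mechanism simply has no encrypt_data hook, not only a real encryption failure; reword the message to say that the configured host-trust-limitation object cannot encrypt the boot ROM, or distinguish the two cases, so the user is not sent looking for a firmware or SEV fault that never happened.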
@@ -33,4 +34,39 @@ typedef struct HostTrustLimitationClass { int (*encrypt_data)(HostTrustLimitation *, uint8_t *, uint64_t); } HostTrustLimitationClass; +/** + * host_trust_limitation_enabled - return whether guest memory is protected + * from hypervisor access (with memory + * encryption or otherwise) + * Returns: true guest memory is not directly accessible to qemu + * false guest memory is directly accessible to qemu + */ +static inline bool host_trust_limitation_enabled(MachineState *machine) +{ + return !!machine->htl; +} + +/** + * host_trust_limitation_encrypt: encrypt the memory range to make + * it guest accessible + * + * Return: 1 failed to encrypt the range + * 0 succesfully encrypted memory region + */ +static inline int host_trust_limitation_encrypt(MachineState *machine, + uint8_t *ptr, uint64_t len) +{ + HostTrustLimitation *htl = machine->htl; + + if (htl) { + HostTrustLimitationClass *htlc = HOST_TRUST_LIMITATION_GET_CLASS(htl); + + if (htlc->encrypt_data) { + return htlc->encrypt_data(htl, ptr, len); + } + } + + return 1; +} + #endif /* QEMU_HOST_TRUST_LIMITATION_H */ diff --git a/include/sysemu/kvm.h b/include/sysemu/kvm.h index b4174d941c..c7b9739609 100644 --- a/include/sysemu/kvm.h +++ b/include/sysemu/kvm.h 
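Review bot: the kernel-doc for host_trust_limitation_enabled() in the include/exec/host-trust-limitation.h hunk over-promises: `return !!machine->htl` only says that a host trust limitation object is configured, and, as the PEF patch later in this series explains, a PEF guest may not have entered secure mode at all, so "guest memory is not directly accessible to qemu" is not something this function can assert; suggest `Returns: true if a host trust limitation mechanism is configured for the machine`. In host_trust_limitation_encrypt() the `return 1` path is taken both when no htl is set and when the mechanism lacks an encrypt_data hook; document that a mechanism without the hook is deliberately treated as a failure rather than a no-op (the conservative choice), and fix the carried-over typo `succesfully` while touching the comment. Pulling "hw/boards.h" into an exec/ header is the price of making these static inline; if that layering is unwanted, make them out-of-line in backends/host-trust-limitation.c, which this series already creates.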
@@ -231,23 +231,6 @@ int kvm_destroy_vcpu(CPUState *cpu); */ bool kvm_arm_supports_user_irq(void); -/** - * kvm_memcrypt_enabled - return boolean indicating whether memory encryption - * is enabled - * Returns: 1 memory encryption is enabled - * 0 memory encryption is disabled - */ -bool kvm_memcrypt_enabled(void); - -/** - * kvm_memcrypt_encrypt_data: encrypt the memory range - * - * Return: 1 failed to encrypt the range - * 0 succesfully encrypted memory region - */ -int kvm_memcrypt_encrypt_data(uint8_t *ptr, uint64_t len); - - #ifdef NEED_CPU_H #include "cpu.h" From patchwork Fri Jun 19 02:05:59 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: David Gibson X-Patchwork-Id: 11613115 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 0C7EC14E3 for ; Fri, 19 Jun 2020 02:06:21 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id E83D920773 for ; Fri, 19 Jun 2020 02:06:20 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=gibson.dropbear.id.au header.i=@gibson.dropbear.id.au header.b="i+8S4y1n" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729523AbgFSCGT (ORCPT ); Thu, 18 Jun 2020 22:06:19 -0400 Received: from bilbo.ozlabs.org ([203.11.71.1]:59127 "EHLO ozlabs.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729161AbgFSCGO (ORCPT ); Thu, 18 Jun 2020 22:06:14 -0400 Received: by ozlabs.org (Postfix, from userid 1007) id 49p2GT35rgz9sT8; Fri, 19 Jun 2020 12:06:08 +1000 (AEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gibson.dropbear.id.au; s=201602; t=1592532369; bh=rKuvzP3I0zndPbCxEWAF/KYSFkgJfgyIKqNEdtPx2Aw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; 
b=i+8S4y1njyzLLozEwk54jAInltcAB7xtL2/XwnGGBQFN7qOQAQ0LZY3Evxk2yTYJd 6bUkAK3fV2KpkTo/COE+7OTMowzQkzMykiAVXGhU7yVD8isuUojgXeq1Qi3x0BZowU tubDnZmwDpkophHRr3f8elKyeKGTHw6YoExLu9ag= From: David Gibson To: qemu-devel@nongnu.org, brijesh.singh@amd.com, pair@us.ibm.com, pbonzini@redhat.com, dgilbert@redhat.com, frankja@linux.ibm.com Cc: Marcel Apfelbaum , kvm@vger.kernel.org, qemu-ppc@nongnu.org, mst@redhat.com, mdroth@linux.vnet.ibm.com, Richard Henderson , cohuck@redhat.com, pasic@linux.ibm.com, Eduardo Habkost , David Gibson , qemu-s390x@nongnu.org, david@redhat.com, =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= , Richard Henderson Subject: [PATCH v3 6/9] host trust limitation: Add Error ** to HostTrustLimitation::kvm_init Date: Fri, 19 Jun 2020 12:05:59 +1000 Message-Id: <20200619020602.118306-7-david@gibson.dropbear.id.au> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200619020602.118306-1-david@gibson.dropbear.id.au> References: <20200619020602.118306-1-david@gibson.dropbear.id.au> MIME-Version: 1.0 Sender: kvm-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: kvm@vger.kernel.org This allows failures to be reported richly and idiomatically. Signed-off-by: David Gibson Reviewed-by: Philippe Mathieu-Daudé Reviewed-by: Richard Henderson --- accel/kvm/kvm-all.c | 4 +++- include/exec/host-trust-limitation.h | 2 +- target/i386/sev.c | 31 ++++++++++++++-------------- 3 files changed, 19 insertions(+), 18 deletions(-) diff --git a/accel/kvm/kvm-all.c b/accel/kvm/kvm-all.c index 9645271ca5..c236ebeae0 100644 --- a/accel/kvm/kvm-all.c +++ b/accel/kvm/kvm-all.c @@ -2158,9 +2158,11 @@ static int kvm_init(MachineState *ms) if (ms->htl) { HostTrustLimitationClass *htlc = HOST_TRUST_LIMITATION_GET_CLASS(ms->htl); + Error *local_err = NULL; - ret = htlc->kvm_init(ms->htl); + ret = htlc->kvm_init(ms->htl, &local_err); if (ret < 0) { + error_report_err(local_err); goto err; } } 
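Review bot: `error_report_err(local_err)` in the kvm_init() hunk dereferences local_err unconditionally, so the new contract has to be that every kvm_init implementation sets *errp whenever it returns a negative value; a callback that returns -1 with errp untouched would crash here instead of reporting. Either state that requirement in a comment at the callback declaration in the header, or guard the call: `if (local_err) { error_report_err(local_err); } else { error_report("host trust limitation init failed"); }`.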
diff --git a/include/exec/host-trust-limitation.h b/include/exec/host-trust-limitation.h index fc30ea3f78..d93b537280 100644 --- a/include/exec/host-trust-limitation.h +++ b/include/exec/host-trust-limitation.h @@ -30,7 +30,7 @@ typedef struct HostTrustLimitationClass { InterfaceClass parent; - int (*kvm_init)(HostTrustLimitation *); + int (*kvm_init)(HostTrustLimitation *, Error **); int (*encrypt_data)(HostTrustLimitation *, uint8_t *, uint64_t); } HostTrustLimitationClass; diff --git a/target/i386/sev.c b/target/i386/sev.c index 052a05d15a..829f78436a 100644 --- a/target/i386/sev.c +++ b/target/i386/sev.c @@ -617,7 +617,7 @@ sev_vm_state_change(void *opaque, int running, RunState state) } } -static int sev_kvm_init(HostTrustLimitation *htl) +static int sev_kvm_init(HostTrustLimitation *htl, Error **errp) { SevGuestState *sev = SEV_GUEST(htl); char *devname; @@ -633,14 +633,14 @@ static int sev_kvm_init(HostTrustLimitation *htl) host_cbitpos = ebx & 0x3f; if (host_cbitpos != sev->cbitpos) { - error_report("%s: cbitpos check failed, host '%d' requested '%d'", - __func__, host_cbitpos, sev->cbitpos); + error_setg(errp, "%s: cbitpos check failed, host '%d' requested '%d'", + __func__, host_cbitpos, sev->cbitpos); goto err; } if (sev->reduced_phys_bits < 1) { - error_report("%s: reduced_phys_bits check failed, it should be >=1," - " requested '%d'", __func__, sev->reduced_phys_bits); + error_setg(errp, "%s: reduced_phys_bits check failed, it should be >=1," + " requested '%d'", __func__, sev->reduced_phys_bits); goto err; } 
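Review bot: the `"%s: ..."` / `__func__` prefixes survive the error_report() to error_setg() conversion in the target/i386/sev.c hunks, but these strings now travel in Error objects and reach the user (and QMP clients) where a C function name is noise; QEMU's convention is to describe the failure without it, e.g. `error_setg(errp, "SEV: cbitpos check failed, host '%d' requested '%d'", host_cbitpos, sev->cbitpos)`, and the same applies to the reduced_phys_bits message.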
@@ -649,20 +649,19 @@ static int sev_kvm_init(HostTrustLimitation *htl) devname = object_property_get_str(OBJECT(sev), "sev-device", NULL); sev->sev_fd = open(devname, O_RDWR); if (sev->sev_fd < 0) { - error_report("%s: Failed to open %s '%s'", __func__, - devname, strerror(errno)); - } - g_free(devname); - if (sev->sev_fd < 0) { + error_setg(errp, "%s: Failed to open %s '%s'", __func__, + devname, strerror(errno)); + g_free(devname); goto err; } + g_free(devname); ret = sev_platform_ioctl(sev->sev_fd, SEV_PLATFORM_STATUS, &status, &fw_error); if (ret) { - error_report("%s: failed to get platform status ret=%d " - "fw_error='%d: %s'", __func__, ret, fw_error, - fw_error_to_str(fw_error)); + error_setg(errp, "%s: failed to get platform status ret=%d " + "fw_error='%d: %s'", __func__, ret, fw_error, + fw_error_to_str(fw_error)); goto err; } sev->build_id = status.build; 
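Review bot: the open() failure path in this hunk formats `strerror(errno)` by hand; `error_setg_errno(errp, errno, "Failed to open %s", devname)` exists for exactly this and appends the strerror text consistently with the rest of the tree. The restructuring that moves `g_free(devname)` into the failure branch and repeats it after the `if` is correct but easy to regress on the next edit; declaring `g_autofree char *devname` would remove both calls.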
@@ -672,14 +671,14 @@ static int sev_kvm_init(HostTrustLimitation *htl) trace_kvm_sev_init(); ret = sev_ioctl(sev->sev_fd, KVM_SEV_INIT, NULL, &fw_error); if (ret) { - error_report("%s: failed to initialize ret=%d fw_error=%d '%s'", - __func__, ret, fw_error, fw_error_to_str(fw_error)); + error_setg(errp, "%s: failed to initialize ret=%d fw_error=%d '%s'", + __func__, ret, fw_error, fw_error_to_str(fw_error)); goto err; } ret = sev_launch_start(sev); if (ret) { - error_report("%s: failed to create encryption context", __func__); + error_setg(errp, "%s: failed to create encryption context", __func__); goto err; } From patchwork Fri Jun 19 02:06:00 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: David Gibson X-Patchwork-Id: 11613123 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 6554714E3 for ; Fri, 19 Jun 2020 02:06:40 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 448A320888 for ; Fri, 19 Jun 2020 02:06:40 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=gibson.dropbear.id.au header.i=@gibson.dropbear.id.au header.b="Dh6czTEK" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729497AbgFSCGi (ORCPT ); Thu, 18 Jun 2020 22:06:38 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49590 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729445AbgFSCGR (ORCPT ); Thu, 18 Jun 2020 22:06:17 -0400 Received: from ozlabs.org (bilbo.ozlabs.org [IPv6:2401:3900:2:1::2]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DCF30C0613F0 for ; Thu, 18 Jun 2020 19:06:15 -0700 (PDT) Received: by ozlabs.org (Postfix, from userid 1007) id 49p2GT2LD1z9sT2; Fri, 19 Jun 2020 12:06:08 +1000 (AEST) DKIM-Signature: 
From: David Gibson To: qemu-devel@nongnu.org, brijesh.singh@amd.com, pair@us.ibm.com, pbonzini@redhat.com, dgilbert@redhat.com, frankja@linux.ibm.com Cc: Marcel Apfelbaum , kvm@vger.kernel.org, qemu-ppc@nongnu.org, mst@redhat.com, mdroth@linux.vnet.ibm.com, Richard Henderson , cohuck@redhat.com, pasic@linux.ibm.com, Eduardo Habkost , David Gibson , qemu-s390x@nongnu.org, david@redhat.com, Ram Pai Subject: [PATCH v3 7/9] spapr: Add PEF based host trust limitation Date: Fri, 19 Jun 2020 12:06:00 +1000 Message-Id: <20200619020602.118306-8-david@gibson.dropbear.id.au> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200619020602.118306-1-david@gibson.dropbear.id.au> References: <20200619020602.118306-1-david@gibson.dropbear.id.au> MIME-Version: 1.0 Sender: kvm-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: kvm@vger.kernel.org Some upcoming POWER machines have a system called PEF (Protected Execution Facility) which uses a small ultravisor to allow guests to run in a way that they can't be eavesdropped by the hypervisor. The effect is roughly similar to AMD SEV, although the mechanisms are quite different. Most of the work of this is done between the guest, KVM and the ultravisor, with little need for involvement by qemu. However, qemu does need to tell KVM to allow secure VMs. Because the availability of secure mode is a guest visible difference which depends on having the right hardware and firmware, we don't enable this by default. In order to run a secure guest you need to create a "pef-guest" object and set the host-trust-limitation machine property to point to it. Note that this just *allows* secure guests; the architecture of PEF is such that the guest still needs to talk to the ultravisor to enter secure mode. Qemu has no direct way of knowing if the guest is in secure mode, and certainly can't know until well after machine creation time.
Signed-off-by: David Gibson Acked-by: Ram Pai --- target/ppc/Makefile.objs | 2 +- target/ppc/pef.c | 83 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 84 insertions(+), 1 deletion(-) create mode 100644 target/ppc/pef.c diff --git a/target/ppc/Makefile.objs b/target/ppc/Makefile.objs index e8fa18ce13..ac93b9700e 100644 --- a/target/ppc/Makefile.objs +++ b/target/ppc/Makefile.objs @@ -6,7 +6,7 @@ obj-y += machine.o mmu_helper.o mmu-hash32.o monitor.o arch_dump.o obj-$(TARGET_PPC64) += mmu-hash64.o mmu-book3s-v3.o compat.o obj-$(TARGET_PPC64) += mmu-radix64.o endif -obj-$(CONFIG_KVM) += kvm.o +obj-$(CONFIG_KVM) += kvm.o pef.o obj-$(call lnot,$(CONFIG_KVM)) += kvm-stub.o obj-y += dfp_helper.o obj-y += excp_helper.o diff --git a/target/ppc/pef.c b/target/ppc/pef.c new file mode 100644 index 0000000000..53a6af0347 --- /dev/null +++ b/target/ppc/pef.c 
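Review bot: `obj-$(CONFIG_KVM) += kvm.o pef.o` in the Makefile.objs hunk builds the pef-guest type only in KVM-enabled builds, so on a TCG-only qemu-system-ppc64 `-object pef-guest,id=pef0` fails with the object model's generic "invalid object type" message rather than anything mentioning PEF or KVM; at least note this in the commit message, or register the type unconditionally and have it report that PEF requires KVM.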
@@ -0,0 +1,83 @@ +/* + * PEF (Protected Execution Facility) for POWER support + * + * Copyright David Gibson, Redhat Inc. 2020 + * + * This work is licensed under the terms of the GNU GPL, version 2 or later. + * See the COPYING file in the top-level directory. + * + */ + +#include "qemu/osdep.h" + +#include "qapi/error.h" +#include "qom/object_interfaces.h" +#include "sysemu/kvm.h" +#include "migration/blocker.h" +#include "exec/host-trust-limitation.h" + +#define TYPE_PEF_GUEST "pef-guest" +#define PEF_GUEST(obj) \ + OBJECT_CHECK(PefGuestState, (obj), TYPE_PEF_GUEST) + +typedef struct PefGuestState PefGuestState; + +/** + * PefGuestState: + * + * The PefGuestState object is used for creating and managing a PEF + * guest. + * + * # $QEMU \ + * -object pef-guest,id=pef0 \ + * -machine ...,host-trust-limitation=pef0 + */ +struct PefGuestState { + Object parent_obj; +}; + +static int pef_kvm_init(HostTrustLimitation *gmpo, Error **errp) +{ + if (!kvm_check_extension(kvm_state, KVM_CAP_PPC_SECURE_GUEST)) { + error_setg(errp, + "KVM implementation does not support Secure VMs (is an ultravisor running?)"); + return -1; + } else { + int ret = kvm_vm_enable_cap(kvm_state, KVM_CAP_PPC_SECURE_GUEST, 0, 1); + + if (ret < 0) { + error_setg(errp, + "Error enabling PEF with KVM"); + return -1; + } + } + + return 0; +} + +static void pef_guest_class_init(ObjectClass *oc, void *data) +{ + HostTrustLimitationClass *gmpc = HOST_TRUST_LIMITATION_CLASS(oc); + + gmpc->kvm_init = pef_kvm_init; +} + +static const TypeInfo pef_guest_info = { + .parent = TYPE_OBJECT, + .name = TYPE_PEF_GUEST, + .instance_size = sizeof(PefGuestState), + .class_init = pef_guest_class_init, + .interfaces = (InterfaceInfo[]) { + { TYPE_HOST_TRUST_LIMITATION }, + { TYPE_USER_CREATABLE }, + { } + } +}; + +static void +pef_register_types(void) +{ + type_register_static(&pef_guest_info); +} + +type_init(pef_register_types); From patchwork Fri Jun 19 02:06:01 2020 Content-Type: text/plain; charset="utf-8" 
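Review bot: pef_kvm_init() and pef_guest_class_init() in the target/ppc/pef.c hunk name their parameters `gmpo`/`gmpc` (leftovers of an earlier "guest memory protection" naming) while the rest of the series uses `htl`/`htlc`; rename for consistency. The `else` after `return -1` is redundant, and the kvm_vm_enable_cap() failure message drops the cause: kvm_vm_ioctl() returns -errno, so `error_setg_errno(errp, -ret, "Error enabling PEF with KVM")` would tell the user whether it was EINVAL, EPERM or something else. The function also reaches for the global `kvm_state` that patch 5/9 just argued callers should avoid; passing the KVMState (or the MachineState) into the kvm_init hook would be in keeping with that change. The `-object pef-guest,id=pef0 -machine ...,host-trust-limitation=pef0` example in the PefGuestState doc comment is currently the only place the command line is documented; it deserves a mention in the user-facing docs as well.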
From: David Gibson To: qemu-devel@nongnu.org, brijesh.singh@amd.com, pair@us.ibm.com, pbonzini@redhat.com, dgilbert@redhat.com, frankja@linux.ibm.com Cc: Marcel Apfelbaum , kvm@vger.kernel.org, qemu-ppc@nongnu.org, mst@redhat.com, mdroth@linux.vnet.ibm.com, Richard Henderson , cohuck@redhat.com, pasic@linux.ibm.com, Eduardo Habkost , David Gibson , qemu-s390x@nongnu.org, david@redhat.com Subject: [PATCH v3 8/9] spapr: PEF: block migration Date: Fri, 19 Jun 2020 12:06:01 +1000 Message-Id: <20200619020602.118306-9-david@gibson.dropbear.id.au> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200619020602.118306-1-david@gibson.dropbear.id.au> References: <20200619020602.118306-1-david@gibson.dropbear.id.au> MIME-Version: 1.0 Sender: kvm-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: kvm@vger.kernel.org We haven't yet implemented the fairly involved handshaking that will be needed to migrate PEF protected guests. For now, just use a migration blocker so we get a meaningful error if someone attempts this (this is the same approach used by AMD SEV). Signed-off-by: David Gibson --- target/ppc/pef.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/target/ppc/pef.c b/target/ppc/pef.c index 53a6af0347..6a50efd580 100644 --- a/target/ppc/pef.c +++ b/target/ppc/pef.c @@ -36,6 +36,8 @@ struct PefGuestState { Object parent_obj; }; +static Error *pef_mig_blocker; + static int pef_kvm_init(HostTrustLimitation *gmpo, Error **errp) { if (!kvm_check_extension(kvm_state, KVM_CAP_PPC_SECURE_GUEST)) { 
@@ -52,6 +54,10 @@ static int pef_kvm_init(HostTrustLimitation *gmpo, Error **errp) } } + /* add migration blocker */ + error_setg(&pef_mig_blocker, "PEF: Migration is not implemented"); + migrate_add_blocker(pef_mig_blocker, &error_abort); + return 0; } From patchwork Fri Jun 19 02:06:02 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: David Gibson X-Patchwork-Id: 11613113 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 035A314E3 for ; Fri, 19 Jun 2020 02:06:20 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id D506120888 for ; Fri, 19 Jun 2020 02:06:19 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=gibson.dropbear.id.au header.i=@gibson.dropbear.id.au header.b="Vb47zuH8" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729386AbgFSCGP (ORCPT ); Thu, 18 Jun 2020 22:06:15 -0400 Received: from bilbo.ozlabs.org ([203.11.71.1]:46503 "EHLO ozlabs.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729211AbgFSCGO (ORCPT ); Thu, 18 Jun 2020 22:06:14 -0400 Received: by ozlabs.org (Postfix, from userid 1007) id 49p2GT4QHRz9sT9; Fri, 19 Jun 2020 12:06:09 +1000 (AEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gibson.dropbear.id.au; s=201602; t=1592532369; bh=mtzkVC37cD70gZZRJwitgnHn1rAt12wP3H2B7h801OA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Vb47zuH8AeY0Rt1D1epCfmen+R/9FWcG0PkfOkDWsRDehfFaIxDcwBec2zAstER0V /0Apuld5o9ZDSaPq1QqKcZbGISKS9FbMqq0/+k/lQLY+pNvSmSzjBGjQ64shXj9yHz +gVGN2ZqMpWC9V1jeUFXD56PQwZf68UyPuEhsKHE= 
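Review bot: `migrate_add_blocker(pef_mig_blocker, &error_abort)` in this hunk turns a refused blocker into an abort of QEMU at machine init, which is the opposite of the "meaningful error" the commit message wants: with `-only-migratable`, migrate_add_blocker() rejects the blocker and returns an error instead of installing it. kvm_init now takes an `Error **` (patch 6/9), so propagate it: `if (migrate_add_blocker(pef_mig_blocker, errp) < 0) { error_free(pef_mig_blocker); pef_mig_blocker = NULL; return -1; }`. Since `pef_mig_blocker` is a static filled by error_setg(), which asserts the destination is NULL, it is also worth a comment that pef_kvm_init() must run at most once per process.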
From: David Gibson To: qemu-devel@nongnu.org, brijesh.singh@amd.com, pair@us.ibm.com, pbonzini@redhat.com, dgilbert@redhat.com, frankja@linux.ibm.com Cc: Marcel Apfelbaum , kvm@vger.kernel.org, qemu-ppc@nongnu.org, mst@redhat.com, mdroth@linux.vnet.ibm.com, Richard Henderson , cohuck@redhat.com, pasic@linux.ibm.com, Eduardo Habkost , David Gibson , qemu-s390x@nongnu.org, david@redhat.com Subject: [PATCH v3 9/9] host trust limitation: Alter virtio default properties for protected guests Date: Fri, 19 Jun 2020 12:06:02 +1000 Message-Id: <20200619020602.118306-10-david@gibson.dropbear.id.au> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200619020602.118306-1-david@gibson.dropbear.id.au> References: <20200619020602.118306-1-david@gibson.dropbear.id.au> MIME-Version: 1.0 Sender: kvm-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: kvm@vger.kernel.org The default behaviour for virtio devices is not to use the platform's normal DMA paths, but instead to use the fact that it's running in a hypervisor to directly access guest memory. That doesn't work if the guest's memory is protected from hypervisor access, such as with AMD's SEV or POWER's PEF. So, if a host trust limitation mechanism is enabled, then apply the iommu_platform=on option so it will go through normal DMA mechanisms. Those will presumably have some way of marking memory as shared with the hypervisor or hardware so that DMA will work. Signed-off-by: David Gibson --- hw/core/machine.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/hw/core/machine.c b/hw/core/machine.c index a71792bc16..8dfc1bb3f8 100644 --- a/hw/core/machine.c +++ b/hw/core/machine.c @@ -28,6 +28,8 @@ #include "hw/mem/nvdimm.h" #include "migration/vmstate.h" #include "exec/host-trust-limitation.h" +#include "hw/virtio/virtio.h" +#include "hw/virtio/virtio-pci.h" GlobalProperty hw_compat_5_0[] = { { "virtio-balloon-device", "page-poison", "false" },
@@ -1165,6 +1167,15 @@ void machine_run_board_init(MachineState *machine) * areas. */ machine_set_mem_merge(OBJECT(machine), false, &error_abort); + + /* + * Virtio devices can't count on directly accessing guest + * memory, so they need iommu_platform=on to use normal DMA + * mechanisms. That requires disabling legacy virtio support + * for virtio pci devices + */ + object_register_sugar_prop(TYPE_VIRTIO_PCI, "disable-legacy", "on"); + object_register_sugar_prop(TYPE_VIRTIO_DEVICE, "iommu_platform", "on"); } machine_class->init(machine);
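Review bot: the two object_register_sugar_prop() calls in this hunk change guest-visible defaults (modern-only virtio-pci, iommu_platform/ACCESS_PLATFORM on) for every virtio device, including ones hot-plugged later, whenever a host trust limitation object is configured; that is the right default for protected guests, but the commit message should spell out two consequences. First, a guest whose virtio drivers do not support ACCESS_PLATFORM will not get working virtio devices. Second, because these are sugar properties, an explicit per-device `iommu_platform=off` on the command line quietly overrides them and recreates exactly the DMA failure this patch prevents; a warning when the user does so, or at least a line in the docs, would help. The new `hw/virtio/virtio-pci.h` include also makes hw/core/machine.c depend on one specific transport for the sake of the TYPE_VIRTIO_PCI name; a sentence in the code comment on why core reaches into virtio-pci (legacy virtio cannot carry the ACCESS_PLATFORM feature bit) would make that deliberate.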