Hi,
> Maybe not from the user's point of view, but surely for the vmfwupdate
> interface design and for the launch measurement calculations.
>
> When using igvm parameters for the kernel hashes we need to pass on (at
> least) two items via vmfwupdate API: The igvm image itself and the
> kernel hashes, so the VMM can fill the parameters for launch.
>
> I tend to think it makes sense to keep the region list, so we can
> actually pass on multiple items if needed, and simply add region flags
> to declare that a region is an IGVM image.
Went over the interface spec today, here it is. Changes:
- Moved descriptions into source code comments.
- Added leftovers noticed in recent discussions, such as cpuid page.
- Added capability flags and region flags for IGVM.
Open questions:
- Does the idea to use igvm parameters for the kernel hashes makes
sense? Are parameters part of the launch measurement?
- Do we want actually keep the complete interface (and the functional
overlap with igvm)?
take care,
Gerd
------------------------- cut here ---------------------------------
/*
* Mar 2025 vmfwupdate interface rewrite
*/
struct vmfwupdate {
// VMM capabilities, see VMFWUPDATE_CAP_*, read-only.
uint64_t capabilities;
// firmware storage size (below 4G on x86), read-only.
uint64_t firmware_size;
// address of opaque blob, the guest can use this to pass on information,
// for example which memory region the linux kernel has been loaded to.
// writable, will be kept intact on firmware update.
uint64_t opaque_addr;
// regions (see vmfwupdate_regions struct), memory location and length of
// the list. writable, will be cleared on firmware update and reset.
uint64_t regions_addr;
uint16_t regions_count;
// control bits, see VMFWUPDATE_CTL_*
// - disable bit can be set by the guest.
// - disable bit can only be cleared by reset.
uint16_t control;
};
// --- 'capabilities' field bits ---
// vmm supports resizing of firmware memory
#define VMFWUPDATE_CAP_BIOS_RESIZE (1 << 0)
// vmm supports loading igvm images
#define VMFWUPDATE_CAP_IGVM_IMAGES (2 << 0)
// --- 'control' field bits ---
// disable vmfwupdate interface
#define VMFWUPDATE_CTL_DISABLE (1 << 0)
// 'regions_addr' field points to an array of this structure
struct vmfwupdate_regions {
uint64_t size; // size of the region
uint64_t src_addr; // source address (before update)
uint64_t dst_addr; // destination address (after update)
uint64_t flags; // control bits
};
// --- 'flags' field bits ---
// data must be copied
#define VMFWUPDATE_REGION_FLAG_COPY (1 << 0)
// dest must be filled with zeros (src is not used)
#define VMFWUPDATE_REGION_FLAG_ZERO (1 << 1)
// region must be measured
#define VMFWUPDATE_REGION_FLAG_MEASURE (1 << 2)
// region must be (pre-)validated
#define VMFWUPDATE_REGION_FLAG_VALIDATE (1 << 3)
// region contains igvm image
#define VMFWUPDATE_REGION_FLAG_IGVM_IMAGE (1 << 8)
// region contains igvm parameters (TODO: details)
#define VMFWUPDATE_REGION_FLAG_IGVM_PARAM (1 << 9)
// region is sev cpuid page
#define VMFWUPDATE_REGION_FLAG_SEV_CPUID (1 << 16)
// region is sev secrets page
#define VMFWUPDATE_REGION_FLAG_SEV_SECRETS (1 << 17)
