The SEV LAUNCH_UPDATE command is used to encrypt the guest memory region. For more information see [1], section 6.2
[1] http://support.amd.com/TechDocs/55766_SEV-KM%20API_Spec.pdf The following KVM RFC patches defines and implements this command http://marc.info/?l=kvm&m=147190852423972&w=2 http://marc.info/?l=kvm&m=147190859023996&w=2 Signed-off-by: Brijesh Singh <brijesh.si...@amd.com>
---
 include/sysemu/sev.h | 9 +++++++++
 sev.c | 36 ++++++++++++++++++++++++++++++++++++
 2 files changed, 45 insertions(+)
diff --git a/include/sysemu/sev.h b/include/sysemu/sev.h
index b8a7afa..b58a9d7 100644
--- a/include/sysemu/sev.h
+++ b/include/sysemu/sev.h
@@ -30,5 +30,14 @@ int sev_init(KVMState *kvm_state);
 */
 int kvm_sev_guest_start(void);
+/**
+ * kvm_sev_guest_update - encrypt the memory region.
+ * @address: host virtual address of memory region (must be 16-byte aligned)
+ * @len: length of memory region (must be 16-byte aligned).
+ *
+ * Returns: 0 on success, or 1 on failure.
+ */
+int kvm_sev_guest_update(uint8_t *address, uint32_t len);
+
 #endif
diff --git a/sev.c b/sev.c
index 40a126a..a451dc0 100644
--- a/sev.c
+++ b/sev.c
@@ -304,6 +304,28 @@ static int sev_launch_start(void)
 return 0;
 }
+static int sev_launch_update(uint8_t *addr, uint32_t len)
+{
+ int ret;
+ SEVInfo *s = sev_info;
+ struct kvm_sev_issue_cmd input;
+ struct kvm_sev_launch_update *update = s->launch_update;
+
+ update->address = (uint64_t) addr;
+ update->length = len;
+ input.cmd = KVM_SEV_LAUNCH_UPDATE;
+ input.opaque = (unsigned long)update;
+ ret = kvm_vm_ioctl(kvm_state, KVM_SEV_ISSUE_CMD, &input);
+ if (ret) {
+ fprintf(stderr, "SEV: launch_update failed ret=%d (%#010x)\n",
+ ret, input.ret_code);
+ exit(EXIT_FAILURE);
+ }
+
+ DPRINTF("SEV: LAUNCH update [%#lx+0x%x]\n", (uint64_t)addr, len);
+ return 0;
+}
+
 int kvm_sev_guest_start(void)
 {
 SEVInfo *s = sev_info;
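Review bot: The new kernel-doc for kvm_sev_guest_update() does not say that a non-zero return leaves the region unencrypted, nor which launch state the call requires, so a caller that ignores the result would silently keep plaintext guest memory. I would add a line such as ` * A non-zero return means the region was not encrypted; callers must treat it as fatal for an SEV guest.` and note that the call is only accepted while the launch is in SEV_LAUNCH_START, which is what the definition in sev.c checks. The 16-byte alignment requirement is stated here but not enforced in the visible code, and `uint32_t len` limits one call to under 4 GiB, which may be worth stating as well.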
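Review bot: `input` is declared without an initializer in sev_launch_update(), yet the failure path prints `input.ret_code`; if the ioctl fails before the kernel fills that field (not visible from this hunk), the message reports stack garbage. Declaring it as `struct kvm_sev_issue_cmd input = { 0 };` makes the diagnostic reliable. The `DPRINTF` uses `%#lx` for a `uint64_t`, which mismatches on hosts where `long` is 32 bits; `"%#" PRIx64` is the portable form. The function also forwards `addr` and `len` without checking the 16-byte alignment that the header comment requires.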
@@ -335,3 +357,17 @@ int kvm_sev_guest_start(void)
 return 1;
 }
+int kvm_sev_guest_update(uint8_t *addr, uint32_t len)
+{
+ SEVInfo *s = sev_info;
+
+ if (!s) {
+ return 1;
+ }
+
+ if (s->state == SEV_LAUNCH_START) {
+ return sev_launch_update(addr, len);
+ }
+
+ return 1;
+}
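Review bot: kvm_sev_guest_update() returns 1 without any message when `sev_info` is NULL or the state is not SEV_LAUNCH_START, while an ioctl failure in sev_launch_update() terminates the process, so the two failure modes are handled inconsistently and the quiet one is easy to miss. Since a skipped update means the region stays unencrypted, I would log before the final `return 1;`, for example `fprintf(stderr, "SEV: launch_update rejected, launch not in START state\n");`. A short comment above the state check saying why updates are only accepted in SEV_LAUNCH_START would also help the next reader.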