Hi Michael and Paolo,

On 09/13/2016 01:37 PM, Michael S. Tsirkin wrote:
> On Tue, Sep 13, 2016 at 10:49:29AM -0400, Brijesh Singh wrote:
>> Typically the linux kernel, initrd and cmdline are built and loaded
>> into guest memory through the linux optionrom. The linux optionrom is
>> probed and executed by SeaBIOS. This method will not work for an
>> SEV-enabled guest.
>>
>> In an SEV-enabled guest all the code and data must be copied using the SEV
>> launch command prior to starting the guest (i.e. before the first vmrun).
>> The data copied using the SEV launch command will be encrypted using the guest
>> owner's key. This patch loads the kernel, initrd and cmdline blobs at fixed
>> locations in guest memory and builds the etc/sev_cfg config file. The cfg
>> file provides the structure below:
>>
>> struct sev_cfg {
>>         u32 kernel_addr, initrd_addr, cmdline_addr;
>>         u32 kernel_size, initrd_size, cmdline_size;
>> };
>>
>> The config file can be used by SeaBIOS to locate the OS images in guest
>> RAM and build the linux boot entry code.
>>
>> Signed-off-by: Brijesh Singh <brijesh.si...@amd.com>
>
> I don't think we want to give users this kind of
> control over how we manage memory internally
> for what is essentially a debugging feature at this point.
>
> Isn't there a way to first launch the guest, and then have it
> encrypt itself once it's running?
>
> If not, I guess it's not too bad if -kernel does not
> work with the sev debug feature - just load the kernel from disk.

I'm working on v2 and getting ready for another review, but I'm not sure how to address this feedback. For now, I can drop this patch from the series and get the other patches reviewed. But I would like to get some direction on how to go about adding -kernel support for SEV guests.

Looking through the -kernel option code, I see that qemu uses an optionrom (linuxboot.bin or linuxboot_dma.bin) to load the kernel specified through the -kernel option.

- linuxboot optionrom uses the "rep ins" instruction to fetch the kernel and initrd images into guest memory. SEV does not support string I/O, so this method will not work for SEV. But we can consider unrolling the string I/O operation into a loop, something similar to this KVM patch [1].

- linuxboot_dma - as the name suggests, it uses DMA. On an SEV guest DMA should be done on shared pages, and since SeaBIOS runs in non-PAE mode it will not be able to create shared pages for this to work.

Please let me know your thoughts on the following approaches:

- update linuxboot.S to unroll the string I/O instruction into a loop for SEV guests. This may work, but the boot will be very slow: fetching the kernel and initrd via 'inb' will increase the boot time significantly.

- Create an SEV-specific linuxboot rom. The ROM will use a special port to communicate the kernel and initrd load addresses to qemu. In qemu, when we see the request on the special port, we map the pre-encrypted kernel and initrd at the requested location. This may be similar to linuxboot_dma, with the exception that instead of copying the data into guest memory we somehow map the pre-encrypted image. I have not looked into it in much detail and am not sure if we can do something like this. If possible, then this seems like a somewhat better approach.

[1] http://marc.info/?l=kvm&m=147191048324519&w=2
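As an added illustration of the etc/sev_cfg blob discussed in the quoted patch description (this is example code, not QEMU's or SeaBIOS's own), the decoder below reads the six u32 fields and checks that the three regions fit in guest RAM and do not overlap before a loader would act on them. The exact byte layout (six little-endian u32 fields, 24 bytes), the sample blob and the RAM size are assumptions.

```c
#include <stdint.h>
#include <stddef.h>

/* etc/sev_cfg layout from the patch description, assumed to be exactly these
 * six little-endian u32 fields (24 bytes) in this order. */
struct sev_cfg {
    uint32_t kernel_addr, initrd_addr, cmdline_addr;
    uint32_t kernel_size, initrd_size, cmdline_size;
};

/* Constructed sample blob (not a real QEMU artefact): kernel at 1 MiB/4 MiB,
 * initrd at 16 MiB/2 MiB, cmdline at 128 KiB/256 bytes. */
static const uint8_t SAMPLE_BLOB[24] = {
    0x00,0x00,0x10,0x00,  0x00,0x00,0x00,0x01,  0x00,0x00,0x02,0x00,
    0x00,0x00,0x40,0x00,  0x00,0x00,0x20,0x00,  0x00,0x01,0x00,0x00 };

/* fw_cfg data is little-endian; decode bytewise so host endianness is irrelevant. */
static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Decode a blob into *cfg. Returns 0 on success, -1 if the blob is too short. */
int sev_cfg_parse(const uint8_t *blob, size_t len, struct sev_cfg *cfg)
{
    if (len < 24) return -1;
    cfg->kernel_addr  = rd_le32(blob + 0);
    cfg->initrd_addr  = rd_le32(blob + 4);
    cfg->cmdline_addr = rd_le32(blob + 8);
    cfg->kernel_size  = rd_le32(blob + 12);
    cfg->initrd_size  = rd_le32(blob + 16);
    cfg->cmdline_size = rd_le32(blob + 20);
    return 0;
}

/* Firmware should not trust addr/size pairs blindly: each region must fit in
 * guest RAM and no two regions may overlap, or boot entry code would be built
 * over the wrong encrypted pages. 64-bit math rules out addr+size wrap. */
int sev_cfg_valid(const struct sev_cfg *c, uint64_t ram_size)
{
    uint64_t a[3] = { c->kernel_addr, c->initrd_addr, c->cmdline_addr };
    uint64_t s[3] = { c->kernel_size, c->initrd_size, c->cmdline_size };
    for (int i = 0; i < 3; i++) {
        if (a[i] + s[i] > ram_size) return 0;
        for (int j = 0; j < i; j++)                  /* half-open interval overlap */
            if (a[i] < a[j] + s[j] && a[j] < a[i] + s[i]) return 0;
    }
    return 1;                                        /* usable config */
}
```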
