On 11/16/21 3:23 AM, Daniel P. Berrangé wrote:
> On Thu, Aug 26, 2021 at 05:26:15PM -0500, Michael Roth wrote:
>> These patches implement SEV-SNP along with CPUID enforcement support for
>> QEMU,
>> and are also available at:
>>
>>
>> https://nam11.safelinks.protection.outlook.com/?url=https%
On 11/25/21 7:59 AM, Dov Murik wrote:
[+cc Tom, Brijesh]
On 25/11/2021 15:42, Daniel P. Berrangé wrote:
On Thu, Nov 25, 2021 at 02:44:51PM +0200, Dov Murik wrote:
[+cc jejb, tobin, jim, hubertus]
On 25/11/2021 9:14, Sergio Lopez wrote:
On Wed, Nov 24, 2021 at 06:29:07PM +, Dr. David
On 11/29/21 8:29 AM, Brijesh Singh wrote:
On 11/25/21 7:59 AM, Dov Murik wrote:
[+cc Tom, Brijesh]
On 25/11/2021 15:42, Daniel P. Berrangé wrote:
On Thu, Nov 25, 2021 at 02:44:51PM +0200, Dov Murik wrote:
[+cc jejb, tobin, jim, hubertus]
On 25/11/2021 9:14, Sergio Lopez wrote:
On Wed
On 1/17/22 1:34 AM, Dov Murik wrote:
> [+cc Tom, Brijesh, Ashish - see SEV-related changes in this series]
>
>
> On 13/01/2022 18:55, Daniel P. Berrangé wrote:
>> The AMD SEV build of EDK2 only emits a single file, intended to be
>>
>> mapped readonly. There is explicitly no separate writable VAR
well?
Thanks for looping me in, I can confirm that SEV virtio-fs device
support was *broken* on the latest qemu, and your patch fixes it.
Tested-by: Brijesh Singh
Regards,
Halil
On Tue, 25 Jan 2022 11:21:12 +0100
Halil Pasic wrote:
ping
On Mon, 17 Jan 2022 13:02:38 +0100
Halil Pasic
> Tom Lendacky and Brijesh Singh reported two issues with launching SEV
> guests with the -kernel QEMU option when an old [1] or wrongly configured [2]
> OVMF image is used.
>
> The fixes in patches 1 and 2 allow such guests to boot by skipping the
> kernel/initrd/cmdline hashes additi
On 11/2/21 8:22 AM, Dov Murik wrote:
On 02/11/2021 12:52, Brijesh Singh wrote:
Hi Dov,
Overall the patch looks good, the only question I have is that now we are
enforcing qemu to hash the kernel, initrd and cmdline unconditionally for
any of the SEV guest launches. This requires anyone wanting
On 11/3/21 9:08 AM, Dr. David Alan Gilbert wrote:
* Brijesh Singh (brijesh.si...@amd.com) wrote:
On 11/2/21 8:22 AM, Dov Murik wrote:
On 02/11/2021 12:52, Brijesh Singh wrote:
Hi Dov,
Overall the patch looks good, the only question I have is that now we are
enforcing qemu to hash the kernel
On 11/5/21 1:32 PM, Dov Murik wrote:
On 02/11/2021 16:48, Brijesh Singh wrote:
On 11/2/21 8:22 AM, Dov Murik wrote:
On 02/11/2021 12:52, Brijesh Singh wrote:
Hi Dov,
Overall the patch looks good, the only question I have is that now we are
enforcing qemu to hash the kernel, initrd and
On 11/8/21 7:48 AM, Dov Murik wrote:
Tom Lendacky and Brijesh Singh reported two issues with launching SEV
guests with the -kernel QEMU option when an old [1] or wrongly configured [2]
OVMF image is used.
To fix these issues, this series "hides" the whole kernel hashes
addition
Hi Dov,
Sorry for coming a bit late on it but I am seeing another issue with
this patch. The hash build logic looks for a SEV_HASH_TABLE_RV_GUID in
the GUID list. If found, it uses the base address to store the hashes.
Looking at the OVMF, it seems that base address for this GUID is zero.
It
On 10/6/21 11:55 AM, Philippe Mathieu-Daudé wrote:
> On 10/4/21 10:19, Paolo Bonzini wrote:
>> On 02/10/21 14:53, Philippe Mathieu-Daudé wrote:
>>> Only declare sev_enabled() and sev_es_enabled() when CONFIG_SEV is
>>> set, to allow the compiler to elide unused code. Remove unnecessary
>>> stubs.
Add a new memory debug attribute; it should be set when a
memory read or write access is performed for debugging purposes.
Signed-off-by: Brijesh Singh
---
include/exec/memattrs.h |4
1 file changed, 4 insertions(+)
diff --git a/include/exec/memattrs.h b/include/exec
;
memory_region_init_ram(mem, NULL, "memory", size, NULL);
memory_region_set_ram_debug_ops(mem, ops);
Signed-off-by: Brijesh Singh
---
exec.c| 55 -
include/exec/memory.h | 25 ++
2 files changed, 65
restore code path.
- virtio support in SEV guest.
- Integrate SEV SEND and RECEIVE command in live migration.
Brijesh Singh (18):
memattrs: add debug attrs
exec: add guest RAM read and write ops
exec: add debug version of physical memory read and write apis
monitor: use debug v
APIs then in future
we can define some kind of global debug policy to control debug behavior.
Signed-off-by: Brijesh Singh
Reviewed-by: Paolo Bonzini
---
exec.c| 32
include/exec/cpu-common.h | 15 +++
2 files changed, 47
Add APIs to provide guest memory encryption support.
Signed-off-by: Brijesh Singh
---
include/sysemu/kvm.h |8 ++
kvm-all.c| 64 ++
2 files changed, 72 insertions(+)
diff --git a/include/sysemu/kvm.h b/include/sysemu/kvm.h
updates hmp monitor to use debug version of memory access apis when
accessing the guest memory.
Signed-off-by: Brijesh Singh
---
cpus.c|2 +-
disas.c |2 +-
monitor.c |2 +-
target-i386/helper.c | 14 +++---
target-i386/monitor.c
ey created
during launch start process will be used to encrypt the guest memory.
Signed-off-by: Brijesh Singh
---
sev.c | 81 +
1 file changed, 81 insertions(+)
diff --git a/sev.c b/sev.c
index 487dba6..2fbab2f 100644
--- a/s
=mypolicy \
-machine ...,security-policy=mypolicy
Signed-off-by: Brijesh Singh
---
exec.c |7 ++
hw/core/Makefile.objs|1
hw/core/machine.c| 22 +
hw/core/security-policy.c| 166
update 'info kvm' to display the memory encryption support.
(qemu) info kvm
kvm support: enabled
memory encryption: disabled
Signed-off-by: Brijesh Singh
---
hmp.c|2 ++
qapi-schema.json |5 -
qmp.c|1 +
3 files changed, 7 insertions(+),
from unencrypted boot images
# $QEMU \
-object sev-launch-info,id=launch0,nonce=abcd,pub-dh-qx=1234 \
-object sev-guest,id=sev0 \
-object security-policy,id=secure0,memory-encryption=sev0 \
-machine ,security-policy=secure0
Signed-off-by: Brijesh Singh
---
Makefile.target
The command is used to finalize the SEV guest launch process.
The command returns a measurement value of the data encrypted through
the LAUNCH_UPDATE command. This measurement can be handed to the guest
owner to verify that the guest was launched into SEV-enabled mode.
Signed-off-by: Brijesh
Snapshot, Restore and Migration are not implemented in the first phase.
Return an error when the user tries to perform any of these operations.
Signed-off-by: Brijesh Singh
---
migration/migration.c |7 +++
migration/savevm.c| 11 +++
2 files changed, 18 insertions(+)
diff --git a
go through the
encryption routines which will encrypt the data as it is copied into guest
memory. Similarly, after we are done with copying, destroy the encryption
context.
Signed-off-by: Brijesh Singh
---
hw/core/loader.c | 22 ++
1 file changed, 22 insertions(+)
diff --git a
The command is used to encrypt a guest memory region using the VM Encryption
Key (VEK) created by LAUNCH_START command. The firmware will also update
the measurement with the contents of the memory region. This measurement
can be retrieved by calling LAUNCH_FINISH command.
Signed-off-by: Brijesh
Signed-off-by: Brijesh Singh
---
sev.c | 28 +---
1 file changed, 25 insertions(+), 3 deletions(-)
diff --git a/sev.c b/sev.c
index ff9266a..f690a86 100644
--- a/sev.c
+++ b/sev.c
@@ -329,6 +329,28 @@ err:
}
static int
+sev_debug_decrypt(SEVState *s, uint8_t *dst
Fn8000_001f cpuid provides the memory encryption (aka C-bit) location
in a page table for the SEV-enabled guest.
Signed-off-by: Brijesh Singh
---
target-i386/cpu.c |6 ++
1 file changed, 6 insertions(+)
diff --git a/target-i386/cpu.c b/target-i386/cpu.c
index 83998a8..9dc7b4f 100644
sev_debug_encrypt
Signed-off-by: Brijesh Singh
---
sev.c | 29 ++---
1 file changed, 26 insertions(+), 3 deletions(-)
diff --git a/sev.c b/sev.c
index f690a86..1a579ca 100644
--- a/sev.c
+++ b/sev.c
@@ -351,18 +351,41 @@ sev_debug_decrypt(SEVState *s, uint8_t *dst, const
uint8_t
ion routines to
decrypt/encrypt the guest RAM regions.
A sequence looks like:
cpu_physical_memory_rw_debug
cpu_physical_memory_rw_debug_internal
memory_encryption->write
Signed-off-by: Brijesh Singh
---
hw/i386/pc.c |7 +++
hw/i386/pc_sysfw.c |4
2 files chang
In an SEV-enabled guest the physical addresses in the page table will
have the C-bit set, so we need to clear the C-bit when walking the page table.
The C-bit position should be available in cpuid Fn8000_001f[EBX].
Signed-off-by: Brijesh Singh
---
target-i386/helper.c | 37
hen
we can create/set special SEV-specific MemTxAttrs to indicate that the
RAM access is for debug purposes and use SEV debug commands to
read and write guest memory for debug purposes.
Signed-off-by: Brijesh Singh
---
exec.c| 10 ++
include/exec/cpu-commo
mp;m=147190861124032&w=2
http://marc.info/?l=kvm&m=147190861124032&w=2
Signed-off-by: Brijesh Singh
---
include/sysemu/sev.h | 10 ++
sev.c| 23 +++
2 files changed, 33 insertions(+)
diff --git a/include/sysemu/sev.h b/include/sysemu/sev
%20API_Spec.pdf
The following KVM RFC patches define and implement this command
http://marc.info/?l=kvm&m=147190852423972&w=2
http://marc.info/?l=kvm&m=147190856623987&w=2
Signed-off-by: Brijesh Singh
---
include/sysemu/sev.h | 17 +-
sev.c
;
memory_region_init_ram(mem, NULL, "memory", size, NULL);
memory_region_set_ram_ops(mem, ops);
Signed-off-by: Brijesh Singh
---
exec.c| 304 +++--
include/exec/memory.h | 25
2 files changed, 266 insertions(+), 63 deletion
&w=2
http://marc.info/?l=kvm&m=147190859023996&w=2
Signed-off-by: Brijesh Singh
---
include/sysemu/sev.h |9 +
sev.c| 36
2 files changed, 45 insertions(+)
diff --git a/include/sysemu/sev.h b/include/sysemu/sev.h
index
This patch updates hmp monitor to use cpu_physical_memory_read_debug()
when accessing the guest memory for debug dumps.
Signed-off-by: Brijesh Singh
---
disas.c |2 +-
monitor.c |2 +-
target-i386/monitor.c | 18 ++
3 files changed, 12
The patch implements kvm_sev_get_ram_ops() which provides guest RAM
read/write callback. Depending on the memory attributes and guest launch
state, the callback will use SEV launch update or SEV debug commands
to read/write into guest memory.
Signed-off-by: Brijesh Singh
---
include/sysemu
patches define and implement this command
http://marc.info/?l=kvm&m=147190852423972&w=2
http://marc.info/?l=kvm&m=147191068524579&w=2
Signed-off-by: Brijesh Singh
---
include/sysemu/sev.h | 10 ++
sev.c| 23 +++
2 files change
Update the 'info kvm' monitor command to display the SEV status.
(qemu) info kvm
kvm support: enabled
sev support: enabled (running)
Signed-off-by: Brijesh Singh
---
hmp.c| 14 ++
qapi-schema.json |4 +++-
qmp.c|1 +
3 files changed, 18
In an SEV-enabled guest the physical addresses in the page table will
have the C-bit set, so we need to clear the C-bit when walking the page table.
The C-bit position should be available in cpuid Fn8000_001f[EBX].
Signed-off-by: Brijesh Singh
---
target-i386/helper.c | 36
abcdef"
dh_pub_qy = "0123456789abcdef0123456789abcdef"
nonce = "0123456789abcdef"
vcpu_count = "1"
vcpu_length = "30"
vcpu_mask = "00ab"
Signed-off-by: Brijesh Singh
---
Makefile.target |2
include/sysemu
The patch adds a sev_debug_mode attribute in MemTxAttrs. This attribute
will be set when the debug version of the memory read/write APIs is used in an
SEV-enabled guest.
Signed-off-by: Brijesh Singh
---
include/exec/memattrs.h |4
1 file changed, 4 insertions(+)
diff --git a/include
DEBUG DECRYPT/ENCRYPT commands
to read/write into guest memory.
Signed-off-by: Brijesh Singh
---
exec.c | 11 ++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/exec.c b/exec.c
index 604bd05..b1df25d 100644
--- a/exec.c
+++ b/exec.c
@@ -3773,7 +3773,11 @@ void
In an SEV-enabled guest DMA should be performed on shared pages. Since
SeaBIOS executes in non-PAE mode and does not have access to the C-bit
to create a shared page, disable the DMA operation when reading
from the fw_cfg interface.
Signed-off-by: Brijesh Singh
---
hw/nvram/fw_cfg.c |6
Fn8000_001f cpuid provides the memory encryption (aka C-bit)
Signed-off-by: Brijesh Singh
---
target-i386/cpu.c |3 +++
1 file changed, 3 insertions(+)
diff --git a/target-i386/cpu.c b/target-i386/cpu.c
index 6a1afab..e039c08 100644
--- a/target-i386/cpu.c
+++ b/target-i386/cpu.c
callback will allow us to hook the SEV launch START and FINISH
commands into the qemu_system_reset() handler to start and finalize the SEV
guest launch process.
Signed-off-by: Brijesh Singh
---
include/hw/hw.h |2 ++
sev.c | 14 ++
vl.c| 45
If guest is launched into SEV-enabled mode then read/write to the
BIOS and RAM memory regions should be performed using the SEV commands.
Signed-off-by: Brijesh Singh
---
hw/i386/pc.c |5 +
hw/i386/pc_sysfw.c |6 ++
2 files changed, 11 insertions(+)
diff --git a/hw/i386
In SEV-enabled mode we need to reload the BIOS image on loader reset; this
will ensure that the BIOS image gets encrypted and included as part of the launch
measurement on guest reset.
Signed-off-by: Brijesh Singh
---
hw/core/loader.c |7 ++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff
[1] http://marc.info/?l=kvm&m=147191038624432&w=2
---
TODO:
- send seabios RFC's on seabios mailing list
- implement SEV guest migration command support
- implement SEV snapshotting command support
- virtio support in SEV guest
Brijesh Singh (22):
exec: add guest RAM read/write op
EV RECEIVE commands before starting the guest.
$ qemu -sev type=encrypted config=guest_02.conf
The config file will contain various parameters (e.g. key, policy)
required during the guest launch process.
Signed-off-by: Brijesh Singh
---
qemu-options.hx |6 ++
vl.c
w=2
http://marc.info/?l=kvm&m=147190852423972&w=2
Signed-off-by: Brijesh Singh
---
include/sysemu/sev.h | 18 ++
sev.c| 34 ++
2 files changed, 52 insertions(+)
diff --git a/include/sysemu/sev.h b/include/sysemu/sev.h
index a505d75
/55766_SEV-KM%20API_Spec.pdf
The following kvm RFC patches define and implement this command
http://marc.info/?l=kvm&m=147190852423972&w=2
http://marc.info/?l=kvm&m=147190946024236&w=2
Signed-off-by: Brijesh Singh
---
include/sysemu/sev.h |7 ++
sev.c
Hi Eduardo,
On 09/13/2016 10:58 AM, Eduardo Habkost wrote:
A typical SEV config file looks like this:
Are those config options documented somewhere?
Various commands and parameters are documented [1]
[1] http://support.amd.com/TechDocs/55766_SEV-KM%20API_Spec.pdf
[sev-launch]
f
Hi Michael,
On 09/13/2016 01:39 PM, Michael S. Tsirkin wrote:
On Tue, Sep 13, 2016 at 10:50:06AM -0400, Brijesh Singh wrote:
In an SEV-enabled guest DMA should be performed on shared pages. Since
SeaBIOS executes in non-PAE mode and does not have access to the C-bit
to create a shared page, hence
On 09/13/2016 09:28 PM, Michael S. Tsirkin wrote:
On Tue, Sep 13, 2016 at 10:48:27AM -0400, Brijesh Singh wrote:
The SEV DEBUG_DECRYPT command is used for decrypting guest memory
for debugging purposes. Note that debugging is permitted only
when the guest policy allows it.
When wouldn
Hi Eric,
Thanks for feedback.
# @present: true if KVM acceleration is built into this executable
#
+# @sev: true if SEV is active
Worth expanding what the acronym stands for. Also needs a '(since 2.8)'
designator.
will fix in v2.
+#
# Since: 0.14.0
##
-{ 'struct': 'KvmInfo', 'data':
Various commands and parameters are documented [1]
[1] http://support.amd.com/TechDocs/55766_SEV-KM%20API_Spec.pdf
If I understand correctly, the docs describe the firmware
interface. The interface provided by QEMU is not the same thing,
and needs to be documented as well (even if it contains
Hi Paolo,
On 09/13/2016 05:47 PM, Paolo Bonzini wrote:
On 13/09/2016 16:50, Brijesh Singh wrote:
This patch adds methods to register a callback in qemu_system_reset().
- qemu_register_pre_reset() : function will be called just after
entering into qemu_system_reset
Hi Michael,
Yes policy is described in chapter 3, page 23. I am open to separate the
fields.
Let me know if something like this works
sev-launch-rule,flags.ks=0,policy.dbg=0,policy.ks=0,policy.nosend=0,...
My question is, does all of it have to be sev specific?
For example, add a generic fla
On 09/13/2016 05:59 PM, Paolo Bonzini wrote:
On 13/09/2016 16:50, Brijesh Singh wrote:
In SEV-enabled mode we need to reload the BIOS image on loader reset; this
will ensure that the BIOS image gets encrypted and included as part of the launch
measurement on guest reset.
Just to check if I
*/
#define MEMTXATTRS_UNSPECIFIED ((MemTxAttrs) { .unspecified = 1 })
+/* Access the guest memory for debug purposes */
+#define MEMTXATTRS_SEV_DEBUG ((MemTxAttrs) { .sev_debug = 1 })
#endif
Just make it "debug" and MEMTXATTRS_DEBUG.
Thanks, will fix in v2.
Hi Paolo,
On 09/13/2016 06:05 PM, Paolo Bonzini wrote:
On 13/09/2016 16:49, Brijesh Singh wrote:
+/* Register SEV read/write ops for the guest RAM */
+if (kvm_sev_enabled())
+memory_region_set_ram_ops(ram, kvm_sev_get_ram_ops());
If you don't actually need this one e
On 09/14/2016 03:38 PM, Paolo Bonzini wrote:
On 14/09/2016 22:29, Brijesh Singh wrote:
Does the guest have to check the measured data (e.g. with a hash) too,
to check that it hasn't been tampered with outside the secure
processor's control? Of course this would result in garbage
On 09/14/2016 03:44 PM, Paolo Bonzini wrote:
On 14/09/2016 22:36, Michael S. Tsirkin wrote:
Specifically with debug, if you have debug then clearly you
can dump guest memory. This is what this feature is about.
If we want a hypervisor that can not dump guest memory, let's
add a flag like tha
On 09/14/2016 04:00 PM, Paolo Bonzini wrote:
On 14/09/2016 22:59, Brijesh Singh wrote:
I will look into hooking up the callback into ROM read/write ops. I was
thinking about adding a new argument in
cpu_physical_memory_write_rom_internal()
void cpu_physical_memory_write_rom(AddressSpace
On 09/14/2016 04:52 PM, Paolo Bonzini wrote:
On 14/09/2016 23:47, Brijesh Singh wrote:
On 09/14/2016 04:00 PM, Paolo Bonzini wrote:
On 14/09/2016 22:59, Brijesh Singh wrote:
I will look into hooking up the callback into ROM read/write ops. I was
thinking about adding a new argument in
So looking at the code, I have the impression that the write will go through
cpu_physical_memory_write_rom but the read will still go through
address_space_rw which will eventually invoke address_space_read.
Yes, you'd have to modify it a bit. Something like
Sure, this will work, thanks for the snippet
Hi Paolo,
typedef struct {
@@ -3568,6 +3578,7 @@ int cpu_memory_rw_debug(CPUState *cpu, target_ulong addr,
int l;
hwaddr phys_addr;
target_ulong page;
+int mode = is_write ? WRITE_DATA : READ_DATA;
while (len > 0) {
int asidx;
@@ -3583,14 +3594,9 @@ int cpu_me
Hi Michael and Paolo,
On 09/13/2016 01:37 PM, Michael S. Tsirkin wrote:
On Tue, Sep 13, 2016 at 10:49:29AM -0400, Brijesh Singh wrote:
Typically the linux kernel, initrd and cmdline are built and loaded
into guest memory through the linux optionrom. The linux optionrom is
probed and executed by
Hi Paolo,
On 09/21/2016 10:58 AM, Paolo Bonzini wrote:
On 21/09/2016 17:55, Brijesh Singh wrote:
I'm working on v2 and getting ready for another review but not sure how
to address this feedback. For now, I can drop this patch from the series
and get other patches reviewed. But I would
Hi Paolo,
On 09/13/2016 06:07 PM, Paolo Bonzini wrote:
On 13/09/2016 16:49, Brijesh Singh wrote:
Fn8000_001f cpuid provides the memory encryption (aka C-bit)
Signed-off-by: Brijesh Singh
---
target-i386/cpu.c |3 +++
1 file changed, 3 insertions(+)
diff --git a/target-i386/cpu.c b
Hi Michael,
Again it isn't clear how much value does attestation have,
we are assuming arbitrary restrictions on the attacker such
as inability to trigger exits at random times, why not
assume it can't attack guest during boot?
IOW it seems reasonable to just ignore the need for attestation
com
.
Signed-off-by: Brijesh Singh
---
include/exec/memattrs.h |4
1 file changed, 4 insertions(+)
diff --git a/include/exec/memattrs.h b/include/exec/memattrs.h
index e601061..b802073 100644
--- a/include/exec/memattrs.h
+++ b/include/exec/memattrs.h
@@ -37,6 +37,8 @@ typedef struct
APIs then in future
we can define some kind of global debug policy to control debug behavior.
Signed-off-by: Brijesh Singh
Reviewed-by: Paolo Bonzini
---
exec.c| 32
include/exec/cpu-common.h | 15 +++
2 files changed, 47
=mypolicy \
-machine ...,security-policy=mypolicy
The memory-encryption property will be used for enabling AMD's SEV feature.
Signed-off-by: Brijesh Singh
---
exec.c |7 ++
hw/core/Makefile.objs|1
hw/core/machine.c| 22
unencrypted boot images
# $QEMU \
-object sev-launch-info,id=launch0 \
-object sev-guest,id=sev0 \
-object security-policy,id=secure0,memory-encryption=sev0 \
-machine ,security-policy=secure0
Signed-off-by: Brijesh Singh
---
Makefile.target|2
docs/amd
The command is used to encrypt a guest memory region using the VM Encryption
Key (VEK) created by LAUNCH_START command. The firmware will also update
the measurement with the contents of the memory region for attestation.
Signed-off-by: Brijesh Singh
---
include/sysemu/sev.h |2 +-
kvm
Updates kvm.h to include the memory encryption ioctls and SEV command structure
introduced in KVM RFC [1]
[1] http://marc.info/?l=linux-mm&m=148846752931115&w=2
Signed-off-by: Brijesh Singh
---
linux-headers/linux/kvm.h | 100 +
1 file chan
If memory encryption is enabled then create a memory encryption launch
context to ensure that bootstrap data (bios images) get encrypted. Also
release the encryption context after the machine is successfully created.
Signed-off-by: Brijesh Singh
---
vl.c | 15 +++
1 file changed, 15
n the boot
images (such as BIOS).
Signed-off-by: Brijesh Singh
---
include/sysemu/sev.h |1 +
kvm-all.c|1 +
sev.c| 55 ++
3 files changed, 57 insertions(+)
diff --git a/include/sysemu/sev.h b/include/sysemu/
update 'info kvm' to display the memory encryption support.
(qemu) info kvm
kvm support: enabled
memory encryption: disabled
Signed-off-by: Brijesh Singh
---
hmp.c|2 ++
qapi-schema.json |5 -
qmp.c|1 +
3 files changed, 7 insertions(+),
sev_debug_encrypt
Signed-off-by: Brijesh Singh
---
sev.c | 39 ---
1 file changed, 36 insertions(+), 3 deletions(-)
diff --git a/sev.c b/sev.c
index f8d822d..52b75e3 100644
--- a/sev.c
+++ b/sev.c
@@ -350,16 +350,49 @@ err:
}
static int
+sev_debug_encrypt(SEVState
;
memory_region_init_ram(mem, NULL, "memory", size, NULL);
memory_region_set_ram_debug_ops(mem, ops);
Signed-off-by: Brijesh Singh
---
exec.c| 55 -
include/exec/memory.h | 25 ++
2 files changed, 65
The command is used to retrieve status information about an SEV-enabled guest.
Signed-off-by: Brijesh Singh
---
include/sysemu/sev.h |9 +
sev.c| 28
2 files changed, 37 insertions(+)
diff --git a/include/sysemu/sev.h b/include/sysemu
updates hmp monitor to use debug version of memory access apis when
reading the guest memory.
Signed-off-by: Brijesh Singh
---
cpus.c|2 -
disas.c |2 -
monitor.c |2 -
target/i386/helper.c | 16 +++
target/i386/monitor.c | 114
The command is used to finalize the SEV guest launch process.
The command returns a measurement value of the data encrypted through
the LAUNCH_UPDATE command. This measurement can be handed to the guest
owner to verify that the guest was launched into SEV-enabled mode.
Signed-off-by: Brijesh
Fn8000_001f cpuid provides the memory encryption (aka C-bit) location
in a page table for the SEV-enabled guest.
Signed-off-by: Brijesh Singh
---
target/i386/cpu.c |6 ++
1 file changed, 6 insertions(+)
diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index fba9212..44662eb 100644
Add high level APIs to provide guest memory encryption support.
Signed-off-by: Brijesh Singh
---
include/sysemu/kvm.h |7 +++
kvm-all.c| 52 ++
kvm-stub.c | 31 ++
3 files change
On 03/08/2017 03:27 PM, Eduardo Habkost wrote:
On Wed, Mar 08, 2017 at 03:51:07PM -0500, Brijesh Singh wrote:
This RFC series provides support for AMD's new Secure Encrypted
Virtualization (SEV) feature. This RFC is based KVM RFC [1].
SEV is an extension to the AMD-V architecture
Snapshot, Restore and Migration are not implemented yet. Return an error when
the user tries to perform any of these operations.
Signed-off-by: Brijesh Singh
---
migration/migration.c |7 +++
migration/savevm.c| 11 +++
2 files changed, 18 insertions(+)
diff --git a/migration
Signed-off-by: Brijesh Singh
---
sev.c | 36 +++-
1 file changed, 35 insertions(+), 1 deletion(-)
diff --git a/sev.c b/sev.c
index d32391e..f8d822d 100644
--- a/sev.c
+++ b/sev.c
@@ -320,6 +320,36 @@ err_1:
}
static int
+sev_debug_decrypt(SEVState *s, uint8_t
In an SEV-enabled guest the pte entry will have the C-bit set, so we need to
clear the C-bit when walking the page table. The C-bit position should be
available in cpuid Fn8000_001f[EBX].
Signed-off-by: Brijesh Singh
---
target/i386/helper.c | 39 ++-
target/i386/monitor.c | 83
pflash
type of device as well as passing the bios image via the -bios option on the qemu
command line.
Signed-off-by: Brijesh Singh
---
hw/i386/pc.c |7 +++
hw/i386/pc_sysfw.c | 30 +-
2 files changed, 36 insertions(+), 1 deletion(-)
diff --git a/hw/i386/pc.c b/hw
On 03/08/2017 03:13 PM, Eduardo Habkost wrote:
On Wed, Mar 08, 2017 at 03:53:03PM -0500, Brijesh Singh wrote:
The command is used to bootstrap SEV guest from unencrypted boot images.
The command creates a new VM encryption key (VEK) using guest owner's public
DH certificate, and sec
On 03/08/2017 03:32 PM, Eduardo Habkost wrote:
On Wed, Mar 08, 2017 at 03:54:43PM -0500, Brijesh Singh wrote:
Snapshot, Restore and Migration are not implemented yet. Return an error when
the user tries to perform any of these operations.
Signed-off-by: Brijesh Singh
---
migration/migration.c
create mode 100644 include/sysemu/security-policy.h
create mode 100644 include/sysemu/sev.h
create mode 100644 sev.c
--
Brijesh Singh
Hi Eduardo,
On 08/15/2017 06:35 AM, Eduardo Habkost wrote:
Hi,
Thanks for the patch.
On Mon, Aug 14, 2017 at 10:52:17AM -0500, Brijesh Singh wrote:
Add a new base CPU model called 'EPYC' to model processors from AMD EPYC
family (which includes EPYC 76xx,75xx,74xx,73xx and 72xx).
fsgsbase, bmi1, avx2, smep, bmi2, rdseed, adx, smap, clflushopt, sha
xsaveopt, xsavec, xgetbv1, arat
Removed: xop, fma4, tbm
Cc: Paolo Bonzini
Cc: Richard Henderson
Cc: Eduardo Habkost
Cc: Tom Lendacky
Signed-off-by: Brijesh Singh
---
Changes since v2:
* limit the xlevel to 0x800
Hi Wanpeng,
On 08/16/2017 10:55 PM, Wanpeng Li wrote:
Cc Chandu,
On 8/16/17 1:00 AM, Brijesh Singh wrote:
Add a new base CPU model called 'EPYC' to model processors from AMD EPYC
family (which includes EPYC 76xx,75xx,74xx, 73xx and 72xx).
The following features bits have been add