[libvirt] libvirt/QEMU/SEV interaction

2017-09-08 Thread Brijesh Singh
Hi All, (sorry for the long message) CPUs from AMD EPYC family support Secure Encrypted Virtualization (SEV) feature - the feature allows running encrypted VMs. To enable the feature, I have been submitting patches to Linux kernel [1], Qemu [2] and OVMF [3]. We have been making some good

Re: [libvirt] [Qemu-devel] libvirt/QEMU/SEV interaction

2017-09-08 Thread Brijesh Singh
Hi Daniel, On 09/08/2017 09:52 AM, Daniel P. Berrange wrote: On Fri, Sep 08, 2017 at 01:45:06PM +, Relph, Richard wrote: A few answers in line… On 9/8/17, 8:16 AM, "Daniel P. Berrange" <berra...@redhat.com> wrote: On Fri, Sep 08, 2017 at 06:57:30AM -0500, Bri

Re: [libvirt] [Qemu-devel] libvirt/QEMU/SEV interaction

2017-09-08 Thread Brijesh Singh
On 09/08/2017 10:51 AM, Daniel P. Berrange wrote: On Fri, Sep 08, 2017 at 10:48:10AM -0500, Brijesh Singh wrote: So I could see a flow like the following: The flow looks good 1. mgmt tool calls virConnectGetCapabilities. This returns an XML document that includes

Re: [libvirt] [PATCH] cpu: Add new EPYC CPU model

2017-09-07 Thread Brijesh Singh
On Wed, Sep 6, 2017 at 7:08 AM, Jiri Denemark wrote: > > > We list model's features sorted by name. > > ACK with the issues fixed. > > However, it would be nice to add some CPUID data to our test suite. > Luckily enough I have such data so I'll just resend [1] a fixed

Re: [libvirt] [Qemu-devel] libvirt/QEMU/SEV interaction

2017-09-30 Thread Brijesh Singh
On 9/29/17 4:58 PM, Laszlo Ersek wrote: ... > The expansion ROMs (containing UEFI drivers) of emulated PCI devices, > and the same of assigned physical PCI devices, constitute another > channel through which code enters the guest from the outside (i.e., from > the Cloud Provider). The ROM BARs

Re: [libvirt] [Qemu-devel] libvirt/QEMU/SEV interaction

2017-10-03 Thread Brijesh Singh
Hi Laszlo, On 10/01/2017 04:56 AM, Laszlo Ersek wrote: On 10/01/17 11:17, Laszlo Ersek wrote: (3) Implement SEV encryption for pflash. A pflash chip can be in one of two modes: (a) it reads and executes as ROM, or (b) it behaves like a programmable (r/w) device with MMIO registers. Switching

[libvirt] [PATCH] cpu: Add new EPYC CPU model

2017-08-23 Thread Brijesh Singh
ed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- src/cpu/cpu_map.xml | 74 + 1 file changed, 74 insertions(+) diff --git a/src/cpu/cpu_map.xml b/src/cpu/cpu_map.xml index 8e7ac49..522d66b 100644 --- a/src/cpu/cpu_map.xml +++ b/src/cpu/cpu_map.x

Re: [libvirt] [Qemu-devel] libvirt/QEMU/SEV interaction

2017-09-27 Thread Brijesh Singh
Hi Michael, On 09/26/2017 09:36 AM, Michael S. Tsirkin wrote: ... 8. libvirt launches the guest with "-S" 9. While creating the SEV guest qemu does the following i) create encryption context using GO's DH, session-info and guest policy (LAUNCH_START) ii) encrypts the guest bios

[libvirt] [PATCH v6 7/9] remote: implement the remote protocol for launch security

2018-05-23 Thread Brijesh Singh
Add remote support for launch security info. Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- src/remote/remote_daemon_dispatch.c | 47 + src/remote/remote_driver.c | 42 - src/remote/remote_prot

[libvirt] [PATCH v6 4/9] qemu/cgroup: add /dev/sev in shared devices list

2018-05-23 Thread Brijesh Singh
QEMU uses /dev/sev device while creating the SEV guest, let's add /dev/sev in the list of devices allowed to be accessed by the QEMU. Signed-off-by: Brijesh Singh <<brijesh.si...@amd.com>> --- docs/drvqemu.html.in | 1 + src/qemu/qemu.conf | 2

[libvirt] [PATCH v6 5/9] qemu: add support to launch SEV guest

2018-05-23 Thread Brijesh Singh
ev0,cbitpos=47,reduced-phys-bits=5 ...\ -machine memory-encryption=sev0 \ Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- src/qemu/qemu_command.c | 41 src/qemu/qemu_process.c | 62 + tests/qemuxml

[libvirt] [PATCH v6 0/9] x86: Secure Encrypted Virtualization (AMD)

2018-05-23 Thread Brijesh Singh
reported with 'make check' and 'make syntax-check' The complete git tree is available at: https://github.com/codomania/libvirt/tree/v6 Brijesh Singh (9): qemu: provide support to query the SEV capability qemu: introduce SEV feature in hypervisor capabilities conf: introduce launch-securit

[libvirt] [PATCH v6 6/9] libvirt: add new public API to get launch security info

2018-05-23 Thread Brijesh Singh
The API can be used outside the libvirt to get the launch security information. When SEV is enabled, the API can be used to get the measurement of the launch process. Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- include/libvirt/libvirt-domain.h | 17 ++ src/

[libvirt] [PATCH v6 1/9] qemu: provide support to query the SEV capability

2018-05-23 Thread Brijesh Singh
QEMU version >= 2.12 provides support for launching encrypted VMs on AMD x86 platform using Secure Encrypted Virtualization (SEV) feature. This patch adds support to query the SEV capability from the qemu. Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- src/conf/domain_capab

[libvirt] [PATCH v6 2/9] qemu: introduce SEV feature in hypervisor capabilities

2018-05-23 Thread Brijesh Singh
a cryptographic session with the SEV firmware to negotiate keys used for attestation or to provide secret during launch. Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- docs/formatdomaincaps.html.in | 40 docs/schemas/domaincaps.rng

[libvirt] [PATCH v6 8/9] qemu: Add support to launch security info

2018-05-23 Thread Brijesh Singh
This patch implements the internal driver API for launch event into qemu driver. When SEV is enabled, execute 'query-sev-launch-measurement' to get the measurement of memory encrypted through launch sequence. Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- src/qemu/qemu_dr

[libvirt] [PATCH v6 3/9] conf: introduce launch-security element in domain

2018-05-23 Thread Brijesh Singh
to unintelligible data. Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- docs/formatdomain.html.in | 115 ++ docs/schemas/domaincommon.rng | 39 ++ src/conf/domain_conf.c

[libvirt] [PATCH v6 9/9] virsh: implement new command for launch security

2018-05-23 Thread Brijesh Singh
Add new 'launch-security' command, the command can be used to get or set the launch security information when booting encrypted VMs. Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- tools/virsh-domain.c | 81 tools/virsh.pod

Re: [libvirt] [PATCH v9 00/11] x86: Secure Encrypted Virtualization (AMD)

2018-06-11 Thread Brijesh Singh
Hi Erik, On 06/11/2018 09:10 AM, Erik Skultety wrote: On Fri, Jun 08, 2018 at 10:14:35AM -0500, Brijesh Singh wrote: Re: Jano's below comment (Also, some of the patches have double "<< >>" around your e-mail, how did that happen?) I am not sure what I am doing that

[libvirt] [PATCH v9 01/11] qemu: provide support to query the SEV capability

2018-06-08 Thread Brijesh Singh
QEMU version >= 2.12 provides support for launching encrypted VMs on AMD x86 platform using Secure Encrypted Virtualization (SEV) feature. This patch adds support to query the SEV capability from the qemu. Signed-off-by: Brijesh Singh Reviewed-by: Erik Skultety --- src/c

[libvirt] [PATCH v9 03/11] libvirt: Introduce virNodeGetSEVInfo public API

2018-06-08 Thread Brijesh Singh
The API can be used by application to retrieve the Platform Diffie-Hellman Key and Platform Certificate chain. Signed-off-by: Brijesh Singh Reviewed-by: Erik Skultety --- include/libvirt/libvirt-host.h | 42 src/driver-hypervisor.h| 6 ++ src

[libvirt] [PATCH v9 07/11] qemu/cgroup: add /dev/sev in shared devices list

2018-06-08 Thread Brijesh Singh
QEMU uses /dev/sev device while creating the SEV guest, let's add /dev/sev in the list of devices allowed to be accessed by the QEMU. Signed-off-by: Brijesh Singh <> Reviewed-by: Erik Skultety --- docs/drvqemu.html.in | 3 ++- src/qemu/qemu.conf | 2 +- sr

[libvirt] [PATCH v9 11/11] qemu: Implement the driver backend for virDomainGetLaunchSecurityInfo

2018-06-08 Thread Brijesh Singh
This patch implements the internal driver API for launch event into qemu driver. When SEV is enabled, execute 'query-sev-launch-measurement' to get the measurement of memory encrypted through launch sequence. Signed-off-by: Brijesh Singh Reviewed-by: Erik Skultety --- src/qemu/qemu_driver.c

[libvirt] [PATCH v9 02/11] conf: expose SEV feature in domain capabilities

2018-06-08 Thread Brijesh Singh
a cryptographic session with the SEV firmware to negotiate keys used for attestation or to provide secret during launch. Signed-off-by: Brijesh Singh Reviewed-by: Erik Skultety --- docs/formatdomaincaps.html.in | 30 +++ docs/schemas/domaincaps.rng| 14 + src

[libvirt] [PATCH v9 06/11] conf: introduce launch-security element in domain

2018-06-08 Thread Brijesh Singh
to unintelligible data. Signed-off-by: Brijesh Singh Reviewed-by: Erik Skultety --- docs/formatdomain.html.in | 115 ++ docs/schemas/domaincommon.rng | 37 ++ src/conf/domain_conf.c | 133

[libvirt] [PATCH v9 04/11] remote: implement the remote protocol for virNodeGetSEVInfo()

2018-06-08 Thread Brijesh Singh
Add remote support for virNodeGetSEVInfo(). Signed-off-by: Brijesh Singh Reviewed-by: Erik Skultety --- src/remote/remote_daemon_dispatch.c | 44 + src/remote/remote_driver.c | 40 + src/remote/remote_protocol.x

[libvirt] [PATCH v9 05/11] qemu: Implement the driver backend for virNodeGetSEVInfo()

2018-06-08 Thread Brijesh Singh
Signed-off-by: Brijesh Singh <> --- src/qemu/qemu_capabilities.c | 7 src/qemu/qemu_capabilities.h | 4 +++ src/qemu/qemu_driver.c | 82 3 files changed, 93 insertions(+) diff --git a/src/qemu/qemu_capabilities.c b/sr

[libvirt] [PATCH v9 00/11] x86: Secure Encrypted Virtualization (AMD)

2018-06-08 Thread Brijesh Singh
rted with 'make check' and 'make syntax-check' The complete git tree is available at: https://github.com/codomania/libvirt/tree/v9 Brijesh Singh (11): qemu: provide support to query the SEV capability conf: expose SEV feature in domain capabilities libvirt: Introduce virNodeGetSEVInfo publ

[libvirt] [PATCH v9 09/11] libvirt: Introduce virDomainGetLaunchSecurityInfo public API

2018-06-08 Thread Brijesh Singh
The API can be used outside the libvirt to get the launch security information. When SEV is enabled, the API can be used to get the measurement of the launch process. Signed-off-by: Brijesh Singh Reviewed-by: Erik Skultety --- include/libvirt/libvirt-domain.h | 17 ++ src/driver

[libvirt] [PATCH v9 08/11] qemu: add support to launch SEV guest

2018-06-08 Thread Brijesh Singh
pos=47,reduced-phys-bits=5 ...\ -machine memory-encryption=sev0 \ Signed-off-by: Brijesh Singh Reviewed-by: Erik Skultety --- src/qemu/qemu_command.c | 41 src/qemu/qemu_process.c | 62 + te

[libvirt] [PATCH v9 10/11] remote: implement the remote protocol for launch security

2018-06-08 Thread Brijesh Singh
Add remote support for launch security info. Signed-off-by: Brijesh Singh Reviewed-by: Erik Skultety --- src/remote/remote_daemon_dispatch.c | 47 + src/remote/remote_driver.c | 40 +++ src/remote/remote_protocol.x

Re: [libvirt] [PATCH v9 00/11] x86: Secure Encrypted Virtualization (AMD)

2018-06-08 Thread Brijesh Singh
saw Jano note but it somehow happens again...I have no explanation on what is going on. Whoever commits the series, can you please remove one of the quotes from my email address, or I can try fixing it and resend the series. Please let me know. thanks On 06/08/2018 09:40 AM, Brijesh Sing

Re: [libvirt] [PATCH v8 05/11] qemu: Add support to get the SEV info

2018-06-07 Thread Brijesh Singh
On 06/07/2018 11:37 AM, Erik Skultety wrote: more verbose commit subject: qemu: Implement the driver backend for virNodeGetSEVInfo On Wed, Jun 06, 2018 at 12:50:11PM -0500, Brijesh Singh wrote: Signed-off-by: Brijesh Singh <> --- src/qemu/qemu_capabilities.c | 7 sr

Re: [libvirt] [PATCH v8 09/11] libvirt: add new public API to get launch security info

2018-06-07 Thread Brijesh Singh
On 06/07/2018 11:46 AM, Erik Skultety wrote: Better commit subject would be: libvirt: Introduce virDomainGetLaunchSecurityInfo public API On Wed, Jun 06, 2018 at 12:50:15PM -0500, Brijesh Singh wrote: The API can be used outside the libvirt to get the launch security information. When SEV

[libvirt] [PATCH] nwfilter: fix build error when pcap-config is not present

2018-06-07 Thread Brijesh Singh
nwfilter/nwfilter_learnipaddr.c:57:0: nwfilter/nwfilter_learnipaddr.h:38:5: note: previous declaration of 'virNWFilterLearnIPAddress' was here int virNWFilterLearnIPAddress(virNWFilterTechDriverPtr techdriver, Signed-off-by: Brijesh Singh --- src/nwfilter/nwfilter_learnipaddr.c | 2 +- 1 file

Re: [libvirt] [PATCH 00/10] SEV: use camelCase in XMLs and other cleanups

2018-06-12 Thread Brijesh Singh
instead of Sev in internal identifier names. Thanks for the series, In addition to looking at the changes I did a quick build and run tests. All seems to be working fine. thanks Reviewed-by: Brijesh Singh Tested-by: Brijesh Singh I did not touch virNodeGetSevInfoEnsureACL - not sure

[libvirt] [PATCH v7 3/9] expose virNodeGetSEVCapability API

2018-06-05 Thread Brijesh Singh
The API can be used by application to query the SEV capability. Signed-off-by: Brijesh Singh <> --- include/libvirt/libvirt-host.h | 42 + src/driver-hypervisor.h | 6 +++ src/libvirt-host.c | 48 +++ src/libvirt_publi

[libvirt] [PATCH v7 4/9] conf: introduce launch-security element in domain

2018-06-05 Thread Brijesh Singh
to unintelligible data. Signed-off-by: Brijesh Singh --- docs/formatdomain.html.in | 115 ++ docs/schemas/domaincommon.rng | 37 ++ src/conf/domain_conf.c | 133 + src/conf/domain_conf.h

[libvirt] [PATCH v7 1/9] qemu: provide support to query the SEV capability

2018-06-05 Thread Brijesh Singh
QEMU version >= 2.12 provides support for launching encrypted VMs on AMD x86 platform using Secure Encrypted Virtualization (SEV) feature. This patch adds support to query the SEV capability from the qemu. Signed-off-by: Brijesh Singh --- src/conf/domain_capabilitie

[libvirt] [PATCH v7 8/9] remote: implement the remote protocol for launch security

2018-06-05 Thread Brijesh Singh
Add remote support for launch security info. Signed-off-by: Brijesh Singh Reviewed-by: Erik Skultety --- src/remote/remote_daemon_dispatch.c | 47 + src/remote/remote_driver.c | 40 +++ src/remote/remote_protocol.x

[libvirt] [PATCH v7 9/9] qemu: Add support to launch security info

2018-06-05 Thread Brijesh Singh
This patch implements the internal driver API for launch event into qemu driver. When SEV is enabled, execute 'query-sev-launch-measurement' to get the measurement of memory encrypted through launch sequence. Signed-off-by: Brijesh Singh --- src/qemu/qemu_driver.c | 69

[libvirt] [PATCH v7 0/9] x86: Secure Encrypted Virtualization (AMD)

2018-06-05 Thread Brijesh Singh
security information * add test cases to validate newly added element * fix issues reported with 'make check' and 'make syntax-check' The complete git tree is available at: https://github.com/codomania/libvirt/tree/v7 Brijesh Singh (9): qemu: provide support to query the SEV capability conf: expose SE

[libvirt] [PATCH v7 6/9] qemu: add support to launch SEV guest

2018-06-05 Thread Brijesh Singh
pos=47,reduced-phys-bits=5 ...\ -machine memory-encryption=sev0 \ Signed-off-by: Brijesh Singh Reviewed-by: Erik Skultety --- src/qemu/qemu_command.c | 41 src/qemu/qemu_process.c | 62 + te

[libvirt] [PATCH v7 5/9] qemu/cgroup: add /dev/sev in shared devices list

2018-06-05 Thread Brijesh Singh
QEMU uses /dev/sev device while creating the SEV guest, let's add /dev/sev in the list of devices allowed to be accessed by the QEMU. Signed-off-by: Brijesh Singh <> Reviewed-by: Erik Skultety --- docs/drvqemu.html.in | 1 + src/qemu/qemu.conf | 2 +- sr

[libvirt] [PATCH v7 7/9] libvirt: add new public API to get launch security info

2018-06-05 Thread Brijesh Singh
The API can be used outside the libvirt to get the launch security information. When SEV is enabled, the API can be used to get the measurement of the launch process. Signed-off-by: Brijesh Singh --- include/libvirt/libvirt-domain.h | 17 ++ src/driver-hypervisor.h | 8

[libvirt] [PATCH v7 2/9] conf: expose SEV feature in domain capabilities

2018-06-05 Thread Brijesh Singh
a cryptographic session with the SEV firmware to negotiate keys used for attestation or to provide secret during launch. Signed-off-by: Brijesh Singh --- docs/formatdomaincaps.html.in | 30 ++ docs/schemas/domaincaps.rng| 14 src/conf/domain_capabilities.c

[libvirt] [PATCH v7 3/9] libvirt-host: expose virNodeGetSEVCapability API

2018-06-05 Thread Brijesh Singh
The API can be used by application to get the SEV capability (which includes platform certificate chain and other related information) Signed-off-by: Brijesh Singh <> --- include/libvirt/libvirt-host.h | 42 + src/driver-hypervisor.h | 6 +++ src/libvirt-

Re: [libvirt] [PATCH v7 3/9] expose virNodeGetSEVCapability API

2018-06-06 Thread Brijesh Singh
On 06/06/2018 03:45 AM, Erik Skultety wrote: On Tue, Jun 05, 2018 at 12:59:25PM -0500, Brijesh Singh wrote: The API can be used by application to query the SEV capability. Signed-off-by: Brijesh Singh <> --- include/libvirt/libvirt-host.h | 42 + src/

[libvirt] [PATCH v8 11/11] qemu: Add support to launch security info

2018-06-06 Thread Brijesh Singh
This patch implements the internal driver API for launch event into qemu driver. When SEV is enabled, execute 'query-sev-launch-measurement' to get the measurement of memory encrypted through launch sequence. Signed-off-by: Brijesh Singh --- src/qemu/qemu_driver.c | 69

[libvirt] [PATCH v8 02/11] conf: expose SEV feature in domain capabilities

2018-06-06 Thread Brijesh Singh
a cryptographic session with the SEV firmware to negotiate keys used for attestation or to provide secret during launch. Signed-off-by: Brijesh Singh --- docs/formatdomaincaps.html.in | 30 ++ docs/schemas/domaincaps.rng| 14 src/conf/domain_capabilities.c

[libvirt] [PATCH v8 08/11] qemu: add support to launch SEV guest

2018-06-06 Thread Brijesh Singh
pos=47,reduced-phys-bits=5 ...\ -machine memory-encryption=sev0 \ Signed-off-by: Brijesh Singh Reviewed-by: Erik Skultety --- src/qemu/qemu_command.c | 41 src/qemu/qemu_process.c | 62 + te

[libvirt] [PATCH v8 01/11] qemu: provide support to query the SEV capability

2018-06-06 Thread Brijesh Singh
QEMU version >= 2.12 provides support for launching encrypted VMs on AMD x86 platform using Secure Encrypted Virtualization (SEV) feature. This patch adds support to query the SEV capability from the qemu. Signed-off-by: Brijesh Singh --- src/conf/domain_capabilitie

[libvirt] [PATCH v8 0/9] x86: Secure Encrypted Virtualization (AMD)

2018-06-06 Thread Brijesh Singh
virt/tree/v8 Brijesh Singh (11): qemu: provide support to query the SEV capability conf: expose SEV feature in domain capabilities libvirt: add new public API to get SEV Info remote: implement the remote protocol for virNodeSEVInfo() qemu: Add support to get the SEV info conf: introduce lau

[libvirt] [PATCH v8 03/11] libvirt: add new public API to get SEV Info

2018-06-06 Thread Brijesh Singh
The API can be used by application to retrieve the Platform Diffie-Hellman Key and Platform Certificate chain. Signed-off-by: Brijesh Singh <> --- include/libvirt/libvirt-host.h | 42 + src/driver-hypervisor.h| 6 ++ src/libvirt-

[libvirt] [PATCH v8 09/11] libvirt: add new public API to get launch security info

2018-06-06 Thread Brijesh Singh
The API can be used outside the libvirt to get the launch security information. When SEV is enabled, the API can be used to get the measurement of the launch process. Signed-off-by: Brijesh Singh --- include/libvirt/libvirt-domain.h | 17 ++ src/driver-hypervisor.h | 8

[libvirt] [PATCH v8 07/11] qemu/cgroup: add /dev/sev in shared devices list

2018-06-06 Thread Brijesh Singh
QEMU uses /dev/sev device while creating the SEV guest, let's add /dev/sev in the list of devices allowed to be accessed by the QEMU. Signed-off-by: Brijesh Singh <> Reviewed-by: Erik Skultety --- docs/drvqemu.html.in | 1 + src/qemu/qemu.conf | 2 +- sr

[libvirt] [PATCH v8 06/11] conf: introduce launch-security element in domain

2018-06-06 Thread Brijesh Singh
to unintelligible data. Signed-off-by: Brijesh Singh --- docs/formatdomain.html.in | 115 ++ docs/schemas/domaincommon.rng | 37 ++ src/conf/domain_conf.c | 133 + src/conf/domain_conf.h

[libvirt] [PATCH v8 10/11] remote: implement the remote protocol for launch security

2018-06-06 Thread Brijesh Singh
Add remote support for launch security info. Signed-off-by: Brijesh Singh Reviewed-by: Erik Skultety --- src/remote/remote_daemon_dispatch.c | 47 + src/remote/remote_driver.c | 40 +++ src/remote/remote_protocol.x

[libvirt] [PATCH v8 05/11] qemu: Add support to get the SEV info

2018-06-06 Thread Brijesh Singh
Signed-off-by: Brijesh Singh <> --- src/qemu/qemu_capabilities.c | 7 src/qemu/qemu_capabilities.h | 4 ++ src/qemu/qemu_driver.c | 91 3 files changed, 102 insertions(+) diff --git a/src/qemu/qemu_capabilities.c b/sr

[libvirt] [PATCH v8 04/11] remote: implement the remote protocol for virNodeSEVInfo()

2018-06-06 Thread Brijesh Singh
Add remote support for virNodeSEVInfo(). Signed-off-by: Brijesh Singh <> --- src/remote/remote_daemon_dispatch.c | 44 + src/remote/remote_driver.c | 40 + src/remote/remote_protocol.x

Re: [libvirt] [PATCH v6 1/9] qemu: provide support to query the SEV capability

2018-05-29 Thread Brijesh Singh
On 05/28/2018 02:25 AM, Erik Skultety wrote: On Wed, May 23, 2018 at 04:18:26PM -0500, Brijesh Singh wrote: QEMU version >= 2.12 provides support for launching encrypted VMs on AMD x86 platform using Secure Encrypted Virtualization (SEV) feature. This patch adds support to query the

Re: [libvirt] [PATCH v6 3/9] conf: introduce launch-security element in domain

2018-05-29 Thread Brijesh Singh
On 05/28/2018 05:57 AM, Erik Skultety wrote: On Wed, May 23, 2018 at 04:18:28PM -0500, Brijesh Singh wrote: The launch-security element can be used to define the security model to use when launching a domain. Currently we support 'sev'. When 'sev' is used, the VM will be launched with AMD

Re: [libvirt] [PATCH v6 0/9] x86: Secure Encrypted Virtualization (AMD)

2018-05-29 Thread Brijesh Singh
On 05/28/2018 05:06 AM, Erik Skultety wrote: On Wed, May 23, 2018 at 04:18:25PM -0500, Brijesh Singh wrote: This patch series provides support for launching an encrypted guest using AMD's new Secure Encrypted Virtualization (SEV) feature. SEV is an extension to the AMD-V architecture which

Re: [libvirt] [PATCH v6 2/9] qemu: introduce SEV feature in hypervisor capabilities

2018-05-29 Thread Brijesh Singh
On 05/28/2018 05:28 AM, Erik Skultety wrote: On Wed, May 23, 2018 at 04:18:27PM -0500, Brijesh Singh wrote: Extend hypervisor capabilities to include sev feature. When available, hypervisor supports launching an encrypted VM on AMD platform. The sev feature tag provides additional details

Re: [libvirt] [PATCH v6 6/9] libvirt: add new public API to get launch security info

2018-06-01 Thread Brijesh Singh
On 05/28/2018 09:36 AM, Erik Skultety wrote: On Wed, May 23, 2018 at 04:18:31PM -0500, Brijesh Singh wrote: The API can be used outside the libvirt to get the launch security information. When SEV is enabled, the API can be used to get the measurement of the launch process. Signed-off

Re: [libvirt] [PATCH v6 0/9] x86: Secure Encrypted Virtualization (AMD)

2018-06-04 Thread Brijesh Singh
On 05/29/2018 10:28 AM, Brijesh Singh wrote: ... On 05/28/2018 05:06 AM, Erik Skultety wrote: On Wed, May 23, 2018 at 04:18:25PM -0500, Brijesh Singh wrote: This patch series provides support for launching an encrypted guest using AMD's new Secure Encrypted Virtualization (SEV) feature

[libvirt] [PATCH 2/4] qemu: introduce SEV feature in hypervisor capabilities

2018-02-26 Thread Brijesh Singh
a cryptographic session with the SEV firmware to negotiate keys used for attestation or to provide secret during launch. Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- docs/formatdomaincaps.html.in | 31 +++ docs/schemas/domaincaps.rng| 10 ++ sr

[libvirt] [PATCH 4/4] libvirt-domain: add new virDomainGetSevVmMeasurement() API

2018-02-26 Thread Brijesh Singh
booting the guest. Signed-off-by: Xiaogang Chen <xiaogang.c...@amd.com> Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- include/libvirt/libvirt-domain.h | 4 +++ src/driver-hypervisor.h | 4 +++ src/libvirt-domain.c | 41 ++

[libvirt] [PATCH 0/4] x86: Secure Encrypted Virtualization (AMD)

2018-02-26 Thread Brijesh Singh
devices. I am looking for some suggestions. Using these patches we have successfully booted and tested a guest both with and without SEV enabled. SEV Firmware API spec is available at: https://support.amd.com/TechDocs/55766_SEV-KM%20API_Specification.pdf Brijesh Singh (4): qemu: provide support

[libvirt] [PATCH 1/4] qemu: provide support to query the SEV capability

2018-02-26 Thread Brijesh Singh
QEMU version >= 2.12 provides support for launching encrypted VMs on AMD X86 platform using Secure Encrypted Virtualization (SEV) feature. This patch adds support to query the SEV capability from the qemu. Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- QEMU SEV v9 p

[libvirt] [PATCH 3/4] conf: introduce sev element in domain

2018-02-26 Thread Brijesh Singh
sev-guest' object which supports launching encrypted VMs. A typical command line # $QEMU ... \ -machine memory-encryption=sev0 \ -object sev-guest,id=sev0,cbitpos=47,reduced-phys-bits=5 \ ... Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- docs/formatdomain.htm

Re: [libvirt] [PATCH 0/4] Fix a SIGSEGV in libvirtd when querying AMD SEV info

2018-08-16 Thread Brijesh Singh
snippet from BZ import libvirt conn = libvirt.open() conn.getSEVInfo() And I can confirm that getSEVInfo is able to get the PDH certificates etc. Tested-by: Brijesh Singh

Re: [libvirt] CPU Support

2018-07-18 Thread Brijesh Singh
On 7/18/18 8:49 AM, Eduardo Habkost wrote: > CCing the AMD people who worked on this. > > On Wed, Jul 18, 2018 at 12:18:45PM +0200, Pavel Hrdina wrote: >> On Wed, Jul 18, 2018 at 10:50:34AM +0100, Daniel P. Berrangé wrote: >>> On Wed, Jul 18, 2018 at 12:41:48PM +0300, Hetz Ben Hamo wrote:

Re: [libvirt] [PATCH v2 4/9] qemu: add support to launch SEV guest

2018-03-12 Thread Brijesh Singh
On 03/12/2018 08:41 AM, Daniel P. Berrangé wrote: On Thu, Mar 08, 2018 at 11:12:03AM -0600, Brijesh Singh wrote: QEMU >= 2.12 provides 'sev-guest' object which is used to launch encrypted VMs on AMD platform using SEV feature. The various inputs required to launch SEV guest is provi

Re: [libvirt] [PATCH v2 1/9] qemu: provide support to query the SEV capability

2018-03-12 Thread Brijesh Singh
On 03/12/2018 08:52 AM, Peter Krempa wrote: On Mon, Mar 12, 2018 at 13:31:23 +, Daniel Berrange wrote: On Thu, Mar 08, 2018 at 11:12:00AM -0600, Brijesh Singh wrote: QEMU version >= 2.12 provides support for launching encrypted VMs on AMD x86 platform using Secure Encryp

Re: [libvirt] [PATCH v2 1/9] qemu: provide support to query the SEV capability

2018-03-12 Thread Brijesh Singh
On 03/12/2018 08:31 AM, Daniel P. Berrangé wrote: On Thu, Mar 08, 2018 at 11:12:00AM -0600, Brijesh Singh wrote: QEMU version >= 2.12 provides support for launching encrypted VMs on AMD x86 platform using Secure Encrypted Virtualization (SEV) feature. This patch adds support to qu

Re: [libvirt] [PATCH v2 5/9] libvirt: add new public API to get launch security info

2018-03-12 Thread Brijesh Singh
On 03/12/2018 07:01 AM, Daniel P. Berrangé wrote: On Thu, Mar 08, 2018 at 11:12:04AM -0600, Brijesh Singh wrote: The API can be used outside the libvirt to get the launch security information. When SEV is enabled, the API can be used to get the measurement of the launch process. Signed-off

Re: [libvirt] [PATCH v2 2/9] qemu: introduce SEV feature in hypervisor capabilities

2018-03-12 Thread Brijesh Singh
On 03/12/2018 08:33 AM, Daniel P. Berrangé wrote: On Thu, Mar 08, 2018 at 11:12:01AM -0600, Brijesh Singh wrote: Extend hypervisor capabilities to include sev feature. When available, hypervisor supports launching an encrypted VM on AMD platform. The sev feature tag provides additional

Re: [libvirt] [PATCH 2/4] qemu: introduce SEV feature in hypervisor capabilities

2018-02-27 Thread Brijesh Singh
On 02/27/2018 02:15 AM, Peter Krempa wrote: On Mon, Feb 26, 2018 at 11:53:34 -0600, Brijesh Singh wrote: Extend hypervisor capabilities to include sev feature. When available, hypervisor supports launching an encrypted VM on AMD platform. The sev feature tag provides additional details like

Re: [libvirt] [PATCH 3/4] conf: introduce sev element in domain

2018-02-27 Thread Brijesh Singh
On 02/27/2018 05:10 AM, Daniel P. Berrangé wrote: On Mon, Feb 26, 2018 at 11:53:35AM -0600, Brijesh Singh wrote: Secure Encrypted Virtualization (sev) element is used to provide the guest owners input parameters used for creating an encrypted VM using AMD SEV feature. SEV feature supports

Re: [libvirt] [PATCH 3/4] conf: introduce sev element in domain

2018-02-27 Thread Brijesh Singh
On 02/27/2018 11:15 AM, Daniel P. Berrangé wrote: On Tue, Feb 27, 2018 at 11:07:25AM -0600, Brijesh Singh wrote: On 02/27/2018 05:10 AM, Daniel P. Berrangé wrote: On Mon, Feb 26, 2018 at 11:53:35AM -0600, Brijesh Singh wrote: Secure Encrypted Virtualization (sev) element is used

Re: [libvirt] [PATCH 1/4] qemu: provide support to query the SEV capability

2018-02-27 Thread Brijesh Singh
On 02/27/2018 02:09 AM, Peter Krempa wrote: On Mon, Feb 26, 2018 at 11:53:33 -0600, Brijesh Singh wrote: QEMU version >= 2.12 provides support for launching encrypted VMs on AMD X86 platform using Secure Encrypted Virtualization (SEV) feature. This patch adds support to query the

Re: [libvirt] [PATCH 4/4] libvirt-domain: add new virDomainGetSevVmMeasurement() API

2018-02-27 Thread Brijesh Singh
On 02/27/2018 05:07 AM, Daniel P. Berrangé wrote: On Mon, Feb 26, 2018 at 11:53:36AM -0600, Brijesh Singh wrote: The virDomainGetSevVmMeasurement() can be used to retrieve the measurement of encrypted VM launched using AMD SEV feature. The measurement is a signature of the memory contents

Re: [libvirt] [PATCH 3/4] conf: introduce sev element in domain

2018-02-27 Thread Brijesh Singh
On 02/27/2018 02:34 AM, Peter Krempa wrote: On Mon, Feb 26, 2018 at 11:53:35 -0600, Brijesh Singh wrote: Secure Encrypted Virtualization (sev) element is used to provide the guest owners input parameters used for creating an encrypted VM using AMD SEV feature. SEV feature supports running

[libvirt] [PATCH v2 6/9] remote: implement the remote protocol for launch security

2018-03-08 Thread Brijesh Singh
Add remote support for launch security info. Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- src/remote/remote_daemon_dispatch.c | 63 + src/remote/remote_driver.c | 52 +- src/remote/remote_protocol.x

[libvirt] [PATCH v2 9/9] tests: extend tests to include sev specific tag parsing

2018-03-08 Thread Brijesh Singh
From: Xiaogang Chen Update qemuxml2xmltest, genericxml2xmltest and qemuxml2argvtest to include sev specific tag, a typical SEV specific tag looks like + foobar + c7a5fdbd-edaf-9455-926a-d65c16db1809 + 219136 + 219136 + 1 + +hvm + + + + destroy +

[libvirt] [PATCH v2 7/9] qemu_driver: add support to launch security info

2018-03-08 Thread Brijesh Singh
This patch implements the internal driver API for launch event into qemu driver. When SEV is enabled, execute 'query-sev-launch-measurement' to get the measurement of memory encrypted through launch sequence. Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- src/qemu/qemu_dr

[libvirt] [PATCH v2 8/9] virsh: implement new command for launch security

2018-03-08 Thread Brijesh Singh
Add new 'launch-security' command, the command can be used to get or set the launch security information when booting encrypted VMs. Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- tools/virsh-domain.c | 93 1 file chang

[libvirt] [PATCH v2 0/9] x86: Secure Encrypted Virtualization (AMD)

2018-03-08 Thread Brijesh Singh
ded element * fix issues reported with 'make check' and 'make syntax-check' The complete git tree is available at: https://github.com/codomania/libvirt/tree/v2 Brijesh Singh (8): qemu: provide support to query the SEV capability qemu: introduce SEV feature in hypervisor capabilities c

[libvirt] [PATCH v2 4/9] qemu: add support to launch SEV guest

2018-03-08 Thread Brijesh Singh
pos=47,reduced-phys-bits=5 ...\ -machine memory-encryption=sev0 \ Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- src/qemu/qemu_command.c | 33 ++ src/qemu/qemu_process.c | 91 + 2 files changed, 124 insertions(+) d

[libvirt] [PATCH v2 1/9] qemu: provide support to query the SEV capability

2018-03-08 Thread Brijesh Singh
QEMU version >= 2.12 provides support for launching encrypted VMs on AMD x86 platform using Secure Encrypted Virtualization (SEV) feature. This patch adds support to query the SEV capability from the qemu. Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- src/conf/domain_capab

[libvirt] [PATCH v2 2/9] qemu: introduce SEV feature in hypervisor capabilities

2018-03-08 Thread Brijesh Singh
a cryptographic session with the SEV firmware to negotiate keys used for attestation or to provide secret during launch. Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- docs/formatdomaincaps.html.in | 40 docs/schemas/domaincaps.rng

[libvirt] [PATCH v2 3/9] conf: introduce launch-security element in domain

2018-03-08 Thread Brijesh Singh
to unintelligible data. Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- docs/formatdomain.html.in | 120 ++ docs/schemas/domaincommon.rng | 39 ++ src/conf/domain_conf.c| 111 ++ sr

[libvirt] [PATCH v2 5/9] libvirt: add new public API to get launch security info

2018-03-08 Thread Brijesh Singh
The API can be used outside libvirt to get the launch security information. When SEV is enabled, the API can be used to get the measurement of the launch process. Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- include/libvirt/libvirt-domain.h | 17 ++ src/

[libvirt] [PATCH v3 3/9] conf: introduce launch-security element in domain

2018-03-15 Thread Brijesh Singh
to unintelligible data. Reviewed-by: "Daniel P. Berrangé" <berra...@redhat.com> Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- docs/formatdomain.html.in | 120 ++ docs/schemas/domaincommon.rng | 39 ++

[libvirt] [PATCH v3 1/9] qemu: provide support to query the SEV capability

2018-03-15 Thread Brijesh Singh
QEMU version >= 2.12 provides support for launching encrypted VMs on AMD x86 platform using Secure Encrypted Virtualization (SEV) feature. This patch adds support to query the SEV capability from the qemu. Reviewed-by: "Daniel P. Berrangé" <berra...@redhat.com> Signed-of

[libvirt] [PATCH v3 9/9] tests: extend tests to include sev specific tag parsing

2018-03-15 Thread Brijesh Singh
From: Xiaogang Chen Update qemuxml2xmltest, genericxml2xmltest and qemuxml2argvtest to include sev specific tag, a typical SEV specific tag looks like + QEMUGuest1 + c7a5fdbd-edaf-9455-926a-d65c16db1809 + 219100 + 219100 + 1 + +hvm + + + + destroy +

[libvirt] [PATCH v3 4/9] qemu: add support to launch SEV guest

2018-03-15 Thread Brijesh Singh
pos=47,reduced-phys-bits=5 ...\ -machine memory-encryption=sev0 \ Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- src/qemu/qemu_command.c | 35 + src/qemu/qemu_process.c | 58 + 2 files changed, 93 i

[libvirt] [PATCH v3 2/9] qemu: introduce SEV feature in hypervisor capabilities

2018-03-15 Thread Brijesh Singh
a cryptographic session with the SEV firmware to negotiate keys used for attestation or to provide secret during launch. Reviewed-by: "Daniel P. Berrangé" <berra...@redhat.com> Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- docs/formatdo

[libvirt] [PATCH v3 0/9] x86: Secure Encrypted Virtualization (AMD)

2018-03-15 Thread Brijesh Singh
ded element * fix issues reported with 'make check' and 'make syntax-check' The complete git tree is available at: https://github.com/codomania/libvirt/tree/v3 Brijesh Singh (8): qemu: provide support to query the SEV capability qemu: introduce SEV feature in hypervisor capabilities c
