Re: [PATCH 0/4] KVM: SVM: kbuild test robot warning fixes

2018-02-23 Thread Paolo Bonzini
es on kvm/queue branch. > > Cc: Paolo Bonzini <pbonz...@redhat.com> > Cc: "Radim Krčmář" <rkrc...@redhat.com> > Cc: Borislav Petkov <b...@suse.de> > Cc: Herbert Xu <herb...@gondor.apana.org.au> > Cc: Gary Hook <gary.h...@amd.com> > Cc: Tom

Re: [Part2 PATCH v9 00/38] x86: Secure Encrypted Virtualization (AMD)

2018-01-11 Thread Paolo Bonzini
On 05/12/2017 02:04, Brijesh Singh wrote: > This part of Secure Encrypted Virtualization (SEV) patch series focuses on KVM > changes required to create and manage SEV guests. > > SEV is an extension to the AMD-V architecture which supports running encrypted > virtual machine (VMs) under the

Re: [Part2 PATCH v9 00/38] x86: Secure Encrypted Virtualization (AMD)

2017-12-21 Thread Paolo Bonzini
> > Complete tree is available at: > repo: https://github.com/codomania/kvm.git > branch: sev-v9-p2 > > TODO: > * Add SEV guest migration command support > > Cc: Thomas Gleixner <t...@linutronix.de> > Cc: Ingo Molnar <mi...@redhat.com> > Cc: "H. Peter A

Re: [RFC PATCH v2 16/32] x86: kvm: Provide support to create Guest and HV shared per-CPU variables

2017-03-29 Thread Paolo Bonzini
On 28/03/2017 20:39, Borislav Petkov wrote: >> 2) Since the encryption attributes works on PAGE_SIZE hence add some extra >> padding to 'struct kvm-steal-time' to make it PAGE_SIZE and then at runtime >> clear the encryption attribute of the full PAGE. The downside of this was >> now we need to

Re: [RFC PATCH v2 29/32] kvm: svm: Add support for SEV DEBUG_DECRYPT command

2017-03-17 Thread Paolo Bonzini
On 16/03/2017 19:41, Brijesh Singh wrote: >> >> Please do add it, it doesn't seem very different from what you're doing >> in LAUNCH_UPDATE_DATA. There's no need for a separate >> __sev_dbg_decrypt_page function, you can just pin/unpin here and do a >> per-page loop as in LAUNCH_UPDATE_DATA. >

Re: [RFC PATCH v2 14/32] x86: mm: Provide support to use memblock when splitting large pages

2017-03-16 Thread Paolo Bonzini
On 10/03/2017 23:41, Brijesh Singh wrote: >> Maybe there's a reason this fires: >> >> WARNING: modpost: Found 2 section mismatch(es). >> To see full details build your kernel with: >> 'make CONFIG_DEBUG_SECTION_MISMATCH=y' >> >> WARNING: vmlinux.o(.text+0x48edc): Section mismatch in reference

Re: [RFC PATCH v2 14/32] x86: mm: Provide support to use memblock when splitting large pages

2017-03-16 Thread Paolo Bonzini
On 02/03/2017 16:15, Brijesh Singh wrote: > > __split_large_page(struct cpa_data *cpa, pte_t *kpte, unsigned long address, > -struct page *base) > + pte_t *pbase, unsigned long new_pfn) > { > - pte_t *pbase = (pte_t *)page_address(base); Just one comment and

Re: [RFC PATCH v2 16/32] x86: kvm: Provide support to create Guest and HV shared per-CPU variables

2017-03-16 Thread Paolo Bonzini
On 02/03/2017 16:15, Brijesh Singh wrote: > Some KVM specific MSRs (steal-time, asyncpf, avic_eio) allocate per-CPU > variables at compile time and share their physical address with the hypervisor. > It presents a challenge when SEV is active in the guest OS. When SEV is active, > guest memory is

Re: [RFC PATCH v2 30/32] kvm: svm: Add support for SEV DEBUG_ENCRYPT command

2017-03-16 Thread Paolo Bonzini
On 02/03/2017 16:18, Brijesh Singh wrote: > + data = (void *) get_zeroed_page(GFP_KERNEL); The page does not need to be zeroed, does it? > + > + if ((len & 15) || (dst_addr & 15)) { > + /* if destination address and length are not 16-byte > + * aligned then: >

Re: [RFC PATCH v2 29/32] kvm: svm: Add support for SEV DEBUG_DECRYPT command

2017-03-16 Thread Paolo Bonzini
On 02/03/2017 16:18, Brijesh Singh wrote: > +static int __sev_dbg_decrypt_page(struct kvm *kvm, unsigned long src, > + void *dst, int *error) > +{ > + inpages = sev_pin_memory(src, PAGE_SIZE, ); > + if (!inpages) { > + ret = -ENOMEM; > + goto err_1; >

Re: [RFC PATCH v2 26/32] kvm: svm: Add support for SEV LAUNCH_UPDATE_DATA command

2017-03-16 Thread Paolo Bonzini
On 02/03/2017 16:17, Brijesh Singh wrote: > +static struct page **sev_pin_memory(unsigned long uaddr, unsigned long ulen, > + unsigned long *n) > +{ > + struct page **pages; > + int first, last; > + unsigned long npages, pinned; > + > + /* Get

Re: [RFC PATCH v2 32/32] x86: kvm: Pin the guest memory when SEV is active

2017-03-16 Thread Paolo Bonzini
On 02/03/2017 16:18, Brijesh Singh wrote: > The SEV memory encryption engine uses a tweak such that two identical > plaintexts at different locations will have different ciphertexts. > So swapping or moving ciphertexts of two pages will not result in > plaintexts being swapped. Relocating (or

Re: [RFC PATCH v2 24/32] kvm: x86: prepare for SEV guest management API support

2017-03-16 Thread Paolo Bonzini
On 02/03/2017 16:17, Brijesh Singh wrote: > ASID management: > - Reserve asid range for SEV guest, SEV asid range is obtained through > CPUID Fn8000_001f[ECX]. A non-SEV guest can use any asid outside the SEV > asid range. How is backwards compatibility handled? > - SEV guest must have

Re: [RFC PATCH v2 23/32] kvm: introduce KVM_MEMORY_ENCRYPT_OP ioctl

2017-03-16 Thread Paolo Bonzini
/* Available with KVM_CAP_X86_SMM */ > #define KVM_SMI _IO(KVMIO, 0xb7) > +/* Memory Encryption Commands */ > +#define KVM_MEMORY_ENCRYPT_OP _IOWR(KVMIO, 0xb8, unsigned long) > > #define KVM_DEV_ASSIGN_ENABLE_IOMMU (1 << 0) > #define KVM_DEV_ASSIGN_PCI_2_3 (1 << 1) > Reviewed-by: Paolo Bonzini <pbonz...@redhat.com>

Re: [RFC PATCH v2 12/32] x86: Add early boot support when running with SEV active

2017-03-09 Thread Paolo Bonzini
On 09/03/2017 15:07, Borislav Petkov wrote: > + /* Check if running under a hypervisor */ > + eax = 0x4000; > + ecx = 0; > + native_cpuid(, , , ); This is not how you check if running under a hypervisor; you should check the HYPERVISOR bit, i.e. bit 31 of cpuid(1).ecx. This

Re: [RFC PATCH v1 09/28] x86/efi: Access EFI data as encrypted when SEV is active

2016-09-22 Thread Paolo Bonzini
On 22/09/2016 20:47, Tom Lendacky wrote: > > Because the firmware volume is written to high memory in encrypted form, > > and because the PEI phase runs in 32-bit mode, the firmware code will be > > encrypted; on the other hand, data that is placed in low memory for the > > kernel can be

Re: [RFC PATCH v1 09/28] x86/efi: Access EFI data as encrypted when SEV is active

2016-09-22 Thread Paolo Bonzini
On 22/09/2016 19:46, Tom Lendacky wrote: >> > Do you mean, it is encrypted here because we're in the guest kernel? > Yes, the idea is that the SEV guest will be running encrypted from the > start, including the BIOS/UEFI, and so all of the EFI related data will > be encrypted. Unless this is

Re: [RFC PATCH v1 09/28] x86/efi: Access EFI data as encrypted when SEV is active

2016-09-22 Thread Paolo Bonzini
On 22/09/2016 19:07, Borislav Petkov wrote: >> Which paragraph? > "Linux relies on BIOS to set this bit if BIOS has determined that the > reduction in the physical address space as a result of enabling memory > encryption..." > > Basically, you can enable SME in the BIOS and you're all set.

Re: [RFC PATCH v1 09/28] x86/efi: Access EFI data as encrypted when SEV is active

2016-09-22 Thread Paolo Bonzini
On 22/09/2016 16:59, Borislav Petkov wrote: > On Thu, Sep 22, 2016 at 04:45:51PM +0200, Paolo Bonzini wrote: >> The main difference between the SME and SEV encryption, from the point >> of view of the kernel, is that real-mode always writes unencrypted in >> SME and al

Re: [RFC PATCH v1 09/28] x86/efi: Access EFI data as encrypted when SEV is active

2016-09-22 Thread Paolo Bonzini
On 22/09/2016 16:35, Borislav Petkov wrote: >> > @@ -230,6 +230,10 @@ int __init efi_setup_page_tables(unsigned long >> > pa_memmap, unsigned num_pages) >> >efi_scratch.efi_pgt = (pgd_t *)__sme_pa(efi_pgd); >> >pgd = efi_pgd; >> > >> > + flags = _PAGE_NX | _PAGE_RW; >> > + if

single_task_running() vs. preemption warnings (was Re: [PATCH] kvm: fix preemption warnings in kvm_vcpu_block)

2015-09-17 Thread Paolo Bonzini
On 17/09/2015 18:27, Dominik Dingel wrote: > + preempt_disable(); > + solo = single_task_running(); > + preempt_enable(); > + > cur = ktime_get(); > - } while (single_task_running() && ktime_before(cur,

Re: Wrong system clock vs X.509 date specifiers

2012-09-25 Thread Paolo Bonzini
On 25/09/2012 17:35, David Howells wrote: Alan Cox a...@lxorguk.ukuu.org.uk wrote: Generate a certificate that is valid from a few minutes before the wallclock time. It's a certificate policy question not a kernel hackery one. That doesn't seem to be possible with openssl req. What