or SEV-ES. Even so, it
would be convenient if the CSP could ask QEMU/libvirt for the expected
hashes via the same interface that it gets the measurement. The CSP will
have to report the real launch measurement to the KBS. It would be handy
if the debug measurement were available at the same time with no extra
bookkeeping.
-Tobin
e than
one vCPU in the mirror. For instance we might want to use multiple MH
vCPUs to increase throughput.
-Tobin
> The disadvantage is that, as you point out, in the future some of the
> infrastructure you introduce might be useful for VMPL0 operation on
> SEV-SNP. My proposal above might
that aren't allowed to migrate won't be provisioned with
transport key to encrypt pages. A non-migrateable guest could also be
booted with OvmfPkg firmware, which does not contain the migration handler.
-Tobin
Dave
James
On 8/19/21 4:22 AM, Dr. David Alan Gilbert wrote:
* Tobin Feldman-Fitzthum (to...@linux.ibm.com) wrote:
On 8/18/21 3:04 PM, Dr. David Alan Gilbert wrote:
Are you relying on the target firmware to be *identical* or purely for
it to be *compatible* ? It's normal for a migration
On 8/18/21 3:04 PM, Dr. David Alan Gilbert wrote:
* Tobin Feldman-Fitzthum (to...@linux.ibm.com) wrote:
On 8/17/21 6:04 PM, Steve Rutherford wrote:
Ahh, it sounds like you are looking into sidestepping the existing
AMD-SP flows for migration. I assume the idea is to spin up a VM on
the target
On 8/17/21 6:04 PM, Steve Rutherford wrote:
On Tue, Aug 17, 2021 at 1:50 PM Tobin Feldman-Fitzthum
wrote:
This is essentially what we do in our prototype, although we have an
even simpler approach. We have a 1:1 mapping that maps an address to
itself with the cbit set. During Migration QEMU
ld use the PSP for this.
-Tobin
What do you think?
Paolo
rror. We have some support
code that runs in the main VM and sets up the migration handler entry
point. QEMU starts the mirror pointing to this entry point, which does
some more setup (like switching to long mode) and jumps to the migration
handler.
-Tobin
> Additionally this still requires C
On 2020-10-30 16:02, Dr. David Alan Gilbert wrote:
* Tobin Feldman-Fitzthum (to...@linux.ibm.com) wrote:
Hello,
Dov Murik, James Bottomley, Hubertus Franke, and I have been working
on a
plan for fast live migration with SEV and SEV-ES. We just posted an
RFC
about it to the edk2 list
around the end of the year. For now,
check out our other post, which has a lot more information and let me
know if you have any thoughts.
-Tobin
From: Tobin Feldman-Fitzthum
AMD SEV allows a guest owner to inject a secret blob
into the memory of a virtual machine. The secret is
encrypted with the SEV Transport Encryption Key and
integrity is guaranteed with the Transport Integrity
Key. Although QEMU facilitates the injection
On 2020-10-27 09:35, Eduardo Habkost wrote:
On Thu, Oct 22, 2020 at 01:39:09AM -0400, to...@linux.ibm.com wrote:
From: Tobin Feldman-Fitzthum
AMD SEV allows a guest owner to inject a secret blob
into the memory of a virtual machine. The secret is
encrypted with the SEV Transport Encryption
From: Tobin Feldman-Fitzthum
AMD SEV allows a guest owner to inject a secret blob
into the memory of a virtual machine. The secret is
encrypted with the SEV Transport Encryption Key and
integrity is guaranteed with the Transport Integrity
Key. Although QEMU facilitates the injection
On 2020-10-22 00:16, to...@linux.ibm.com wrote:
From: Tobin Feldman-Fitzthum
AMD SEV allows a guest owner to inject a secret blob
into the memory of a virtual machine. The secret is
encrypted with the SEV Transport Encryption Key and
integrity is guaranteed with the Transport Integrity
Key
From: Tobin Feldman-Fitzthum
AMD SEV allows a guest owner to inject a secret blob
into the memory of a virtual machine. The secret is
encrypted with the SEV Transport Encryption Key and
integrity is guaranteed with the Transport Integrity
Key. Although QEMU facilitates the injection
hard-coded
as 1, so adding the check isn't going to break anything.
Would you like me to resubmit with this tweak?
-Tobin
st char *secret,
- uint64_t gpa)
+ uint64_t gpa, Error *errp)
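Review bot: the parameter added on the `+` line is declared as `Error *errp`, but QEMU's error-propagation convention passes `Error **errp` (a pointer to the caller's `Error *`) so that `error_setg(errp, ...)` in the callee reaches the caller; with a single pointer the caller has no way to observe the error. Suggest `+ uint64_t gpa, Error **errp)`.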
Oops. Fixing up the fixup:
Thanks Eduardo.
-Tobin
---
diff --git a/target/i386/sev-stub.c b/target/i386/sev-stub.c
index 62a2587e7b..e4e60d9a7d 100644
--- a/target/i386/sev-stub.c
+++ b/target/i386/sev-stub.c
From: Tobin Feldman-Fitzthum
AMD SEV allows a guest owner to inject a secret blob
into the memory of a virtual machine. The secret is
encrypted with the SEV Transport Encryption Key and
integrity is guaranteed with the Transport Integrity
Key. Although QEMU facilitates the injection
On 2020-10-14 11:42, Brijesh Singh wrote:
On 10/14/20 10:17 AM, to...@linux.ibm.com wrote:
From: Tobin Feldman-Fitzthum
AMD SEV allows a guest owner to inject a secret blob
into the memory of a virtual machine. The secret is
encrypted with the SEV Transport Encryption Key and
integrity
From: Tobin Feldman-Fitzthum
AMD SEV allows a guest owner to inject a secret blob
into the memory of a virtual machine. The secret is
encrypted with the SEV Transport Encryption Key and
integrity is guaranteed with the Transport Integrity
Key. Although QEMU facilitates the injection
On 2020-10-12 12:49, Daniel P. Berrangé wrote:
On Mon, Oct 12, 2020 at 05:21:15PM +0100, Dr. David Alan Gilbert wrote:
* Tobin Feldman-Fitzthum (to...@linux.vnet.ibm.com) wrote:
> AMD SEV allows a guest owner to inject a secret blob
> into the memory of a virtual machine. The
On 2020-09-21 15:16, Dr. David Alan Gilbert wrote:
* Tobin Feldman-Fitzthum (to...@linux.vnet.ibm.com) wrote:
AMD SEV allows a guest owner to inject a secret blob
into the memory of a virtual machine. The secret is
encrypted with the SEV Transport Encryption Key and
integrity is guaranteed
On 2020-07-06 17:54, Tobin Feldman-Fitzthum wrote:
Not sure if v3 is necessary, but here it is.
Fixed the 32-bit issues and removed the checks
on header and secret length. I agree with Brijesh
that those are best left to the PSP, which
returns somewhat helpful errors if either are incorrect
the secret.
Signed-off-by: Tobin Feldman-Fitzthum
---
include/monitor/monitor.h | 3 ++
include/sysemu/sev.h      | 2 ++
monitor/misc.c            | 8 ++---
qapi/misc-target.json     | 18 +++
target/i386/monitor.c     | 9 ++
target/i386/sev-stub.c    | 5 +++
target/i386/sev.c
On 2020-07-03 09:25, Brijesh Singh wrote:
On 7/3/20 6:11 AM, Dr. David Alan Gilbert wrote:
* Tobin Feldman-Fitzthum (to...@linux.vnet.ibm.com) wrote:
From: Tobin Feldman-Fitzthum
AMD SEV allows a guest owner to inject a secret blob
into the memory of a virtual machine. The secret
From: Tobin Feldman-Fitzthum
AMD SEV allows a guest owner to inject a secret blob
into the memory of a virtual machine. The secret is
encrypted with the SEV Transport Encryption Key and
integrity is guaranteed with the Transport Integrity
Key. Although QEMU facilitates the injection of the
launch
On 2020-07-02 11:53, Dr. David Alan Gilbert wrote:
* Tobin Feldman-Fitzthum (to...@linux.vnet.ibm.com) wrote:
From: Tobin Feldman-Fitzthum
AMD SEV allows a guest owner to inject a secret blob
into the memory of a virtual machine. The secret is
encrypted with the SEV Transport Encryption Key
From: Tobin Feldman-Fitzthum
AMD SEV allows a guest owner to inject a secret blob
into the memory of a virtual machine. The secret is
encrypted with the SEV Transport Encryption Key and
integrity is guaranteed with the Transport Integrity
Key. Although QEMU facilitates the injection of the
launch
requires the user to provide the guest
physical address where the secret will be injected via QMP.
Tobin Feldman-Fitzthum (1):
sev: add sev-inject-launch-secret
include/monitor/monitor.h | 3 ++
include/sysemu/sev.h      | 2 ++
monitor/misc.c            | 8 ++---
qapi/misc-target.json
On 2020-05-28 17:00, James Bottomley wrote:
On Thu, 2020-05-28 at 16:51 -0400, Tobin Feldman-Fitzthum wrote:
--- a/qapi/misc-target.json
+++ b/qapi/misc-target.json
@@ -200,6 +200,26 @@
{ 'command': 'query-sev-capabilities', 'returns': 'SevCapability',
'if': 'defined(TARGET_I386
On 2020-05-28 17:42, Eric Blake wrote:
On 5/28/20 3:51 PM, Tobin Feldman-Fitzthum wrote:
From: Tobin Feldman-Fitzthum
AMD SEV allows a guest owner to inject a secret blob
into the memory of a virtual machine. The secret is
encrypted with the SEV Transport Encryption Key and
integrity
This patchset contains two patches. The first enables QEMU
to facilitate the injection of a secret blob into the guest
memory.
The second enables QEMU to parse the guest ROM to determine
the address at which the secret should be injected.
Tobin Feldman-Fitzthum (2):
sev: add sev-inject-launch
From: Tobin Feldman-Fitzthum
AMD SEV allows a guest owner to inject a secret blob
into the memory of a virtual machine. The secret is
encrypted with the SEV Transport Encryption Key and
integrity is guaranteed with the Transport Integrity
Key. Although QEMU facilitates the injection of the
launch
From: Tobin Feldman-Fitzthum
In addition to using QMP to provide the guest memory address
that the launch secret blob will be injected into, the
secret address can also be specified in the guest ROM. This
patch adds sev_find_secret_gpa, which scans the ROM page by
page to find a launch secret
*** This bug is a duplicate of bug 1033727 ***
https://bugs.launchpad.net/bugs/1033727
** This bug has been marked a duplicate of bug 1033727
USB passthrough doesn't work anymore with qemu-kvm 1.1.1