[Qemu-devel] [PATCH v9 12/29] sev/i386: register the guest memory range which may contain encrypted data

memory regions. Cc: Paolo Bonzini <pbonz...@redhat.com> Cc: Richard Henderson <r...@twiddle.net> Cc: Eduardo Habkost <ehabk...@redhat.com> Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- target/i386/sev.c| 41 + targe

[Qemu-devel] [PATCH v9 20/29] hw/i386: set ram_debug_ops when memory encryption is enabled

e.net> Cc: Eduardo Habkost <ehabk...@redhat.com> Cc: "Michael S. Tsirkin" <m...@redhat.com> Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- hw/i386/pc.c | 9 + hw/i386/pc_sysfw.c | 6 ++ 2 files changed, 15 insertions(+) diff --git a/hw/i38

[Qemu-devel] [PATCH v9 03/29] exec: add debug version of physical memory read and write API

...@twiddle.net> Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> Reviewed-by: Paolo Bonzini <pbonz...@redhat.com> --- exec.c| 40 include/exec/cpu-common.h | 15 +++ 2 files changed, 55 insertions(+) diff

[Qemu-devel] [PATCH v9 06/29] kvm: update kvm.h to include memory encryption ioctls

Updates kmv.h to include memory encryption ioctls and SEV commands. Cc: Christian Borntraeger <borntrae...@de.ibm.com> Cc: Cornelia Huck <cornelia.h...@de.ibm.com> Cc: Paolo Bonzini <pbonz...@redhat.com> Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- linux-

[Qemu-devel] [PATCH v9 05/29] machine: add -memory-encryption property

an Hajnoczi <stefa...@gmail.com> Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- hw/core/machine.c | 22 ++ include/hw/boards.h | 1 + qemu-options.hx | 2 ++ 3 files changed, 25 insertions(+) diff --git a/hw/core/machine.c b/hw/core/machine.c in

[Qemu-devel] [PATCH v9 01/29] memattrs: add debug attribute

om> Cc: Richard Henderson <richard.hender...@linaro.org> Cc: Paolo Bonzini <pbonz...@redhat.com> Reviewed-by: "Edgar E. Iglesias" <edgar.igles...@xilinx.com> Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- include/exec/memattrs.h | 2 ++ 1 file changed, 2 inse

[Qemu-devel] [PATCH v9 00/29] x86: Secure Encrypted Virtualization (AMD)

SEV memory encrytion object without modifying interfaces. - Drop patch to load OS image at fixed location. - updated LAUNCH_FINISH command structure. Now the structure contains just 'measurement' field. Other fields are not used and will also be removed from newer SEV firmware API spec. Brijesh Si

[Qemu-devel] [PATCH v9 02/29] exec: add ram_debug_ops support

; ops.write = mem_write; memory_region_init_ram(mem, NULL, "memory", size, NULL); memory_region_set_ram_debug_ops(mem, ops); Cc: Paolo Bonzini <pbonz...@redhat.com> Cc: Peter Crosthwaite <crosthwaite.pe...@gmail.com> Cc: Richard Henderson <r...@twiddle.net> Signed-off-b

Re: [Qemu-devel] [PATCH v8 05/28] target/i386: add memory encryption feature cpuid support

On Mon, Feb 12, 2018 at 3:19 PM, Borislav Petkov <b...@suse.de> wrote: > On Mon, Feb 12, 2018 at 03:07:26PM -0600, Brijesh Singh wrote: > > In current implementation, when -cpu ...,+sev is passed without > > appropriate SEV configuration then we populate the Fn8000_00

Re: [Qemu-devel] [PATCH v8 05/28] target/i386: add memory encryption feature cpuid support

On 2/12/18 12:38 PM, Eduardo Habkost wrote: > On Mon, Feb 12, 2018 at 09:36:52AM -0600, Brijesh Singh wrote: >> AMD EPYC processors support memory encryption feature. The feature >> is reported through CPUID 8000_001F[EAX]. >> >> Fn8000_001F [EAX]: >> Bit

Re: [Qemu-devel] [PATCH v8 13/28] qmp: add query-sev command

On 2/12/18 11:27 AM, Eric Blake wrote: > On 02/12/2018 09:37 AM, Brijesh Singh wrote: >> The QMP query command can used to retrieve the SEV information when >> memory encryption is enabled on AMD platform. >> >> Cc: "Daniel P. Berrangé" <berra...@re

[Qemu-devel] [PATCH v8 25/28] sev/i386: add support to KVM_SEV_GUEST_STATUS

The command is used to query the current SEV guest status. We use this command to query the guest policy for QMP query-sev command. Cc: Paolo Bonzini <pbonz...@redhat.com> Cc: Richard Henderson <r...@twiddle.net> Cc: Eduardo Habkost <ehabk...@redhat.com> Signed-off-by: Brijesh

[Qemu-devel] [PATCH v8 23/28] include: add psp-sev.h header file

The header file provide the ioctl command and structure to communicate with /dev/sev device. Cc: Paolo Bonzini <pbonz...@redhat.com> Cc: Richard Henderson <r...@twiddle.net> Cc: Eduardo Habkost <ehabk...@redhat.com> Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> ---

[Qemu-devel] [PATCH v8 22/28] target/i386: clear C-bit when walking SEV guest page table

In SEV-enabled guest the pte entry will have C-bit set, we need to clear the C-bit when walking the page table. Cc: Paolo Bonzini <pbonz...@redhat.com> Cc: Richard Henderson <r...@twiddle.net> Cc: Eduardo Habkost <ehabk...@redhat.com> Signed-off-by: Brijesh Singh <

[Qemu-devel] [PATCH v8 20/28] hw/i386: set ram_debug_ops when memory encryption is enabled

e.net> Cc: Eduardo Habkost <ehabk...@redhat.com> Cc: "Michael S. Tsirkin" <m...@redhat.com> Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- hw/i386/pc.c | 9 + hw/i386/pc_sysfw.c | 6 ++ 2 files changed, 15 insertions(+) diff --git a/hw/i38

[Qemu-devel] [PATCH v8 27/28] tests/qmp-test: blacklist query-sev-launch-measure command

; <dgilb...@redhat.com> Cc: Markus Armbruster <arm...@redhat.com> Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- tests/qmp-test.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tests/qmp-test.c b/tests/qmp-test.c index 908f9b981f6e..d8720798ad0b 100644 --- a/tests

[Qemu-devel] [PATCH v8 18/28] sev/i386: add support to LAUNCH_MEASURE command

correctly by the firmware. VM management tools like libvirt can query the measurement using query-sev-launch-measure QMP command. Cc: Paolo Bonzini <pbonz...@redhat.com> Cc: Richard Henderson <r...@twiddle.net> Cc: Eduardo Habkost <ehabk...@redhat.com> Signed-off-by: Brijesh

[Qemu-devel] [PATCH v8 28/28] sev/i386: add migration blocker

SEV guest migration is not implemented yet. Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> Reviewed-by: Dr. David Alan Gilbert <dgilb...@redhat.com> --- target/i386/sev.c | 13 + 1 file changed, 13 insertions(+) diff --git a/target/i386/sev.c b/target/i386

[Qemu-devel] [PATCH v8 26/28] qmp: add query-sev-launch-measure command

ilb...@redhat.com> Cc: Markus Armbruster <arm...@redhat.com> Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- qapi-schema.json | 29 + qmp.c| 17 + 2 files changed, 46 insertions(+) diff --git a/qapi-schema.json b/qapi-

[Qemu-devel] [PATCH v8 19/28] sev/i386: finalize the SEV guest launch flow

SEV launch flow requires us to issue LAUNCH_FINISH command before guest is ready to run. Cc: Paolo Bonzini <pbonz...@redhat.com> Cc: Richard Henderson <r...@twiddle.net> Cc: Eduardo Habkost <ehabk...@redhat.com> Signed-off-by: Brijesh Singh <brijesh.si...@amd.com>

[Qemu-devel] [PATCH v8 15/28] sev/i386: add command to create launch memory encryption context

bkost <ehabk...@redhat.com> Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- include/sysemu/sev.h | 10 + target/i386/sev.c| 99 target/i386/trace-events | 2 + 3 files changed, 111 insertions(+) diff --git a/includ

[Qemu-devel] [PATCH v8 17/28] target/i386: encrypt bios rom

SEV requires that guest bios must be encrypted before booting the guest. Cc: "Michael S. Tsirkin" <m...@redhat.com> Cc: Paolo Bonzini <pbonz...@redhat.com> Cc: Richard Henderson <r...@twiddle.net> Cc: Eduardo Habkost <ehabk...@redhat.com> Signed-off-by: Br

[Qemu-devel] [PATCH v8 16/28] sev/i386: add command to encrypt guest memory region

The KVM_SEV_LAUNCH_UPDATE_DATA command is used to encrypt a guest memory region using the VM Encryption Key created using LAUNCH_START. Cc: Paolo Bonzini <pbonz...@redhat.com> Cc: Richard Henderson <r...@twiddle.net> Cc: Eduardo Habkost <ehabk...@redhat.com> Signed-off

[Qemu-devel] [PATCH v8 06/28] machine: add -memory-encryption property

an Hajnoczi <stefa...@gmail.com> Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- hw/core/machine.c | 22 ++ include/hw/boards.h | 1 + qemu-options.hx | 2 ++ 3 files changed, 25 insertions(+) diff --git a/hw/core/machine.c b/hw/core/machine.c in

[Qemu-devel] [PATCH v8 21/28] sev/i386: add debug encrypt and decrypt commands

bkost <ehabk...@redhat.com> Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- accel/kvm/kvm-all.c | 1 + include/sysemu/sev.h | 1 + stubs/sev.c | 4 +++ target/i386/sev.c| 72 target/i386/trace-events |

[Qemu-devel] [PATCH v8 14/28] hmp: add 'info sev' command

The command can be used to show the SEV information when memory encryption is enabled on AMD platform. Cc: "Daniel P. Berrangé" <berra...@redhat.com> Cc: "Dr. David Alan Gilbert" <dgilb...@redhat.com> Cc: Markus Armbruster <arm...@redhat.com> Signed-off-by

[Qemu-devel] [PATCH v8 07/28] kvm: update kvm.h to include memory encryption ioctls

Updates kmv.h to include memory encryption ioctls and SEV commands. Cc: Christian Borntraeger <borntrae...@de.ibm.com> Cc: Cornelia Huck <cornelia.h...@de.ibm.com> Cc: Paolo Bonzini <pbonz...@redhat.com> Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- linux-

[Qemu-devel] [PATCH v8 08/28] docs: add AMD Secure Encrypted Virtualization (SEV)

Create a documentation entry to describe the AMD Secure Encrypted Virtualization (SEV) feature. Cc: Paolo Bonzini <pbonz...@redhat.com> Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- docs/amd-memory-encryption.txt | 92 ++ 1 file

[Qemu-devel] [PATCH v8 11/28] sev/i386: register the guest memory range which may contain encrypted data

memory regions. Cc: Paolo Bonzini <pbonz...@redhat.com> Cc: Richard Henderson <r...@twiddle.net> Cc: Eduardo Habkost <ehabk...@redhat.com> Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- target/i386/sev.c| 41 + targe

[Qemu-devel] [PATCH v8 13/28] qmp: add query-sev command

The QMP query command can used to retrieve the SEV information when memory encryption is enabled on AMD platform. Cc: "Daniel P. Berrangé" <berra...@redhat.com> Cc: "Dr. David Alan Gilbert" <dgilb...@redhat.com> Cc: Markus Armbruster <arm...@redhat.com> Si

[Qemu-devel] [PATCH v8 05/28] target/i386: add memory encryption feature cpuid support

com> Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- target/i386/cpu.c | 36 target/i386/cpu.h | 3 +++ 2 files changed, 39 insertions(+) diff --git a/target/i386/cpu.c b/target/i386/cpu.c index b5e431e769da..475d98a44880 100644 --- a/target

[Qemu-devel] [PATCH v8 10/28] sev/i386: add command to initialize the memory encryption context

by the SEV firmware. Cc: Paolo Bonzini <pbonz...@redhat.com> Cc: Richard Henderson <r...@twiddle.net> Cc: Eduardo Habkost <ehabk...@redhat.com> Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- accel/kvm/kvm-all.c | 15 + include/sysemu/sev.h | 16 ++

[Qemu-devel] [PATCH v8 03/28] exec: add debug version of physical memory read and write API

...@twiddle.net> Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> Reviewed-by: Paolo Bonzini <pbonz...@redhat.com> --- exec.c| 40 include/exec/cpu-common.h | 15 +++ 2 files changed, 55 insertions(+) diff

[Qemu-devel] [PATCH v8 12/28] kvm: introduce memory encryption APIs

Inorder to integerate the Secure Encryption Virtualization (SEV) support add few high-level memory encryption APIs which can be used for encrypting the guest memory region. Cc: Paolo Bonzini <pbonz...@redhat.com> Cc: k...@vger.kernel.org Signed-off-by: Brijesh Singh <brijesh.si..

[Qemu-devel] [PATCH v8 02/28] exec: add ram_debug_ops support

; ops.write = mem_write; memory_region_init_ram(mem, NULL, "memory", size, NULL); memory_region_set_ram_debug_ops(mem, ops); Cc: Paolo Bonzini <pbonz...@redhat.com> Cc: Peter Crosthwaite <crosthwaite.pe...@gmail.com> Cc: Richard Henderson <r...@twiddle.net> Signed-off-b

[Qemu-devel] [PATCH v8 09/28] target/i386: add Secure Encrypted Virtulization (SEV) object

firmware. e.g to launch SEV guest # $QEMU \ -object sev-guest,id=sev0 \ -machine ,memory-encryption=sev0 Cc: Paolo Bonzini <pbonz...@redhat.com> Cc: Richard Henderson <r...@twiddle.net> Cc: Eduardo Habkost <ehabk...@redhat.com> Signed-off-by: Brijesh Singh <

[Qemu-devel] [PATCH v8 04/28] monitor/i386: use debug APIs when accessing guest memory

com> Cc: Markus Armbruster <arm...@redhat.com> Cc: Eduardo Habkost <ehabk...@redhat.com> Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- cpus.c| 2 +- disas.c | 2 +- monitor.c | 6 +++--- target/i386/hel

[Qemu-devel] [PATCH v8 01/28] memattrs: add debug attribute

om> Cc: Richard Henderson <richard.hender...@linaro.org> Cc: Paolo Bonzini <pbonz...@redhat.com> Reviewed-by: "Edgar E. Iglesias" <edgar.igles...@xilinx.com> Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- include/exec/memattrs.h | 2 ++ 1 file changed, 2 inse

[Qemu-devel] [PATCH v8 00/28] x86: Secure Encrypted Virtualization (AMD)

and structure. Now the structure contains just 'measurement' field. Other fields are not used and will also be removed from newer SEV firmware API spec. Brijesh Singh (28): memattrs: add debug attribute exec: add ram_debug_ops support exec: add debug version of physical memory read and write

Re: [Qemu-devel] [PATCH v7 17/26] target/i386: encrypt bios rom

On 2/9/18 12:28 PM, Dr. David Alan Gilbert wrote: > * Brijesh Singh (brijesh.si...@amd.com) wrote: >> SEV requires that guest bios must be encrypted before booting the guest. > I'm curious; is it just the main BIOS that needs encryption - what about > things like device/PXE ro

Re: [Qemu-devel] [PATCH v6 18/23] sev: emit the SEV_MEASUREMENT event

On Fri, Feb 2, 2018 at 9:16 AM, Daniel P. Berrangé <berra...@redhat.com> wrote: > On Fri, Feb 02, 2018 at 09:11:41AM -0600, Brijesh Singh wrote: > > > > > > On 02/01/2018 11:27 AM, Dr. David Alan Gilbert wrote: > > > * Brijesh Singh (brijesh.si...@amd.com) wr

Re: [Qemu-devel] [PATCH v7 02/26] exec: add ram_debug_ops support

On 02/07/2018 10:51 AM, Paolo Bonzini wrote: On 07/02/2018 17:06, Brijesh Singh wrote: @@ -3148,7 +3152,11 @@ MemTxResult flatview_read_continue(FlatView *fv, hwaddr addr, } else { /* RAM case */ ptr = qemu_ram_ptr_length(mr->ram_block, addr1, , fa

Re: [Qemu-devel] [PATCH v7 05/26] target/i386: add memory encryption feature cpuid support

On 02/07/2018 10:54 AM, Paolo Bonzini wrote: On 07/02/2018 17:06, Brijesh Singh wrote: AMD EPYC processors support memory encryption feature. The feature is reported through CPUID 8000_001F[EAX]. Fn8000_001F [EAX]: Bit 0 Secure Memory Encryption (SME) supported Bit 1 Secure Encrypted

Re: [Qemu-devel] [PATCH v7 26/26] qmp: add query-sev-launch-measure command

On 02/07/2018 10:29 AM, Eric Blake wrote: ... +# +# Since: 2.12 +# +# Notes: If measurement is not available then a null measurement is returned. Null measurement, as in empty string?  Would it be better to have query-sev-launch-measure return an error instead of an SevLaunchMeasureInfo

Re: [Qemu-devel] [PATCH v7 02/26] exec: add ram_debug_ops support

On 2/7/18 10:19 AM, Eric Blake wrote: > On 02/07/2018 10:06 AM, Brijesh Singh wrote: >> Currently, the guest memory access for the debug purpose is performed >> using the memcpy(). Lets extend the 'struct MemoryRegion' to include >> ram_debug_ops callbacks. The ram_

Re: [Qemu-devel] [PATCH v7 13/26] qmp: add query-sev command

On 2/7/18 10:22 AM, Eric Blake wrote: >> +# >> +# @enabled: true if SEV is active >> +# >> +# @api_major: SEV API major version > > New QMP structures should prefer '-' over '_'; this should be > 'api-major'. I will fix it. thanks >> +## >> +# @query-sev: >> +# >> +# Returns information

[Qemu-devel] [PATCH v7 20/26] hw: i386: set ram_debug_ops when memory encryption is enabled

e.net> Cc: Eduardo Habkost <ehabk...@redhat.com> Cc: "Michael S. Tsirkin" <m...@redhat.com> Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- hw/i386/pc.c | 9 + hw/i386/pc_sysfw.c | 6 ++ 2 files changed, 15 insertions(+) diff --git a/hw/i38

[Qemu-devel] [PATCH v7 21/26] sev: add debug encrypt and decrypt commands

KVM_SEV_DBG_DECRYPT and KVM_SEV_DBG_ENCRYPT commands are used for decrypting and encrypting guest memory region. The command works only if the guest policy allows the debugging. Cc: Paolo Bonzini <pbonz...@redhat.com> Cc: k...@vger.kernel.org Signed-off-by: Brijesh Singh <brijesh.si..

[Qemu-devel] [PATCH v7 16/26] sev: add command to encrypt guest memory region

The KVM_SEV_LAUNCH_UPDATE_DATA command is used to encrypt a guest memory region using the VM Encryption Key created using LAUNCH_START. Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- accel/kvm/kvm-all.c| 2 ++ accel/kvm/sev.c

[Qemu-devel] [PATCH v7 23/26] include: add psp-sev.h header file

The header file provide the ioctl command and structure to communicate with /dev/sev device. Cc: Paolo Bonzini <pbonz...@redhat.com> Cc: k...@vger.kernel.org Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- linux-headers/linux/psp-sev.h | 142 +

[Qemu-devel] [PATCH v7 18/26] sev: add support to LAUNCH_MEASURE command

correctly by the firmware. VM management tools like libvirt can query the measurement using query-launch-measure QMP command. Cc: Paolo Bonzini <pbonz...@redhat.com> Cc: k...@vger.kernel.org Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- accel/kvm/sev.c

[Qemu-devel] [PATCH v7 09/26] accel: add Secure Encrypted Virtulization (SEV) object

firmware. e.g to launch SEV guest # $QEMU \ -object sev-guest,id=sev0 \ -machine ,memory-encryption=sev0 Cc: Paolo Bonzini <pbonz...@redhat.com> Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- accel/kvm/Makefile.objs| 2 +- accel/kvm/sev.c

[Qemu-devel] [PATCH v7 26/26] qmp: add query-sev-launch-measure command

ilb...@redhat.com> Cc: Markus Armbruster <arm...@redhat.com> Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- qapi-schema.json | 30 ++ qmp.c| 14 ++ 2 files changed, 44 insertions(+) diff --git a/qapi-schema.json b/qapi-schema.

[Qemu-devel] [PATCH v7 17/26] target/i386: encrypt bios rom

SEV requires that guest bios must be encrypted before booting the guest. Cc: "Michael S. Tsirkin" <m...@redhat.com> Cc: Paolo Bonzini <pbonz...@redhat.com> Cc: Richard Henderson <r...@twiddle.net> Cc: Eduardo Habkost <ehabk...@redhat.com> Signed-off-by: Br

[Qemu-devel] [PATCH v7 19/26] sev: Finalize the SEV guest launch flow

SEV launch flow requires us to issue LAUNCH_FINISH command before guest is ready to run. Cc: Paolo Bonzini <pbonz...@redhat.com> Cc: k...@vger.kernel.org Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- accel/kvm/sev.c| 29 + accel/kvm/

[Qemu-devel] [PATCH v7 15/26] sev: add command to create launch memory encryption context

The KVM_SEV_LAUNCH_START command creates a new VM encryption key (VEK). The encryption key created with the command will be used for encrypting the bootstrap images (such as guest bios). Cc: Paolo Bonzini <pbonz...@redhat.com> Cc: k...@vger.kernel.org Signed-off-by: Brijesh Singh <b

[Qemu-devel] [PATCH v7 25/26] sev: add support to KVM_SEV_GUEST_STATUS

The command is used to query the current SEV guest status. We use this command to query the guest policy for QMP query-sev command. Cc: Paolo Bonzini <pbonz...@redhat.com> Cc: k...@vger.kernel.org Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- accel/kvm/sev.c | 12

[Qemu-devel] [PATCH v7 05/26] target/i386: add memory encryption feature cpuid support

com> Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- target/i386/cpu.c | 36 target/i386/cpu.h | 6 ++ 2 files changed, 42 insertions(+) diff --git a/target/i386/cpu.c b/target/i386/cpu.c index a49d2221adc9..4147eb6e18a9 100644 --- a/target

[Qemu-devel] [PATCH v7 10/26] sev: add command to initialize the memory encryption context

by the SEV firmware. Cc: Paolo Bonzini <pbonz...@redhat.com> Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- accel/kvm/kvm-all.c| 15 + accel/kvm/sev.c| 161 + accel/kvm/trace-events | 2 + accel/stubs/kvm-

[Qemu-devel] [PATCH v7 22/26] target/i386: clear C-bit when walking SEV guest page table

In SEV-enabled guest the pte entry will have C-bit set, we need to clear the C-bit when walking the page table. Cc: Paolo Bonzini <pbonz...@redhat.com> Cc: Richard Henderson <r...@twiddle.net> Cc: Eduardo Habkost <ehabk...@redhat.com> Signed-off-by: Brijesh Singh <

[Qemu-devel] [PATCH v7 03/26] exec: add debug version of physical memory read and write API

...@twiddle.net> Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> Reviewed-by: Paolo Bonzini <pbonz...@redhat.com> --- exec.c| 41 + include/exec/cpu-common.h | 15 +++ 2 files changed, 56 insertions(+) diff

[Qemu-devel] [PATCH v7 14/26] hmp: add 'info sev' command

The command can be used to show the SEV information when memory encryption is enabled on AMD platform. Cc: "Daniel P. Berrangé" <berra...@redhat.com> Cc: "Dr. David Alan Gilbert" <dgilb...@redhat.com> Cc: Markus Armbruster <arm...@redhat.com> Signed-off-by

[Qemu-devel] [PATCH v7 07/26] kvm: update kvm.h to include memory encryption ioctls

Updates kmv.h to include memory encryption ioctls and SEV commands. Cc: Christian Borntraeger <borntrae...@de.ibm.com> Cc: Cornelia Huck <cornelia.h...@de.ibm.com> Cc: Paolo Bonzini <pbonz...@redhat.com> Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- linux-

[Qemu-devel] [PATCH v7 08/26] docs: add AMD Secure Encrypted Virtualization (SEV)

Create a documentation entry to describe the AMD Secure Encrypted Virtualization (SEV) feature. Cc: Paolo Bonzini <pbonz...@redhat.com> Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- docs/amd-memory-encryption.txt | 92 ++ 1 file

[Qemu-devel] [PATCH v7 12/26] kvm: introduce memory encryption APIs

Inorder to integerate the Secure Encryption Virtualization (SEV) support add few high-level memory encryption APIs which can be used for encrypting the guest memory region. Cc: Paolo Bonzini <pbonz...@redhat.com> Cc: k...@vger.kernel.org Signed-off-by: Brijesh Singh <brijesh.si..

[Qemu-devel] [PATCH v7 02/26] exec: add ram_debug_ops support

; ops.write = mem_write; memory_region_init_ram(mem, NULL, "memory", size, NULL); memory_region_set_ram_debug_ops(mem, ops); Cc: Paolo Bonzini <pbonz...@redhat.com> Cc: Peter Crosthwaite <crosthwaite.pe...@gmail.com> Cc: Richard Henderson <r...@twiddle.net> Signed-off-b

[Qemu-devel] [PATCH v7 06/26] machine: add -memory-encryption property

an Hajnoczi <stefa...@gmail.com> Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- hw/core/machine.c | 22 ++ include/hw/boards.h | 1 + qemu-options.hx | 2 ++ 3 files changed, 25 insertions(+) diff --git a/hw/core/machine.c b/hw/core/machine.c in

[Qemu-devel] [PATCH v7 13/26] qmp: add query-sev command

The QMP query command can used to retrieve the SEV information when memory encryption is enabled on AMD platform. Cc: "Daniel P. Berrangé" <berra...@redhat.com> Cc: "Dr. David Alan Gilbert" <dgilb...@redhat.com> Cc: Markus Armbruster <arm...@redhat.com> Si

[Qemu-devel] [PATCH v7 01/26] memattrs: add debug attribute

om> Cc: Richard Henderson <richard.hender...@linaro.org> Cc: Paolo Bonzini <pbonz...@redhat.com> Reviewed-by: "Edgar E. Iglesias" <edgar.igles...@xilinx.com> Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- include/exec/memattrs.h | 2 ++ 1 file changed, 2 inse

[Qemu-devel] [PATCH v7 11/26] sev: register the guest memory range which may contain encrypted data

memory regions. Cc: Paolo Bonzini <pbonz...@redhat.com> Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- accel/kvm/sev.c| 41 + accel/kvm/trace-events | 2 ++ 2 files changed, 43 insertions(+) diff --git a/accel/kvm/sev.c b/acc

[Qemu-devel] [PATCH v7 00/26] x86: Secure Encrypted Virtualization (AMD)

and structure. Now the structure contains just 'measurement' field. Other fields are not used and will also be removed from newer SEV firmware API spec. Brijesh Singh (26): memattrs: add debug attribute exec: add ram_debug_ops support exec: add debug version of physical memory read and write

[Qemu-devel] [PATCH v7 04/26] monitor/i386: use debug APIs when accessing guest memory

com> Cc: Markus Armbruster <arm...@redhat.com> Cc: Eduardo Habkost <ehabk...@redhat.com> Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- cpus.c| 2 +- disas.c | 2 +- monitor.c | 8 --- target/i386/hel

Re: [Qemu-devel] [PATCH v6 00/23] x86: Secure Encrypted Virtualization (AMD)

On 2/6/18 9:51 AM, Bruce Rogers wrote: On 1/29/2018 at 10:41 AM, wrote: >> This patch series provides support for AMD's new Secure Encrypted >> Virtualization (SEV) feature. >> >> SEV is an extension to the AMD‑V architecture which supports running >> multiple VMs

Re: [Qemu-devel] [PATCH v6 18/23] sev: emit the SEV_MEASUREMENT event

On 02/01/2018 11:27 AM, Dr. David Alan Gilbert wrote: * Brijesh Singh (brijesh.si...@amd.com) wrote: On 1/30/18 2:08 PM, Dr. David Alan Gilbert wrote: * Brijesh Singh (brijesh.si...@amd.com) wrote: During machine creation we encrypted the guest bios image, the LAUNCH_MEASURE command can

Re: [Qemu-devel] [PATCH v6 13/23] hmp: display memory encryption support in 'info kvm'

On 2/2/18 7:08 AM, Daniel P. Berrangé wrote: > On Thu, Feb 01, 2018 at 08:04:43PM +, Dr. David Alan Gilbert wrote: >> * Brijesh Singh (brijesh.si...@amd.com) wrote: >>> >>> On 2/1/18 11:58 AM, Dr. David Alan Gilbert wrote: >>>> * Brijesh Singh (bri

Re: [Qemu-devel] [PATCH v6 13/23] hmp: display memory encryption support in 'info kvm'

On 2/1/18 11:58 AM, Dr. David Alan Gilbert wrote: > * Brijesh Singh (brijesh.si...@amd.com) wrote: >> update 'info kvm' to display the memory encryption support. >> >> (qemu) info kvm >> kvm support: enabled >> memory encryption: disabled > As Marku

Re: [Qemu-devel] [PATCH v6 10/23] sev: add command to initialize the memory encryption context

On 02/01/2018 06:13 AM, Dr. David Alan Gilbert wrote: * Brijesh Singh (brijesh.si...@amd.com) wrote: When memory encryption is enabled, KVM_SEV_INIT command is used to initialize the platform. The command loads the SEV related persistent data from non-volatile storage and initializes

Re: [Qemu-devel] [PATCH v6 17/23] qapi: add SEV_MEASUREMENT event

On 01/31/2018 11:45 AM, Markus Armbruster wrote: Brijesh Singh <brijesh.si...@amd.com> writes: Add SEV_MEASUREMENT event which can be used by libvirt to get the measurement of the memory regions encrypted through the SEV launch flow. The measurement value is base64 encoded. Cc: Da

Re: [Qemu-devel] [PATCH v6 13/23] hmp: display memory encryption support in 'info kvm'

On 01/31/2018 11:43 AM, Markus Armbruster wrote: Brijesh Singh <brijesh.si...@amd.com> writes: update 'info kvm' to display the memory encryption support. (qemu) info kvm kvm support: enabled memory encryption: disabled Cc: "Dr. David Alan Gilbert" <dgilb...@redhat.com&g

Re: [Qemu-devel] [PATCH v6 05/23] target/i386: add memory encryption feature cpuid support

On 01/31/2018 07:41 AM, Eduardo Habkost wrote: On Tue, Jan 30, 2018 at 03:46:45PM -0600, Brijesh Singh wrote: On 1/30/18 11:49 AM, Dr. David Alan Gilbert wrote: * Brijesh Singh (brijesh.si...@amd.com) wrote: AMD EPYC processors support memory encryption feature. The feature is reported

Re: [Qemu-devel] [PATCH v6 02/23] exec: add ram_debug_ops support

On 1/30/18 4:37 PM, Edgar E. Iglesias wrote: > On Tue, Jan 30, 2018 at 04:34:37PM -0600, Brijesh Singh wrote: >> >> On 1/30/18 3:59 PM, Edgar E. Iglesias wrote: >>> On Mon, Jan 29, 2018 at 11:41:11AM -0600, Brijesh Singh wrote: >>>> Currently, the guest

Re: [Qemu-devel] [PATCH v6 02/23] exec: add ram_debug_ops support

On 1/30/18 3:59 PM, Edgar E. Iglesias wrote: > On Mon, Jan 29, 2018 at 11:41:11AM -0600, Brijesh Singh wrote: >> Currently, the guest memory access for the debug purpose is performed >> using the memcpy(). Lets extend the 'struct MemoryRegion' to include >> ra

Re: [Qemu-devel] [PATCH v6 05/23] target/i386: add memory encryption feature cpuid support

On 1/30/18 3:46 PM, Brijesh Singh wrote: > > On 1/30/18 11:49 AM, Dr. David Alan Gilbert wrote: >> * Brijesh Singh (brijesh.si...@amd.com) wrote: >>> AMD EPYC processors support memory encryption feature. The feature >>> is reported through CPUID 8000_001F[

Re: [Qemu-devel] [PATCH v6 18/23] sev: emit the SEV_MEASUREMENT event

On 1/30/18 2:08 PM, Dr. David Alan Gilbert wrote: > * Brijesh Singh (brijesh.si...@amd.com) wrote: >> During machine creation we encrypted the guest bios image, the >> LAUNCH_MEASURE command can be used to retrieve the measurement of >> the encrypted memory region. Emit the

Re: [Qemu-devel] [PATCH v6 05/23] target/i386: add memory encryption feature cpuid support

On 1/30/18 11:49 AM, Dr. David Alan Gilbert wrote: > * Brijesh Singh (brijesh.si...@amd.com) wrote: >> AMD EPYC processors support memory encryption feature. The feature >> is reported through CPUID 8000_001F[EAX]. >> >> Fn8000_001F [EAX]: >> Bit 0 Secure

[Qemu-devel] [PATCH v6 15/23] sev: add command to encrypt guest memory region

The KVM_SEV_LAUNCH_UPDATE_DATA command is used to encrypt a guest memory region using the VM Encryption Key created using LAUNCH_START. Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- accel/kvm/kvm-all.c| 2 ++ accel/kvm/sev.c

[Qemu-devel] [PATCH v6 13/23] hmp: display memory encryption support in 'info kvm'

Bonzini <pbonz...@redhat.com> Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- hmp.c| 2 ++ qapi-schema.json | 5 - qmp.c| 1 + 3 files changed, 7 insertions(+), 1 deletion(-) diff --git a/hmp.c b/hmp.c index 056bf70cf1e2..6ceb6b30af75 100644 --- a/

[Qemu-devel] [PATCH v6 11/23] sev: register the guest memory range which may contain encrypted data

memory regions. Cc: Paolo Bonzini <pbonz...@redhat.com> Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- accel/kvm/sev.c| 41 + accel/kvm/trace-events | 2 ++ 2 files changed, 43 insertions(+) diff --git a/accel/kvm/sev.c b/acc

[Qemu-devel] [PATCH v6 21/23] sev: add debug encrypt and decrypt commands

KVM_SEV_DBG_DECRYPT and KVM_SEV_DBG_ENCRYPT commands are used for decrypting and encrypting guest memory region. The command works only if the guest policy allows the debugging. Cc: Paolo Bonzini <pbonz...@redhat.com> Cc: k...@vger.kernel.org Signed-off-by: Brijesh Singh <brijesh.si..

[Qemu-devel] [PATCH v6 10/23] sev: add command to initialize the memory encryption context

by the SEV firmware. Cc: Paolo Bonzini <pbonz...@redhat.com> Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- accel/kvm/kvm-all.c| 15 ++ accel/kvm/sev.c| 124 + accel/kvm/trace-events | 2 + include/sysemu/sev.h |

[Qemu-devel] [PATCH v6 23/23] sev: add migration blocker

SEV guest migration is not implemented yet. Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> Reviewed-by: Dr. David Alan Gilbert <dgilb...@redhat.com> --- accel/kvm/sev.c | 13 + 1 file changed, 13 insertions(+) diff --git a/accel/kvm/sev.c b/accel/kvm/sev.c index

[Qemu-devel] [PATCH v6 09/23] accel: add Secure Encrypted Virtulization (SEV) object

firmware. e.g to launch SEV guest # $QEMU \ -object sev-guest,id=sev0 \ -machine ,memory-encryption=sev0 Cc: Paolo Bonzini <pbonz...@redhat.com> Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- accel/kvm/Makefile.objs| 2 +- accel/kvm/sev.c

[Qemu-devel] [PATCH v6 20/23] hw: i386: set ram_debug_ops when memory encryption is enabled

e.net> Cc: Eduardo Habkost <ehabk...@redhat.com> Cc: "Michael S. Tsirkin" <m...@redhat.com> Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- hw/i386/pc.c | 9 + hw/i386/pc_sysfw.c | 6 ++ 2 files changed, 15 insertions(+) diff --git a/hw/i38

[Qemu-devel] [PATCH v6 22/23] target/i386: clear C-bit when walking SEV guest page table

bkost <ehabk...@redhat.com> Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- target/i386/helper.c | 46 +++ target/i386/monitor.c | 86 --- 2 files changed, 94 insertions(+), 38 deletions(-) diff --git a/target/i38

[Qemu-devel] [PATCH v6 14/23] sev: add command to create launch memory encryption context

The KVM_SEV_LAUNCH_START command creates a new VM encryption key (VEK). The encryption key created with the command will be used for encrypting the bootstrap images (such as guest bios). Cc: Paolo Bonzini <pbonz...@redhat.com> Cc: k...@vger.kernel.org Signed-off-by: Brijesh Singh <b

[Qemu-devel] [PATCH v6 19/23] sev: Finalize the SEV guest launch flow

SEV launch flow requires us to issue LAUNCH_FINISH command before guest is ready to run. Cc: Paolo Bonzini <pbonz...@redhat.com> Cc: k...@vger.kernel.org Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- accel/kvm/sev.c| 29 + accel/kvm/

[Qemu-devel] [PATCH v6 08/23] docs: add AMD Secure Encrypted Virtualization (SEV)

Create a documentation entry to describe the AMD Secure Encrypted Virtualization (SEV) feature. Cc: Paolo Bonzini <pbonz...@redhat.com> Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- docs/amd-memory-encryption.txt | 92 ++ 1 file

[Qemu-devel] [PATCH v6 17/23] qapi: add SEV_MEASUREMENT event

bruster <arm...@redhat.com> Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> --- qapi-schema.json | 13 + 1 file changed, 13 insertions(+) diff --git a/qapi-schema.json b/qapi-schema.json index 2046c96669bf..e1f5d14e2e3f 100644 --- a/qapi-schema.json +++ b/qapi-schema.json @@ -319

[Qemu-devel] [PATCH v6 16/23] target/i386: encrypt bios rom

SEV requires that guest bios must be encrypted before booting the guest. Cc: "Michael S. Tsirkin" <m...@redhat.com> Cc: Paolo Bonzini <pbonz...@redhat.com> Cc: Richard Henderson <r...@twiddle.net> Cc: Eduardo Habkost <ehabk...@redhat.com> Signed-off-by: Br

[Qemu-devel] [PATCH v6 12/23] kvm: introduce memory encryption APIs

Inorder to integerate the Secure Encryption Virtualization (SEV) support add few high-level memory encryption APIs which can be used for encrypting the guest memory region. Cc: Paolo Bonzini <pbonz...@redhat.com> Cc: k...@vger.kernel.org Signed-off-by: Brijesh Singh <brijesh.si..

<    1   2   3   4   5   >