ernel image clobber setup_data"), this was changed to
the cmdline file instead, with the sev_enabled() check left out.
Fixes: eac7a7791bb6 ("x86: don't let decompressed kernel image clobber
setup_data")
Reported-by: Tom Lendacky
Signed-off-by: Dov Murik
Signed-off-by: Jason A.
On 2/7/23 17:24, Jason A. Donenfeld wrote:
Hi Tom,
On Tue, Feb 7, 2023 at 8:21 PM Tom Lendacky wrote:
On 2/7/23 15:45, Michael S. Tsirkin wrote:
On Tue, Feb 07, 2023 at 08:41:16AM +, Dov Murik wrote:
Recent feature to supply RNG seed to the guest kernel modifies the
kernel command-line
not break
anything assuming you also have some other randomness source.
If you don't then you have other problems.
Disable the RNG seed feature in SEV guests.
Fixes: eac7a7791bb6 ("x86: don't let decompressed kernel image clobber
setup_data")
Reported-by: Tom Lendacky
Signed-off-by:
On 9/30/22 10:14, Tom Lendacky wrote:
This patch series fixes up and tries to remove some confusion around the
SEV reduced-phys-bits parameter.
Based on the "AMD64 Architecture Programmer's Manual Volume 2: System
Programming", section "15.34.6 Page Table Support" [1], a gu
specially to support the previously
documented value of 5, allow the full range of values from 1 to 63
(0 was never allowed).
- Update the setting of CPUID 0x801F_EBX to limit the values to the
field width that they are setting as an additional safeguard.
[1] https://www.amd.com/system/files/Tec
, by allowing a value greater
than 1 (so that the previously documented value of 5 still works), but not
allowing anything over 63.
Fixes: d8575c6c02 ("sev/i386: add command to initialize the memory encryption
context")
Signed-off-by: Tom Lendacky
---
target/i386/sev.c | 17 ++-
Update the setting of CPUID 0x801F EBX to clearly document the ranges
associated with fields being set.
Fixes: 6cb8f2a663 ("cpu/i386: populate CPUID 0x8000_001F when SEV is active")
Signed-off-by: Tom Lendacky
---
target/i386/cpu.c | 4 ++--
1 file changed, 2 insertions(+), 2
A guest only ever experiences, at most, 1 bit of reduced physical
addressing. Update the documentation to reflect this as well as change
the example value on the reduced-phys-bits option.
Fixes: a9b4942f48 ("target/i386: add Secure Encrypted Virtualization (SEV)
object")
Signed-o
A guest only ever experiences, at most, 1 bit of reduced physical
addressing. Change the query-sev-capabilities json comment to use 1.
Fixes: 31dd67f684 ("sev/i386: qmp: add query-sev-capabilities command")
Signed-off-by: Tom Lendacky
---
qapi/misc-target.json | 2 +-
1 file
On 6/30/22 03:14, Daniel P. Berrangé wrote:
On Wed, Jun 29, 2022 at 07:37:01PM +, Dionna Glaze wrote:
For SEV-SNP, an OS is "SEV-SNP capable" without supporting this UEFI
v2.9 memory type. In order for OVMF to be able to avoid pre-validating
potentially hundreds of gibibytes of data before
On 6/15/22 10:19, Xiaoyao Li wrote:
On 6/15/2022 8:46 AM, Xu, Min M wrote:
I would like to add more engineers (Confidential Computing Reviewers in
EDK2 community and Intel's QEMU engineers) in this mail thread.
-Original Message-
From: Dionna Amalie Glaze
Sent: Wednesday, June 15,
ng warning will be
displayed during VM launch:
qemu-system-x86_64: warning: SEV: kernel specified but OVMF has no hash
table guid
Signed-off-by: Dov Murik
Reported-by: Tom Lendacky
Just a few minor comments/questions below, otherwise:
Acked-by: Tom Lendacky
---
target/i386/sev.c | 2 +-
1 file
On 10/19/21 1:18 AM, Dov Murik wrote:
On 18/10/2021 21:02, Tom Lendacky wrote:
On 9/30/21 12:49 AM, Dov Murik wrote:
...
+/*
+ * Add the hashes of the linux kernel/initrd/cmdline to an encrypted
guest page
+ * which is included in SEV's initial memory measurement.
+ */
+bool
On 9/30/21 12:49 AM, Dov Murik wrote:
...
+/*
+ * Add the hashes of the linux kernel/initrd/cmdline to an encrypted guest page
+ * which is included in SEV's initial memory measurement.
+ */
+bool sev_add_kernel_loader_hashes(SevKernelLoaderContext *ctx, Error **errp)
+{
+uint8_t *data;
+
On 7/9/21 4:55 PM, Brijesh Singh wrote:
> SEV-SNP builds upon existing SEV and SEV-ES functionality while adding
> new hardware-based memory protections. SEV-SNP adds strong memory integrity
> protection to help prevent malicious hypervisor-based attacks like data
> replay, memory re-mapping and
oding style prefer not initializing the bool to false since
it will default to that? Otherwise,
Reviewed-by: Tom Lendacky
> ---
> hw/i386/pc_sysfw.c | 7 ++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/hw/i386/pc_sysfw.c b/hw/i386/pc_sysfw.c
> index 6
On 6/29/21 2:11 AM, Philippe Mathieu-Daudé wrote:
> On 6/29/21 7:56 AM, Dov Murik wrote:
>> On 29/06/2021 1:03, Tom Lendacky wrote:
>>> On 6/22/21 7:58 AM, Dov Murik wrote:
>>
>> (a) add a 'static bool ovmf_table_parsed' which will be set to true at
>> the beg
On 6/22/21 7:58 AM, Dov Murik wrote:
> +cc: Tom Lendacky
>
> On 22/06/2021 15:47, Philippe Mathieu-Daudé wrote:
>> On 6/22/21 2:44 PM, Dov Murik wrote:
>>> Suggested-by: Philippe Mathieu-Daudé
>>> Signed-off-by: Dov Murik
>>> ---
>>> hw/i386
Just a quick ping on this series...
Thanks,
Tom
On 4/23/21 3:08 PM, Tom Lendacky wrote:
> From: Tom Lendacky
>
> Fix some spelling and grammar mistakes in the amd-memory-encryption.txt
> file. No new information added.
>
> Signed-off-by: Tom Lendacky
> ---
> docs/a
On 4/22/21 9:09 AM, Laszlo Ersek wrote:
> On 04/21/21 21:31, Tom Lendacky wrote:
>> On 4/21/21 2:12 PM, Tom Lendacky wrote:
>>> From: Tom Lendacky
>>>
>>> Update the amd-memory-encryption.txt file with information about SEV-ES,
>>> inc
From: Tom Lendacky
Update the amd-memory-encryption.txt file with information about SEV-ES,
including how to launch an SEV-ES guest and some of the differences
between SEV and SEV-ES guests in regards to launching and measuring the
guest.
Signed-off-by: Tom Lendacky
---
docs/amd-memory
From: Tom Lendacky
Create an enum definition, '@amd-sev-es', for SEV-ES and add documention
for the new enum. Add an example that shows some of the requirements for
SEV-ES, including not having SMM support and the requirement for an
X64-only build.
Signed-off-by: Tom Lendacky
---
docs/interop
From: Tom Lendacky
Fix some spelling and grammar mistakes in the amd-memory-encryption.txt
file. No new information added.
Signed-off-by: Tom Lendacky
---
docs/amd-memory-encryption.txt | 59 +-
1 file changed, 29 insertions(+), 30 deletions(-)
diff --git
On 4/21/21 2:12 PM, Tom Lendacky wrote:
> From: Tom Lendacky
>
> Update the amd-memory-encryption.txt file with information about SEV-ES,
> including how to launch an SEV-ES guest and some of the differences
> between SEV and SEV-ES guests in regards to launching and measur
From: Tom Lendacky
Update the amd-memory-encryption.txt file with information about SEV-ES,
including how to launch an SEV-ES guest and some of the differences
between SEV and SEV-ES guests in regards to launching and measuring the
guest.
Signed-off-by: Tom Lendacky
---
docs/amd-memory
On 4/21/21 4:54 AM, Laszlo Ersek wrote:
> Hi Brijesh, Tom,
Hi Laszlo,
>
> in QEMU's "docs/interop/firmware.json", the @FirmwareFeature enumeration
> has a constant called @amd-sev. We should introduce an @amd-sev-es
> constant as well, minimally for the following reason:
>
> AMD document
nd the SevGuestProperties type
> unconditionally to avoid the issue. We do not expect to have
> many target-dependent user-creatable classes, so it is not
> particularly problematic.
>
> Reported-by: Tom Lendacky
> Signed-off-by: Paolo Bonzini
I'm once again able to launch SEV
On 3/25/21 1:51 PM, Brijesh Singh wrote:
> Hi All,
>
> It seems creating the sev-guest object is broken rc0 tag. The following
> command is no longer able to create the sev-guest object
>
> $QEMU \
>
> -machine ...,confidential-guest-support=sev0 \
>
> -object sev-guest,id=sev0,policy=0x1 \
On 2/8/21 10:31 AM, Paolo Bonzini wrote:
On 08/02/21 16:48, Tom Lendacky wrote:
Queued, thanks.
It looks like David Gibson's patches for the memory encryption rework
went into the main tree before mine. So, I think I'm going to have to
rework my patches. Let me look into it.
I
On 2/5/21 4:59 AM, Paolo Bonzini wrote:
On 26/01/21 18:36, Tom Lendacky wrote:
From: Tom Lendacky
This patch series provides support for launching an SEV-ES guest.
...
Queued, thanks.
It looks like David Gibson's patches for the memory encryption rework went
into the main tree
On 1/29/21 11:44 AM, Venu Busireddy wrote:
On 2021-01-26 11:36:46 -0600, Tom Lendacky wrote:
From: Tom Lendacky
When SEV-ES is enabled, it is not possible modify the guests register
state after it has been initially created, encrypted and measured.
Normally, an INIT-SIPI-SIPI request is used
From: Tom Lendacky
Update the sev_es_enabled() function return value to be based on the SEV
policy that has been specified. SEV-ES is enabled if SEV is enabled and
the SEV-ES policy bit is set in the policy object.
Cc: Paolo Bonzini
Cc: Richard Henderson
Cc: Eduardo Habkost
Reviewed-by: Dr
From: Tom Lendacky
SMM is not currently supported for an SEV-ES guest by KVM. Change the SMM
capability check from a KVM-wide check to a per-VM check in order to have
a finer-grained SMM capability check.
Cc: Paolo Bonzini
Cc: Richard Henderson
Cc: Eduardo Habkost
Suggested-by: Sean
From: Tom Lendacky
An SEV-ES guest does not allow register state to be altered once it has
been measured. When an SEV-ES guest issues a reboot command, Qemu will
reset the vCPU state and resume the guest. This will cause failures under
SEV-ES. Prevent that from occuring by introducing an arch
From: Tom Lendacky
When SEV-ES is enabled, it is not possible modify the guests register
state after it has been initially created, encrypted and measured.
Normally, an INIT-SIPI-SIPI request is used to boot the AP. However, the
hypervisor cannot emulate this because it cannot update the AP
From: Tom Lendacky
In prep for AP booting, require the use of in-kernel irqchip support. This
lessens the Qemu support burden required to boot APs.
Cc: Paolo Bonzini
Cc: Richard Henderson
Cc: Eduardo Habkost
Reviewed-by: Dr. David Alan Gilbert
Signed-off-by: Tom Lendacky
---
target/i386
From: Tom Lendacky
Provide initial support for SEV-ES. This includes creating a function to
indicate the guest is an SEV-ES guest (which will return false until all
support is in place), performing the proper SEV initialization and
ensuring that the guest CPU state is measured as part
From: Tom Lendacky
This patch series provides support for launching an SEV-ES guest.
Secure Encrypted Virtualization - Encrypted State (SEV-ES) expands on the
SEV support to protect the guest register state from the hypervisor. See
"AMD64 Architecture Programmer's Manual Volume 2: S
On 1/26/21 10:49 AM, Tom Lendacky wrote:
> On 1/26/21 10:21 AM, Paolo Bonzini wrote:
>> On 25/09/20 21:03, Tom Lendacky wrote:
>>> From: Tom Lendacky
>>>
>>> This patch series provides support for launching an SEV-ES guest.
>>>
>
> ...
>
On 1/26/21 10:21 AM, Paolo Bonzini wrote:
> On 25/09/20 21:03, Tom Lendacky wrote:
>> From: Tom Lendacky
>>
>> This patch series provides support for launching an SEV-ES guest.
>>
...
>>
>
> Looks good! Please fix the nit in patch 4 and rebase, I'll t
On 1/26/21 10:16 AM, Paolo Bonzini wrote:
> On 25/09/20 21:03, Tom Lendacky wrote:
>>
>> {
>> - if (no_reboot && reason != SHUTDOWN_CAUSE_SUBSYSTEM_RESET) {
>> + if (!cpus_are_resettable()) {
>> + error_report("cpus are not resettable,
From: Tom Lendacky
This patch series provides support for launching an SEV-ES guest.
Secure Encrypted Virtualization - Encrypted State (SEV-ES) expands on the
SEV support to protect the guest register state from the hypervisor. See
"AMD64 Architecture Programmer's Manual Volume 2: S
From: Tom Lendacky
An SEV-ES guest does not allow register state to be altered once it has
been measured. When an SEV-ES guest issues a reboot command, Qemu will
reset the vCPU state and resume the guest. This will cause failures under
SEV-ES. Prevent that from occuring by introducing an arch
From: Tom Lendacky
Update the sev_es_enabled() function return value to be based on the SEV
policy that has been specified. SEV-ES is enabled if SEV is enabled and
the SEV-ES policy bit is set in the policy object.
Cc: Paolo Bonzini
Cc: Richard Henderson
Cc: Eduardo Habkost
Reviewed-by: Dr
From: Tom Lendacky
SMM is not currently supported for an SEV-ES guest by KVM. Change the SMM
capability check from a KVM-wide check to a per-VM check in order to have
a finer-grained SMM capability check.
Cc: Paolo Bonzini
Cc: Richard Henderson
Cc: Eduardo Habkost
Suggested-by: Sean
From: Tom Lendacky
When SEV-ES is enabled, it is not possible modify the guests register
state after it has been initially created, encrypted and measured.
Normally, an INIT-SIPI-SIPI request is used to boot the AP. However, the
hypervisor cannot emulate this because it cannot update the AP
From: Tom Lendacky
In prep for AP booting, require the use of in-kernel irqchip support. This
lessens the Qemu support burden required to boot APs.
Cc: Paolo Bonzini
Cc: Richard Henderson
Cc: Eduardo Habkost
Signed-off-by: Tom Lendacky
---
target/i386/sev.c | 6 ++
1 file changed, 6
From: Tom Lendacky
Provide initial support for SEV-ES. This includes creating a function to
indicate the guest is an SEV-ES guest (which will return false until all
support is in place), performing the proper SEV initialization and
ensuring that the guest CPU state is measured as part
On 12/11/20 4:45 PM, James Bottomley wrote:
On Fri, 2020-12-11 at 16:00 -0600, Tom Lendacky wrote:
On 12/9/20 11:23 AM, James Bottomley wrote:
So for this one I'm not checking the length, which argues it wouldn't
be subject to the added length new data rule and I'd have to use a new
guid
On 12/9/20 11:23 AM, James Bottomley wrote:
If the gpa isn't specified, it's value is extracted from the OVMF
properties table located below the reset vector (and if this doesn't
exist, an error is returned). OVMF has defined the GUID for the SEV
secret area as
On 11/16/20 12:09 PM, Paolo Bonzini wrote:
> On 16/11/20 18:02, Tom Lendacky wrote:
>> From: Tom Lendacky
>>
>> Currently, the nested state format is hardcoded to VMX. This will result
>> in kvm_put_nested_state() returning an error because the KVM SVM support
>
From: Tom Lendacky
Currently, the nested state format is hardcoded to VMX. This will result
in kvm_put_nested_state() returning an error because the KVM SVM support
checks for the nested state to be KVM_STATE_NESTED_FORMAT_SVM. As a
result, kvm_arch_put_registers() errors out early.
Update
From: Tom Lendacky
This patch series provides support for launching an SEV-ES guest.
Secure Encrypted Virtualization - Encrypted State (SEV-ES) expands on the
SEV support to protect the guest register state from the hypervisor. See
"AMD64 Architecture Programmer's Manual Volume 2: S
On 9/25/20 2:03 PM, Tom Lendacky wrote:
> From: Tom Lendacky
>
> This patch series provides support for launching an SEV-ES guest.
>
> Secure Encrypted Virtualization - Encrypted State (SEV-ES) expands on the
> SEV support to protect the guest register state from the hyperv
From: Tom Lendacky
Update the sev_es_enabled() function return value to be based on the SEV
policy that has been specified. SEV-ES is enabled if SEV is enabled and
the SEV-ES policy bit is set in the policy object.
Reviewed-by: Dr. David Alan Gilbert
Signed-off-by: Tom Lendacky
---
target
From: Tom Lendacky
In prep for AP booting, require the use of in-kernel irqchip support. This
lessens the Qemu support burden required to boot APs.
Signed-off-by: Tom Lendacky
---
target/i386/sev.c | 6 ++
1 file changed, 6 insertions(+)
diff --git a/target/i386/sev.c b/target/i386/sev.c
From: Tom Lendacky
SMM is not currently supported for an SEV-ES guest by KVM. Change the SMM
capability check from a KVM-wide check to a per-VM check in order to have
a finer-grained SMM capability check.
Suggested-by: Sean Christopherson
Signed-off-by: Tom Lendacky
---
target/i386/kvm.c | 2
From: Tom Lendacky
Provide initial support for SEV-ES. This includes creating a function to
indicate the guest is an SEV-ES guest (which will return false until all
support is in place), performing the proper SEV initialization and
ensuring that the guest CPU state is measured as part
From: Tom Lendacky
When SEV-ES is enabled, it is not possible modify the guests register
state after it has been initially created, encrypted and measured.
Normally, an INIT-SIPI-SIPI request is used to boot the AP. However, the
hypervisor cannot emulate this because it cannot update the AP
From: Tom Lendacky
An SEV-ES guest does not allow register state to be altered once it has
been measured. When an SEV-ES guest issues a reboot command, Qemu will
reset the vCPU state and resume the guest. This will cause failures under
SEV-ES. Prevent that from occuring by introducing an arch
On 9/21/20 3:33 PM, Tobin Feldman-Fitzthum wrote:
> On 2020-09-21 15:16, Dr. David Alan Gilbert wrote:
>> * Tobin Feldman-Fitzthum (to...@linux.vnet.ibm.com) wrote:
>>> AMD SEV allows a guest owner to inject a secret blob
>>> into the memory of a virtual machine. The secret is
>>> encrypted with
On 9/21/20 6:48 AM, Dr. David Alan Gilbert wrote:
> * Tom Lendacky (thomas.lenda...@amd.com) wrote:
>> On 9/18/20 5:00 AM, Dr. David Alan Gilbert wrote:
>>> * Tom Lendacky (thomas.lenda...@amd.com) wrote:
>>>> On 9/17/20 12:28 PM, Dr. David Alan Gilbert wrote:
>
On 9/21/20 1:45 AM, Dov Murik wrote:
> On 16/09/2020 0:29, Tom Lendacky wrote:
>> From: Tom Lendacky
>>
>> Provide initial support for SEV-ES. This includes creating a function to
>> indicate the guest is an SEV-ES guest (which will return false until all
>>
On 9/18/20 5:00 AM, Dr. David Alan Gilbert wrote:
* Tom Lendacky (thomas.lenda...@amd.com) wrote:
On 9/17/20 12:28 PM, Dr. David Alan Gilbert wrote:
* Tom Lendacky (thomas.lenda...@amd.com) wrote:
From: Tom Lendacky
This patch series provides support for launching an SEV-ES guest.
Secure
On 9/17/20 10:40 PM, Sean Christopherson wrote:
On Thu, Sep 17, 2020 at 01:56:21PM -0500, Tom Lendacky wrote:
On 9/17/20 12:28 PM, Dr. David Alan Gilbert wrote:
* Tom Lendacky (thomas.lenda...@amd.com) wrote:
From: Tom Lendacky
This patch series provides support for launching an SEV-ES
On 9/17/20 12:28 PM, Dr. David Alan Gilbert wrote:
* Tom Lendacky (thomas.lenda...@amd.com) wrote:
From: Tom Lendacky
This patch series provides support for launching an SEV-ES guest.
Secure Encrypted Virtualization - Encrypted State (SEV-ES) expands on the
SEV support to protect the guest
On 9/17/20 12:01 PM, Dr. David Alan Gilbert wrote:
* Tom Lendacky (thomas.lenda...@amd.com) wrote:
From: Tom Lendacky
An SEV-ES guest does not allow register state to be altered once it has
been measured. When a SEV-ES guest issues a reboot command, Qemu will
reset the vCPU state and resume
On 9/17/20 11:46 AM, Dr. David Alan Gilbert wrote:
* Tom Lendacky (thomas.lenda...@amd.com) wrote:
From: Tom Lendacky
When SEV-ES is enabled, it is not possible modify the guests register
state after it has been initially created, encrypted and measured.
Normally, an INIT-SIPI-SIPI request
On 9/17/20 10:34 AM, Dr. David Alan Gilbert wrote:
* Tom Lendacky (thomas.lenda...@amd.com) wrote:
From: Tom Lendacky
Update the sev_es_enabled() function return value to be based on the SEV
policy that has been specified. SEV-ES is enabled if SEV is enabled and
the SEV-ES policy bit is set
On 9/17/20 11:07 AM, Tom Lendacky wrote:
On 9/17/20 10:34 AM, Dr. David Alan Gilbert wrote:
* Tom Lendacky (thomas.lenda...@amd.com) wrote:
From: Tom Lendacky
Update the sev_es_enabled() function return value to be based on the SEV
policy that has been specified. SEV-ES is enabled if SEV
On 9/16/20 4:23 AM, Laszlo Ersek wrote:
> Hi Tom,
Hi Laszlo,
>
> sorry for the random feedback -- I haven't followed (and don't really
> intend to follow) the QEMU side of the feature. Just one style idea:
>
> On 09/15/20 23:29, Tom Lendacky wrote:
>> From: Tom Len
From: Tom Lendacky
This patch series provides support for launching an SEV-ES guest.
Secure Encrypted Virtualization - Encrypted State (SEV-ES) expands on the
SEV support to protect the guest register state from the hypervisor. See
"AMD64 Architecture Programmer's Manual Volume 2: S
From: Tom Lendacky
Update the sev_es_enabled() function return value to be based on the SEV
policy that has been specified. SEV-ES is enabled if SEV is enabled and
the SEV-ES policy bit is set in the policy object.
Signed-off-by: Tom Lendacky
---
target/i386/sev.c | 4 +++-
1 file changed, 3
From: Tom Lendacky
An SEV-ES guest does not allow register state to be altered once it has
been measured. When a SEV-ES guest issues a reboot command, Qemu will
reset the vCPU state and resume the guest. This will cause failures under
SEV-ES, so prevent that from occurring.
Signed-off-by: Tom
From: Tom Lendacky
In prep for AP booting, require the use of in-kernel irqchip support. This
lessens the Qemu support burden required to boot APs.
Signed-off-by: Tom Lendacky
---
target/i386/sev.c | 6 ++
1 file changed, 6 insertions(+)
diff --git a/target/i386/sev.c b/target/i386/sev.c
From: Tom Lendacky
When SEV-ES is enabled, it is not possible modify the guests register
state after it has been initially created, encrypted and measured.
Normally, an INIT-SIPI-SIPI request is used to boot the AP. However, the
hypervisor cannot emulate this because it cannot update the AP
From: Tom Lendacky
Provide initial support for SEV-ES. This includes creating a function to
indicate the guest is an SEV-ES guest (which will return false until all
support is in place), performing the proper SEV initialization and
ensuring that the guest CPU state is measured as part
From: Tom Lendacky
This patch series provides support for launching an SEV-ES guest.
Secure Encrypted Virtualization - Encrypted State (SEV-ES) expands on the
SEV support to protect the guest register state from the hypervisor. See
"AMD64 Architecture Programmer's Manual Volume 2: S
From: Tom Lendacky
An SEV-ES guest does not allow register state to be altered once it has
been measured. When a SEV-ES guest issues a reboot command, Qemu will
reset the vCPU state and resume the guest. This will cause failures under
SEV-ES, so prevent that from occurring.
Signed-off-by: Tom
From: Tom Lendacky
When SEV-ES is enabled, it is not possible modify the guests register
state after it has been initially created, encrypted and measured.
Normally, an INIT-SIPI-SIPI request is used to boot the AP. However, the
hypervisor cannot emulate this because it cannot update the AP
From: Tom Lendacky
Provide initial support for SEV-ES. This includes creating a function to
indicate the guest is an SEV-ES guest (which will return false until all
support is in place), performing the proper SEV initialization and
ensuring that the guest CPU state is measured as part
From: Tom Lendacky
Update the sev_es_enabled() function return value to be based on the SEV
policy that has been specified. SEV-ES is enabled if SEV is enabled and
the SEV-ES policy bit is set in the policy object.
Signed-off-by: Tom Lendacky
---
target/i386/sev.c | 4 +++-
1 file changed, 3
On 8/25/20 2:05 PM, Tom Lendacky wrote:
From: Tom Lendacky
This patch series provides support for launching an SEV-ES guest.
I've made the changes associated with the checkpatch script output. I'll
wait a few more days for other feedback before submitting a v2.
Sorry about the miss
On 8/26/20 2:07 PM, Connor Kuehl wrote:
On 8/25/20 2:05 PM, Tom Lendacky wrote:
From: Tom Lendacky
Provide initial support for SEV-ES. This includes creating a function to
indicate the guest is an SEV-ES guest (which will return false until all
support is in place), performing the proper SEV
On 8/26/20 2:07 PM, Connor Kuehl wrote:
On 8/25/20 2:05 PM, Tom Lendacky wrote:
From: Tom Lendacky
When SEV-ES is enabled, it is not possible modify the guests register
state after it has been initially created, encrypted and measured.
Normally, an INIT-SIPI-SIPI request is used to boot
From: Tom Lendacky
This patch series provides support for launching an SEV-ES guest.
Secure Encrypted Virtualization - Encrypted State (SEV-ES) expands on the
SEV support to protect the guest register state from the hypervisor. See
"AMD64 Architecture Programmer's Manual Volume 2: S
From: Tom Lendacky
When SEV-ES is enabled, it is not possible modify the guests register
state after it has been initially created, encrypted and measured.
Normally, an INIT-SIPI-SIPI request is used to boot the AP. However, the
hypervisor cannot emulate this because it cannot update the AP
From: Tom Lendacky
Update the sev_es_enabled() function return value to be based on the SEV
policy that has been specified. SEV-ES is enabled if SEV is enabled and
the SEV-ES policy bit is set in the policy object.
Signed-off-by: Tom Lendacky
---
target/i386/sev.c | 4 +++-
1 file changed, 3
From: Tom Lendacky
An SEV-ES guest does not allow register state to be altered once it has
been measured. When a SEV-ES guest issues a reboot command, Qemu will
reset the vCPU state and resume the guest. This will cause failures under
SEV-ES, so prevent that from occurring.
Signed-off-by: Tom
From: Tom Lendacky
Provide initial support for SEV-ES. This includes creating a function to
indicate the guest is an SEV-ES guest (which will return false until all
support is in place), performing the proper SEV initialization and
ensuring that the guest CPU state is measured as part
On 5/28/20 3:51 PM, Tobin Feldman-Fitzthum wrote:
From: Tobin Feldman-Fitzthum
In addition to using QMP to provide the guest memory address
that the launch secret blob will be injected into, the
secret address can also be specified in the guest ROM. This
patch adds sev_find_secret_gpa, which
On 2/27/20 7:02 AM, Halil Pasic wrote:
> On Wed, 26 Feb 2020 11:52:26 -0500
> "Michael S. Tsirkin" wrote:
>
>> On Wed, Feb 26, 2020 at 04:36:18PM +0100, Halil Pasic wrote:
>>> On Wed, 26 Feb 2020 08:37:13 -0500
>>> "Michael S. Tsirkin" wrote:
>>>
On Wed, Feb 26, 2020 at 02:28:39PM +0100,
On 6/6/2018 9:20 AM, Daniel P. Berrangé wrote:
> On Tue, Jun 05, 2018 at 08:31:41AM -0500, Tom Lendacky wrote:
>> On 6/4/2018 3:07 PM, Eduardo Habkost wrote:
>>> On Fri, Jun 01, 2018 at 11:38:08AM -0400, Konrad Rzeszutek Wilk wrote:
>>>> AMD future CPUs expose _
On 6/4/2018 3:07 PM, Eduardo Habkost wrote:
> On Fri, Jun 01, 2018 at 11:38:08AM -0400, Konrad Rzeszutek Wilk wrote:
>> AMD future CPUs expose _two_ ways to utilize the Intel equivalant
>> of the Speculative Store Bypass Disable. The first is via
>> the virtualized VIRT_SPEC CTRL MSR (0xC001_011f)
Fix a race condition where qemu finds that there are not enough virtio
ring buffers available and the guest make more buffers available before
qemu can enable notifications.
Signed-off-by: Tom Lendacky t...@us.ibm.com
Signed-off-by: Anthony Liguori aligu...@us.ibm.com
hw/virtio-net.c | 10
There's been some discussion of this already in the kvm list, but I want to
summarize what I've found and also include the qemu-devel list in an effort to
find a solution to this problem.
Running a netperf test between two kvm guests results in the guest's network
interface shutting down. I
96 matches
Mail list logo