* David Gibson (david@xxxxxxxxxxxxxxxxxxxxx) wrote:
> The platform specific details of mechanisms for implementing
> confidential guest support may require setup at various points during
> initialization. Thus, it's not really feasible to have a single cgs
> initialization hook, but instead each mechanism needs its own
> initialization calls in arch or machine specific code.
>
> However, to make it harder to have a bug where a mechanism isn't
> properly initialized under some circumstances, we want to have a
> common place, late in boot, where we verify that cgs has been
> initialized if it was requested.
>
> This patch introduces a ready flag to the ConfidentialGuestSupport
> base type to accomplish this, which we verify in
> qemu_machine_creation_done().
>
> Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
> ---
> include/exec/confidential-guest-support.h | 24 +++++++++++++++++++++++
> softmmu/vl.c | 10 ++++++++++
> target/i386/sev.c | 2 ++
> 3 files changed, 36 insertions(+)
>
> diff --git a/include/exec/confidential-guest-support.h b/include/exec/confidential-guest-support.h
> index 3db6380e63..5dcf602047 100644
> --- a/include/exec/confidential-guest-support.h
> +++ b/include/exec/confidential-guest-support.h
> @@ -27,6 +27,30 @@ OBJECT_DECLARE_SIMPLE_TYPE(ConfidentialGuestSupport, CONFIDENTIAL_GUEST_SUPPORT)
>
> struct ConfidentialGuestSupport {
> Object parent;
> +
> + /*
> + * ready: flag set by CGS initialization code once it's ready to
> + * start executing instructions in a potentially-secure
> + * guest
> + *
> + * The definition here is a bit fuzzy, because this is essentially
> + * part of a self-sanity-check, rather than a strict mechanism.
> + *
> + * It's not fasible to have a single point in the common machine
> + * init path to configure confidential guest support, because
> + * different mechanisms have different interdependencies requiring
> + * initialization in different places, often in arch or machine
> + * type specific code. It's also usually not possible to check
> + * for invalid configurations until that initialization code.
> + * That means it would be very easy to have a bug allowing CGS
> + * init to be bypassed entirely in certain configurations.
> + *
> + * Silently ignoring a requested security feature would be bad, so
> + * to avoid that we check late in init that this 'ready' flag is
> + * set if CGS was requested. If the CGS init hasn't happened, and
> + * so 'ready' is not set, we'll abort.
> + */
> + bool ready;
> };
>
> typedef struct ConfidentialGuestSupportClass {
> diff --git a/softmmu/vl.c b/softmmu/vl.c
> index 1b464e3474..1869ed54a9 100644
> --- a/softmmu/vl.c
> +++ b/softmmu/vl.c
> @@ -101,6 +101,7 @@
> #include "qemu/plugin.h"
> #include "qemu/queue.h"
> #include "sysemu/arch_init.h"
> +#include "exec/confidential-guest-support.h"
>
> #include "ui/qemu-spice.h"
> #include "qapi/string-input-visitor.h"
> @@ -2497,6 +2498,8 @@ static void qemu_create_cli_devices(void)
>
> static void qemu_machine_creation_done(void)
> {
> + MachineState *machine = MACHINE(qdev_get_machine());
> +
> /* Did we create any drives that we failed to create a device for? */
> drive_check_orphaned();
>
> @@ -2516,6 +2519,13 @@ static void qemu_machine_creation_done(void)
>
> qdev_machine_creation_done();
>
> + if (machine->cgs) {
> + /*
> + * Verify that Confidential Guest Support has actually been initialized
> + */
> + assert(machine->cgs->ready);
> + }
> +
> if (foreach_device_config(DEV_GDB, gdbserver_start) < 0) {
> exit(1);
> }
> diff --git a/target/i386/sev.c b/target/i386/sev.c
> index 590cb31fa8..f9e9b5d8ae 100644
> --- a/target/i386/sev.c
> +++ b/target/i386/sev.c
> @@ -737,6 +737,8 @@ int sev_kvm_init(ConfidentialGuestSupport *cgs, Error **errp)
> qemu_add_machine_init_done_notifier(&sev_machine_done_notify);
> qemu_add_vm_change_state_handler(sev_vm_state_change, sev);
>
> + cgs->ready = true;
> +
> return 0;
> err:
> sev_guest = NULL;
> --
> 2.29.2
>
--
Dr. David Alan Gilbert / dgilbert@xxxxxxxxxx / Manchester, UK
