On Wed, Feb 03, 2021 at 05:15:48PM +0100, Greg Kurz wrote: > On Tue, 2 Feb 2021 15:13:09 +1100 > David Gibson <david@xxxxxxxxxxxxxxxxxxxxx> wrote: > > > The platform specific details of mechanisms for implementing > > confidential guest support may require setup at various points during > > initialization. Thus, it's not really feasible to have a single cgs > > initialization hook, but instead each mechanism needs its own > > initialization calls in arch or machine specific code. > > > > However, to make it harder to have a bug where a mechanism isn't > > properly initialized under some circumstances, we want to have a > > common place, late in boot, where we verify that cgs has been > > initialized if it was requested. > > > > This patch introduces a ready flag to the ConfidentialGuestSupport > > base type to accomplish this, which we verify in > > qemu_machine_creation_done(). > > > > Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx> > > --- > > include/exec/confidential-guest-support.h | 24 +++++++++++++++++++++++ > > softmmu/vl.c | 10 ++++++++++ > > target/i386/sev.c | 2 ++ > > 3 files changed, 36 insertions(+) > > > > diff --git a/include/exec/confidential-guest-support.h b/include/exec/confidential-guest-support.h > > index 3db6380e63..5dcf602047 100644 > > --- a/include/exec/confidential-guest-support.h > > +++ b/include/exec/confidential-guest-support.h > > @@ -27,6 +27,30 @@ OBJECT_DECLARE_SIMPLE_TYPE(ConfidentialGuestSupport, CONFIDENTIAL_GUEST_SUPPORT) > > > > struct ConfidentialGuestSupport { > > Object parent; > > + > > + /* > > + * ready: flag set by CGS initialization code once it's ready to > > + * start executing instructions in a potentially-secure > > + * guest > > + * > > + * The definition here is a bit fuzzy, because this is essentially > > + * part of a self-sanity-check, rather than a strict mechanism. > > + * > > + * It's not fasible to have a single point in the common machine > > s/fasible/feasible Fixed, thanks. > > Anyway, > > Reviewed-by: Greg Kurz <groug@xxxxxxxx> > > > + * init path to configure confidential guest support, because > > + * different mechanisms have different interdependencies requiring > > + * initialization in different places, often in arch or machine > > + * type specific code. It's also usually not possible to check > > + * for invalid configurations until that initialization code. > > + * That means it would be very easy to have a bug allowing CGS > > + * init to be bypassed entirely in certain configurations. > > + * > > + * Silently ignoring a requested security feature would be bad, so > > + * to avoid that we check late in init that this 'ready' flag is > > + * set if CGS was requested. If the CGS init hasn't happened, and > > + * so 'ready' is not set, we'll abort. > > + */ > > + bool ready; > > }; > > > > typedef struct ConfidentialGuestSupportClass { > > diff --git a/softmmu/vl.c b/softmmu/vl.c > > index 1b464e3474..1869ed54a9 100644 > > --- a/softmmu/vl.c > > +++ b/softmmu/vl.c > > @@ -101,6 +101,7 @@ > > #include "qemu/plugin.h" > > #include "qemu/queue.h" > > #include "sysemu/arch_init.h" > > +#include "exec/confidential-guest-support.h" > > > > #include "ui/qemu-spice.h" > > #include "qapi/string-input-visitor.h" > > @@ -2497,6 +2498,8 @@ static void qemu_create_cli_devices(void) > > > > static void qemu_machine_creation_done(void) > > { > > + MachineState *machine = MACHINE(qdev_get_machine()); > > + > > /* Did we create any drives that we failed to create a device for? */ > > drive_check_orphaned(); > > > > @@ -2516,6 +2519,13 @@ static void qemu_machine_creation_done(void) > > > > qdev_machine_creation_done(); > > > > + if (machine->cgs) { > > + /* > > + * Verify that Confidential Guest Support has actually been initialized > > + */ > > + assert(machine->cgs->ready); > > + } > > + > > if (foreach_device_config(DEV_GDB, gdbserver_start) < 0) { > > exit(1); > > } > > diff --git a/target/i386/sev.c b/target/i386/sev.c > > index 590cb31fa8..f9e9b5d8ae 100644 > > --- a/target/i386/sev.c > > +++ b/target/i386/sev.c > > @@ -737,6 +737,8 @@ int sev_kvm_init(ConfidentialGuestSupport *cgs, Error **errp) > > qemu_add_machine_init_done_notifier(&sev_machine_done_notify); > > qemu_add_vm_change_state_handler(sev_vm_state_change, sev); > > > > + cgs->ready = true; > > + > > return 0; > > err: > > sev_guest = NULL; > -- David Gibson | I'll have my music baroque, and my code david AT gibson.dropbear.id.au | minimalist, thank you. NOT _the_ _other_ | _way_ _around_! http://www.ozlabs.org/~dgibson
Attachment:
signature.asc
Description: PGP signature