Re: [PATCH v3 05/22] target/i386/monitor: Return QMP error when SEV is disabled in build

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



* Philippe Mathieu-Daudé (philmd@xxxxxxxxxx) wrote:
> On 10/4/21 10:11, Paolo Bonzini wrote:
> > On 02/10/21 14:53, Philippe Mathieu-Daudé wrote:
> >> If the management layer tries to inject a secret, it gets an empty
> >> response in case the binary built without SEV:
> >>
> >>    { "execute": "sev-inject-launch-secret",
> >>      "arguments": { "packet-header": "mypkt", "secret": "mypass",
> >> "gpa": 4294959104 }
> >>    }
> >>    {
> >>        "return": {
> >>        }
> >>    }
> >>
> >> Make it clearer by returning an error, mentioning the feature is
> >> disabled:
> >>
> >>    { "execute": "sev-inject-launch-secret",
> >>      "arguments": { "packet-header": "mypkt", "secret": "mypass",
> >> "gpa": 4294959104 }
> >>    }
> >>    {
> >>        "error": {
> >>            "class": "GenericError",
> >>            "desc": "this feature or command is not currently supported"
> >>        }
> >>    }
> >>
> >> Reviewed-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
> >> Reviewed-by: Connor Kuehl <ckuehl@xxxxxxxxxx>
> >> Signed-off-by: Philippe Mathieu-Daudé <philmd@xxxxxxxxxx>
> >> ---
> >>   target/i386/monitor.c | 5 +++++
> >>   1 file changed, 5 insertions(+)
> >>
> >> diff --git a/target/i386/monitor.c b/target/i386/monitor.c
> >> index 196c1c9e77f..a9f85acd473 100644
> >> --- a/target/i386/monitor.c
> >> +++ b/target/i386/monitor.c
> >> @@ -28,6 +28,7 @@
> >>   #include "monitor/hmp-target.h"
> >>   #include "monitor/hmp.h"
> >>   #include "qapi/qmp/qdict.h"
> >> +#include "qapi/qmp/qerror.h"
> >>   #include "sysemu/kvm.h"
> >>   #include "sysemu/sev.h"
> >>   #include "qapi/error.h"
> >> @@ -743,6 +744,10 @@ void qmp_sev_inject_launch_secret(const char
> >> *packet_hdr,
> >>                                     bool has_gpa, uint64_t gpa,
> >>                                     Error **errp)
> >>   {
> >> +    if (!sev_enabled()) {
> >> +        error_setg(errp, QERR_UNSUPPORTED);
> >> +        return;
> >> +    }
> >>       if (!has_gpa) {
> >>           uint8_t *data;
> >>           struct sev_secret_area *area;
> >>
> > 
> > This should be done in the sev_inject_launch_secret stub instead, I
> > think.  Or if you do it here, you can remove the "if (!sev_guest)"
> > conditional in the non-stub version.
> 
> This part is not related to SEV builtin; what we want to avoid here
> is management layer to try to inject secret while the guest hasn't
> been started with SEV (IOW 'no memory encryption requested for KVM).
> 
> Maybe this error message is more explicit?
> 
>   error_setg(errp, "Guest is not using memory encryption");
> 
> Or:
> 
>   error_setg(errp, "Guest is not using SEV");

This is better; there's a separate feature called memory encryption, so
we don't want to confuse things.

Dave

> 
-- 
Dr. David Alan Gilbert / dgilbert@xxxxxxxxxx / Manchester, UK




[Index of Archives]     [KVM ARM]     [KVM ia64]     [KVM ppc]     [Virtualization Tools]     [Spice Development]     [Libvirt]     [Libvirt Users]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite Questions]     [Linux Kernel]     [Linux SCSI]     [XFree86]

  Powered by Linux