Make x86/efi/run check for AMDSEV envvar and set corresponding SEV/SEV-ES parameters on the qemu cmdline, to make it convenient to launch SEV/SEV-ES tests. Since the C-bit position depends on the runtime host, fetch it via cpuid before guest launch. AMDSEV can be set to `sev` or `sev-es`.
Signed-off-by: Varad Gautam <varad.gautam@xxxxxxxx>
---
 x86/efi/README.md | 5 +++++
 x86/efi/run | 38 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 43 insertions(+)
diff --git a/x86/efi/README.md b/x86/efi/README.md
index a39f509..1222b30 100644
--- a/x86/efi/README.md
+++ b/x86/efi/README.md
@@ -30,6 +30,11 @@ the env variable `EFI_UEFI`:
 EFI_UEFI=/path/to/OVMF.fd ./x86/efi/run ./x86/msr.efi
+To run the tests under AMD SEV/SEV-ES, set env variable `AMDSEV=sev` or
+`AMDSEV=sev-es`. This adds the desired guest policy to qemu command line.
+
+ AMDSEV=sev-es EFI_UEFI=/path/to/OVMF.fd ./x86/efi/run ./x86/amd_sev.efi
+
 ## Code structure
 ### Code from GNU-EFI
diff --git a/x86/efi/run b/x86/efi/run
index ac368a5..9bf0dc8 100755
--- a/x86/efi/run
+++ b/x86/efi/run
@@ -43,6 +43,43 @@ fi
 mkdir -p "$EFI_CASE_DIR"
 cp "$EFI_SRC/$EFI_CASE.efi" "$EFI_CASE_BINARY"
+amdsev_opts=
+if [ -n "$AMDSEV" ]; then
+ # Guest policy bits, used to form QEMU command line.
+ readonly AMDSEV_POLICY_NODBG=$(( 1 << 0 ))
+ readonly AMDSEV_POLICY_ES=$(( 1 << 2 ))
+
+ gcc -x c -o getcbitpos - <<EOF
+ /* CPUID Fn8000_001F_EBX bits 5:0 */
+ int get_cbit_pos(void)
+ {
+ int ebx;
+ __asm__("mov \$0x8000001f , %eax\n\t");
+ __asm__("cpuid\n\t");
+ __asm__("mov %%ebx, %0\n\t":"=r" (ebx));
+ return (ebx & 0x3f);
+ }
+ int main(void)
+ {
+ return get_cbit_pos();
+ }
+EOF
+
+ cbitpos=$(./getcbitpos ; echo $?) || rm ./getcbitpos
+ policy=
+ if [ "$AMDSEV" = "sev" ]; then
+ policy="$(( $AMDSEV_POLICY_NODBG ))"
+ elif [ "$AMDSEV" = "sev-es" ]; then
+ policy="$(( $AMDSEV_POLICY_NODBG | $AMDSEV_POLICY_ES ))"
+ else
+ echo "Cannot set AMDSEV policy. AMDSEV must be one of 'sev', 'sev-es'."
+ exit 2
+ fi
+
+ amdsev_opts="-object sev-guest,id=sev0,cbitpos=${cbitpos},reduced-phys-bits=1,policy=${policy} \
+ -machine memory-encryption=sev0"
+fi
+
 # Run test case with 256MiB QEMU memory. QEMU default memory size is 128MiB.
 # After UEFI boot up and we call `LibMemoryMap()`, the largest consecutive
 # memory region is ~42MiB. Although this is sufficient for many test cases to
@@ -61,4 +98,5 @@ cp "$EFI_SRC/$EFI_CASE.efi" "$EFI_CASE_BINARY"
 -nographic \
 -m 256 \
 "$@" \
+ $amdsev_opts \
 -smp "$EFI_SMP"
--
2.34.1
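Review bot: The helper is built to and executed from a fixed `./getcbitpos` in the current directory and the gcc result is never checked, so when the build fails the script can run a stale file of that name, or pass exit status 127 to QEMU as `cbitpos`. The `|| rm ./getcbitpos` cleanup never fires, because the status of the command substitution is that of `echo $?`, so the binary is also left behind after every run. The three separate `__asm__` statements declare no inputs or clobbers, so the result depends on the compiler leaving eax and ebx untouched between them; `__get_cpuid()` from `<cpuid.h>` avoids that and lets the helper reject a host where leaf 0x8000001F or the SEV bit is absent. A version that builds into a `mktemp` file and checks each step is sketched below.

```shell
    # … unchanged: AMDSEV_POLICY_* constants …

    # Private temp file instead of a fixed name in the cwd (TMPDIR must allow exec).
    cbit_helper=$(mktemp) || exit 2
    if ! gcc -x c -o "$cbit_helper" - <<EOF
#include <cpuid.h>
int main(void)
{
    unsigned int eax = 0, ebx = 0, ecx = 0, edx = 0;

    /* CPUID Fn8000_001F: EAX bit 1 = SEV, EBX bits 5:0 = C-bit position */
    if (!__get_cpuid(0x8000001f, &eax, &ebx, &ecx, &edx) || !(eax & 2))
        return 255;
    return ebx & 0x3f;
}
EOF
    then
        rm -f "$cbit_helper"
        echo "Cannot build the C-bit position helper."
        exit 2
    fi
    cbitpos=0
    "$cbit_helper" || cbitpos=$?
    rm -f "$cbit_helper"
    if [ "$cbitpos" -gt 63 ]; then
        echo "Cannot read the C-bit position; is SEV available on this host?"
        exit 2
    fi

    # … unchanged: policy selection and amdsev_opts …
```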