On Wed, Mar 20, 2024 at 03:39:18AM -0500, Michael Roth wrote:
> From: Brijesh Singh <brijesh.singh@xxxxxxx>
>
> SEV-SNP support relies on a different set of properties/state than the
> existing 'sev-guest' object. This patch introduces the 'sev-snp-guest'
> object, which can be used to configure an SEV-SNP guest. For example,
> a default-configured SEV-SNP guest with no additional information
> passed in for use with attestation:
>
> -object sev-snp-guest,id=sev0
>
> or a fully-specified SEV-SNP guest where all spec-defined binary
> blobs are passed in as base64-encoded strings:
>
> -object sev-snp-guest,id=sev0, \
> policy=0x30000, \
> init-flags=0, \
> id-block=YWFhYWFhYWFhYWFhYWFhCg==, \
> id-auth=CxHK/OKLkXGn/KpAC7Wl1FSiisWDbGTEKz..., \
> auth-key-enabled=on, \
> host-data=LNkCWBRC5CcdGXirbNUV1OrsR28s..., \
> guest-visible-workarounds=AA==, \
>
> See the QAPI schema updates included in this patch for more usage
> details.
>
> In some cases these blobs may be up to 4096 characters, but this is
> generally well below the default limit for linux hosts where
> command-line sizes are defined by the sysconf-configurable ARG_MAX
> value, which defaults to 2097152 characters for Ubuntu hosts, for
> example.
>
> Signed-off-by: Brijesh Singh <brijesh.singh@xxxxxxx>
> Co-developed-by: Michael Roth <michael.roth@xxxxxxx>
> Acked-by: Markus Armbruster <armbru@xxxxxxxxxx> (for QAPI schema)
> Signed-off-by: Michael Roth <michael.roth@xxxxxxx>
> ---
> docs/system/i386/amd-memory-encryption.rst | 78 ++++++-
> qapi/qom.json | 51 +++++
> target/i386/sev.c | 241 +++++++++++++++++++++
> target/i386/sev.h | 1 +
> 4 files changed, 369 insertions(+), 2 deletions(-)
>
> +##
> +# @SevSnpGuestProperties:
> +#
> +# Properties for sev-snp-guest objects. Most of these are direct arguments
> +# for the KVM_SNP_* interfaces documented in the linux kernel source
> +# under Documentation/virt/kvm/amd-memory-encryption.rst, which are in
> +# turn closely coupled with the SNP_INIT/SNP_LAUNCH_* firmware commands
> +# documented in the SEV-SNP Firmware ABI Specification (Rev 0.9).
> +#
> +# More usage information is also available in the QEMU source tree under
> +# docs/amd-memory-encryption.
> +#
> +# @policy: the 'POLICY' parameter to the SNP_LAUNCH_START command, as
> +# defined in the SEV-SNP firmware ABI (default: 0x30000)
> +#
> +# @guest-visible-workarounds: 16-byte, base64-encoded blob to report
> +# hypervisor-defined workarounds, corresponding
> +# to the 'GOSVW' parameter of the
> +# SNP_LAUNCH_START command defined in the
> +# SEV-SNP firmware ABI (default: all-zero)
> +#
> +# @id-block: 96-byte, base64-encoded blob to provide the 'ID Block'
> +# structure for the SNP_LAUNCH_FINISH command defined in the
> +# SEV-SNP firmware ABI (default: all-zero)
> +#
> +# @id-auth: 4096-byte, base64-encoded blob to provide the 'ID Authentication
> +# Information Structure' for the SNP_LAUNCH_FINISH command defined
> +# in the SEV-SNP firmware ABI (default: all-zero)
> +#
> +# @auth-key-enabled: true if 'id-auth' blob contains the 'AUTHOR_KEY' field
> +# defined SEV-SNP firmware ABI (default: false)
> +#
> +# @host-data: 32-byte, base64-encoded, user-defined blob to provide to the
> +# guest, as documented for the 'HOST_DATA' parameter of the
> +# SNP_LAUNCH_FINISH command in the SEV-SNP firmware ABI
> +# (default: all-zero)
> +#
> +# Since: 7.2
This will be 9.1 at the earliest now.
> +##
> +{ 'struct': 'SevSnpGuestProperties',
> + 'base': 'SevCommonProperties',
> + 'data': {
> + '*policy': 'uint64',
> + '*guest-visible-workarounds': 'str',
> + '*id-block': 'str',
> + '*id-auth': 'str',
> + '*auth-key-enabled': 'bool',
> + '*host-data': 'str' } }
> +
> diff --git a/target/i386/sev.c b/target/i386/sev.c
> index 63a220de5e..7e6dab642a 100644
> --- a/target/i386/sev.c
> +++ b/target/i386/sev.c
> @@ -42,6 +42,7 @@
>
> OBJECT_DECLARE_SIMPLE_TYPE(SevCommonState, SEV_COMMON)
> OBJECT_DECLARE_SIMPLE_TYPE(SevGuestState, SEV_GUEST)
> +OBJECT_DECLARE_SIMPLE_TYPE(SevSnpGuestState, SEV_SNP_GUEST)
>
> struct SevCommonState {
> X86ConfidentialGuest parent_obj;
> @@ -87,8 +88,22 @@ struct SevGuestState {
> bool kernel_hashes;
> };
>
> +struct SevSnpGuestState {
> + SevCommonState sev_common;
> +
> + /* configuration parameters */
> + char *guest_visible_workarounds;
> + char *id_block;
> + char *id_auth;
> + char *host_data;
> +
> + struct kvm_sev_snp_launch_start kvm_start_conf;
> + struct kvm_sev_snp_launch_finish kvm_finish_conf;
> +};
> +
> #define DEFAULT_GUEST_POLICY 0x1 /* disable debug */
> #define DEFAULT_SEV_DEVICE "/dev/sev"
> +#define DEFAULT_SEV_SNP_POLICY 0x30000
>
> #define SEV_INFO_BLOCK_GUID "00f771de-1a7e-4fcb-890e-68c77e2fb44e"
> typedef struct __attribute__((__packed__)) SevInfoBlock {
> @@ -1473,11 +1488,237 @@ static const TypeInfo sev_guest_info = {
> .class_init = sev_guest_class_init,
> +
> +static char *
> +sev_snp_guest_get_guest_visible_workarounds(Object *obj, Error **errp)
> +{
> + return g_strdup(SEV_SNP_GUEST(obj)->guest_visible_workarounds);
> +}
> +
> +static void
> +sev_snp_guest_set_guest_visible_workarounds(Object *obj, const char *value,
> + Error **errp)
> +{
> + SevSnpGuestState *sev_snp_guest = SEV_SNP_GUEST(obj);
> + struct kvm_sev_snp_launch_start *start = &sev_snp_guest->kvm_start_conf;
> + g_autofree guchar *blob;
> + gsize len;
> +
> + if (sev_snp_guest->guest_visible_workarounds) {
> + g_free(sev_snp_guest->guest_visible_workarounds);
> + }
Redundant 'if' test - g_free is happy with NULL
> +
> + /* store the base64 str so we don't need to re-encode in getter */
> + sev_snp_guest->guest_visible_workarounds = g_strdup(value);
> +
> + blob = qbase64_decode(sev_snp_guest->guest_visible_workarounds, -1, &len, errp);
> + if (!blob) {
> + return;
> + }
> +
> + if (len > sizeof(start->gosvw)) {
The QAPI docs said this property must be '16 bytes', so I'd
suggest we do a strict equality test, rather than min size
test to catch a wider set of mistakes.
> + error_setg(errp, "parameter length of %lu exceeds max of %lu",
> + len, sizeof(start->gosvw));
> + return;
> + }
> +
> + memcpy(start->gosvw, blob, len);
> +}
> +
> +static char *
> +sev_snp_guest_get_id_block(Object *obj, Error **errp)
> +{
> + SevSnpGuestState *sev_snp_guest = SEV_SNP_GUEST(obj);
> +
> + return g_strdup(sev_snp_guest->id_block);
> +}
> +
> +static void
> +sev_snp_guest_set_id_block(Object *obj, const char *value, Error **errp)
> +{
> + SevSnpGuestState *sev_snp_guest = SEV_SNP_GUEST(obj);
> + struct kvm_sev_snp_launch_finish *finish = &sev_snp_guest->kvm_finish_conf;
> + gsize len;
> +
> + if (sev_snp_guest->id_block) {
> + g_free(sev_snp_guest->id_block);
> + g_free((guchar *)finish->id_block_uaddr);
> + }
Assuming 'id_block_uaddr' is also initialized to 0, when id_block
is NULL, then you can remove the 'if' conditional.
> +
> + /* store the base64 str so we don't need to re-encode in getter */
> + sev_snp_guest->id_block = g_strdup(value);
> +
> + finish->id_block_uaddr =
> + (uint64_t)qbase64_decode(sev_snp_guest->id_block, -1, &len, errp);
> +
> + if (!finish->id_block_uaddr) {
> + return;
> + }
> +
> + if (len > KVM_SEV_SNP_ID_BLOCK_SIZE) {
Again, lets do a strict equality test to match the documented
required size.
> + error_setg(errp, "parameter length of %lu exceeds max of %u",
> + len, KVM_SEV_SNP_ID_BLOCK_SIZE);
> + return;
> + }
> +
> + finish->id_block_en = (len) ? 1 : 0;
> +}
> +
> +static char *
> +sev_snp_guest_get_id_auth(Object *obj, Error **errp)
> +{
> + SevSnpGuestState *sev_snp_guest = SEV_SNP_GUEST(obj);
> +
> + return g_strdup(sev_snp_guest->id_auth);
> +}
> +
> +static void
> +sev_snp_guest_set_id_auth(Object *obj, const char *value, Error **errp)
> +{
> + SevSnpGuestState *sev_snp_guest = SEV_SNP_GUEST(obj);
> + struct kvm_sev_snp_launch_finish *finish = &sev_snp_guest->kvm_finish_conf;
> + gsize len;
> +
> + if (sev_snp_guest->id_auth) {
> + g_free(sev_snp_guest->id_auth);
> + g_free((guchar *)finish->id_auth_uaddr);
> + }
Same probably redundant 'if'
> +
> + /* store the base64 str so we don't need to re-encode in getter */
> + sev_snp_guest->id_auth = g_strdup(value);
> +
> + finish->id_auth_uaddr =
> + (uint64_t)qbase64_decode(sev_snp_guest->id_auth, -1, &len, errp);
> +
> + if (!finish->id_auth_uaddr) {
> + return;
> + }
> +
> + if (len > KVM_SEV_SNP_ID_AUTH_SIZE) {
Equality test.
> + error_setg(errp, "parameter length of %lu exceeds max of %u",
> + len, KVM_SEV_SNP_ID_AUTH_SIZE);
> + return;
> + }
> +}
> +
> +static bool
> +sev_snp_guest_get_auth_key_en(Object *obj, Error **errp)
> +{
> + SevSnpGuestState *sev_snp_guest = SEV_SNP_GUEST(obj);
> +
> + return !!sev_snp_guest->kvm_finish_conf.auth_key_en;
> +}
> +
> +static void
> +sev_snp_guest_set_auth_key_en(Object *obj, bool value, Error **errp)
> +{
> + SevSnpGuestState *sev_snp_guest = SEV_SNP_GUEST(obj);
> +
> + sev_snp_guest->kvm_finish_conf.auth_key_en = value;
> +}
> +
> +static char *
> +sev_snp_guest_get_host_data(Object *obj, Error **errp)
> +{
> + SevSnpGuestState *sev_snp_guest = SEV_SNP_GUEST(obj);
> +
> + return g_strdup(sev_snp_guest->host_data);
> +}
> +
> +static void
> +sev_snp_guest_set_host_data(Object *obj, const char *value, Error **errp)
> +{
> + SevSnpGuestState *sev_snp_guest = SEV_SNP_GUEST(obj);
> + struct kvm_sev_snp_launch_finish *finish = &sev_snp_guest->kvm_finish_conf;
> + g_autofree guchar *blob;
> + gsize len;
> +
> + if (sev_snp_guest->host_data) {
> + g_free(sev_snp_guest->host_data);
> + }
Redundant 'if'
> +
> + /* store the base64 str so we don't need to re-encode in getter */
> + sev_snp_guest->host_data = g_strdup(value);
> +
> + blob = qbase64_decode(sev_snp_guest->host_data, -1, &len, errp);
> +
> + if (!blob) {
> + return;
> + }
> +
> + if (len > sizeof(finish->host_data)) {
Equality test
> + error_setg(errp, "parameter length of %lu exceeds max of %lu",
> + len, sizeof(finish->host_data));
> + return;
> + }
> +
> + memcpy(finish->host_data, blob, len);
> +}
> +
> +static void
> +sev_snp_guest_class_init(ObjectClass *oc, void *data)
> +{
> + object_class_property_add(oc, "policy", "uint64",
> + sev_snp_guest_get_policy,
> + sev_snp_guest_set_policy, NULL, NULL);
> + object_class_property_add_str(oc, "guest-visible-workarounds",
> + sev_snp_guest_get_guest_visible_workarounds,
> + sev_snp_guest_set_guest_visible_workarounds);
> + object_class_property_add_str(oc, "id-block",
> + sev_snp_guest_get_id_block,
> + sev_snp_guest_set_id_block);
> + object_class_property_add_str(oc, "id-auth",
> + sev_snp_guest_get_id_auth,
> + sev_snp_guest_set_id_auth);
> + object_class_property_add_bool(oc, "auth-key-enabled",
> + sev_snp_guest_get_auth_key_en,
> + sev_snp_guest_set_auth_key_en);
> + object_class_property_add_str(oc, "host-data",
> + sev_snp_guest_get_host_data,
> + sev_snp_guest_set_host_data);
> +}
> +
> +static void
> +sev_snp_guest_instance_init(Object *obj)
> +{
> + SevSnpGuestState *sev_snp_guest = SEV_SNP_GUEST(obj);
> +
> + /* default init/start/finish params for kvm */
> + sev_snp_guest->kvm_start_conf.policy = DEFAULT_SEV_SNP_POLICY;
> +}
> +
> +/* guest info specific to sev-snp */
> +static const TypeInfo sev_snp_guest_info = {
> + .parent = TYPE_SEV_COMMON,
> + .name = TYPE_SEV_SNP_GUEST,
> + .instance_size = sizeof(SevSnpGuestState),
> + .class_init = sev_snp_guest_class_init,
> + .instance_init = sev_snp_guest_instance_init,
> +};
Use the OBJECT_DEFINE_TYPE_WITH_INTERFACES macro here.
> +
> static void
> sev_register_types(void)
> {
> type_register_static(&sev_common_info);
> type_register_static(&sev_guest_info);
> + type_register_static(&sev_snp_guest_info);
> }
>
> type_init(sev_register_types);
> diff --git a/target/i386/sev.h b/target/i386/sev.h
> index 668374eef3..bedc667eeb 100644
> --- a/target/i386/sev.h
> +++ b/target/i386/sev.h
> @@ -22,6 +22,7 @@
>
> #define TYPE_SEV_COMMON "sev-common"
> #define TYPE_SEV_GUEST "sev-guest"
> +#define TYPE_SEV_SNP_GUEST "sev-snp-guest"
>
> #define SEV_POLICY_NODBG 0x1
> #define SEV_POLICY_NOKS 0x2
> --
> 2.25.1
>
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
