Re: [PATCH v4 27/31] hw/i386/sev: Use guest_memfd for legacy ROMs

Paolo Bonzini <pbonzini@xxxxxxxxxx> · Fri, 31 May 2024 13:27:36 +0200

On Thu, May 30, 2024 at 1:17 PM Pankaj Gupta <pankaj.gupta@xxxxxxx> wrote:
>
> From: Michael Roth <michael.roth@xxxxxxx>
>
> Current SNP guest kernels will attempt to access these regions with
> with C-bit set, so guest_memfd is needed to handle that. Otherwise,
> kvm_convert_memory() will fail when the guest kernel tries to access it
> and QEMU attempts to call KVM_SET_MEMORY_ATTRIBUTES to set these ranges
> to private.
>
> Whether guests should actually try to access ROM regions in this way (or
> need to deal with legacy ROM regions at all), is a separate issue to be
> addressed on kernel side, but current SNP guest kernels will exhibit
> this behavior and so this handling is needed to allow QEMU to continue
> running existing SNP guest kernels.

[...]

>  #ifdef CONFIG_XEN_EMU
> @@ -1022,10 +1023,15 @@ void pc_memory_init(PCMachineState *pcms,
>      pc_system_firmware_init(pcms, rom_memory);
>
>      option_rom_mr = g_malloc(sizeof(*option_rom_mr));
> -    memory_region_init_ram(option_rom_mr, NULL, "pc.rom", PC_ROM_SIZE,
> -                           &error_fatal);
> -    if (pcmc->pci_enabled) {
> -        memory_region_set_readonly(option_rom_mr, true);
> +    if (sev_snp_enabled()) {

Using sev_snp_enabled() here however is pretty ugly...

Fortunately we can fix machine_require_guest_memfd(), which I think is
initialized later (?), so that it is usable here too (and the code is
cleaner). To do so, just delegate machine_require_guest_memfd() to the
ConfidentialGuestSupport object (see patch at
https://patchew.org/QEMU/20240531112636.80097-1-pbonzini@xxxxxxxxxx/)
and then initialize the new field in SevSnpGuest's instance_init
function:

diff --git a/target/i386/sev.c b/target/i386/sev.c
index 1c5e2e7a1f9..a7574d1c707 100644
--- a/target/i386/sev.c
+++ b/target/i386/sev.c
@@ -2328,8 +2328,11 @@ sev_snp_guest_class_init(ObjectClass *oc, void *data)
 static void
 sev_snp_guest_instance_init(Object *obj)
 {
+    ConfidentialGuestSupport *cgs = CONFIDENTIAL_GUEST_SUPPORT(obj);
     SevSnpGuestState *sev_snp_guest = SEV_SNP_GUEST(obj);

+    cgs->require_guest_memfd = true;
+
     /* default init/start/finish params for kvm */
     sev_snp_guest->kvm_start_conf.policy = DEFAULT_SEV_SNP_POLICY;
 }


Paolo









