Re: [RFC PATCH v1 00/28] x86: Secure Encrypted Virtualization (AMD)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Paolo,

Thanks for reviews. I will incorporate your feedbacks in v2.

On 10/13/2016 06:19 AM, Paolo Bonzini wrote:


On 23/08/2016 01:23, Brijesh Singh wrote:
TODO:
- send qemu/seabios RFC's on respective mailing list
- integrate the psp driver with CCP driver (they share the PCI id's)
- add SEV guest migration command support
- add SEV snapshotting command support
- determine how to do ioremap of physical memory with mem encryption enabled
  (e.g acpi tables)

The would be encrypted, right?  Similar to the EFI data in patch 9.

Yes.


- determine how to share the guest memory with hypervisor for to support
  pvclock driver

Is it enough if the guest makes that page unencrypted?


Yes that should be enough. If guest can mark a page as unencrypted then hypervisor should be able to read and write to that particular page.

Tom's patches have introduced API (set_memory_dec) to mark memory as unencrypted but pvclock drv runs very early during boot (when irq was disabled). Because of this we are not able to use set_memory_dec() to mark the page as unencrypted. Will need to come up with method for handling these cases.

I reviewed the KVM host-side patches and they are pretty
straightforward, so the comments on each patch suffice.

Thanks,

Paolo

Brijesh Singh (11):
      crypto: add AMD Platform Security Processor driver
      KVM: SVM: prepare to reserve asid for SEV guest
      KVM: SVM: prepare for SEV guest management API support
      KVM: introduce KVM_SEV_ISSUE_CMD ioctl
      KVM: SVM: add SEV launch start command
      KVM: SVM: add SEV launch update command
      KVM: SVM: add SEV_LAUNCH_FINISH command
      KVM: SVM: add KVM_SEV_GUEST_STATUS command
      KVM: SVM: add KVM_SEV_DEBUG_DECRYPT command
      KVM: SVM: add KVM_SEV_DEBUG_ENCRYPT command
      KVM: SVM: add command to query SEV API version

Tom Lendacky (17):
      kvm: svm: Add support for additional SVM NPF error codes
      kvm: svm: Add kvm_fast_pio_in support
      kvm: svm: Use the hardware provided GPA instead of page walk
      x86: Secure Encrypted Virtualization (SEV) support
      KVM: SVM: prepare for new bit definition in nested_ctl
      KVM: SVM: Add SEV feature definitions to KVM
      x86: Do not encrypt memory areas if SEV is enabled
      Access BOOT related data encrypted with SEV active
      x86/efi: Access EFI data as encrypted when SEV is active
      x86: Change early_ioremap to early_memremap for BOOT data
      x86: Don't decrypt trampoline area if SEV is active
      x86: DMA support for SEV memory encryption
      iommu/amd: AMD IOMMU support for SEV
      x86: Don't set the SME MSR bit when SEV is active
      x86: Unroll string I/O when SEV is active
      x86: Add support to determine if running with SEV enabled
      KVM: SVM: Enable SEV by setting the SEV_ENABLE cpu feature


 arch/x86/boot/compressed/Makefile      |    2
 arch/x86/boot/compressed/head_64.S     |   19 +
 arch/x86/boot/compressed/mem_encrypt.S |  123 ++++
 arch/x86/include/asm/io.h              |   26 +
 arch/x86/include/asm/kvm_emulate.h     |    3
 arch/x86/include/asm/kvm_host.h        |   27 +
 arch/x86/include/asm/mem_encrypt.h     |    3
 arch/x86/include/asm/svm.h             |    3
 arch/x86/include/uapi/asm/hyperv.h     |    4
 arch/x86/include/uapi/asm/kvm_para.h   |    4
 arch/x86/kernel/acpi/boot.c            |    4
 arch/x86/kernel/head64.c               |    4
 arch/x86/kernel/mem_encrypt.S          |   44 ++
 arch/x86/kernel/mpparse.c              |   10
 arch/x86/kernel/setup.c                |    7
 arch/x86/kernel/x8664_ksyms_64.c       |    1
 arch/x86/kvm/cpuid.c                   |    4
 arch/x86/kvm/mmu.c                     |   20 +
 arch/x86/kvm/svm.c                     |  906 ++++++++++++++++++++++++++++++++
 arch/x86/kvm/x86.c                     |   73 +++
 arch/x86/mm/ioremap.c                  |    7
 arch/x86/mm/mem_encrypt.c              |   50 ++
 arch/x86/platform/efi/efi_64.c         |   14
 arch/x86/realmode/init.c               |   11
 drivers/crypto/Kconfig                 |   11
 drivers/crypto/Makefile                |    1
 drivers/crypto/psp/Kconfig             |    8
 drivers/crypto/psp/Makefile            |    3
 drivers/crypto/psp/psp-dev.c           |  220 ++++++++
 drivers/crypto/psp/psp-dev.h           |   95 +++
 drivers/crypto/psp/psp-ops.c           |  454 ++++++++++++++++
 drivers/crypto/psp/psp-pci.c           |  376 +++++++++++++
 drivers/sfi/sfi_core.c                 |    6
 include/linux/ccp-psp.h                |  833 +++++++++++++++++++++++++++++
 include/uapi/linux/Kbuild              |    1
 include/uapi/linux/ccp-psp.h           |  182 ++++++
 include/uapi/linux/kvm.h               |  125 ++++
 37 files changed, 3643 insertions(+), 41 deletions(-)
 create mode 100644 arch/x86/boot/compressed/mem_encrypt.S
 create mode 100644 drivers/crypto/psp/Kconfig
 create mode 100644 drivers/crypto/psp/Makefile
 create mode 100644 drivers/crypto/psp/psp-dev.c
 create mode 100644 drivers/crypto/psp/psp-dev.h
 create mode 100644 drivers/crypto/psp/psp-ops.c
 create mode 100644 drivers/crypto/psp/psp-pci.c
 create mode 100644 include/linux/ccp-psp.h
 create mode 100644 include/uapi/linux/ccp-psp.h


--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@xxxxxxxxx.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@xxxxxxxxx";> email@xxxxxxxxx </a>



[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]