On 20/02/2023 20:38, Michael Roth wrote:
> From: Dionna Glaze <dionnaglaze@xxxxxxxxxx>
>
> The /dev/sev device has the ability to store host-wide certificates for
> the key used by the AMD-SP for SEV-SNP attestation report signing,
> but for hosts that want to specify additional certificates that are
> specific to the image launched in a VM, a different way is needed to
> communicate those certificates.
>
> Add two new KVM ioctls to handle this: KVM_SEV_SNP_{GET,SET}_CERTS
>
> The certificates that are set with this command are expected to follow
> the same format as the host certificates, but that format is opaque
> to the kernel.
>
> The new behavior for custom certificates is that the extended guest
> request command will now return the overridden certificates if they
> were installed for the instance. The error condition for a too small
> data buffer is changed to return the overridden certificate data size
> if there is an overridden certificate set installed.
>
> Setting a 0 length certificate returns the system state to only return
> the host certificates on an extended guest request.
>
> Also increase the SEV_FW_BLOB_MAX_SIZE another 4K page to allow space
> for an extra certificate.
>
> Cc: Tom Lendacky <Thomas.Lendacky@xxxxxxx>
> Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
>
> Signed-off-by: Dionna Glaze <dionnaglaze@xxxxxxxxxx>
> Signed-off-by: Ashish Kalra <ashish.kalra@xxxxxxx>
> [mdr: remove use of "we" and "this patch" in commit log]
> Signed-off-by: Michael Roth <michael.roth@xxxxxxx>
> ---
> arch/x86/kvm/svm/sev.c | 111 ++++++++++++++++++++++++++++++++++++++-
> arch/x86/kvm/svm/svm.h | 1 +
> include/linux/psp-sev.h | 2 +-
> include/uapi/linux/kvm.h | 12 +++++
> 4 files changed, 123 insertions(+), 3 deletions(-)
>
> [...]
>
> diff --git a/include/linux/psp-sev.h b/include/linux/psp-sev.h
> index 92116e2b74fd..3b28b78938f6 100644
> --- a/include/linux/psp-sev.h
> +++ b/include/linux/psp-sev.h
> @@ -22,7 +22,7 @@
> #define __psp_pa(x) __pa(x)
> #endif
>
> -#define SEV_FW_BLOB_MAX_SIZE 0x4000 /* 16KB */
> +#define SEV_FW_BLOB_MAX_SIZE 0x5000 /* 20KB */

This change should be removed (it was also discussed in v7). If I
understand correctly, 16KB is a limit of the PSP.

-Dov

>
> /**
> * SEV platform state
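Review bot: The bump of SEV_FW_BLOB_MAX_SIZE from 0x4000 to 0x5000 in the include/linux/psp-sev.h hunk changes a constant shared with the PSP driver, yet the commit log justifies it only as "space for an extra certificate" and does not point to any firmware documentation that permits a larger blob; given the comment above that 16KB is a PSP limit and that this was already raised against v7, either drop this hunk or cite the firmware specification that allows 0x5000, and if KVM needs room for per-instance certificates, size that buffer with a KVM-side limit rather than by widening the firmware blob constant for every user of the header.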