Message-ID: <20240329225835.400662-13-michael.roth@amd.com>
Date: Fri, 29 Mar 2024 17:58:18 -0500
From: Michael Roth <michael.roth@....com>
To: <kvm@...r.kernel.org>
CC: <linux-coco@...ts.linux.dev>, <linux-mm@...ck.org>,
<linux-crypto@...r.kernel.org>, <x86@...nel.org>,
<linux-kernel@...r.kernel.org>, <tglx@...utronix.de>, <mingo@...hat.com>,
<jroedel@...e.de>, <thomas.lendacky@....com>, <hpa@...or.com>,
<ardb@...nel.org>, <pbonzini@...hat.com>, <seanjc@...gle.com>,
<vkuznets@...hat.com>, <jmattson@...gle.com>, <luto@...nel.org>,
<dave.hansen@...ux.intel.com>, <slp@...hat.com>, <pgonda@...gle.com>,
<peterz@...radead.org>, <srinivas.pandruvada@...ux.intel.com>,
<rientjes@...gle.com>, <dovmurik@...ux.ibm.com>, <tobin@....com>,
<bp@...en8.de>, <vbabka@...e.cz>, <kirill@...temov.name>,
<ak@...ux.intel.com>, <tony.luck@...el.com>,
<sathyanarayanan.kuppuswamy@...ux.intel.com>, <alpergun@...gle.com>,
<jarkko@...nel.org>, <ashish.kalra@....com>, <nikunj.dadhania@....com>,
<pankaj.gupta@....com>, <liam.merwick@...cle.com>, Brijesh Singh
<brijesh.singh@....com>, Harald Hoyer <harald@...fian.com>
Subject: [PATCH v12 12/29] KVM: SEV: Add KVM_SEV_SNP_LAUNCH_FINISH command
Add a KVM_SEV_SNP_LAUNCH_FINISH command to finalize the cryptographic
launch digest and store it as the measurement of the guest at launch
time. Also extend the existing SNP firmware data structures to support
enforcing the use of Versioned Loaded Endorsement Keys by guests as part
of this command.
While finalizing the launch flow, it also issues the LAUNCH_UPDATE SNP
firmware commands to encrypt/measure the initial VMSA pages for each
configured vCPU. This involves setting the RMP entries for those pages
to private, so also add handling to clean up the RMP entries for these
pages when freeing vCPUs.
Signed-off-by: Brijesh Singh <brijesh.singh@....com>
Signed-off-by: Harald Hoyer <harald@...fian.com>
Signed-off-by: Ashish Kalra <ashish.kalra@....com>
[mdr: always measure BSP first to get consistent launch measurements]
Signed-off-by: Michael Roth <michael.roth@....com>
---
.../virt/kvm/x86/amd-memory-encryption.rst | 26 ++++
arch/x86/include/uapi/asm/kvm.h | 15 ++
arch/x86/kvm/svm/sev.c | 137 ++++++++++++++++++
include/linux/psp-sev.h | 4 +-
4 files changed, 181 insertions(+), 1 deletion(-)
diff --git a/Documentation/virt/kvm/x86/amd-memory-encryption.rst b/Documentation/virt/kvm/x86/amd-memory-encryption.rst
index 4268aa5c380e..a49e8cff9133 100644
--- a/Documentation/virt/kvm/x86/amd-memory-encryption.rst
+++ b/Documentation/virt/kvm/x86/amd-memory-encryption.rst
@@ -517,6 +517,32 @@ where the allowed values for page_type are #define'd as::
See the SEV-SNP spec [snp-fw-abi]_ for further details on how each page type is
used/measured.
+20. KVM_SEV_SNP_LAUNCH_FINISH
+-----------------------------
+
+After completion of the SNP guest launch flow, the KVM_SEV_SNP_LAUNCH_FINISH
+command can be issued to make the guest ready for execution.
+
+Parameters (in): struct kvm_sev_snp_launch_finish
+
+Returns: 0 on success, -negative on error
+
+::
+
+ struct kvm_sev_snp_launch_finish {
+ __u64 id_block_uaddr;
+ __u64 id_auth_uaddr;
+ __u8 id_block_en;
+ __u8 auth_key_en;
+ __u8 vlek_required;
+ __u8 host_data[32];
+ __u8 pad[6];
+ };
+
+
+See SEV-SNP specification [snp-fw-abi]_ for SNP_LAUNCH_FINISH further details
+on launch finish input parameters.
+
Device attribute API
====================
diff --git a/arch/x86/include/uapi/asm/kvm.h b/arch/x86/include/uapi/asm/kvm.h
index 956eb548c08e..2b08fcbe039a 100644
--- a/arch/x86/include/uapi/asm/kvm.h
+++ b/arch/x86/include/uapi/asm/kvm.h
@@ -696,6 +696,7 @@ enum sev_cmd_id {
/* SNP-specific commands */
KVM_SEV_SNP_LAUNCH_START,
KVM_SEV_SNP_LAUNCH_UPDATE,
+ KVM_SEV_SNP_LAUNCH_FINISH,
KVM_SEV_NR_MAX,
};
@@ -841,6 +842,20 @@ struct kvm_sev_snp_launch_update {
__u8 type;
};
+#define KVM_SEV_SNP_ID_BLOCK_SIZE 96
+#define KVM_SEV_SNP_ID_AUTH_SIZE 4096
+#define KVM_SEV_SNP_FINISH_DATA_SIZE 32
+
+struct kvm_sev_snp_launch_finish {
+ __u64 id_block_uaddr;
+ __u64 id_auth_uaddr;
+ __u8 id_block_en;
+ __u8 auth_key_en;
+ __u8 vlek_required;
+ __u8 host_data[KVM_SEV_SNP_FINISH_DATA_SIZE];
+ __u8 pad[6];
+};
+
#define KVM_X2APIC_API_USE_32BIT_IDS (1ULL << 0)
#define KVM_X2APIC_API_DISABLE_BROADCAST_QUIRK (1ULL << 1)
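Review bot: The named fields of `struct kvm_sev_snp_launch_finish` add up to 57 bytes (8 + 8 + 3 + 32 + 6), so on x86-64 the `__u64` members round the struct up to 64 bytes and leave 7 bytes of unnamed tail padding in a uapi structure. On a 32-bit ABI where `__u64` is only 4-byte aligned the size would come out differently. Sizing the explicit padding so the struct ends on an 8-byte boundary, e.g. `__u8 pad[13];`, keeps the layout fully described and identical for both. Nothing in this patch rejects non-zero padding either, so these bytes cannot later be given a meaning without breaking existing callers. A check in snp_launch_finish() such as `if (memchr_inv(params.pad, 0, sizeof(params.pad))) return -EINVAL;` would keep them reserved.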
diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
index a8a8a285b4a4..3d6c030091c2 100644
--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -63,6 +63,8 @@ static u64 sev_supported_vmsa_features;
#define SNP_POLICY_MASK_SMT BIT_ULL(16)
#define SNP_POLICY_MASK_SINGLE_SOCKET BIT_ULL(20)
+#define INITIAL_VMSA_GPA 0xFFFFFFFFF000
+
static u8 sev_enc_bit;
static DECLARE_RWSEM(sev_deactivate_lock);
static DEFINE_MUTEX(sev_bitmap_lock);
@@ -2283,6 +2285,125 @@ static int snp_launch_update(struct kvm *kvm, struct kvm_sev_cmd *argp)
return ret;
}
+static int snp_launch_update_vmsa(struct kvm *kvm, struct kvm_sev_cmd *argp)
+{
+ struct kvm_sev_info *sev = &to_kvm_svm(kvm)->sev_info;
+ struct sev_data_snp_launch_update data = {};
+ bool boot_vcpu_handled = false;
+ struct kvm_vcpu *vcpu;
+ unsigned long i;
+ int ret;
+
+ data.gctx_paddr = __psp_pa(sev->snp_context);
+ data.page_type = SNP_PAGE_TYPE_VMSA;
+
+handle_remaining_vcpus:
+ kvm_for_each_vcpu(i, vcpu, kvm) {
+ struct vcpu_svm *svm = to_svm(vcpu);
+ u64 pfn = __pa(svm->sev_es.vmsa) >> PAGE_SHIFT;
+
+ /* Handle boot vCPU first to ensure consistent measurement of initial state. */
+ if (!boot_vcpu_handled && vcpu->vcpu_id != 0)
+ continue;
+
+ if (boot_vcpu_handled && vcpu->vcpu_id == 0)
+ continue;
+
+ /* Perform some pre-encryption checks against the VMSA */
+ ret = sev_es_sync_vmsa(svm);
+ if (ret)
+ return ret;
+
+ /* Transition the VMSA page to a firmware state. */
+ ret = rmp_make_private(pfn, INITIAL_VMSA_GPA, PG_LEVEL_4K, sev->asid, true);
+ if (ret)
+ return ret;
+
+ /* Issue the SNP command to encrypt the VMSA */
+ data.address = __sme_pa(svm->sev_es.vmsa);
+ ret = __sev_issue_cmd(argp->sev_fd, SEV_CMD_SNP_LAUNCH_UPDATE,
+ &data, &argp->error);
+ if (ret) {
+ snp_page_reclaim(pfn);
+ return ret;
+ }
+
+ svm->vcpu.arch.guest_state_protected = true;
+
+ if (!boot_vcpu_handled) {
+ boot_vcpu_handled = true;
+ goto handle_remaining_vcpus;
+ }
+ }
+
+ return 0;
+}
+
+static int snp_launch_finish(struct kvm *kvm, struct kvm_sev_cmd *argp)
+{
+ struct kvm_sev_info *sev = &to_kvm_svm(kvm)->sev_info;
+ struct kvm_sev_snp_launch_finish params;
+ struct sev_data_snp_launch_finish *data;
+ void *id_block = NULL, *id_auth = NULL;
+ int ret;
+
+ if (!sev_snp_guest(kvm))
+ return -ENOTTY;
+
+ if (!sev->snp_context)
+ return -EINVAL;
+
+ if (copy_from_user(¶ms, u64_to_user_ptr(argp->data), sizeof(params)))
+ return -EFAULT;
+
+ /* Measure all vCPUs using LAUNCH_UPDATE before finalizing the launch flow. */
+ ret = snp_launch_update_vmsa(kvm, argp);
+ if (ret)
+ return ret;
+
+ data = kzalloc(sizeof(*data), GFP_KERNEL_ACCOUNT);
+ if (!data)
+ return -ENOMEM;
+
+ if (params.id_block_en) {
+ id_block = psp_copy_user_blob(params.id_block_uaddr, KVM_SEV_SNP_ID_BLOCK_SIZE);
+ if (IS_ERR(id_block)) {
+ ret = PTR_ERR(id_block);
+ goto e_free;
+ }
+
+ data->id_block_en = 1;
+ data->id_block_paddr = __sme_pa(id_block);
+
+ id_auth = psp_copy_user_blob(params.id_auth_uaddr, KVM_SEV_SNP_ID_AUTH_SIZE);
+ if (IS_ERR(id_auth)) {
+ ret = PTR_ERR(id_auth);
+ goto e_free_id_block;
+ }
+
+ data->id_auth_paddr = __sme_pa(id_auth);
+
+ if (params.auth_key_en)
+ data->auth_key_en = 1;
+ }
+
+ data->vcek_disabled = params.vlek_required;
+
+ memcpy(data->host_data, params.host_data, KVM_SEV_SNP_FINISH_DATA_SIZE);
+ data->gctx_paddr = __psp_pa(sev->snp_context);
+ ret = sev_issue_cmd(kvm, SEV_CMD_SNP_LAUNCH_FINISH, data, &argp->error);
+
+ kfree(id_auth);
+
+e_free_id_block:
+ kfree(id_block);
+
+e_free:
+ kfree(data);
+
+ return ret;
+}
+
int sev_mem_enc_ioctl(struct kvm *kvm, void __user *argp)
{
struct kvm_sev_cmd sev_cmd;
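Review bot: In snp_launch_finish(), `data->vcek_disabled = params.vlek_required;` stores a `__u8` into a one-bit field (`u8 vcek_disabled:1` in psp-sev.h), so only bit 0 survives. A caller passing 2 gets the VLEK requirement silently dropped, whereas `id_block_en` and `auth_key_en` treat any non-zero value as set. Normalising with `data->vcek_disabled = !!params.vlek_required;`, or rejecting values above 1 with -EINVAL, makes the three flags behave the same way. Separately, snp_launch_update_vmsa() runs before the kzalloc() and both psp_copy_user_blob() calls, so an -ENOMEM or -EFAULT from those returns with the VMSAs already encrypted and `guest_state_protected` set. Doing the allocation and user copies first would avoid leaving the launch half-finished for a reason unrelated to the firmware.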
@@ -2376,6 +2497,9 @@ int sev_mem_enc_ioctl(struct kvm *kvm, void __user *argp)
case KVM_SEV_SNP_LAUNCH_UPDATE:
r = snp_launch_update(kvm, &sev_cmd);
break;
+ case KVM_SEV_SNP_LAUNCH_FINISH:
+ r = snp_launch_finish(kvm, &sev_cmd);
+ break;
default:
r = -EINVAL;
goto out;
@@ -2866,11 +2990,24 @@ void sev_free_vcpu(struct kvm_vcpu *vcpu)
svm = to_svm(vcpu);
+ /*
+ * If it's an SNP guest, then the VMSA was marked in the RMP table as
+ * a guest-owned page. Transition the page to hypervisor state before
+ * releasing it back to the system.
+ */
+ if (sev_snp_guest(vcpu->kvm)) {
+ u64 pfn = __pa(svm->sev_es.vmsa) >> PAGE_SHIFT;
+
+ if (host_rmp_make_shared(pfn, PG_LEVEL_4K, true))
+ goto skip_vmsa_free;
+ }
+
if (vcpu->arch.guest_state_protected)
sev_flush_encrypted_page(vcpu, svm->sev_es.vmsa);
__free_page(virt_to_page(svm->sev_es.vmsa));
+skip_vmsa_free:
if (svm->sev_es.ghcb_sa_free)
kvfree(svm->sev_es.ghcb_sa);
}
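Review bot: The new block in sev_free_vcpu() skips `__free_page()` when host_rmp_make_shared() fails, but neither the comment nor the `skip_vmsa_free` label says that the VMSA page is then never freed, presumably on purpose. A line such as `/* RMP entry could not be reset: leak the page rather than return it to the allocator */` above the `goto` would make that intent explicit. The check is also keyed on sev_snp_guest() rather than on `guest_state_protected`, so it runs for vCPUs whose VMSA never went through rmp_make_private(), for example when LAUNCH_FINISH was never issued. Whether host_rmp_make_shared() succeeds on a page that is already shared is not visible here and is worth confirming. The start of the function is outside the hunk.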
diff --git a/include/linux/psp-sev.h b/include/linux/psp-sev.h
index 3705c2044fc0..903ddfea8585 100644
--- a/include/linux/psp-sev.h
+++ b/include/linux/psp-sev.h
@@ -658,6 +658,7 @@ struct sev_data_snp_launch_update {
* @id_auth_paddr: system physical address of ID block authentication structure
* @id_block_en: indicates whether ID block is present
* @auth_key_en: indicates whether author key is present in authentication structure
+ * @vcek_disabled: indicates whether use of VCEK is allowed for attestation reports
* @rsvd: reserved
* @host_data: host-supplied data for guest, not interpreted by firmware
*/
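Review bot: The kernel-doc line added for `@vcek_disabled` reads with the opposite polarity to the field name: "indicates whether use of VCEK is allowed" suggests that 1 means allowed, while snp_launch_finish() fills the field from the uapi `vlek_required` flag. I would word it as `@vcek_disabled: when set, VCEK is not used for attestation reports (a VLEK is required)`, to be confirmed against the firmware ABI. Getting this wrong in a caller changes which endorsement key signs the guest's attestation report, so the comment should leave no doubt about which value enforces the restriction.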
@@ -667,7 +668,8 @@ struct sev_data_snp_launch_finish {
u64 id_auth_paddr;
u8 id_block_en:1;
u8 auth_key_en:1;
- u64 rsvd:62;
+ u8 vcek_disabled:1;
+ u64 rsvd:61;
u8 host_data[32];
} __packed;
--
2.25.1
X-sender: <kvm+bounces-13116-martin.weber=secunet.com@...r.kernel.org>
X-Receiver: <martin.weber@...unet.com> ORCPT=rfc822;martin.weber@...unet.com NOTIFY=NEVER; X-ExtendedProps=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
X-CreatedBy: MSExchange15
X-HeloDomain: b.mx.secunet.com
X-ExtendedProps: BQBjAAoAm0mmlidQ3AgFAGEACAABAAAABQA3AAIAAA8APAAAAE1pY3Jvc29mdC5FeGNoYW5nZS5UcmFuc3BvcnQuTWFpbFJlY2lwaWVudC5Pcmdhbml6YXRpb25TY29wZREAAAAAAAAAAAAAAAAAAAAAAAUASQACAAEFAAQAFCABAAAAGAAAAG1hcnRpbi53ZWJlckBzZWN1bmV0LmNvbQUABgACAAEFACkAAgABDwAJAAAAQ0lBdWRpdGVkAgABBQACAAcAAQAAAAUAAwAHAAAAAAAFAAUAAgABBQBiAAoAFwAAAM6KAAAFAGQADwADAAAASHVi
X-Source: SMTP:Default MBX-ESSEN-02
X-SourceIPAddress: 62.96.220.37
X-EndOfInjectedXHeaders: 31432
Received: from cas-essen-01.secunet.de (10.53.40.201) by
mbx-essen-02.secunet.de (10.53.40.198) with Microsoft SMTP Server
(version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
15.1.2507.37; Sat, 30 Mar 2024 00:01:01 +0100
Received: from b.mx.secunet.com (62.96.220.37) by cas-essen-01.secunet.de
(10.53.40.201) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.35 via Frontend
Transport; Sat, 30 Mar 2024 00:01:01 +0100
Received: from localhost (localhost [127.0.0.1])
by b.mx.secunet.com (Postfix) with ESMTP id 214F82032C
for <martin.weber@...unet.com>; Sat, 30 Mar 2024 00:01:01 +0100 (CET)
X-Virus-Scanned: by secunet
X-Spam-Flag: NO
X-Spam-Score: -2.85
X-Spam-Level:
X-Spam-Status: No, score=-2.85 tagged_above=-999 required=2.1
tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.099, DKIM_SIGNED=0.1,
DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
HEADER_FROM_DIFFERENT_DOMAINS=0.249, MAILING_LIST_MULTI=-1,
RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001]
autolearn=ham autolearn_force=no
Authentication-Results: a.mx.secunet.com (amavisd-new);
dkim=pass (1024-bit key) header.d=amd.com
Received: from b.mx.secunet.com ([127.0.0.1])
by localhost (a.mx.secunet.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id DNJ6gDc25nHX for <martin.weber@...unet.com>;
Sat, 30 Mar 2024 00:00:57 +0100 (CET)
Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=147.75.80.249; helo=am.mirrors.kernel.org; envelope-from=kvm+bounces-13116-martin.weber=secunet.com@...r.kernel.org; receiver=martin.weber@...unet.com
DKIM-Filter: OpenDKIM Filter v2.11.0 b.mx.secunet.com 6E0D2200BB
Authentication-Results: b.mx.secunet.com;
dkim=pass (1024-bit key) header.d=amd.com header.i=@....com header.b="Xnn0YoyP"
Received: from am.mirrors.kernel.org (am.mirrors.kernel.org [147.75.80.249])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by b.mx.secunet.com (Postfix) with ESMTPS id 6E0D2200BB
for <martin.weber@...unet.com>; Sat, 30 Mar 2024 00:00:57 +0100 (CET)
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by am.mirrors.kernel.org (Postfix) with ESMTPS id EEAC71F25708
for <martin.weber@...unet.com>; Fri, 29 Mar 2024 23:00:56 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
by smtp.subspace.kernel.org (Postfix) with ESMTP id 91A0D13D240;
Fri, 29 Mar 2024 23:00:30 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
dkim=pass (1024-bit key) header.d=amd.com header.i=@....com header.b="Xnn0YoyP"
X-Original-To: kvm@...r.kernel.org
Received: from NAM11-CO1-obe.outbound.protection.outlook.com (mail-co1nam11on2062.outbound.protection.outlook.com [40.107.220.62])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by smtp.subspace.kernel.org (Postfix) with ESMTPS id 513D513E401;
Fri, 29 Mar 2024 23:00:28 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=fail smtp.client-ip=40.107.220.62
ARC-Seal: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
t=1711753230; cv=fail; b=uZhgEsPvzM/O5hYoPvgVIjlWXaSncWu/gH+CMWkulPd23+p3QPC07Xcnvdc1pEegop+1fw5FWQt9xrKIhggwnnc/cJxhZmvY+efDK8zTDVGgPMZ1OBnPCJ1svuKjpe/xapUf2zfGgrB87DdADrHQzinKcE/FLI1mCdSAohMJ7OM=
ARC-Message-Signature: i=2; a=rsa-sha256; d=subspace.kernel.org;
s=arc-20240116; t=1711753230; c=relaxed/simple;
bh=q4vzPdo0+oii9a1ZolELIlylzfsIrazGRpbjD/k5aUY=;
h=From:To:CC:Subject:Date:Message-ID:In-Reply-To:References:
MIME-Version:Content-Type; b=ko9KEZg3yLMXSxkN960Y/B2POJkn5tv0c1SE4wQqMBJNeTCF+VtC3I5Rs/cG3vbuvj3mVK5BMvEK9Yegm31H3BjyyNl7K1T0LCemXg4usQSAgVIu4IbicWvb3FBKu3DMFE8ZSoRJpC6bFHCBONslTx3MM6W14Bvvg8XrK8Um0Lw=
ARC-Authentication-Results: i=2; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=amd.com; spf=fail smtp.mailfrom=amd.com; dkim=pass (1024-bit key) header.d=amd.com header.i=@....com header.b=Xnn0YoyP; arc=fail smtp.client-ip=40.107.220.62
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=amd.com
Authentication-Results: smtp.subspace.kernel.org; spf=fail smtp.mailfrom=amd.com
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
b=koAhSHTroS7Six8Mk2ptjimEuKhzjh+UOZ0BKjgCc81mT+BeIOoN5WsMBdVaZUUy0R+PvNTm4fC8i+uwFGBJV8NQMJkhjHeFNHs9v7dqfn1NGIFcfGChcbS/FPOvmOVVYpB/pw5U7oG2gLnAwxc20CK7NLojtWh4NCJ6M9OY8OY2nW344YP5M7kPGqBhcAq4W9kwvwslxNGFFGDAer3lswUX447A9LE0/fnMv5jbJ83rm5ix4N0K58GDPEx9VUGhhOgggVbAfXgKVio1kRzvNH8kJtZzXieWO/wEifcUb+WRXxN3ZBE88A4zgVuKZm7/Oqe/HvOr/XrFZWS7gVA25Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
s=arcselector9901;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
bh=JrYjCWIu6wNf/NkduP5S/uOo7LBR9vnyryH5vZHAlfA=;
b=LVmfJFAum0chfh8MZAu/WI+/8Q1sh2O9o7TULA0rPfys5d3XWI3rdAqs/rYpjoaI+XLbCnHEgvanj9y++g3Pa/6WeAuyuUZZP+r2ZuuqLZc6edOigte0P3F00JsEgpwhi4L//QOMpICtIepUxvGLpwvRyID4b85yTfLiPEsYzfzxDzMtwa6xyDWidl6wddXopfSMfQOn4cp+NLLaX0CGH64ADEMNjDgJRUx5k4b/vRjK7TOLrW1vnz5Ty62s6kgRDA13YMF0niFXxzCeK2SekIWp/623ludL5H2O+JvT+5Bk3UU6+HQWzVWe4SzWyVmdcw+PiS9jlTsjHpiAmnR1Mw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is
165.204.84.17) smtp.rcpttodomain=vger.kernel.org smtp.mailfrom=amd.com;
dmarc=pass (p=quarantine sp=quarantine pct=100) action=none
header.from=amd.com; dkim=none (message not signed); arc=none (0)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amd.com; s=selector1;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=JrYjCWIu6wNf/NkduP5S/uOo7LBR9vnyryH5vZHAlfA=;
b=Xnn0YoyPydUttY9jZm4o1iMO+E8KBjfMOPusb4Vj5axJk8hQRG/osW1QECRxvBowisK2iaRPpIm14+OOzYXxmMPkAt9nxcFBlrEsW8iRuNHSFxG83FlEnCf0xJ4+jqhhyl6Gtqjia8oulEv9c2cH+koDudTK+LTVXbryYxTNGZM=
Received: from SJ0PR03CA0173.namprd03.prod.outlook.com (2603:10b6:a03:338::28)
by DS0PR12MB8197.namprd12.prod.outlook.com (2603:10b6:8:f1::16) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7409.40; Fri, 29 Mar
2024 23:00:26 +0000
Received: from SJ1PEPF00001CE2.namprd05.prod.outlook.com
(2603:10b6:a03:338:cafe::51) by SJ0PR03CA0173.outlook.office365.com
(2603:10b6:a03:338::28) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7409.41 via Frontend
Transport; Fri, 29 Mar 2024 23:00:26 +0000
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 165.204.84.17)
smtp.mailfrom=amd.com; dkim=none (message not signed)
header.d=none;dmarc=pass action=none header.from=amd.com;
Received-SPF: Pass (protection.outlook.com: domain of amd.com designates
165.204.84.17 as permitted sender) receiver=protection.outlook.com;
client-ip=165.204.84.17; helo=SATLEXMB04.amd.com; pr=C
Received: from SATLEXMB04.amd.com (165.204.84.17) by
SJ1PEPF00001CE2.mail.protection.outlook.com (10.167.242.10) with Microsoft
SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
15.20.7409.10 via Frontend Transport; Fri, 29 Mar 2024 23:00:25 +0000
Received: from localhost (10.180.168.240) by SATLEXMB04.amd.com
(10.181.40.145) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.35; Fri, 29 Mar
2024 18:00:24 -0500
From: Michael Roth <michael.roth@....com>
To: <kvm@...r.kernel.org>
CC: <linux-coco@...ts.linux.dev>, <linux-mm@...ck.org>,
<linux-crypto@...r.kernel.org>, <x86@...nel.org>,
<linux-kernel@...r.kernel.org>, <tglx@...utronix.de>, <mingo@...hat.com>,
<jroedel@...e.de>, <thomas.lendacky@....com>, <hpa@...or.com>,
<ardb@...nel.org>, <pbonzini@...hat.com>, <seanjc@...gle.com>,
<vkuznets@...hat.com>, <jmattson@...gle.com>, <luto@...nel.org>,
<dave.hansen@...ux.intel.com>, <slp@...hat.com>, <pgonda@...gle.com>,
<peterz@...radead.org>, <srinivas.pandruvada@...ux.intel.com>,
<rientjes@...gle.com>, <dovmurik@...ux.ibm.com>, <tobin@....com>,
<bp@...en8.de>, <vbabka@...e.cz>, <kirill@...temov.name>,
<ak@...ux.intel.com>, <tony.luck@...el.com>,
<sathyanarayanan.kuppuswamy@...ux.intel.com>, <alpergun@...gle.com>,
<jarkko@...nel.org>, <ashish.kalra@....com>, <nikunj.dadhania@....com>,
<pankaj.gupta@....com>, <liam.merwick@...cle.com>, Brijesh Singh
<brijesh.singh@....com>, Harald Hoyer <harald@...fian.com>
Subject: [PATCH v12 12/29] KVM: SEV: Add KVM_SEV_SNP_LAUNCH_FINISH command
Date: Fri, 29 Mar 2024 17:58:18 -0500
Message-ID: <20240329225835.400662-13-michael.roth@....com>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20240329225835.400662-1-michael.roth@....com>
References: <20240329225835.400662-1-michael.roth@....com>
Precedence: bulk
X-Mailing-List: kvm@...r.kernel.org
List-Id: <kvm.vger.kernel.org>
List-Subscribe: <mailto:kvm+subscribe@...r.kernel.org>
List-Unsubscribe: <mailto:kvm+unsubscribe@...r.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain
X-ClientProxiedBy: SATLEXMB03.amd.com (10.181.40.144) To SATLEXMB04.amd.com
(10.181.40.145)
X-EOPAttributedMessage: 0
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: SJ1PEPF00001CE2:EE_|DS0PR12MB8197:EE_
X-MS-Office365-Filtering-Correlation-Id: 640e01f2-0a92-4152-816e-08dc50440591
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: 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
X-Forefront-Antispam-Report: CIP:165.204.84.17;CTRY:US;LANG:en;SCL:1;SRV:;IPV:CAL;SFV:NSPM;H:SATLEXMB04.amd.com;PTR:InfoDomainNonexistent;CAT:NONE;SFS:(13230031)(376005)(1800799015)(82310400014)(7416005)(36860700004);DIR:OUT;SFP:1101;
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 29 Mar 2024 23:00:25.9312
(UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 640e01f2-0a92-4152-816e-08dc50440591
X-MS-Exchange-CrossTenant-Id: 3dd8961f-e488-4e60-8e11-a82d994e183d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=3dd8961f-e488-4e60-8e11-a82d994e183d;Ip=[165.204.84.17];Helo=[SATLEXMB04.amd.com]
X-MS-Exchange-CrossTenant-AuthSource: SJ1PEPF00001CE2.namprd05.prod.outlookcom
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DS0PR12MB8197
Return-Path: kvm+bounces-13116-martin.weber=secunet.com@...r.kernel.org
X-MS-Exchange-Organization-OriginalArrivalTime: 29 Mar 2024 23:01:01.1638
(UTC)
X-MS-Exchange-Organization-Network-Message-Id: a7f21cc1-bc8e-4458-4436-08dc50441a75
X-MS-Exchange-Organization-OriginalClientIPAddress: 62.96.220.37
X-MS-Exchange-Organization-OriginalServerIPAddress: 10.53.40.201
X-MS-Exchange-Organization-Cross-Premises-Headers-Processed: cas-essen-01.secunet.de
X-MS-Exchange-Organization-OrderedPrecisionLatencyInProgress: LSRV=mbx-essen-02.secunet.de:TOTAL-HUB=0.203|SMR=0.132(SMRDE=0.006|SMRC=0.126(SMRCL=0.102|X-SMRCR=0.126))|CAT=0.070(CATOS=0.001
(CATSM=0.001)|CATRESL=0.028(CATRESLP2R=0.022)|CATORES=0.038(CATRS=0.038(CATRS-Index
Routing Agent=0.036 )));2024-03-29T23:01:01.383Z
X-MS-Exchange-Forest-ArrivalHubServer: mbx-essen-02.secunet.de
X-MS-Exchange-Organization-AuthSource: cas-essen-01.secunet.de
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-FromEntityHeader: Internet
X-MS-Exchange-Organization-OriginalSize: 21124
X-MS-Exchange-Organization-HygienePolicy: Standard
X-MS-Exchange-Organization-MessageLatency: SRV=cas-essen-01.secunet.de:TOTAL-FE=0.016|SMR=0.005(SMRPI=0.003(SMRPI-FrontendProxyAgent=0.003))|SMS=0.011
X-MS-Exchange-Organization-Recipient-Limit-Verified: True
X-MS-Exchange-Organization-TotalRecipientCount: 1
X-MS-Exchange-Organization-Rules-Execution-History: 0b0cf904-14ac-4724-8bdf-482ee6223cf2%%%fd34672d-751c-45ae-a963-ed177fcabe23%%%d8080257-b0c3-47b4-b0db-23bc0c8ddb3c%%%95e591a2-5d7d-4afa-b1d0-7573d6c0a5d9%%%f7d0f6bc-4dcc-4876-8c5d-b3d6ddbb3d55%%%16355082-c50b-4214-9c7d-d39575f9f79b
X-MS-Exchange-Forest-RulesExecuted: mbx-essen-02
X-MS-Exchange-Organization-RulesExecuted: mbx-essen-02
X-MS-Exchange-Forest-IndexAgent-0: AQ0CZW4AAfkTAAAPAAADH4sIAAAAAAAEAMU6DXfTxpaSPxMTk/DRAo
X2Dfv20CTYjuN84ITCqQluySGBvCTw2u3p0ZHlcayNbXklOZC+x7/d
H7L33pmRJVl2oG/3rAmxNLr3zv3+GOW//9Zot5nJXr8/NE6a742TN0
fGQePdm71Xxk/7b/ZPXjHL6ffNQZv5DuvYA7Nn/8GZ3+XMci+HvnPm
msOubRULPXM0sLqsbZ9xz2eI4PmOyz1mw51HGH1ueiOX9/nAZ06Hls
5GBO0zgV4s+HafV1ij5zmMf/Q57gtg/KPt+fbgjAF7wIXb/2C6nLVN
34Rd3JHlj3An4NAbDYeO6xcLfNBxXAtREH/kcdzxPXc92xmwA8ds8z
ZrDtqO6wl+XvNLj7UuBUMecjw0kQ7xaXtKC5VioVj4e9fucaUMtYWU
v9NzPpRIZhTB9rwRF8JLpb47etk4baIcxUIgiCROEvABKXZNKotw7Y
Ht22aPvT88aQBfoGEG0jFuosYsZ9CxzwC0zS72jt5V2Cnyaw8unN4F
AHrc9xWPx4dHQN93bUnA7zqgGCIImnfY0HUu7DYvMWCd+DfBN7rAWY
8oOMzqcXPARsMp1LjHiwXB34cuHyBSx+X8e7xA3jxS34l9NuDtstPp
lFuXu+yFa/8n97rsBKC67IeWuK14ePuj2W9XQDvPJ7Bema7Za7NXzi
V32Q9duvsR+O/Y5iAZo+GBXrrstdlzTfaDSXeVc7wL7fJbv+3uguwf
THAHZYIXJ+R04KiggjPug70GHjgk+o00e8i1vd8ntj60ra7Je+zY8U
HCvriruHAX2rpcLhcLrFKprF3Yrr92ftFf+1jfXgOAcp/3HfeyLF0D
PLiCzMDnn4zVttlj+ACq6VpdQrEHVm/U5msjc2ivmV4faVW6LPoB1P
UtFkXEPT38zy8qFpvy+Sdb33hCe0Y/QEhtDO4y+rg29IZlpBTfOcQB
22SPUepN0G8PvAYUMzjj7RJbr68DNY+7KK23/HgFllib9zjeL5dX0I
/adqfDyuUzDLa1l441Qu2bCPC5Gmz9KbRiwR60+Ue2Wduum+aWtVGv
8krF3NzhdavT2Vnf2GDr1er25ibZ9E/yViyASv80gz/+yMpb609K4B
v4tVFjsAIhKfOJ2YMshfnC7I1k8GLUGv7lEB4C0F/bHNIb/x4qg7e7
CwY64QITSkQZc7A35Bb7zRsMy50PZbNl/24Qlc7IBSgXLOWbds9jkG
u7zgdKVLQDox1syDaYktsqyYm0+rhWrUyvQ/C8POsDz+Gn0fFhewio
oXAVVWeQZ1FrInkaH83aUdU+C7Jei4t0TpWwb57zUAFzudm+FDn5I7
dGZAjB0BFkpj4Hpjy2bA9WdmW9YmBEA4LDABUagiUDNA4pSaAdcyhp
A2+XVVGH3siyuOeVWHnAz8ATLjiuctd1XAGONsJvFVpXbcL+EQJWH8
MYbW8yu220eo51bowg+btPZ8GZI787E6w+psYHU2GIzDm/nAVz0ePn
hsv/a2SDt0yFgnLmG9gV/LZR+30q1NBs/7YdefzpqVAf/KCjh53c7t
gWxV6Ct0/2SjH/B3qAqDxOaN4eDEc+NhfSLYSfsJf8wrYg+Hyop62R
z1njaB+WnyV8JnLfVYm/dRWEymg7W9u8tbVZt6p1yGi1VrXesVq8ur
FjxjLalfRE8roSDPPU9s425in8eoJpig9GfYZea/Xbht1GV1V2WltF
nZeVXcZ90+raGCghnk9OG8enpZkgoi8rjZ1ialooof7jlN4cG4eNX3
AL9CUUq765jmLVN2ulWhXlmh6ToyH4LA8LSn6KufKppAh8yZwcYWz/
pfHi4O3ea+Nk/z+aAnVnezps493pqxAo26xOhRayGqCUhsLYqIkQ+Z
LkckVOmZ1KZmSQGYljZr6IpYlZEv8eRxvnDZkvWFhxv9QgYvcM+GW8
O2kaG7UX+6eg85Nw+llef3dwwH74gVVXpmO/3D9pvDhoGi+O3zZe7j
VOTo2/vds/fh3CXp9sf6a0cK0pD1TAm3X4V6tvtTbNzUplo71tVTeq
1Z11qzYt4GNkYnEee0rhvUHRvVGqiyCAZGoxtDr5jhjXeNu46Hum0e
EmTXJPQ9pB0xy9Pdjf+xUi7AQ8/fA0rFLUMqhleX17ZRbS/pufQaUn
ECrN0zFSrboSCS3wgNP9xoGBc5bx81GDVT/+pD7ValUYXYlQJwmg8z
Jatv90/OBlc++gcdw0jv9+0jxcRpg29D9QtCHGDfTklQgwuF3TOHx3
2vyFYIFW3xwGcKjBWq1OOoTvrdJ6bSukRxsmkIlEsjwOULYKv0rx1A
OJla2a7tlwZZxxXGo48ItSDqll1iZksC/a6XEoLcTAbBjW2SpcsWfs
ke8YtH7RX4bvlfJzBfF0Ap+UC3GckEzpbOAZ+8enEFbLcXr4yzcurO
HIoMEW2rlnrAPDLp8kj2wgJFvF36HnIxj/cMBjPQcmWzv0BHUldBhq
x5CXypnlfzSGmOFgQ8OA4Qju0OQgIHAPI6XPP/orT2No4778mfDqxs
9N4/TXoyY5qdxHSAL5rm/aOHUT197umBRKAh2LgY04PVy2Swy/S/ho
JakdlDogTXloX/z1DHpfsgwuryR0WBjYw85AiAjiXfSF/bhXQYdZYc
+fMxLh5NX+T6dRNakPVPlXJBDZig4OxuM3H9BIHprAY6dK6qwEnZdX
qDOIb2B32PLDST949IikLT+nVeg8Hj6jRD3RRcoPmgwGXZ4sBW7yGX
s8+1f2AE0dcRcMCw2T0+ds6PLQKAjTNLfOPWaegVeg9mBcoROkJJ2A
04LRhKkM7xKymghw8I4EM6NwgDGD8Ug+SWb91DXBiMRpwJoYEh1mjk
/5ZhhSMO32hwbOY8bQpSS7DA5YmsjlJXb0s3HQfN88MDZflxgFnunZ
bRgC3RH/PxNyH0fGYAQNnaVKO822CqUAzBkw/VFMeX2eGFcJ7AvlGC
LBIheYjZcxGQvUDoiOvc/e4cuZjfDszyNkscQeCbo0ks7SZeLgKT+Y
BindudzqmXYf7ZhEKyRgSPuxh58SDUJ6w9CrYMtSoeHdIAcD53F8bv
lUD9Ajpkf1ZOqYKVZSwVEbTEE5c8BBkpP6FFETpZYKqlLLqnr3pJIu
+vb/72o+faCgadn7vPovUVZxPYRx4UCyXVXDBHD2BhrAEq3gGCEXrq
rkZH7FI3kPSZWQIqTuy803b09Pf02mEq38M2jsv3nfOJikYTnDS6Pj
On1j5HF3+ZFQUwmLsAF6x0Vj6Lsy5lEhK2BT+w/udJYF7MpM1n9qvD
uI1WjIaIfyVNzs9cShPhvhWX3sBUeLQ1ma9ZIkmtFl+UnuMskXye+e
RhWQnJ2nZWXZEp7/gcef1rJUxKrUy88/HRmvm8dvoD409vbevntzGt
/tIUHONPVh83DSTELVldAgm5gvQr6JzSEZl0wIq60JIjQrl6YfBkxL
wvsnRvP4eFnRWZmZuoRVjk6PozhXZS5u4Fufz07KqNby85B6YM/1BO
wY3LiXlkUxwl+ifmWkz1Tv+CRiQrvB8cnVykUqX6hbQvk81RpK1C/X
MYmXpLpg+2TRpIJCRy4z+iKxWwg2ZtFPE3GJVZmfG23bM1uiRMoNJw
5yxnh93reGl8sCPTjTKSnM0MqsY574xFV+/uWT2rh5HjdalLQS+it5
iMim9E2hmQ0tHbdMzP67CeCRGBDwE2CUyaLbRbOmsJDoE0AsUDWddN
iO5fcm+wQqrgaF0/hgIXScmdBHyG91xLHxhA6Ba5s7T0o7eMDxr+ws
P5bpJb7dERVqdwyoPm5SCRKGfCT5pbOb2KflcjMcidP2FZbfnQyb2L
6yG5vYN46m9g2ijnfMUc+fIti4i4g/pcTijHxli/r2dml9HYyxs1Mt
1TbRGqRmGhrQ++gAIfGMZCV8Np54YBBuJUIiwaAEo7v/PUyrg/HLOn
pBF5oOP5ge65vuOSQIexD8DYKPKYOZXoScKSiUnQ94ToNjRSU+cKpZ
s3s55O6F7TmumDVl7xIh5/IetD3Yxtg+a5lQpQERiXiXns/7lTBwqK
3BzBltF8X0T01jUnX43zg/wU0p+QWDsdeFQbot5uLIFEyj74xETq7h
ndtDeT4bLesySYS2FdJNn61WJr2PvKo38rqGnIh5m6bAZXE8lTTpht
+TkEMKeNv1se2lmwk06XtRWXaj3IeRzrpWy5BgCVyfX1AeTcBYkeen
keP5aX8Y0Zr2RB3Qbzypblm16uZmx6pWKjvVjXa7w836Vn0rdkA/lY
44oZ/6mI7ot+p0Rg9fT0JvqmacrlJuX2U/RhqKXRkMbNi99GzL7DF1
cuF02P5LJrpbhOcDX71VDf58a0xRtYG7EORthBN/TkQvVgMytoenXR
5QkoihbiMJER9DgANACBWzyHR+HiPZSFuSRFj9adle8zVSVn9age+H
TR8AxV9uQALBFx2eZNb1LoAYMuFe8LZcDBqWXXpDVcaXIz0baNHggg
RlUhw4yLnPXRADDyxal8FpGZFak2bdfgL2fLy9XVfvXq4amkMlO/xe
bijfywXPIm/ldtejj8KGwEflEEWSe7sWPkqvs6iKw33iGCW2R/xFP/
tE+dI6px4RY6JYqFVqW5V1vCsWNC2tZXQtlda1e1omTT85LQ8/eW0u
paXntHlYKWqLYlE8hXX4getr2oK4yGo5uMhpcxktl9GyAlLgwm9YKW
jXACCvzc9rBbEL3c4BJBABAEJHyhkiBSt5bQHIAqLYNFiXbOhaUbKU
hS3gRxCEH3iaR06ygA7XGSIiGAMwASBgBOdZ2jdPFABG8AzXQqgocB
4W4RoAslpB8ECyIAA8zevaV3iRI6xcGCCHuHlYuUm6nfb0Nm1B6Cha
TgJnAmZAFlhcAItEdwcB84g+J0RI6wurKHtW8P+V9nVaL6Q0LaUVxG
I+gAQH0G/Ro/GKWr+fRg+5lxdC6Vperj/QNU3X8/hbS6FO9HmCzBT0
RbE4py1miD1d17a1VFG7HmFm6jpabUG7vqAXc5qW0xamgM0nr+sgAp
DOEnspcU2i5YRWhcuhV+javJYl3CyZOy+lVjJmSN4COWpa4YqgoKdZ
8ZOi33N6kcTPTsRRSfhw4EhwK5xZ7BUFls4ZioWsclGEn9eWChhxFA
Jx3AUwgdA8OXNB+fD9JOBvcRddu05ODjDitkg7wi0GuK5dkyFwFznB
2yzxJm+LqLfvxDVqUur5HkqqZ4iTe2F9Qg6J6RNub4SyDfAsBKdYAK
XdgAtKF99JR9JSCa6rpaasp+OOlAyWT17Xc5OOREKRz5AgpI0bcL1A
GWNO+wqu74b0nNWWJjR/Y2LlVhoNIVNiWr8+zYGT7HibnGQp9kjkro
yMd4l4N/QUXVe/hsRFOOjagxBZepoXCSFx06jz3Iw6z82o8yxGnWcx
5DxfjZ2HVBrngUgpX1oM+MypUKWgWMrocwQgxXykAMCa4DxZsKkCiH
nROMuFXCi0ONV/QjD5hEU9h6lAsK2nxteqcgGT9zGWC1SPioLtW0rq
NIUJhoyeIRPkBcC3CoBMMBeFmc9R6VlSDnxduy0SSBo1LxjLC5iiyu
S3qJRkCDeHPpwX64tiI/1aVtOyek5IIa4pxeUDKYLgFVU4rfKS2hEs
SFYTMhLK1wpF1fFErFtiZSHIwyALRlxaKRn5nMNH0iu+UZVOEb9NPg
wcZqmRADeQMUJY4AmLoi2BTYjgDQFfAAfWobinZDCSW15DX7olAMhX
kc7NcQm4lkO58uRsS0ItQYHQqZ9Ja3dJpbB7lkTOgTg5WUfuEgNzwX
Y5GaHzkh/tOxUOWdVl5cFwovWiunw/FRGWWh10j2xKmE97QIk6cxXM
Q5kAKR2JNkPUowxmctT5UpA9UIo7KeT8O7LjA9GnqZqYpgZgniqLRK
R9gVo25KjZUKIQpgfT3A2TVb1QRlTegB+kphdillKqu5vWc4v0KOgA
1dPJmlvNUDnOYuWCRRbl9i/ERimtyn0WGzwsx/PYtX4T1fy/h10uo/
0FnXzsG+s52S8tfEkEfXEsxNr4HJXRiRgB/S9myA/nUP9wi2TzqD3Q
xqIIihRptThOtndyWBFup4Qby9D4Ri2ig12XisqJHLWoHCYt406wdJ
9Q7oQ68FzQzwv3VlXgphAwnDdILUtkrK9JbxC8eerr5oLYJNe9Rb1Z
wDOODPMoZmpe08nl7gTii8oSNHU5AlsgsGxibSUvDaJY0flrOtQkq8
WHmAcQEipFWehc+rzsKG6LRVlPQ/lHUXgQmCaRz2uaTskhqcpP8El0
/i3GJy0yweciVTQSsyIYk5U9yhih3E/JYhHU929FYpG3UsBvxCIV/W
sCnq6/Fp2wyqs58UhcJ/UDSwJ4RpYWchVV4Cc15HMq3m+TCYQgC1HB
l7Lj0Cgq2y2S3SketetB/AatSBDCgn4QuSqWVSesz08WVtEefAbNxU
yCRPf0aDIJGfdOFpX2xSgQ1NSu3CNcyTB2Gnp6fE0DtdB24I2hCnsj
WuYeCodUxwV5lRNkRgrPR9Al4lCJqsuRznNBcQEwuCbN3JqneSGgma
MaF85XlC3vXVVe74vEdVvxI3QeLkwiNELJ7duUlDFcDh6I6KPrgsiB
kR31m9fIwQSpBWI7oxKp4mohtMtiSjmwohBg3ZGOEXqEpRz3lS1ufG
CnFndiMaHFnYDJJyxOH46Sas1iaDpAZxOHMOIQCche1xZhsA0rHBQo
AETDk4cZf5xh5NOcPPpIC0hBRCWWgoAJ0mDQOUDXhNS0HJ5OqFSjsO
bVuJ1Pq6OtOf3Wl0gaG4WWIqOQnhbVPzIQqUX0PTnoFccjkpzoE56G
Jm7oPxcFeyJC8fp/AFSmq3C9PAAAAQLcAjw/eG1sIHZlcnNpb249Ij
EuMCIgZW5jb2Rpbmc9InV0Zi0xNiI/Pg0KPFRhc2tTZXQ+DQogIDxW
ZXJzaW9uPjE1LjAuMC4wPC9WZXJzaW9uPg0KICA8VGFza3M+DQogIC
AgPFRhc2sgU3RhcnRJbmRleD0iNTIwIj4NCiAgICAgIDxUYXNrU3Ry
aW5nPnRvIHByb3ZpZGUsIHNvIGFsc28gYWRkIGhhbmRsaW5nIHRvIG
NsZWFuIHVwIHRoZSBSTVAgZW50cmllcyBmb3IgdGhlc2U8L1Rhc2tT
dHJpbmc+DQogICAgICA8QXNzaWduZWVzPg0KICAgICAgICA8RW1haW
xVc2VyIElkPSJrdm1Admdlci5rZXJuZWwub3JnIiAvPg0KICAgICAg
PC9Bc3NpZ25lZXM+DQogICAgPC9UYXNrPg0KICA8L1Rhc2tzPg0KPC
9UYXNrU2V0PgEKxwQ8P3htbCB2ZXJzaW9uPSIxLjAiIGVuY29kaW5n
PSJ1dGYtMTYiPz4NCjxFbWFpbFNldD4NCiAgPFZlcnNpb24+MTUuMC
4wLjA8L1ZlcnNpb24+DQogIDxFbWFpbHM+DQogICAgPEVtYWlsIFN0
YXJ0SW5kZXg9IjY1NSIgUG9zaXRpb249Ik90aGVyIj4NCiAgICAgID
xFbWFpbFN0cmluZz5icmlqZXNoLnNpbmdoQGFtZC5jb208L0VtYWls
U3RyaW5nPg0KICAgIDwvRW1haWw+DQogICAgPEVtYWlsIFN0YXJ0SW
5kZXg9IjcwOCIgUG9zaXRpb249Ik90aGVyIj4NCiAgICAgIDxFbWFp
bFN0cmluZz5oYXJhbGRAcHJvZmlhbi5jb208L0VtYWlsU3RyaW5nPg
0KICAgIDwvRW1haWw+DQogICAgPEVtYWlsIFN0YXJ0SW5kZXg9Ijc1
OCIgUG9zaXRpb249Ik90aGVyIj4NCiAgICAgIDxFbWFpbFN0cmluZz
5hc2hpc2gua2FscmFAYW1kLmNvbTwvRW1haWxTdHJpbmc+DQogICAg
PC9FbWFpbD4NCiAgICA8RW1haWwgU3RhcnRJbmRleD0iODgxIiBQb3
NpdGlvbj0iT3RoZXIiPg0KICAgICAgPEVtYWlsU3RyaW5nPm1pY2hh
ZWwucm90aEBhbWQuY29tPC9FbWFpbFN0cmluZz4NCiAgICA8L0VtYW
lsPg0KICA8L0VtYWlscz4NCjwvRW1haWxTZXQ+AQ7PAVJldHJpZXZl
ck9wZXJhdG9yLDEwLDI7UmV0cmlldmVyT3BlcmF0b3IsMTEsMjtQb3
N0RG9jUGFyc2VyT3BlcmF0b3IsMTAsMTtQb3N0RG9jUGFyc2VyT3Bl
cmF0b3IsMTEsMDtQb3N0V29yZEJyZWFrZXJEaWFnbm9zdGljT3Blcm
F0b3IsMTAsNjtQb3N0V29yZEJyZWFrZXJEaWFnbm9zdGljT3BlcmF0
b3IsMTEsMDtUcmFuc3BvcnRXcml0ZXJQcm9kdWNlciwyMCwxMw==
X-MS-Exchange-Forest-IndexAgent: 1 6274
X-MS-Exchange-Forest-EmailMessageHash: 9C18AEDE
X-MS-Exchange-Forest-Language: en
X-MS-Exchange-Organization-Processed-By-Journaling: Journal Agent
Add a KVM_SEV_SNP_LAUNCH_FINISH command to finalize the cryptographic
launch digest and stores it as the measurement of the guest at launch
time. Also extend the existing SNP firmware data structures to support
enforcing the use of Version Loaded Endorsement Keys by guests as part
of this command.
While finalizing the launch flow, it also issues the LAUNCH_UPDATE SNP
firmware commands to encrypt/measure the initial VMSA pages for each
configured vCPU. This involves setting the RMP entries for those pages
to provide, so also add handling to clean up the RMP entries for these
pages whening free'ing vCPUs.
Signed-off-by: Brijesh Singh <brijesh.singh@....com>
Signed-off-by: Harald Hoyer <harald@...fian.com>
Signed-off-by: Ashish Kalra <ashish.kalra@....com>
[mdr: always measure BSP first to get consistent launch measurements]
Signed-off-by: Michael Roth <michael.roth@....com>
---
.../virt/kvm/x86/amd-memory-encryption.rst | 26 ++++
arch/x86/include/uapi/asm/kvm.h | 15 ++
arch/x86/kvm/svm/sev.c | 137 ++++++++++++++++++
include/linux/psp-sev.h | 4 +-
4 files changed, 181 insertions(+), 1 deletion(-)
diff --git a/Documentation/virt/kvm/x86/amd-memory-encryption.rst b/Documentation/virt/kvm/x86/amd-memory-encryption.rst
index 4268aa5c380e..a49e8cff9133 100644
--- a/Documentation/virt/kvm/x86/amd-memory-encryption.rst
+++ b/Documentation/virt/kvm/x86/amd-memory-encryption.rst
@@ -517,6 +517,32 @@ where the allowed values for page_type are #define'd as::
See the SEV-SNP spec [snp-fw-abi]_ for further details on how each page type is
used/measured.
+20. KVM_SEV_SNP_LAUNCH_FINISH
+-----------------------------
+
+After completion of the SNP guest launch flow, the KVM_SEV_SNP_LAUNCH_FINISH
+command can be issued to make the guest ready for execution.
+
+Parameters (in): struct kvm_sev_snp_launch_finish
+
+Returns: 0 on success, -negative on error
+
+::
+
+ struct kvm_sev_snp_launch_finish {
+ __u64 id_block_uaddr;
+ __u64 id_auth_uaddr;
+ __u8 id_block_en;
+ __u8 auth_key_en;
+ __u8 vlek_required;
+ __u8 host_data[32];
+ __u8 pad[6];
+ };
+
+
+See SEV-SNP specification [snp-fw-abi]_ for SNP_LAUNCH_FINISH further details
+on launch finish input parameters.
+
Device attribute API
====================
diff --git a/arch/x86/include/uapi/asm/kvm.h b/arch/x86/include/uapi/asm/kvm.h
index 956eb548c08e..2b08fcbe039a 100644
--- a/arch/x86/include/uapi/asm/kvm.h
+++ b/arch/x86/include/uapi/asm/kvm.h
@@ -696,6 +696,7 @@ enum sev_cmd_id {
/* SNP-specific commands */
KVM_SEV_SNP_LAUNCH_START,
KVM_SEV_SNP_LAUNCH_UPDATE,
+ KVM_SEV_SNP_LAUNCH_FINISH,
KVM_SEV_NR_MAX,
};
@@ -841,6 +842,20 @@ struct kvm_sev_snp_launch_update {
__u8 type;
};
+#define KVM_SEV_SNP_ID_BLOCK_SIZE 96
+#define KVM_SEV_SNP_ID_AUTH_SIZE 4096
+#define KVM_SEV_SNP_FINISH_DATA_SIZE 32
+
+struct kvm_sev_snp_launch_finish {
+ __u64 id_block_uaddr;
+ __u64 id_auth_uaddr;
+ __u8 id_block_en;
+ __u8 auth_key_en;
+ __u8 vlek_required;
+ __u8 host_data[KVM_SEV_SNP_FINISH_DATA_SIZE];
+ __u8 pad[6];
+};
+
#define KVM_X2APIC_API_USE_32BIT_IDS (1ULL << 0)
#define KVM_X2APIC_API_DISABLE_BROADCAST_QUIRK (1ULL << 1)
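Review bot: The declared members of `struct kvm_sev_snp_launch_finish` add up to 57 bytes (8+8+1+1+1+32+6), so `pad[6]` does not bring the struct to a multiple of 8 and the compiler adds implicit tail padding whose size depends on the `__u64` alignment of the target ABI. For a uAPI struct it is safer to make all padding explicit, e.g. `__u8 pad[5];` for a 56-byte total, so 32-bit and 64-bit userspace agree on `sizeof`. The handler added in arch/x86/kvm/svm/sev.c also never checks that `pad` is zero, so these bytes cannot be given a meaning later without breaking existing callers; rejecting non-zero padding with -EINVAL would keep them reserved.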
diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
index a8a8a285b4a4..3d6c030091c2 100644
--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -63,6 +63,8 @@ static u64 sev_supported_vmsa_features;
#define SNP_POLICY_MASK_SMT BIT_ULL(16)
#define SNP_POLICY_MASK_SINGLE_SOCKET BIT_ULL(20)
+#define INITIAL_VMSA_GPA 0xFFFFFFFFF000
+
static u8 sev_enc_bit;
static DECLARE_RWSEM(sev_deactivate_lock);
static DEFINE_MUTEX(sev_bitmap_lock);
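Review bot: `INITIAL_VMSA_GPA` is introduced as a bare magic number with no comment, and the same value is later passed to rmp_make_private() for every vCPU's VMSA page. A one-line comment would help, e.g. `/* GPA recorded in the RMP for each initial VMSA page; see <spec section> */`, with the reference filled in by the author, since the origin of 0xFFFFFFFFF000 is not stated in this patch.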
@@ -2283,6 +2285,125 @@ static int snp_launch_update(struct kvm *kvm, struct kvm_sev_cmd *argp)
return ret;
}
+static int snp_launch_update_vmsa(struct kvm *kvm, struct kvm_sev_cmd *argp)
+{
+ struct kvm_sev_info *sev = &to_kvm_svm(kvm)->sev_info;
+ struct sev_data_snp_launch_update data = {};
+ bool boot_vcpu_handled = false;
+ struct kvm_vcpu *vcpu;
+ unsigned long i;
+ int ret;
+
+ data.gctx_paddr = __psp_pa(sev->snp_context);
+ data.page_type = SNP_PAGE_TYPE_VMSA;
+
+handle_remaining_vcpus:
+ kvm_for_each_vcpu(i, vcpu, kvm) {
+ struct vcpu_svm *svm = to_svm(vcpu);
+ u64 pfn = __pa(svm->sev_es.vmsa) >> PAGE_SHIFT;
+
+ /* Handle boot vCPU first to ensure consistent measurement of initial state. */
+ if (!boot_vcpu_handled && vcpu->vcpu_id != 0)
+ continue;
+
+ if (boot_vcpu_handled && vcpu->vcpu_id == 0)
+ continue;
+
+ /* Perform some pre-encryption checks against the VMSA */
+ ret = sev_es_sync_vmsa(svm);
+ if (ret)
+ return ret;
+
+ /* Transition the VMSA page to a firmware state. */
+ ret = rmp_make_private(pfn, INITIAL_VMSA_GPA, PG_LEVEL_4K, sev->asid, true);
+ if (ret)
+ return ret;
+
+ /* Issue the SNP command to encrypt the VMSA */
+ data.address = __sme_pa(svm->sev_es.vmsa);
+ ret = __sev_issue_cmd(argp->sev_fd, SEV_CMD_SNP_LAUNCH_UPDATE,
+ &data, &argp->error);
+ if (ret) {
+ snp_page_reclaim(pfn);
+ return ret;
+ }
+
+ svm->vcpu.arch.guest_state_protected = true;
+
+ if (!boot_vcpu_handled) {
+ boot_vcpu_handled = true;
+ goto handle_remaining_vcpus;
+ }
+ }
+
+ return 0;
+}
+
+static int snp_launch_finish(struct kvm *kvm, struct kvm_sev_cmd *argp)
+{
+ struct kvm_sev_info *sev = &to_kvm_svm(kvm)->sev_info;
+ struct kvm_sev_snp_launch_finish params;
+ struct sev_data_snp_launch_finish *data;
+ void *id_block = NULL, *id_auth = NULL;
+ int ret;
+
+ if (!sev_snp_guest(kvm))
+ return -ENOTTY;
+
+ if (!sev->snp_context)
+ return -EINVAL;
+
+ if (copy_from_user(¶ms, u64_to_user_ptr(argp->data), sizeof(params)))
+ return -EFAULT;
+
+ /* Measure all vCPUs using LAUNCH_UPDATE before finalizing the launch flow. */
+ ret = snp_launch_update_vmsa(kvm, argp);
+ if (ret)
+ return ret;
+
+ data = kzalloc(sizeof(*data), GFP_KERNEL_ACCOUNT);
+ if (!data)
+ return -ENOMEM;
+
+ if (params.id_block_en) {
+ id_block = psp_copy_user_blob(params.id_block_uaddr, KVM_SEV_SNP_ID_BLOCK_SIZE);
+ if (IS_ERR(id_block)) {
+ ret = PTR_ERR(id_block);
+ goto e_free;
+ }
+
+ data->id_block_en = 1;
+ data->id_block_paddr = __sme_pa(id_block);
+
+ id_auth = psp_copy_user_blob(params.id_auth_uaddr, KVM_SEV_SNP_ID_AUTH_SIZE);
+ if (IS_ERR(id_auth)) {
+ ret = PTR_ERR(id_auth);
+ goto e_free_id_block;
+ }
+
+ data->id_auth_paddr = __sme_pa(id_auth);
+
+ if (params.auth_key_en)
+ data->auth_key_en = 1;
+ }
+
+ data->vcek_disabled = params.vlek_required;
+
+ memcpy(data->host_data, params.host_data, KVM_SEV_SNP_FINISH_DATA_SIZE);
+ data->gctx_paddr = __psp_pa(sev->snp_context);
+ ret = sev_issue_cmd(kvm, SEV_CMD_SNP_LAUNCH_FINISH, data, &argp->error);
+
+ kfree(id_auth);
+
+e_free_id_block:
+ kfree(id_block);
+
+e_free:
+ kfree(data);
+
+ return ret;
+}
+
int sev_mem_enc_ioctl(struct kvm *kvm, void __user *argp)
{
struct kvm_sev_cmd sev_cmd;
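Review bot: In snp_launch_finish() the call to snp_launch_update_vmsa() runs before kzalloc() and both psp_copy_user_blob() calls, so a bad `id_block_uaddr`/`id_auth_uaddr` or an allocation failure returns an error after every VMSA has already been made private, encrypted and flagged `guest_state_protected`. A retry then re-enters snp_launch_update_vmsa() on pages that are already converted; whether sev_es_sync_vmsa() or rmp_make_private() reject that cannot be seen in this hunk. Doing all fallible input handling first and measuring the VMSAs immediately before SEV_CMD_SNP_LAUNCH_FINISH keeps the non-recoverable window small. Separately, `data->vcek_disabled = params.vlek_required;` stores a `__u8` into a 1-bit field, so a value such as 2 is silently truncated to 0; the flag bytes should be range-checked up front.

```c
	if (copy_from_user(&params, u64_to_user_ptr(argp->data), sizeof(params)))
		return -EFAULT;

	/* Reject values that the 1-bit firmware fields would silently truncate. */
	if (params.id_block_en > 1 || params.auth_key_en > 1 ||
	    params.vlek_required > 1)
		return -EINVAL;

	data = kzalloc(sizeof(*data), GFP_KERNEL_ACCOUNT);
	if (!data)
		return -ENOMEM;

	/* ... unchanged: id_block / id_auth copy, vcek_disabled, host_data, gctx_paddr ... */

	/*
	 * Measure the VMSAs only after every fallible input step has passed;
	 * the RMP transition and encryption are not undone on a later error.
	 */
	ret = snp_launch_update_vmsa(kvm, argp);
	if (ret)
		goto e_free_id_auth;

	ret = sev_issue_cmd(kvm, SEV_CMD_SNP_LAUNCH_FINISH, data, &argp->error);

e_free_id_auth:
	kfree(id_auth);

	/* ... unchanged: e_free_id_block / e_free cleanup and return ... */
```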
@@ -2376,6 +2497,9 @@ int sev_mem_enc_ioctl(struct kvm *kvm, void __user *argp)
case KVM_SEV_SNP_LAUNCH_UPDATE:
r = snp_launch_update(kvm, &sev_cmd);
break;
+ case KVM_SEV_SNP_LAUNCH_FINISH:
+ r = snp_launch_finish(kvm, &sev_cmd);
+ break;
default:
r = -EINVAL;
goto out;
@@ -2866,11 +2990,24 @@ void sev_free_vcpu(struct kvm_vcpu *vcpu)
svm = to_svm(vcpu);
+ /*
+ * If it's an SNP guest, then the VMSA was marked in the RMP table as
+ * a guest-owned page. Transition the page to hypervisor state before
+ * releasing it back to the system.
+ */
+ if (sev_snp_guest(vcpu->kvm)) {
+ u64 pfn = __pa(svm->sev_es.vmsa) >> PAGE_SHIFT;
+
+ if (host_rmp_make_shared(pfn, PG_LEVEL_4K, true))
+ goto skip_vmsa_free;
+ }
+
if (vcpu->arch.guest_state_protected)
sev_flush_encrypted_page(vcpu, svm->sev_es.vmsa);
__free_page(virt_to_page(svm->sev_es.vmsa));
+skip_vmsa_free:
if (svm->sev_es.ghcb_sa_free)
kvfree(svm->sev_es.ghcb_sa);
}
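Review bot: The `goto skip_vmsa_free` path deliberately leaks the VMSA page when host_rmp_make_shared() fails, but nothing at that line says so; a short comment such as `/* Still guest-owned in the RMP: leak the page rather than return it to the allocator. */` would stop a later cleanup from "fixing" the leak. The block comment above also states that the VMSA "was marked in the RMP table as a guest-owned page", which the visible code only does in snp_launch_update_vmsa(). For an SNP guest torn down before KVM_SEV_SNP_LAUNCH_FINISH the page was presumably never converted, so it is worth confirming that host_rmp_make_shared() succeeds on an already-shared page instead of forcing the leak path. sev_free_vcpu() begins outside this hunk.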
diff --git a/include/linux/psp-sev.h b/include/linux/psp-sev.h
index 3705c2044fc0..903ddfea8585 100644
--- a/include/linux/psp-sev.h
+++ b/include/linux/psp-sev.h
@@ -658,6 +658,7 @@ struct sev_data_snp_launch_update {
* @id_auth_paddr: system physical address of ID block authentication structure
* @id_block_en: indicates whether ID block is present
* @auth_key_en: indicates whether author key is present in authentication structure
+ * @vcek_disabled: indicates whether use of VCEK is allowed for attestation reports
* @rsvd: reserved
* @host_data: host-supplied data for guest, not interpreted by firmware
*/
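Review bot: The new kernel-doc line `@vcek_disabled: indicates whether use of VCEK is allowed for attestation reports` reads with the opposite polarity to the field name. Going by the name and by the uAPI field `vlek_required` that is copied into it, setting the bit disallows VCEK. Suggested wording: `@vcek_disabled: when set, VCEK may not be used to sign attestation reports (VLEK is required)`. The struct definition itself is in the next hunk.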
@@ -667,7 +668,8 @@ struct sev_data_snp_launch_finish {
u64 id_auth_paddr;
u8 id_block_en:1;
u8 auth_key_en:1;
- u64 rsvd:62;
+ u8 vcek_disabled:1;
+ u64 rsvd:61;
u8 host_data[32];
} __packed;
--
2.25.1
X-sender: <linux-kernel+bounces-125491-steffen.klassert=secunet.com@...r.kernel.org>
X-Receiver: <steffen.klassert@...unet.com> ORCPT=rfc822;steffen.klassert@...unet.com NOTIFY=NEVER; X-ExtendedProps=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
X-CreatedBy: MSExchange15
X-HeloDomain: b.mx.secunet.com
X-ExtendedProps: BQBjAAoAm0mmlidQ3AgFAGEACAABAAAABQA3AAIAAA8APAAAAE1pY3Jvc29mdC5FeGNoYW5nZS5UcmFuc3BvcnQuTWFpbFJlY2lwaWVudC5Pcmdhbml6YXRpb25TY29wZREAAAAAAAAAAAAAAAAAAAAAAAUASQACAAEFAAQAFCABAAAAHAAAAHN0ZWZmZW4ua2xhc3NlcnRAc2VjdW5ldC5jb20FAAYAAgABBQApAAIAAQ8ACQAAAENJQXVkaXRlZAIAAQUAAgAHAAEAAAAFAAMABwAAAAAABQAFAAIAAQUAYgAKABkAAADOigAABQBkAA8AAwAAAEh1Yg==
X-Source: SMTP:Default MBX-ESSEN-02
X-SourceIPAddress: 62.96.220.37
X-EndOfInjectedXHeaders: 31491
Received: from cas-essen-01.secunet.de (10.53.40.201) by
mbx-essen-02.secunet.de (10.53.40.198) with Microsoft SMTP Server
(version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
15.1.2507.37; Sat, 30 Mar 2024 00:01:09 +0100
Received: from b.mx.secunet.com (62.96.220.37) by cas-essen-01.secunet.de
(10.53.40.201) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.35 via Frontend
Transport; Sat, 30 Mar 2024 00:01:09 +0100
Received: from localhost (localhost [127.0.0.1])
by b.mx.secunet.com (Postfix) with ESMTP id B74D720375
for <steffen.klassert@...unet.com>; Sat, 30 Mar 2024 00:01:09 +0100 (CET)
X-Virus-Scanned: by secunet
X-Spam-Flag: NO
X-Spam-Score: -5.15
X-Spam-Level:
X-Spam-Status: No, score=-5.15 tagged_above=-999 required=2.1
tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.099, DKIM_SIGNED=0.1,
DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
HEADER_FROM_DIFFERENT_DOMAINS=0.249, MAILING_LIST_MULTI=-1,
RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001]
autolearn=unavailable autolearn_force=no
Authentication-Results: a.mx.secunet.com (amavisd-new);
dkim=pass (1024-bit key) header.d=amd.com
Received: from b.mx.secunet.com ([127.0.0.1])
by localhost (a.mx.secunet.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id 2FRRxC-dgc2R for <steffen.klassert@...unet.com>;
Sat, 30 Mar 2024 00:01:08 +0100 (CET)
Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=139.178.88.99; helo=sv.mirrors.kernel.org; envelope-from=linux-kernel+bounces-125491-steffen.klassert=secunet.com@...r.kernel.org; receiver=steffen.klassert@...unet.com
DKIM-Filter: OpenDKIM Filter v2.11.0 b.mx.secunet.com 904C4200BB
Authentication-Results: b.mx.secunet.com;
dkim=pass (1024-bit key) header.d=amd.com header.i=@....com header.b="Xnn0YoyP"
Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org [139.178.88.99])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by b.mx.secunet.com (Postfix) with ESMTPS id 904C4200BB
for <steffen.klassert@...unet.com>; Sat, 30 Mar 2024 00:01:08 +0100 (CET)
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by sv.mirrors.kernel.org (Postfix) with ESMTPS id CDBA3284466
for <steffen.klassert@...unet.com>; Fri, 29 Mar 2024 23:01:06 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
by smtp.subspace.kernel.org (Postfix) with ESMTP id 9CA0C13CFB6;
Fri, 29 Mar 2024 23:00:34 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
dkim=pass (1024-bit key) header.d=amd.com header.i=@....com header.b="Xnn0YoyP"
Received: from NAM11-CO1-obe.outbound.protection.outlook.com (mail-co1nam11on2062.outbound.protection.outlook.com [40.107.220.62])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by smtp.subspace.kernel.org (Postfix) with ESMTPS id 513D513E401;
Fri, 29 Mar 2024 23:00:28 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=fail smtp.client-ip=40.107.220.62
ARC-Seal: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
t=1711753230; cv=fail; b=uZhgEsPvzM/O5hYoPvgVIjlWXaSncWu/gH+CMWkulPd23+p3QPC07Xcnvdc1pEegop+1fw5FWQt9xrKIhggwnnc/cJxhZmvY+efDK8zTDVGgPMZ1OBnPCJ1svuKjpe/xapUf2zfGgrB87DdADrHQzinKcE/FLI1mCdSAohMJ7OM=
ARC-Message-Signature: i=2; a=rsa-sha256; d=subspace.kernel.org;
s=arc-20240116; t=1711753230; c=relaxed/simple;
bh=q4vzPdo0+oii9a1ZolELIlylzfsIrazGRpbjD/k5aUY=;
h=From:To:CC:Subject:Date:Message-ID:In-Reply-To:References:
MIME-Version:Content-Type; b=ko9KEZg3yLMXSxkN960Y/B2POJkn5tv0c1SE4wQqMBJNeTCF+VtC3I5Rs/cG3vbuvj3mVK5BMvEK9Yegm31H3BjyyNl7K1T0LCemXg4usQSAgVIu4IbicWvb3FBKu3DMFE8ZSoRJpC6bFHCBONslTx3MM6W14Bvvg8XrK8Um0Lw=
ARC-Authentication-Results: i=2; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=amd.com; spf=fail smtp.mailfrom=amd.com; dkim=pass (1024-bit key) header.d=amd.com header.i=@....com header.b=Xnn0YoyP; arc=fail smtp.client-ip=40.107.220.62
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=amd.com
Authentication-Results: smtp.subspace.kernel.org; spf=fail smtp.mailfrom=amd.com
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
b=koAhSHTroS7Six8Mk2ptjimEuKhzjh+UOZ0BKjgCc81mT+BeIOoN5WsMBdVaZUUy0R+PvNTm4fC8i+uwFGBJV8NQMJkhjHeFNHs9v7dqfn1NGIFcfGChcbS/FPOvmOVVYpB/pw5U7oG2gLnAwxc20CK7NLojtWh4NCJ6M9OY8OY2nW344YP5M7kPGqBhcAq4W9kwvwslxNGFFGDAer3lswUX447A9LE0/fnMv5jbJ83rm5ix4N0K58GDPEx9VUGhhOgggVbAfXgKVio1kRzvNH8kJtZzXieWO/wEifcUb+WRXxN3ZBE88A4zgVuKZm7/Oqe/HvOr/XrFZWS7gVA25Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
s=arcselector9901;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
bh=JrYjCWIu6wNf/NkduP5S/uOo7LBR9vnyryH5vZHAlfA=;
b=LVmfJFAum0chfh8MZAu/WI+/8Q1sh2O9o7TULA0rPfys5d3XWI3rdAqs/rYpjoaI+XLbCnHEgvanj9y++g3Pa/6WeAuyuUZZP+r2ZuuqLZc6edOigte0P3F00JsEgpwhi4L//QOMpICtIepUxvGLpwvRyID4b85yTfLiPEsYzfzxDzMtwa6xyDWidl6wddXopfSMfQOn4cp+NLLaX0CGH64ADEMNjDgJRUx5k4b/vRjK7TOLrW1vnz5Ty62s6kgRDA13YMF0niFXxzCeK2SekIWp/623ludL5H2O+JvT+5Bk3UU6+HQWzVWe4SzWyVmdcw+PiS9jlTsjHpiAmnR1Mw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is
165.204.84.17) smtp.rcpttodomain=vger.kernel.org smtp.mailfrom=amd.com;
dmarc=pass (p=quarantine sp=quarantine pct=100) action=none
header.from=amd.com; dkim=none (message not signed); arc=none (0)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amd.com; s=selector1;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=JrYjCWIu6wNf/NkduP5S/uOo7LBR9vnyryH5vZHAlfA=;
b=Xnn0YoyPydUttY9jZm4o1iMO+E8KBjfMOPusb4Vj5axJk8hQRG/osW1QECRxvBowisK2iaRPpIm14+OOzYXxmMPkAt9nxcFBlrEsW8iRuNHSFxG83FlEnCf0xJ4+jqhhyl6Gtqjia8oulEv9c2cH+koDudTK+LTVXbryYxTNGZM=
Received: from SJ0PR03CA0173.namprd03.prod.outlook.com (2603:10b6:a03:338::28)
by DS0PR12MB8197.namprd12.prod.outlook.com (2603:10b6:8:f1::16) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7409.40; Fri, 29 Mar
2024 23:00:26 +0000
Received: from SJ1PEPF00001CE2.namprd05.prod.outlook.com
(2603:10b6:a03:338:cafe::51) by SJ0PR03CA0173.outlook.office365.com
(2603:10b6:a03:338::28) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7409.41 via Frontend
Transport; Fri, 29 Mar 2024 23:00:26 +0000
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 165.204.84.17)
smtp.mailfrom=amd.com; dkim=none (message not signed)
header.d=none;dmarc=pass action=none header.from=amd.com;
Received-SPF: Pass (protection.outlook.com: domain of amd.com designates
165.204.84.17 as permitted sender) receiver=protection.outlook.com;
client-ip=165.204.84.17; helo=SATLEXMB04.amd.com; pr=C
Received: from SATLEXMB04.amd.com (165.204.84.17) by
SJ1PEPF00001CE2.mail.protection.outlook.com (10.167.242.10) with Microsoft
SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
15.20.7409.10 via Frontend Transport; Fri, 29 Mar 2024 23:00:25 +0000
Received: from localhost (10.180.168.240) by SATLEXMB04.amd.com
(10.181.40.145) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.35; Fri, 29 Mar
2024 18:00:24 -0500
From: Michael Roth <michael.roth@....com>
To: <kvm@...r.kernel.org>
CC: <linux-coco@...ts.linux.dev>, <linux-mm@...ck.org>,
<linux-crypto@...r.kernel.org>, <x86@...nel.org>,
<linux-kernel@...r.kernel.org>, <tglx@...utronix.de>, <mingo@...hat.com>,
<jroedel@...e.de>, <thomas.lendacky@....com>, <hpa@...or.com>,
<ardb@...nel.org>, <pbonzini@...hat.com>, <seanjc@...gle.com>,
<vkuznets@...hat.com>, <jmattson@...gle.com>, <luto@...nel.org>,
<dave.hansen@...ux.intel.com>, <slp@...hat.com>, <pgonda@...gle.com>,
<peterz@...radead.org>, <srinivas.pandruvada@...ux.intel.com>,
<rientjes@...gle.com>, <dovmurik@...ux.ibm.com>, <tobin@....com>,
<bp@...en8.de>, <vbabka@...e.cz>, <kirill@...temov.name>,
<ak@...ux.intel.com>, <tony.luck@...el.com>,
<sathyanarayanan.kuppuswamy@...ux.intel.com>, <alpergun@...gle.com>,
<jarkko@...nel.org>, <ashish.kalra@....com>, <nikunj.dadhania@....com>,
<pankaj.gupta@....com>, <liam.merwick@...cle.com>, Brijesh Singh
<brijesh.singh@....com>, Harald Hoyer <harald@...fian.com>
Subject: [PATCH v12 12/29] KVM: SEV: Add KVM_SEV_SNP_LAUNCH_FINISH command
Date: Fri, 29 Mar 2024 17:58:18 -0500
Message-ID: <20240329225835.400662-13-michael.roth@....com>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20240329225835.400662-1-michael.roth@....com>
References: <20240329225835.400662-1-michael.roth@....com>
Precedence: bulk
X-Mailing-List: linux-kernel@...r.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@...r.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@...r.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain
X-ClientProxiedBy: SATLEXMB03.amd.com (10.181.40.144) To SATLEXMB04.amd.com
(10.181.40.145)
X-EOPAttributedMessage: 0
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: SJ1PEPF00001CE2:EE_|DS0PR12MB8197:EE_
X-MS-Office365-Filtering-Correlation-Id: 640e01f2-0a92-4152-816e-08dc50440591
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: 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
X-Forefront-Antispam-Report: CIP:165.204.84.17;CTRY:US;LANG:en;SCL:1;SRV:;IPV:CAL;SFV:NSPM;H:SATLEXMB04.amd.com;PTR:InfoDomainNonexistent;CAT:NONE;SFS:(13230031)(376005)(1800799015)(82310400014)(7416005)(36860700004);DIR:OUT;SFP:1101;
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 29 Mar 2024 23:00:25.9312
(UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 640e01f2-0a92-4152-816e-08dc50440591
X-MS-Exchange-CrossTenant-Id: 3dd8961f-e488-4e60-8e11-a82d994e183d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=3dd8961f-e488-4e60-8e11-a82d994e183d;Ip=[165.204.84.17];Helo=[SATLEXMB04.amd.com]
X-MS-Exchange-CrossTenant-AuthSource: SJ1PEPF00001CE2.namprd05.prod.outlookcom
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DS0PR12MB8197
Return-Path: linux-kernel+bounces-125491-steffen.klassert=secunet.com@...r.kernel.org
X-MS-Exchange-Organization-OriginalArrivalTime: 29 Mar 2024 23:01:09.8227
(UTC)
X-MS-Exchange-Organization-Network-Message-Id: 22dd6ec8-82d0-4e01-8306-08dc50441f9e
X-MS-Exchange-Organization-OriginalClientIPAddress: 62.96.220.37
X-MS-Exchange-Organization-OriginalServerIPAddress: 10.53.40.201
X-MS-Exchange-Organization-Cross-Premises-Headers-Processed: cas-essen-01.secunet.de
X-MS-Exchange-Organization-OrderedPrecisionLatencyInProgress: LSRV=mbx-essen-02.secunet.de:TOTAL-HUB=0.201|SMR=0.133(SMRDE=0.003|SMRC=0.129(SMRCL=0.102|X-SMRCR=0.128))|CAT=0.066(CATRESL=0.027
(CATRESLP2R=0.020)|CATORES=0.036(CATRS=0.036(CATRS-Transport Rule
Agent=0.001|CATRS-Index Routing Agent=0.034 )));2024-03-29T23:01:10.041Z
X-MS-Exchange-Forest-ArrivalHubServer: mbx-essen-02.secunet.de
X-MS-Exchange-Organization-AuthSource: cas-essen-01.secunet.de
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-FromEntityHeader: Internet
X-MS-Exchange-Organization-OriginalSize: 21177
X-MS-Exchange-Organization-HygienePolicy: Standard
X-MS-Exchange-Organization-MessageLatency: SRV=cas-essen-01.secunet.de:TOTAL-FE=0.017|SMR=0.008(SMRPI=0.005(SMRPI-FrontendProxyAgent=0.005))|SMS=0.010
X-MS-Exchange-Organization-Recipient-Limit-Verified: True
X-MS-Exchange-Organization-TotalRecipientCount: 1
X-MS-Exchange-Organization-Rules-Execution-History: 0b0cf904-14ac-4724-8bdf-482ee6223cf2%%%fd34672d-751c-45ae-a963-ed177fcabe23%%%d8080257-b0c3-47b4-b0db-23bc0c8ddb3c%%%95e591a2-5d7d-4afa-b1d0-7573d6c0a5d9%%%f7d0f6bc-4dcc-4876-8c5d-b3d6ddbb3d55%%%16355082-c50b-4214-9c7d-d39575f9f79b
X-MS-Exchange-Forest-RulesExecuted: mbx-essen-02
X-MS-Exchange-Organization-RulesExecuted: mbx-essen-02
X-MS-Exchange-Forest-IndexAgent-0: AQ0CZW4AAfkTAAAPAAADH4sIAAAAAAAEAMU6DXfTxpaSPxMTk/DRAo
X2Dfv20CTYjuN84ITCqQluySGBvCTw2u3p0ZHlcayNbXklOZC+x7/d
H7L33pmRJVl2oG/3rAmxNLr3zv3+GOW//9Zot5nJXr8/NE6a742TN0
fGQePdm71Xxk/7b/ZPXjHL6ffNQZv5DuvYA7Nn/8GZ3+XMci+HvnPm
msOubRULPXM0sLqsbZ9xz2eI4PmOyz1mw51HGH1ueiOX9/nAZ06Hls
5GBO0zgV4s+HafV1ij5zmMf/Q57gtg/KPt+fbgjAF7wIXb/2C6nLVN
34Rd3JHlj3An4NAbDYeO6xcLfNBxXAtREH/kcdzxPXc92xmwA8ds8z
ZrDtqO6wl+XvNLj7UuBUMecjw0kQ7xaXtKC5VioVj4e9fucaUMtYWU
v9NzPpRIZhTB9rwRF8JLpb47etk4baIcxUIgiCROEvABKXZNKotw7Y
Ht22aPvT88aQBfoGEG0jFuosYsZ9CxzwC0zS72jt5V2Cnyaw8unN4F
AHrc9xWPx4dHQN93bUnA7zqgGCIImnfY0HUu7DYvMWCd+DfBN7rAWY
8oOMzqcXPARsMp1LjHiwXB34cuHyBSx+X8e7xA3jxS34l9NuDtstPp
lFuXu+yFa/8n97rsBKC67IeWuK14ePuj2W9XQDvPJ7Bema7Za7NXzi
V32Q9duvsR+O/Y5iAZo+GBXrrstdlzTfaDSXeVc7wL7fJbv+3uguwf
THAHZYIXJ+R04KiggjPug70GHjgk+o00e8i1vd8ntj60ra7Je+zY8U
HCvriruHAX2rpcLhcLrFKprF3Yrr92ftFf+1jfXgOAcp/3HfeyLF0D
PLiCzMDnn4zVttlj+ACq6VpdQrEHVm/U5msjc2ivmV4faVW6LPoB1P
UtFkXEPT38zy8qFpvy+Sdb33hCe0Y/QEhtDO4y+rg29IZlpBTfOcQB
22SPUepN0G8PvAYUMzjj7RJbr68DNY+7KK23/HgFllib9zjeL5dX0I
/adqfDyuUzDLa1l441Qu2bCPC5Gmz9KbRiwR60+Ue2Wduum+aWtVGv
8krF3NzhdavT2Vnf2GDr1er25ibZ9E/yViyASv80gz/+yMpb609K4B
v4tVFjsAIhKfOJ2YMshfnC7I1k8GLUGv7lEB4C0F/bHNIb/x4qg7e7
CwY64QITSkQZc7A35Bb7zRsMy50PZbNl/24Qlc7IBSgXLOWbds9jkG
u7zgdKVLQDox1syDaYktsqyYm0+rhWrUyvQ/C8POsDz+Gn0fFhewio
oXAVVWeQZ1FrInkaH83aUdU+C7Jei4t0TpWwb57zUAFzudm+FDn5I7
dGZAjB0BFkpj4Hpjy2bA9WdmW9YmBEA4LDABUagiUDNA4pSaAdcyhp
A2+XVVGH3siyuOeVWHnAz8ATLjiuctd1XAGONsJvFVpXbcL+EQJWH8
MYbW8yu220eo51bowg+btPZ8GZI787E6w+psYHU2GIzDm/nAVz0ePn
hsv/a2SDt0yFgnLmG9gV/LZR+30q1NBs/7YdefzpqVAf/KCjh53c7t
gWxV6Ct0/2SjH/B3qAqDxOaN4eDEc+NhfSLYSfsJf8wrYg+Hyop62R
z1njaB+WnyV8JnLfVYm/dRWEymg7W9u8tbVZt6p1yGi1VrXesVq8ur
FjxjLalfRE8roSDPPU9s425in8eoJpig9GfYZea/Xbht1GV1V2WltF
nZeVXcZ90+raGCghnk9OG8enpZkgoi8rjZ1ialooof7jlN4cG4eNX3
AL9CUUq765jmLVN2ulWhXlmh6ToyH4LA8LSn6KufKppAh8yZwcYWz/
pfHi4O3ea+Nk/z+aAnVnezps493pqxAo26xOhRayGqCUhsLYqIkQ+Z
LkckVOmZ1KZmSQGYljZr6IpYlZEv8eRxvnDZkvWFhxv9QgYvcM+GW8
O2kaG7UX+6eg85Nw+llef3dwwH74gVVXpmO/3D9pvDhoGi+O3zZe7j
VOTo2/vds/fh3CXp9sf6a0cK0pD1TAm3X4V6tvtTbNzUplo71tVTeq
1Z11qzYt4GNkYnEee0rhvUHRvVGqiyCAZGoxtDr5jhjXeNu46Hum0e
EmTXJPQ9pB0xy9Pdjf+xUi7AQ8/fA0rFLUMqhleX17ZRbS/pufQaUn
ECrN0zFSrboSCS3wgNP9xoGBc5bx81GDVT/+pD7ValUYXYlQJwmg8z
Jatv90/OBlc++gcdw0jv9+0jxcRpg29D9QtCHGDfTklQgwuF3TOHx3
2vyFYIFW3xwGcKjBWq1OOoTvrdJ6bSukRxsmkIlEsjwOULYKv0rx1A
OJla2a7tlwZZxxXGo48ItSDqll1iZksC/a6XEoLcTAbBjW2SpcsWfs
ke8YtH7RX4bvlfJzBfF0Ap+UC3GckEzpbOAZ+8enEFbLcXr4yzcurO
HIoMEW2rlnrAPDLp8kj2wgJFvF36HnIxj/cMBjPQcmWzv0BHUldBhq
x5CXypnlfzSGmOFgQ8OA4Qju0OQgIHAPI6XPP/orT2No4778mfDqxs
9N4/TXoyY5qdxHSAL5rm/aOHUT197umBRKAh2LgY04PVy2Swy/S/ho
JakdlDogTXloX/z1DHpfsgwuryR0WBjYw85AiAjiXfSF/bhXQYdZYc
+fMxLh5NX+T6dRNakPVPlXJBDZig4OxuM3H9BIHprAY6dK6qwEnZdX
qDOIb2B32PLDST949IikLT+nVeg8Hj6jRD3RRcoPmgwGXZ4sBW7yGX
s8+1f2AE0dcRcMCw2T0+ds6PLQKAjTNLfOPWaegVeg9mBcoROkJJ2A
04LRhKkM7xKymghw8I4EM6NwgDGD8Ug+SWb91DXBiMRpwJoYEh1mjk
/5ZhhSMO32hwbOY8bQpSS7DA5YmsjlJXb0s3HQfN88MDZflxgFnunZ
bRgC3RH/PxNyH0fGYAQNnaVKO822CqUAzBkw/VFMeX2eGFcJ7AvlGC
LBIheYjZcxGQvUDoiOvc/e4cuZjfDszyNkscQeCbo0ks7SZeLgKT+Y
BindudzqmXYf7ZhEKyRgSPuxh58SDUJ6w9CrYMtSoeHdIAcD53F8bv
lUD9Ajpkf1ZOqYKVZSwVEbTEE5c8BBkpP6FFETpZYKqlLLqnr3pJIu
+vb/72o+faCgadn7vPovUVZxPYRx4UCyXVXDBHD2BhrAEq3gGCEXrq
rkZH7FI3kPSZWQIqTuy803b09Pf02mEq38M2jsv3nfOJikYTnDS6Pj
On1j5HF3+ZFQUwmLsAF6x0Vj6Lsy5lEhK2BT+w/udJYF7MpM1n9qvD
uI1WjIaIfyVNzs9cShPhvhWX3sBUeLQ1ma9ZIkmtFl+UnuMskXye+e
RhWQnJ2nZWXZEp7/gcef1rJUxKrUy88/HRmvm8dvoD409vbevntzGt
/tIUHONPVh83DSTELVldAgm5gvQr6JzSEZl0wIq60JIjQrl6YfBkxL
wvsnRvP4eFnRWZmZuoRVjk6PozhXZS5u4Fufz07KqNby85B6YM/1BO
wY3LiXlkUxwl+ifmWkz1Tv+CRiQrvB8cnVykUqX6hbQvk81RpK1C/X
MYmXpLpg+2TRpIJCRy4z+iKxWwg2ZtFPE3GJVZmfG23bM1uiRMoNJw
5yxnh93reGl8sCPTjTKSnM0MqsY574xFV+/uWT2rh5HjdalLQS+it5
iMim9E2hmQ0tHbdMzP67CeCRGBDwE2CUyaLbRbOmsJDoE0AsUDWddN
iO5fcm+wQqrgaF0/hgIXScmdBHyG91xLHxhA6Ba5s7T0o7eMDxr+ws
P5bpJb7dERVqdwyoPm5SCRKGfCT5pbOb2KflcjMcidP2FZbfnQyb2L
6yG5vYN46m9g2ijnfMUc+fIti4i4g/pcTijHxli/r2dml9HYyxs1Mt
1TbRGqRmGhrQ++gAIfGMZCV8Np54YBBuJUIiwaAEo7v/PUyrg/HLOn
pBF5oOP5ge65vuOSQIexD8DYKPKYOZXoScKSiUnQ94ToNjRSU+cKpZ
s3s55O6F7TmumDVl7xIh5/IetD3Yxtg+a5lQpQERiXiXns/7lTBwqK
3BzBltF8X0T01jUnX43zg/wU0p+QWDsdeFQbot5uLIFEyj74xETq7h
ndtDeT4bLesySYS2FdJNn61WJr2PvKo38rqGnIh5m6bAZXE8lTTpht
+TkEMKeNv1se2lmwk06XtRWXaj3IeRzrpWy5BgCVyfX1AeTcBYkeen
keP5aX8Y0Zr2RB3Qbzypblm16uZmx6pWKjvVjXa7w836Vn0rdkA/lY
44oZ/6mI7ot+p0Rg9fT0JvqmacrlJuX2U/RhqKXRkMbNi99GzL7DF1
cuF02P5LJrpbhOcDX71VDf58a0xRtYG7EORthBN/TkQvVgMytoenXR
5QkoihbiMJER9DgANACBWzyHR+HiPZSFuSRFj9adle8zVSVn9age+H
TR8AxV9uQALBFx2eZNb1LoAYMuFe8LZcDBqWXXpDVcaXIz0baNHggg
RlUhw4yLnPXRADDyxal8FpGZFak2bdfgL2fLy9XVfvXq4amkMlO/xe
bijfywXPIm/ldtejj8KGwEflEEWSe7sWPkqvs6iKw33iGCW2R/xFP/
tE+dI6px4RY6JYqFVqW5V1vCsWNC2tZXQtlda1e1omTT85LQ8/eW0u
paXntHlYKWqLYlE8hXX4getr2oK4yGo5uMhpcxktl9GyAlLgwm9YKW
jXACCvzc9rBbEL3c4BJBABAEJHyhkiBSt5bQHIAqLYNFiXbOhaUbKU
hS3gRxCEH3iaR06ygA7XGSIiGAMwASBgBOdZ2jdPFABG8AzXQqgocB
4W4RoAslpB8ECyIAA8zevaV3iRI6xcGCCHuHlYuUm6nfb0Nm1B6Cha
TgJnAmZAFlhcAItEdwcB84g+J0RI6wurKHtW8P+V9nVaL6Q0LaUVxG
I+gAQH0G/Ro/GKWr+fRg+5lxdC6Vperj/QNU3X8/hbS6FO9HmCzBT0
RbE4py1miD1d17a1VFG7HmFm6jpabUG7vqAXc5qW0xamgM0nr+sgAp
DOEnspcU2i5YRWhcuhV+javJYl3CyZOy+lVjJmSN4COWpa4YqgoKdZ
8ZOi33N6kcTPTsRRSfhw4EhwK5xZ7BUFls4ZioWsclGEn9eWChhxFA
Jx3AUwgdA8OXNB+fD9JOBvcRddu05ODjDitkg7wi0GuK5dkyFwFznB
2yzxJm+LqLfvxDVqUur5HkqqZ4iTe2F9Qg6J6RNub4SyDfAsBKdYAK
XdgAtKF99JR9JSCa6rpaasp+OOlAyWT17Xc5OOREKRz5AgpI0bcL1A
GWNO+wqu74b0nNWWJjR/Y2LlVhoNIVNiWr8+zYGT7HibnGQp9kjkro
yMd4l4N/QUXVe/hsRFOOjagxBZepoXCSFx06jz3Iw6z82o8yxGnWcx
5DxfjZ2HVBrngUgpX1oM+MypUKWgWMrocwQgxXykAMCa4DxZsKkCiH
nROMuFXCi0ONV/QjD5hEU9h6lAsK2nxteqcgGT9zGWC1SPioLtW0rq
NIUJhoyeIRPkBcC3CoBMMBeFmc9R6VlSDnxduy0SSBo1LxjLC5iiyu
S3qJRkCDeHPpwX64tiI/1aVtOyek5IIa4pxeUDKYLgFVU4rfKS2hEs
SFYTMhLK1wpF1fFErFtiZSHIwyALRlxaKRn5nMNH0iu+UZVOEb9NPg
wcZqmRADeQMUJY4AmLoi2BTYjgDQFfAAfWobinZDCSW15DX7olAMhX
kc7NcQm4lkO58uRsS0ItQYHQqZ9Ja3dJpbB7lkTOgTg5WUfuEgNzwX
Y5GaHzkh/tOxUOWdVl5cFwovWiunw/FRGWWh10j2xKmE97QIk6cxXM
Q5kAKR2JNkPUowxmctT5UpA9UIo7KeT8O7LjA9GnqZqYpgZgniqLRK
R9gVo25KjZUKIQpgfT3A2TVb1QRlTegB+kphdillKqu5vWc4v0KOgA
1dPJmlvNUDnOYuWCRRbl9i/ERimtyn0WGzwsx/PYtX4T1fy/h10uo/
0FnXzsG+s52S8tfEkEfXEsxNr4HJXRiRgB/S9myA/nUP9wi2TzqD3Q
xqIIihRptThOtndyWBFup4Qby9D4Ri2ig12XisqJHLWoHCYt406wdJ
9Q7oQ68FzQzwv3VlXgphAwnDdILUtkrK9JbxC8eerr5oLYJNe9Rb1Z
wDOODPMoZmpe08nl7gTii8oSNHU5AlsgsGxibSUvDaJY0flrOtQkq8
WHmAcQEipFWehc+rzsKG6LRVlPQ/lHUXgQmCaRz2uaTskhqcpP8El0
/i3GJy0yweciVTQSsyIYk5U9yhih3E/JYhHU929FYpG3UsBvxCIV/W
sCnq6/Fp2wyqs58UhcJ/UDSwJ4RpYWchVV4Cc15HMq3m+TCYQgC1HB
l7Lj0Cgq2y2S3SketetB/AatSBDCgn4QuSqWVSesz08WVtEefAbNxU
yCRPf0aDIJGfdOFpX2xSgQ1NSu3CNcyTB2Gnp6fE0DtdB24I2hCnsj
WuYeCodUxwV5lRNkRgrPR9Al4lCJqsuRznNBcQEwuCbN3JqneSGgma
MaF85XlC3vXVVe74vEdVvxI3QeLkwiNELJ7duUlDFcDh6I6KPrgsiB
kR31m9fIwQSpBWI7oxKp4mohtMtiSjmwohBg3ZGOEXqEpRz3lS1ufG
CnFndiMaHFnYDJJyxOH46Sas1iaDpAZxOHMOIQCche1xZhsA0rHBQo
AETDk4cZf5xh5NOcPPpIC0hBRCWWgoAJ0mDQOUDXhNS0HJ5OqFSjsO
bVuJ1Pq6OtOf3Wl0gaG4WWIqOQnhbVPzIQqUX0PTnoFccjkpzoE56G
Jm7oPxcFeyJC8fp/AFSmq3C9PAAAAQLcAjw/eG1sIHZlcnNpb249Ij
EuMCIgZW5jb2Rpbmc9InV0Zi0xNiI/Pg0KPFRhc2tTZXQ+DQogIDxW
ZXJzaW9uPjE1LjAuMC4wPC9WZXJzaW9uPg0KICA8VGFza3M+DQogIC
AgPFRhc2sgU3RhcnRJbmRleD0iNTIwIj4NCiAgICAgIDxUYXNrU3Ry
aW5nPnRvIHByb3ZpZGUsIHNvIGFsc28gYWRkIGhhbmRsaW5nIHRvIG
NsZWFuIHVwIHRoZSBSTVAgZW50cmllcyBmb3IgdGhlc2U8L1Rhc2tT
dHJpbmc+DQogICAgICA8QXNzaWduZWVzPg0KICAgICAgICA8RW1haW
xVc2VyIElkPSJrdm1Admdlci5rZXJuZWwub3JnIiAvPg0KICAgICAg
PC9Bc3NpZ25lZXM+DQogICAgPC9UYXNrPg0KICA8L1Rhc2tzPg0KPC
9UYXNrU2V0PgEKxwQ8P3htbCB2ZXJzaW9uPSIxLjAiIGVuY29kaW5n
PSJ1dGYtMTYiPz4NCjxFbWFpbFNldD4NCiAgPFZlcnNpb24+MTUuMC
4wLjA8L1ZlcnNpb24+DQogIDxFbWFpbHM+DQogICAgPEVtYWlsIFN0
YXJ0SW5kZXg9IjY1NSIgUG9zaXRpb249Ik90aGVyIj4NCiAgICAgID
xFbWFpbFN0cmluZz5icmlqZXNoLnNpbmdoQGFtZC5jb208L0VtYWls
U3RyaW5nPg0KICAgIDwvRW1haWw+DQogICAgPEVtYWlsIFN0YXJ0SW
5kZXg9IjcwOCIgUG9zaXRpb249Ik90aGVyIj4NCiAgICAgIDxFbWFp
bFN0cmluZz5oYXJhbGRAcHJvZmlhbi5jb208L0VtYWlsU3RyaW5nPg
0KICAgIDwvRW1haWw+DQogICAgPEVtYWlsIFN0YXJ0SW5kZXg9Ijc1
OCIgUG9zaXRpb249Ik90aGVyIj4NCiAgICAgIDxFbWFpbFN0cmluZz
5hc2hpc2gua2FscmFAYW1kLmNvbTwvRW1haWxTdHJpbmc+DQogICAg
PC9FbWFpbD4NCiAgICA8RW1haWwgU3RhcnRJbmRleD0iODgxIiBQb3
NpdGlvbj0iT3RoZXIiPg0KICAgICAgPEVtYWlsU3RyaW5nPm1pY2hh
ZWwucm90aEBhbWQuY29tPC9FbWFpbFN0cmluZz4NCiAgICA8L0VtYW
lsPg0KICA8L0VtYWlscz4NCjwvRW1haWxTZXQ+AQ7PAVJldHJpZXZl
ck9wZXJhdG9yLDEwLDA7UmV0cmlldmVyT3BlcmF0b3IsMTEsMjtQb3
N0RG9jUGFyc2VyT3BlcmF0b3IsMTAsMTtQb3N0RG9jUGFyc2VyT3Bl
cmF0b3IsMTEsMDtQb3N0V29yZEJyZWFrZXJEaWFnbm9zdGljT3Blcm
F0b3IsMTAsNTtQb3N0V29yZEJyZWFrZXJEaWFnbm9zdGljT3BlcmF0
b3IsMTEsMDtUcmFuc3BvcnRXcml0ZXJQcm9kdWNlciwyMCwxMw==
X-MS-Exchange-Forest-IndexAgent: 1 6274
X-MS-Exchange-Forest-EmailMessageHash: 9C18AEDE
X-MS-Exchange-Forest-Language: en
X-MS-Exchange-Organization-Processed-By-Journaling: Journal Agent
Add a KVM_SEV_SNP_LAUNCH_FINISH command to finalize the cryptographic
launch digest and stores it as the measurement of the guest at launch
time. Also extend the existing SNP firmware data structures to support
enforcing the use of Version Loaded Endorsement Keys by guests as part
of this command.
While finalizing the launch flow, it also issues the LAUNCH_UPDATE SNP
firmware commands to encrypt/measure the initial VMSA pages for each
configured vCPU. This involves setting the RMP entries for those pages
to provide, so also add handling to clean up the RMP entries for these
pages when freeing vCPUs.
Signed-off-by: Brijesh Singh <brijesh.singh@....com>
Signed-off-by: Harald Hoyer <harald@...fian.com>
Signed-off-by: Ashish Kalra <ashish.kalra@....com>
[mdr: always measure BSP first to get consistent launch measurements]
Signed-off-by: Michael Roth <michael.roth@....com>
---
.../virt/kvm/x86/amd-memory-encryption.rst | 26 ++++
arch/x86/include/uapi/asm/kvm.h | 15 ++
arch/x86/kvm/svm/sev.c | 137 ++++++++++++++++++
include/linux/psp-sev.h | 4 +-
4 files changed, 181 insertions(+), 1 deletion(-)
diff --git a/Documentation/virt/kvm/x86/amd-memory-encryption.rst b/Documentation/virt/kvm/x86/amd-memory-encryption.rst
index 4268aa5c380e..a49e8cff9133 100644
--- a/Documentation/virt/kvm/x86/amd-memory-encryption.rst
+++ b/Documentation/virt/kvm/x86/amd-memory-encryption.rst
@@ -517,6 +517,32 @@ where the allowed values for page_type are #define'd as::
See the SEV-SNP spec [snp-fw-abi]_ for further details on how each page type is
used/measured.
+20. KVM_SEV_SNP_LAUNCH_FINISH
+-----------------------------
+
+After completion of the SNP guest launch flow, the KVM_SEV_SNP_LAUNCH_FINISH
+command can be issued to make the guest ready for execution.
+
+Parameters (in): struct kvm_sev_snp_launch_finish
+
+Returns: 0 on success, -negative on error
+
+::
+
+ struct kvm_sev_snp_launch_finish {
+ __u64 id_block_uaddr;
+ __u64 id_auth_uaddr;
+ __u8 id_block_en;
+ __u8 auth_key_en;
+ __u8 vlek_required;
+ __u8 host_data[32];
+ __u8 pad[6];
+ };
+
+
+See SEV-SNP specification [snp-fw-abi]_ for SNP_LAUNCH_FINISH further details
+on launch finish input parameters.
+
Device attribute API
====================
diff --git a/arch/x86/include/uapi/asm/kvm.h b/arch/x86/include/uapi/asm/kvm.h
index 956eb548c08e..2b08fcbe039a 100644
--- a/arch/x86/include/uapi/asm/kvm.h
+++ b/arch/x86/include/uapi/asm/kvm.h
@@ -696,6 +696,7 @@ enum sev_cmd_id {
/* SNP-specific commands */
KVM_SEV_SNP_LAUNCH_START,
KVM_SEV_SNP_LAUNCH_UPDATE,
+ KVM_SEV_SNP_LAUNCH_FINISH,
KVM_SEV_NR_MAX,
};
@@ -841,6 +842,20 @@ struct kvm_sev_snp_launch_update {
__u8 type;
};
+#define KVM_SEV_SNP_ID_BLOCK_SIZE 96
+#define KVM_SEV_SNP_ID_AUTH_SIZE 4096
+#define KVM_SEV_SNP_FINISH_DATA_SIZE 32
+
+struct kvm_sev_snp_launch_finish {
+ __u64 id_block_uaddr;
+ __u64 id_auth_uaddr;
+ __u8 id_block_en;
+ __u8 auth_key_en;
+ __u8 vlek_required;
+ __u8 host_data[KVM_SEV_SNP_FINISH_DATA_SIZE];
+ __u8 pad[6];
+};
+
#define KVM_X2APIC_API_USE_32BIT_IDS (1ULL << 0)
#define KVM_X2APIC_API_DISABLE_BROADCAST_QUIRK (1ULL << 1)
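Review bot: `struct kvm_sev_snp_launch_finish` ends with implicit tail padding: the fields after the two `__u64` addresses total 41 bytes (3 + 32 + 6), so `pad[6]` does not bring the struct to a multiple of 8 and the compiler adds the rest on x86-64. For a uAPI struct the layout should be fully explicit, for example `__u8 pad[13];` to keep a 64-byte size with no hidden bytes. `snp_launch_finish()` in this patch also never reads `pad`, so non-zero values are accepted today and the bytes cannot safely be given a meaning later; rejecting a non-zero `pad` with `-EINVAL` would keep that option open.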
diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
index a8a8a285b4a4..3d6c030091c2 100644
--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -63,6 +63,8 @@ static u64 sev_supported_vmsa_features;
#define SNP_POLICY_MASK_SMT BIT_ULL(16)
#define SNP_POLICY_MASK_SINGLE_SOCKET BIT_ULL(20)
+#define INITIAL_VMSA_GPA 0xFFFFFFFFF000
+
static u8 sev_enc_bit;
static DECLARE_RWSEM(sev_deactivate_lock);
static DEFINE_MUTEX(sev_bitmap_lock);
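Review bot: `INITIAL_VMSA_GPA` is added as a bare constant with no comment saying where 0xFFFFFFFFF000 comes from, or why `snp_launch_update_vmsa()` passes the same guest physical address to `rmp_make_private()` for every vCPU's VMSA. A one-line comment naming the source of the value would let a reader check it against the firmware documentation. A `ULL` suffix would also pin the type independent of the build: `#define INITIAL_VMSA_GPA 0xFFFFFFFFF000ULL`.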
@@ -2283,6 +2285,125 @@ static int snp_launch_update(struct kvm *kvm, struct kvm_sev_cmd *argp)
return ret;
}
+static int snp_launch_update_vmsa(struct kvm *kvm, struct kvm_sev_cmd *argp)
+{
+ struct kvm_sev_info *sev = &to_kvm_svm(kvm)->sev_info;
+ struct sev_data_snp_launch_update data = {};
+ bool boot_vcpu_handled = false;
+ struct kvm_vcpu *vcpu;
+ unsigned long i;
+ int ret;
+
+ data.gctx_paddr = __psp_pa(sev->snp_context);
+ data.page_type = SNP_PAGE_TYPE_VMSA;
+
+handle_remaining_vcpus:
+ kvm_for_each_vcpu(i, vcpu, kvm) {
+ struct vcpu_svm *svm = to_svm(vcpu);
+ u64 pfn = __pa(svm->sev_es.vmsa) >> PAGE_SHIFT;
+
+ /* Handle boot vCPU first to ensure consistent measurement of initial state. */
+ if (!boot_vcpu_handled && vcpu->vcpu_id != 0)
+ continue;
+
+ if (boot_vcpu_handled && vcpu->vcpu_id == 0)
+ continue;
+
+ /* Perform some pre-encryption checks against the VMSA */
+ ret = sev_es_sync_vmsa(svm);
+ if (ret)
+ return ret;
+
+ /* Transition the VMSA page to a firmware state. */
+ ret = rmp_make_private(pfn, INITIAL_VMSA_GPA, PG_LEVEL_4K, sev->asid, true);
+ if (ret)
+ return ret;
+
+ /* Issue the SNP command to encrypt the VMSA */
+ data.address = __sme_pa(svm->sev_es.vmsa);
+ ret = __sev_issue_cmd(argp->sev_fd, SEV_CMD_SNP_LAUNCH_UPDATE,
+ &data, &argp->error);
+ if (ret) {
+ snp_page_reclaim(pfn);
+ return ret;
+ }
+
+ svm->vcpu.arch.guest_state_protected = true;
+
+ if (!boot_vcpu_handled) {
+ boot_vcpu_handled = true;
+ goto handle_remaining_vcpus;
+ }
+ }
+
+ return 0;
+}
+
+static int snp_launch_finish(struct kvm *kvm, struct kvm_sev_cmd *argp)
+{
+ struct kvm_sev_info *sev = &to_kvm_svm(kvm)->sev_info;
+ struct kvm_sev_snp_launch_finish params;
+ struct sev_data_snp_launch_finish *data;
+ void *id_block = NULL, *id_auth = NULL;
+ int ret;
+
+ if (!sev_snp_guest(kvm))
+ return -ENOTTY;
+
+ if (!sev->snp_context)
+ return -EINVAL;
+
+ if (copy_from_user(¶ms, u64_to_user_ptr(argp->data), sizeof(params)))
+ return -EFAULT;
+
+ /* Measure all vCPUs using LAUNCH_UPDATE before finalizing the launch flow. */
+ ret = snp_launch_update_vmsa(kvm, argp);
+ if (ret)
+ return ret;
+
+ data = kzalloc(sizeof(*data), GFP_KERNEL_ACCOUNT);
+ if (!data)
+ return -ENOMEM;
+
+ if (params.id_block_en) {
+ id_block = psp_copy_user_blob(params.id_block_uaddr, KVM_SEV_SNP_ID_BLOCK_SIZE);
+ if (IS_ERR(id_block)) {
+ ret = PTR_ERR(id_block);
+ goto e_free;
+ }
+
+ data->id_block_en = 1;
+ data->id_block_paddr = __sme_pa(id_block);
+
+ id_auth = psp_copy_user_blob(params.id_auth_uaddr, KVM_SEV_SNP_ID_AUTH_SIZE);
+ if (IS_ERR(id_auth)) {
+ ret = PTR_ERR(id_auth);
+ goto e_free_id_block;
+ }
+
+ data->id_auth_paddr = __sme_pa(id_auth);
+
+ if (params.auth_key_en)
+ data->auth_key_en = 1;
+ }
+
+ data->vcek_disabled = params.vlek_required;
+
+ memcpy(data->host_data, params.host_data, KVM_SEV_SNP_FINISH_DATA_SIZE);
+ data->gctx_paddr = __psp_pa(sev->snp_context);
+ ret = sev_issue_cmd(kvm, SEV_CMD_SNP_LAUNCH_FINISH, data, &argp->error);
+
+ kfree(id_auth);
+
+e_free_id_block:
+ kfree(id_block);
+
+e_free:
+ kfree(data);
+
+ return ret;
+}
+
int sev_mem_enc_ioctl(struct kvm *kvm, void __user *argp)
{
struct kvm_sev_cmd sev_cmd;
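Review bot: In `snp_launch_finish()`, `data->vcek_disabled = params.vlek_required;` stores a `__u8` into a one-bit field, so an even non-zero value from userspace (2, for example) is truncated to 0 and the VLEK requirement is silently not passed to firmware. `id_block_en` and `auth_key_en` are normalised through an `if`, and this field should be treated the same way: `data->vcek_disabled = !!params.vlek_required;`, or reject values above 1 with `-EINVAL`. Separately, `snp_launch_update_vmsa()` returns 0 without measuring any VMSA when no vCPU has `vcpu_id == 0`, because the first pass skips every other vCPU and `boot_vcpu_handled` never becomes true. Returning an error in that case would prevent finalizing a launch whose vCPU state was never encrypted or measured.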
@@ -2376,6 +2497,9 @@ int sev_mem_enc_ioctl(struct kvm *kvm, void __user *argp)
case KVM_SEV_SNP_LAUNCH_UPDATE:
r = snp_launch_update(kvm, &sev_cmd);
break;
+ case KVM_SEV_SNP_LAUNCH_FINISH:
+ r = snp_launch_finish(kvm, &sev_cmd);
+ break;
default:
r = -EINVAL;
goto out;
@@ -2866,11 +2990,24 @@ void sev_free_vcpu(struct kvm_vcpu *vcpu)
svm = to_svm(vcpu);
+ /*
+ * If it's an SNP guest, then the VMSA was marked in the RMP table as
+ * a guest-owned page. Transition the page to hypervisor state before
+ * releasing it back to the system.
+ */
+ if (sev_snp_guest(vcpu->kvm)) {
+ u64 pfn = __pa(svm->sev_es.vmsa) >> PAGE_SHIFT;
+
+ if (host_rmp_make_shared(pfn, PG_LEVEL_4K, true))
+ goto skip_vmsa_free;
+ }
+
if (vcpu->arch.guest_state_protected)
sev_flush_encrypted_page(vcpu, svm->sev_es.vmsa);
__free_page(virt_to_page(svm->sev_es.vmsa));
+skip_vmsa_free:
if (svm->sev_es.ghcb_sa_free)
kvfree(svm->sev_es.ghcb_sa);
}
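Review bot: When `host_rmp_make_shared()` fails, the `goto skip_vmsa_free` path skips `__free_page()`, so the VMSA page is never returned to the allocator, and nothing logs this or says it is deliberate. If the leak is intended (presumably the page cannot be reused safely while the RMP still marks it guest-owned), state that at the branch, e.g. `/* RMP transition failed: leak the page rather than free a guest-owned page */`, and consider a `WARN_ONCE()` so operators can see it. The transition is also attempted for every vCPU of an SNP guest, including ones whose VMSA was never made private because LAUNCH_FINISH did not run; whether `host_rmp_make_shared()` tolerates that is not visible here. `sev_free_vcpu()` begins outside the hunk.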
diff --git a/include/linux/psp-sev.h b/include/linux/psp-sev.h
index 3705c2044fc0..903ddfea8585 100644
--- a/include/linux/psp-sev.h
+++ b/include/linux/psp-sev.h
@@ -658,6 +658,7 @@ struct sev_data_snp_launch_update {
* @id_auth_paddr: system physical address of ID block authentication structure
* @id_block_en: indicates whether ID block is present
* @auth_key_en: indicates whether author key is present in authentication structure
+ * @vcek_disabled: indicates whether use of VCEK is allowed for attestation reports
* @rsvd: reserved
* @host_data: host-supplied data for guest, not interpreted by firmware
*/
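Review bot: The kernel-doc text for `@vcek_disabled` reads as the opposite of the field name: "indicates whether use of VCEK is allowed" suggests that 1 means allowed. The name, and the `vlek_required` value copied into the field in `snp_launch_finish()`, suggest that 1 means VCEK is not allowed. Suggested wording: `@vcek_disabled: when set, VCEK may not be used for attestation reports (VLEK is required)`. The comment block starts outside the hunk.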
@@ -667,7 +668,8 @@ struct sev_data_snp_launch_finish {
u64 id_auth_paddr;
u8 id_block_en:1;
u8 auth_key_en:1;
- u64 rsvd:62;
+ u8 vcek_disabled:1;
+ u64 rsvd:61;
u8 host_data[32];
} __packed;
--
2.25.1