| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <cover.1735931639.git.ashish.kalra@amd.com> Date: Fri, 3 Jan 2025 19:58:59 +0000 From: Ashish Kalra <Ashish.Kalra@....com> To: <seanjc@...gle.com>, <pbonzini@...hat.com>, <tglx@...utronix.de>, <mingo@...hat.com>, <bp@...en8.de>, <dave.hansen@...ux.intel.com>, <x86@...nel.org>, <hpa@...or.com>, <thomas.lendacky@....com>, <john.allen@....com>, <herbert@...dor.apana.org.au>, <davem@...emloft.net> CC: <michael.roth@....com>, <dionnaglaze@...gle.com>, <kvm@...r.kernel.org>, <linux-kernel@...r.kernel.org>, <linux-crypto@...r.kernel.org>, <linux-coco@...ts.linux.dev> Subject: [PATCH v3 0/7] Move initializing SEV/SNP functionality to KVM From: Ashish Kalra <ashish.kalra@....com> Remove initializing SEV/SNP functionality from PSP driver and instead add support to KVM to explicitly initialize the PSP if KVM wants to use SEV/SNP functionality. This removes SEV/SNP initialization at PSP module probe time and does on-demand SEV/SNP initialization when KVM really wants to use SEV/SNP functionality. This will allow running legacy non-confidential VMs without initializating SEV functionality. This will assist in adding SNP CipherTextHiding support and SEV firmware hotloading support in KVM without sharing SEV ASID management and SNP guest context support between PSP driver and KVM and keeping all that support only in KVM. To support SEV firmware hotloading, SEV Shutdown will be done explicitly prior to DOWNLOAD_FIRMWARE_EX and SEV INIT post it to work with the requirement of SEV to be in UNINIT state for DOWNLOAD_FIRMWARE_EX. NOTE: SEV firmware hotloading will only be supported if there are no active SEV/SEV-ES guests. v3: - Move back to do both SNP and SEV platform initialization at KVM module load time instead of SEV initialization on demand at SEV/SEV-ES VM launch to prevent breaking QEMU which has a check for SEV to be initialized prior to launching SEV/SEV-ES VMs. - As both SNP and SEV platform initialization and shutdown is now done at KVM module load and unload time remove patches for separate SEV and SNP platform initialization and shutdown. v2: - Added support for separate SEV and SNP platform initalization, while SNP platform initialization is done at KVM module load time, SEV platform initialization is done on demand at SEV/SEV-ES VM launch. - Added support for separate SEV and SNP platform shutdown, both SEV and SNP shutdown done at KVM module unload time, only SEV shutdown down when all SEV/SEV-ES VMs have been destroyed, this allows SEV firmware hotloading support anytime during system lifetime. - Updated commit messages for couple of patches in the series with reference to the feedback received on v1 patches. Ashish Kalra (7): crypto: ccp: Move dev_info/err messages for SEV/SNP initialization crypto: ccp: Fix implicit SEV/SNP init and shutdown in ioctls crypto: ccp: Reset TMR size at SNP Shutdown crypto: ccp: Register SNP panic notifier only if SNP is enabled crypto: ccp: Add new SEV/SNP platform shutdown API KVM: SVM: Add support to initialize SEV/SNP functionality in KVM crypto: ccp: Move SEV/SNP Platform initialization to KVM arch/x86/kvm/svm/sev.c | 15 ++- drivers/crypto/ccp/sev-dev.c | 239 +++++++++++++++++++++++++---------- include/linux/psp-sev.h | 7 +- 3 files changed, 190 insertions(+), 71 deletions(-) -- 2.34.1
Powered by blists - more mailing lists