This is a demonstration of fast migration for encrypted virtual machines using a Migration Handler that lives in OVMF. This demo uses AMD SEV, but the ideas may generalize to other confidential computing platforms. With AMD SEV, guest memory is encrypted and the hypervisor cannot access or move it. This makes migration tricky. In this demo, we show how the HV can ask a Migration Handler (MH) in the firmware for an encrypted page. The MH encrypts the page with a transport key prior to releasing it to the HV. The target machine also runs an MH that decrypts the page once it is passed in by the target HV. These patches are not ready for production, but they are a full end-to-end solution that facilitates a fast live migration between two SEV VMs.
Corresponding patches for QEMU have been posted by my colleague Dov Murik on qemu-devel. Our approach needs little kernel support, requiring only one hypercall that the guest can use to mark a page as encrypted or shared. This series includes updated patches from Ashish Kalra and Brijesh Singh that allow OVMF to use this hypercall.

The MH runs continuously in the guest, waiting for communication from the HV. The HV starts an additional vCPU for the MH but does not expose it to the guest OS via ACPI. We use the MpService to start the MH. The MpService is only available at runtime, and processes that are started by it are usually cleaned up on ExitBootServices. Since we need the MH to run continuously, we had to make some modifications. Ideally a feature could be added to the MpService to allow for the starting of long-running processes. Besides migration, this could support other background processes that need to operate within the encryption boundary. For now, we have included a handful of patches that modify the MpService to allow the MH to keep running after ExitBootServices. These are temporary.

Ashish Kalra (2):
  OvmfPkg/PlatformPei: Mark SEC GHCB page in the page encryption bitmap.
  OvmfPkg/PlatformDxe: Add support for SEV live migration.

Brijesh Singh (1):
  OvmfPkg/BaseMemEncryptLib: Support to issue unencrypted hypercall

Dov Murik (1):
  OvmfPkg/AmdSev: Build page table for migration handler

Tobin Feldman-Fitzthum (10):
  OvmfPkg/AmdSev: Base for Confidential Migration Handler
  OvmfPkg/PlatformPei: Set Confidential Migration PCD
  OvmfPkg/AmdSev: Setup Migration Handler Mailbox
  OvmfPkg/AmdSev: MH support for mailbox protocol
  UefiCpuPkg/MpInitLib: temp removal of MpLib cleanup
  UefiCpuPkg/MpInitLib: Allocate MP buffer as runtime memory
  UefiCpuPkg/CpuExceptionHandlerLib: Exception handling as runtime memory
  OvmfPkg/AmdSev: Don't overwrite mailbox or pagetables
  OvmfPkg/AmdSev: Don't overwrite MH stack
  OvmfPkg/AmdSev: MH page encryption POC

 OvmfPkg/OvmfPkg.dec                           |  11 +
 OvmfPkg/AmdSev/AmdSevX64.dsc                  |   2 +
 OvmfPkg/AmdSev/AmdSevX64.fdf                  |  13 +-
 .../ConfidentialMigrationDxe.inf              |  45 +++
 .../ConfidentialMigrationPei.inf              |  35 ++
 .../DxeMemEncryptSevLib.inf                   |   1 +
 .../PeiMemEncryptSevLib.inf                   |   1 +
 OvmfPkg/PlatformDxe/Platform.inf              |   2 +
 OvmfPkg/PlatformPei/PlatformPei.inf           |   2 +
 UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf |   2 +
 UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf |   2 +
 OvmfPkg/AmdSev/ConfidentialMigration/MpLib.h  | 235 +++++++++++++
 .../ConfidentialMigration/VirtualMemory.h     | 177 ++++++++++
 OvmfPkg/Include/Guid/MemEncryptLib.h          |  16 +
 OvmfPkg/PlatformDxe/PlatformConfig.h          |   5 +
 .../ConfidentialMigrationDxe.c                | 325 ++++++++++++++++++
 .../ConfidentialMigrationPei.c                |  25 ++
 .../X64/PeiDxeVirtualMemory.c                 |  18 +
 OvmfPkg/PlatformDxe/AmdSev.c                  |  99 ++++++
 OvmfPkg/PlatformDxe/Platform.c                |   6 +
 OvmfPkg/PlatformPei/AmdSev.c                  |  10 +
 OvmfPkg/PlatformPei/Platform.c                |  10 +
 .../CpuExceptionHandlerLib/DxeException.c     |   8 +-
 UefiCpuPkg/Library/MpInitLib/DxeMpLib.c       |  21 +-
 UefiCpuPkg/Library/MpInitLib/MpLib.c          |   7 +-
 25 files changed, 1061 insertions(+), 17 deletions(-)
 create mode 100644 OvmfPkg/AmdSev/ConfidentialMigration/ConfidentialMigrationDxe.inf
 create mode 100644 OvmfPkg/AmdSev/ConfidentialMigration/ConfidentialMigrationPei.inf
 create mode 100644 OvmfPkg/AmdSev/ConfidentialMigration/MpLib.h
 create mode 100644 OvmfPkg/AmdSev/ConfidentialMigration/VirtualMemory.h
 create mode 100644 OvmfPkg/Include/Guid/MemEncryptLib.h
 create mode 100644 OvmfPkg/AmdSev/ConfidentialMigration/ConfidentialMigrationDxe.c
 create mode 100644 OvmfPkg/AmdSev/ConfidentialMigration/ConfidentialMigrationPei.c
 create mode 100644 OvmfPkg/PlatformDxe/AmdSev.c

-- 
2.20.1