Am 22/04/2024 um 14:16 schrieb Markus Frank:
> This patch is for enabling AMD SEV (Secure Encrypted
> Virtualization) support in QEMU
try to keep a somewhat unified line length over the whole commit message,
most editors support re-flowing (parts of the) text to e.g. the for
commit messages commonly used 70 or 72 text width.
>
> VM-Config-Examples:
> amd_sev: type=std,nodbg=1,noks=1
> amd_sev: es,nodbg=1,kernel-hashes=1
>
> Node-Config-Example (gets generated automatically):
> amd_sev: cbitpos=47,reduced-phys-bios=1
>
> kernel-hashes, reduced-phys-bios & cbitpos correspond to the varibles
typo: variables
> with the same name in qemu.
>
> kernel-hashes=1 adds kernel-hashes to enable measured linux kernel
> launch since it is per default off for backward compatibility.
>
> reduced-phys-bios and cbitpos are system specific and are read out by
> the amd-sev-support.service on boot and saved to the /run/amd-sev-params
> file. This file is parsed and than used by qemu-server to correctly
> start a AMD SEV VM.
>
> type=std stands for standard sev to differentiate it from sev-es (es)
> or sev-snp (snp) when support is upstream.
>
> QEMU's sev-guest policy gets calculated with the parameters nodbg & noks
> These parameters correspond to policy-bits 0 & 1.
> If type is 'es' than policy-bit 2 gets set to 1 to activate SEV-ES.
> Policy bit 3 (nosend) is always set to 1, because migration
> features for sev are not upstream yet and are attackable.
>
> SEV-ES is highly experimental since it could not be tested.
>
> see coherent doc patch
>
> Signed-off-by: Markus Frank <m.fr...@proxmox.com>
> ---
> v7:
> * adjustments for the changes made in the query-machine-params C program
>
> v6:
> * rebase on master
> * removed unused $sev_node_fmt object
>
> v5:
> * parse /run/amd-sev-params for hardware parameters
> * removed NodeConfig dependency
> * only disallow live-migration and snapshots with vmstate
> -> allow offline migration and snapshots without vmstate
>
> v4:
> * reduced lines of code
> * added text that SEV-ES is experimental
>
> PVE/API2/Qemu.pm | 10 ++++++
> PVE/QemuMigrate.pm | 4 +++
> PVE/QemuServer.pm | 83 ++++++++++++++++++++++++++++++++++++++++++++++
> 3 files changed, 97 insertions(+)
>
> diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm
> index 2a349c8..2e8d654 100644
> --- a/PVE/API2/Qemu.pm
> +++ b/PVE/API2/Qemu.pm
> @@ -4512,6 +4512,10 @@ __PACKAGE__->register_method({
> push $local_resources->@*, "clipboard=vnc";
> }
> > + if ($res->{running} && $vmconf->{amd_sev}) {
a comment might be good here
> + push $local_resources->@*, "amd_sev";
> + }
> +
> # if vm is not running, return target nodes where local storage/mapped
> devices are available
> # for offline migration
> if (!$res->{running}) {
> @@ -5192,6 +5196,12 @@ __PACKAGE__->register_method({
> die "unable to use snapshot name 'pending' (reserved name)\n"
> if lc($snapname) eq 'pending';
>
> + my $conf = PVE::QemuConfig->load_config($vmid);
> + if ($param->{vmstate} && $conf->{amd_sev}) {
> + die "Snapshots that include memory are not supported while memory"
> + ." is encrypted by AMD SEV.\n"
> + }
> +
> my $realcmd = sub {
> PVE::Cluster::log_msg('info', $authuser, "snapshot VM $vmid:
> $snapname");
> PVE::QemuConfig->snapshot_create($vmid, $snapname,
> $param->{vmstate},
> diff --git a/PVE/QemuMigrate.pm b/PVE/QemuMigrate.pm
> index 8d9b35a..7db18b2 100644
> --- a/PVE/QemuMigrate.pm
> +++ b/PVE/QemuMigrate.pm
> @@ -260,6 +260,10 @@ sub prepare {
> die "VMs with 'clipboard' set to 'vnc' are not live migratable!\n";
> }
>
> + if ($running && $conf->{'amd_sev'}) {
> + die "VMs with AMD SEV are not live migratable!\n";
cannot live-migrate VM when AMD SEV is enabled.
> + }
> +
> my $vollist = PVE::QemuServer::get_vm_volumes($conf);
>
> my $storages = {};
> diff --git a/PVE/QemuServer.pm b/PVE/QemuServer.pm
> index 28e630d..b03f1b4 100644
> --- a/PVE/QemuServer.pm
> +++ b/PVE/QemuServer.pm
> @@ -177,6 +177,40 @@ my $agent_fmt = {
> },
> };
>
> +my $sev_fmt = {
> + type => {
> + description => "Enable standard SEV with type='std' or enable
> experimental SEV-ES"
> + ." with the 'es' option.",
> + type => 'string',
> + default_key => 1,
> + format_description => "qemu-sev-type",
> + enum => ['std', 'es'],
> + maxLength => 3,
> + },
> + nodbg => {
'no-debug' would be more telling
> + description => "Sets policy bit 0 to 1 to disallow debugging of guest",
> + type => 'boolean',
> + format_description => "qemu-sev-nodbg",
do we need a format description for a boolean
> + default => 0,
> + optional => 1,
> + },
> + noks => {
'no-key-sharing' would be also more telling
> + description => "Sets policy bit 1 to 1 to disallow key sharing with
> other guests",
> + type => 'boolean',
> + format_description => "qemu-sev-noks",
do we need a format description for a boolean
> + default => 0,
> + optional => 1,
> + },
> + "kernel-hashes" => {
> + description => "Add kernel hashes to guest firmware for measured linux
> kernel launch",
> + type => 'boolean',
> + format_description => "qemu-sev-kernel-hashes",
> + default => 0,
> + optional => 1,
> + },
> +};
> +PVE::JSONSchema::register_format('pve-qemu-sev-fmt', $sev_fmt);
> +
> my $vga_fmt = {
> type => {
> description => "Select the VGA type.",
> @@ -358,6 +392,12 @@ my $confdesc = {
> description => "Memory properties.",
> format => $PVE::QemuServer::Memory::memory_fmt
> },
> + amd_sev => {
> + description => "Secure Encrypted Virtualization (SEV) features by AMD
> CPUs",
> + optional => 1,
> + format => 'pve-qemu-sev-fmt',
> + type => 'string',
> + },
> balloon => {
> optional => 1,
> type => 'integer',
> @@ -4091,6 +4131,39 @@ sub config_to_command {
> }
> }
>
> + if ($conf->{amd_sev}) {
> + if ($conf->{bios} && $conf->{bios} ne 'ovmf') {
> + die "For using SEV you need to change your guest bios to ovmf.\n";
> + }
> +
> + my $amd_sev_conf = parse_property_string($sev_fmt, $conf->{amd_sev});
> + my $sev_hw_params = get_hw_parameters()->{'amd-sev'};
> +
> + if (!$sev_hw_params->{'sev-support'}) {
> + die "Your CPU does not support AMD SEV!\n";
> + }
> + if ($amd_sev_conf->{type} eq 'es' &&
> !$sev_hw_params->{'sev-support-es'}) {
> + die "Your CPU does not support AMD SEV-ES!\n";
> + }
> +
> + my $sev_mem_object = 'sev-guest,id=sev0'
> + .',cbitpos='.$sev_hw_params->{cbitpos}
> + .',reduced-phys-bits='.$sev_hw_params->{'reduced-phys-bits'};
> +
> + my $policy = 0b0;
> + $policy += 0b1 if ($amd_sev_conf->{nodbg});
> + $policy += 0b10 if ($amd_sev_conf->{noks});
> + $policy += 0b100 if ($amd_sev_conf->{type} eq 'es');
> + # disable migration with bit 3 nosend to prevent
> amd-sev-migration-attack
> + $policy += 0b1000;
> +
> + $sev_mem_object .= ',policy='.sprintf("%#x", $policy);
> + $sev_mem_object .= ',kernel-hashes=on' if
> ($amd_sev_conf->{'kernel-hashes'});
> +
> + push @$devices, '-object' , $sev_mem_object;
> + push @$machineFlags, 'confidential-guest-support=sev0';
> + }
> +
> push @$cmd, @$devices;
> push @$cmd, '-rtc', join(',', @$rtcFlags) if scalar(@$rtcFlags);
> push @$cmd, '-machine', join(',', @$machineFlags) if
> scalar(@$machineFlags);
> @@ -4134,6 +4207,16 @@ sub check_rng_source {
> }
> }
>
> +sub get_hw_parameters {
> + # Get reduced-phys-bits & cbitpos from /run/qemu-server/hw-params.json
> + my $filename = '/run/qemu-server/hw-params.json';
I'd not use params, as parameters are normally something one can change in
software,
(i.e. without buying a different CPU, and FW updates are a grey area ^^)
"host-hw-capabilities.json" might be better here
> + open my $fh, '<', $filename or die "Could not open '$filename' for
> reading: $!";
> + my $json_text = do { local $/; <$fh> };
> + close $fh;
> + my $hw_params = JSON->new->decode($json_text);
> + return $hw_params;
> +}
> +
> sub spice_port {
> my ($vmid) = @_;
>
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
