Add support for enabling debug-swap VMSA SEV feature in SEV-ES and SEV-SNP guests through a new "debug-swap" boolean property on SEV guest objects. Though the boolean property is available for plain SEV guests, check_sev_features() has a check that rejects attempts to enable any SEV feature for a plain SEV guest.
Though this SEV feature is called "Debug virtualization" in the APM, KVM calls this "debug swap" so use the same name for consistency. Sample command-line: -machine q35,confidential-guest-support=sev0 \ -object sev-snp-guest,id=sev0,cbitpos=51,reduced-phys-bits=1,debug-swap=on Restrict debug-swap to SEV-SNP guests at this time due to a compatibility issue with SEV-ES pflash devices. Signed-off-by: Naveen N Rao (AMD) <[email protected]> --- target/i386/sev.h | 1 + target/i386/sev.c | 26 ++++++++++++++++++++++++++ qapi/qom.json | 7 ++++++- 3 files changed, 33 insertions(+), 1 deletion(-) diff --git a/target/i386/sev.h b/target/i386/sev.h index b84ca3ce0b67..d19a39669747 100644 --- a/target/i386/sev.h +++ b/target/i386/sev.h @@ -47,6 +47,7 @@ bool sev_snp_enabled(void); #define SEV_SNP_POLICY_DBG 0x80000 #define SVM_SEV_FEAT_SNP_ACTIVE BIT(0) +#define SVM_SEV_FEAT_DEBUG_SWAP BIT(5) typedef struct SevKernelLoaderContext { char *setup_data; diff --git a/target/i386/sev.c b/target/i386/sev.c index 4553fe4d6e4a..4532b1b6a484 100644 --- a/target/i386/sev.c +++ b/target/i386/sev.c @@ -328,6 +328,11 @@ sev_set_guest_state(SevCommonState *sev_common, SevState new_state) sev_common->state = new_state; } +static bool is_sev_feature_set(SevCommonState *sev_common, uint64_t feature) +{ + return !!(sev_common->sev_features & feature); +} + static void sev_set_feature(SevCommonState *sev_common, uint64_t feature, bool set) { if (set) { @@ -527,6 +532,12 @@ static int check_sev_features(SevCommonState *sev_common, uint64_t sev_features, __func__); return -1; } + if (sev_features && sev_es_enabled() && !sev_snp_enabled()) { + error_setg(errp, + "%s: SEV features are not supported with SEV-ES at this time", + __func__); + return -1; + } if (sev_features && !sev_es_enabled()) { error_setg(errp, "%s: SEV features require either SEV-ES or SEV-SNP to be enabled", @@ -2800,6 +2811,16 @@ static int cgs_set_guest_policy(ConfidentialGuestPolicyType policy_type, return 0; } +static bool sev_common_get_debug_swap(Object *obj, Error **errp) +{ + return is_sev_feature_set(SEV_COMMON(obj), SVM_SEV_FEAT_DEBUG_SWAP); +} + +static void sev_common_set_debug_swap(Object *obj, bool value, Error **errp) +{ + sev_set_feature(SEV_COMMON(obj), SVM_SEV_FEAT_DEBUG_SWAP, value); +} + static void sev_common_class_init(ObjectClass *oc, const void *data) { @@ -2825,6 +2846,11 @@ sev_common_class_init(ObjectClass *oc, const void *data) sev_common_set_kernel_hashes); object_class_property_set_description(oc, "kernel-hashes", "add kernel hashes to guest firmware for measured Linux boot"); + object_class_property_add_bool(oc, "debug-swap", + sev_common_get_debug_swap, + sev_common_set_debug_swap); + object_class_property_set_description(oc, "debug-swap", + "enable virtualization of debug registers"); } static void diff --git a/qapi/qom.json b/qapi/qom.json index dd45ac1087c3..e2bb716b603e 100644 --- a/qapi/qom.json +++ b/qapi/qom.json @@ -1017,6 +1017,10 @@ # designated guest firmware page for measured boot with -kernel # (default: false) (since 6.2) # +# @debug-swap: enable virtualization of debug registers, +# only supported on SEV-ES and SEV-SNP guests +# (default: false) (since 11.1) +# # Features: # # @confidential-guest-reset: If present, the hypervisor supports @@ -1028,7 +1032,8 @@ 'data': { '*sev-device': 'str', '*cbitpos': 'uint32', 'reduced-phys-bits': 'uint32', - '*kernel-hashes': 'bool' }, + '*kernel-hashes': 'bool', + '*debug-swap': 'bool' }, 'features': ['confidential-guest-reset']} ## -- 2.54.0
