subject:"\[PATCH v3 47\/49\] hw\/i386\/sev\: Add support to encrypt BIOS when SEV\-SNP is enabled"

Re: [PATCH v3 47/49] hw/i386/sev: Add support to encrypt BIOS when SEV-SNP is enabled

2024-03-21 Thread Michael Roth via

On Wed, Mar 20, 2024 at 12:22:34PM +, Daniel P. Berrangé wrote:
> On Wed, Mar 20, 2024 at 03:39:43AM -0500, Michael Roth wrote:
> > TODO: Brijesh as author, me as co-author (vice-versa depending)
> >   drop flash handling? we only support BIOS now
> 
> A reminder that this commit message needs fixing.

Sorry, definitely meant to fix this one up before submitting. I've
gone ahead and force-pushed an updated tree to same qemu-v3-rc branch.
The only change is proper attribution/commit message for this patch:

  https://github.com/AMDESE/qemu/commit/c54618a1cc23f2398e6c3af6f3cf140c4901347c

-Mike

> 
> > 
> > Signed-off-by: Michael Roth 
> > ---
> >  hw/i386/pc_sysfw.c| 12 +++-
> >  hw/i386/x86.c |  2 +-
> >  include/hw/i386/x86.h |  2 +-
> >  target/i386/sev-sysemu-stub.c |  2 +-
> >  target/i386/sev.c | 15 +++
> >  target/i386/sev.h |  2 +-
> >  6 files changed, 22 insertions(+), 13 deletions(-)
> 
> With regards,
> Daniel
> -- 
> |: https://berrange.com  -o-https://www.flickr.com/photos/dberrange :|
> |: https://libvirt.org -o-https://fstop138.berrange.com :|
> |: https://entangle-photo.org-o-https://www.instagram.com/dberrange :|
>

Re: [PATCH v3 47/49] hw/i386/sev: Add support to encrypt BIOS when SEV-SNP is enabled

2024-03-20 Thread Daniel P . Berrangé

On Wed, Mar 20, 2024 at 03:39:43AM -0500, Michael Roth wrote:
> TODO: Brijesh as author, me as co-author (vice-versa depending)
>   drop flash handling? we only support BIOS now

A reminder that this commit message needs fixing.

> 
> Signed-off-by: Michael Roth 
> ---
>  hw/i386/pc_sysfw.c| 12 +++-
>  hw/i386/x86.c |  2 +-
>  include/hw/i386/x86.h |  2 +-
>  target/i386/sev-sysemu-stub.c |  2 +-
>  target/i386/sev.c | 15 +++
>  target/i386/sev.h |  2 +-
>  6 files changed, 22 insertions(+), 13 deletions(-)

With regards,
Daniel
-- 
|: https://berrange.com  -o-https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o-https://fstop138.berrange.com :|
|: https://entangle-photo.org-o-https://www.instagram.com/dberrange :|

[PATCH v3 47/49] hw/i386/sev: Add support to encrypt BIOS when SEV-SNP is enabled

2024-03-20 Thread Michael Roth

TODO: Brijesh as author, me as co-author (vice-versa depending)
  drop flash handling? we only support BIOS now

Signed-off-by: Michael Roth 
---
 hw/i386/pc_sysfw.c| 12 +++-
 hw/i386/x86.c |  2 +-
 include/hw/i386/x86.h |  2 +-
 target/i386/sev-sysemu-stub.c |  2 +-
 target/i386/sev.c | 15 +++
 target/i386/sev.h |  2 +-
 6 files changed, 22 insertions(+), 13 deletions(-)

diff --git a/hw/i386/pc_sysfw.c b/hw/i386/pc_sysfw.c
index 3efabbbab2..9dbb3f7337 100644
--- a/hw/i386/pc_sysfw.c
+++ b/hw/i386/pc_sysfw.c
@@ -149,6 +149,8 @@ static void pc_system_flash_map(PCMachineState *pcms,
 assert(PC_MACHINE_GET_CLASS(pcms)->pci_enabled);
 
 for (i = 0; i < ARRAY_SIZE(pcms->flash); i++) {
+hwaddr gpa;
+
 system_flash = pcms->flash[i];
 blk = pflash_cfi01_get_blk(system_flash);
 if (!blk) {
@@ -178,11 +180,11 @@ static void pc_system_flash_map(PCMachineState *pcms,
 }
 
 total_size += size;
+gpa = 0x1ULL - total_size; /* where the flash is mapped */
 qdev_prop_set_uint32(DEVICE(system_flash), "num-blocks",
  size / FLASH_SECTOR_SIZE);
 sysbus_realize_and_unref(SYS_BUS_DEVICE(system_flash), _fatal);
-sysbus_mmio_map(SYS_BUS_DEVICE(system_flash), 0,
-0x1ULL - total_size);
+sysbus_mmio_map(SYS_BUS_DEVICE(system_flash), 0, gpa);
 
 if (i == 0) {
 flash_mem = pflash_cfi01_get_memory(system_flash);
@@ -192,7 +194,7 @@ static void pc_system_flash_map(PCMachineState *pcms,
 if (sev_enabled()) {
 flash_ptr = memory_region_get_ram_ptr(flash_mem);
 flash_size = memory_region_size(flash_mem);
-x86_firmware_configure(flash_ptr, flash_size);
+x86_firmware_configure(gpa, flash_ptr, flash_size);
 }
 }
 }
@@ -245,7 +247,7 @@ void pc_system_firmware_init(PCMachineState *pcms,
 pc_system_flash_cleanup_unused(pcms);
 }
 
-void x86_firmware_configure(void *ptr, int size)
+void x86_firmware_configure(hwaddr gpa, void *ptr, int size)
 {
 int ret;
 
@@ -262,6 +264,6 @@ void x86_firmware_configure(void *ptr, int size)
 exit(1);
 }
 
-sev_encrypt_flash(ptr, size, _fatal);
+sev_encrypt_flash(gpa, ptr, size, _fatal);
 }
 }
diff --git a/hw/i386/x86.c b/hw/i386/x86.c
index 825dc4c735..e3ddc39133 100644
--- a/hw/i386/x86.c
+++ b/hw/i386/x86.c
@@ -1161,7 +1161,7 @@ void x86_bios_rom_init(MachineState *ms, const char 
*default_firmware,
  */
 void *ptr = memory_region_get_ram_ptr(bios);
 load_image_size(filename, ptr, bios_size);
-x86_firmware_configure(ptr, bios_size);
+x86_firmware_configure(0x1ULL - bios_size, ptr, bios_size);
 } else {
 if (!isapc_ram_fw) {
 memory_region_set_readonly(bios, true);
diff --git a/include/hw/i386/x86.h b/include/hw/i386/x86.h
index 4dc30dcb4d..53dfd95cb2 100644
--- a/include/hw/i386/x86.h
+++ b/include/hw/i386/x86.h
@@ -143,6 +143,6 @@ void ioapic_init_gsi(GSIState *gsi_state, Object *parent);
 DeviceState *ioapic_init_secondary(GSIState *gsi_state);
 
 /* pc_sysfw.c */
-void x86_firmware_configure(void *ptr, int size);
+void x86_firmware_configure(hwaddr gpa, void *ptr, int size);
 
 #endif
diff --git a/target/i386/sev-sysemu-stub.c b/target/i386/sev-sysemu-stub.c
index 96e1c15cc3..6af643e3a1 100644
--- a/target/i386/sev-sysemu-stub.c
+++ b/target/i386/sev-sysemu-stub.c
@@ -42,7 +42,7 @@ void qmp_sev_inject_launch_secret(const char *packet_header, 
const char *secret,
 error_setg(errp, "SEV is not available in this QEMU");
 }
 
-int sev_encrypt_flash(uint8_t *ptr, uint64_t len, Error **errp)
+int sev_encrypt_flash(hwaddr gpa, uint8_t *ptr, uint64_t len, Error **errp)
 {
 g_assert_not_reached();
 }
diff --git a/target/i386/sev.c b/target/i386/sev.c
index e2506f74da..d8e6aba67c 100644
--- a/target/i386/sev.c
+++ b/target/i386/sev.c
@@ -1449,7 +1449,7 @@ err:
 }
 
 int
-sev_encrypt_flash(uint8_t *ptr, uint64_t len, Error **errp)
+sev_encrypt_flash(hwaddr gpa, uint8_t *ptr, uint64_t len, Error **errp)
 {
 SevCommonState *sev_common = SEV_COMMON(MACHINE(qdev_get_machine())->cgs);
 
@@ -1459,7 +1459,14 @@ sev_encrypt_flash(uint8_t *ptr, uint64_t len, Error 
**errp)
 
 /* if SEV is in update state then encrypt the data else do nothing */
 if (sev_check_state(sev_common, SEV_STATE_LAUNCH_UPDATE)) {
-int ret = sev_launch_update_data(SEV_GUEST(sev_common), ptr, len);
+int ret;
+
+if (sev_snp_enabled()) {
+ret = snp_launch_update_data(gpa, ptr, len,
+ KVM_SEV_SNP_PAGE_TYPE_NORMAL);
+} else {
+ret = sev_launch_update_data(SEV_GUEST(sev_common), ptr, len);
+}
 if (ret < 0) {
 error_setg(errp, "SEV: Failed

Re: [PATCH v3 47/49] hw/i386/sev: Add support to encrypt BIOS when SEV-SNP is enabled

Re: [PATCH v3 47/49] hw/i386/sev: Add support to encrypt BIOS when SEV-SNP is enabled

[PATCH v3 47/49] hw/i386/sev: Add support to encrypt BIOS when SEV-SNP is enabled

3 matches

Site Navigation

Mail list logo

Footer information