well?
Thanks for looping me in, I can confirm that SEV virtio-fs device
support was *broken* on the latest qemu, and your patch fixes it.
Tested-by: Brijesh Singh
Regards,
Halil
On Tue, 25 Jan 2022 11:21:12 +0100
Halil Pasic wrote:
ping
On Mon, 17 Jan 2022 13:02:38 +0100
Halil Pasic
On 1/17/22 1:34 AM, Dov Murik wrote:
> [+cc Tom, Brijesh, Ashish - see SEV-related changes in this series]
>
>
> On 13/01/2022 18:55, Daniel P. Berrangé wrote:
>> The AMD SEV build of EDK2 only emits a single file, intended to be
>>
>> mapped readonly. There is explicitly no separate writable VAR
On 11/29/21 8:29 AM, Brijesh Singh wrote:
On 11/25/21 7:59 AM, Dov Murik wrote:
[+cc Tom, Brijesh]
On 25/11/2021 15:42, Daniel P. Berrangé wrote:
On Thu, Nov 25, 2021 at 02:44:51PM +0200, Dov Murik wrote:
[+cc jejb, tobin, jim, hubertus]
On 25/11/2021 9:14, Sergio Lopez wrote:
On Wed
On 11/25/21 7:59 AM, Dov Murik wrote:
[+cc Tom, Brijesh]
On 25/11/2021 15:42, Daniel P. Berrangé wrote:
On Thu, Nov 25, 2021 at 02:44:51PM +0200, Dov Murik wrote:
[+cc jejb, tobin, jim, hubertus]
On 25/11/2021 9:14, Sergio Lopez wrote:
On Wed, Nov 24, 2021 at 06:29:07PM +, Dr. David
On 11/16/21 3:23 AM, Daniel P. Berrangé wrote:
> On Thu, Aug 26, 2021 at 05:26:15PM -0500, Michael Roth wrote:
>> These patches implement SEV-SNP along with CPUID enforcement support for
>> QEMU,
>> and are also available at:
>>
>>
>> https://nam11.safelinks.protection.outlook.com/?url=https%
On 11/8/21 7:48 AM, Dov Murik wrote:
Tom Lendacky and Brijesh Singh reported two issues with launching SEV
guests with the -kernel QEMU option when an old [1] or wrongly configured [2]
OVMF images are used.
To fix these issues, this series "hides" the whole kernel hashes
addition
On 11/5/21 1:32 PM, Dov Murik wrote:
On 02/11/2021 16:48, Brijesh Singh wrote:
On 11/2/21 8:22 AM, Dov Murik wrote:
On 02/11/2021 12:52, Brijesh Singh wrote:
Hi Dov,
Overall the patch looks good, the only question I have is that now we are
enforcing qemu to hash the kernel, initrd and
On 11/3/21 9:08 AM, Dr. David Alan Gilbert wrote:
* Brijesh Singh (brijesh.si...@amd.com) wrote:
On 11/2/21 8:22 AM, Dov Murik wrote:
On 02/11/2021 12:52, Brijesh Singh wrote:
Hi Dov,
Overall the patch looks good, the only question I have is that now we are
enforcing qemu to hash the kernel
On 11/2/21 8:22 AM, Dov Murik wrote:
On 02/11/2021 12:52, Brijesh Singh wrote:
Hi Dov,
Overall the patch looks good, the only question I have is that now we are
enforcing qemu to hash the kernel, initrd and cmdline unconditionally for
any of the SEV guest launches. This requires anyone wanting
> Tom Lendacky and Brijesh Singh reported two issues with launching SEV
> guests with the -kernel QEMU option when an old [1] or wrongly configured [2]
> OVMF images are used.
>
> The fixes in patches 1 and 2 allow such guests to boot by skipping the
> kernel/initrd/cmdline hashes additi
Hi Dov,
Sorry for coming a bit late on it but I am seeing another issue with
this patch. The hash build logic looks for a SEV_HASH_TABLE_RV_GUID in
the GUID list. If found, it uses the base address to store the hashes.
Looking at the OVMF, it seems that base address for this GUID is zero.
It
On 10/6/21 11:55 AM, Philippe Mathieu-Daudé wrote:
> On 10/4/21 10:19, Paolo Bonzini wrote:
>> On 02/10/21 14:53, Philippe Mathieu-Daudé wrote:
>>> Only declare sev_enabled() and sev_es_enabled() when CONFIG_SEV is
>>> set, to allow the compiler to elide unused code. Remove unnecessary
>>> stubs.
On 9/5/21 4:19 AM, Dov Murik wrote:
>
> On 27/08/2021 1:26, Michael Roth wrote:
>> From: Brijesh Singh
>>
>> When SEV-SNP is enabled, the KVM_SNP_INIT command is used to initialize
>> the platform. The command checks whether SNP is enabled in the KVM, if
>>
Hi Dov,
On 9/5/21 2:07 AM, Dov Murik wrote:
...
>
>>
>> uint64_t
>> @@ -1074,6 +1083,7 @@ int sev_kvm_init(ConfidentialGuestSupport *cgs, Error
>> **errp)
>> uint32_t ebx;
>> uint32_t host_cbitpos;
>> struct sev_user_data_status status = {};
>> +void *init_args = NULL;
>>
On 7/19/21 7:34 AM, Dov Murik wrote:
Hi Brijesh,
On 10/07/2021 0:55, Brijesh Singh wrote:
The SNP_LAUNCH_START is called first to create a cryptographic launch
context within the firmware.
Signed-off-by: Brijesh Singh
---
target/i386/sev.c| 30
Hi Dov,
On 7/19/21 6:24 AM, Dov Murik wrote:
s/LAUNCH_UPDATE/SNP_LAUNCH_UPDATE/
(to show it's the same command you refer to above)
Noted.
+static int
+sev_snp_launch_update_gpa(uint32_t hwaddr, uint32_t size, uint8_t type)
hwaddr is a confusing name here because it is also a typedef (
Hi Dov,
On 7/19/21 6:35 AM, Dov Murik wrote:
Hi Brijesh,
On 10/07/2021 0:55, Brijesh Singh wrote:
Sync the kvm.h with the kernel to include the SNP specific commands.
Signed-off-by: Brijesh Singh
---
linux-headers/linux/kvm.h | 47 +++
What about psp
On 7/15/21 4:32 AM, Dov Murik wrote:
Just making sure I understand:
* sev_enabled() returns true for SEV or newer (SEV or SEV-ES or
SEV-SNP).
* sev_es_enabled() returns true for SEV-ES or newer (SEV-ES or SEV-SNP).
* sev_snp_enabled() returns true for SEV-SNP or newer (currently only
S
On 7/14/21 12:29 PM, Dr. David Alan Gilbert wrote:>> +struct
snp_pre_validated_range {
+uint32_t start;
+uint32_t end;
+};
Just a thought, but maybe use a 'Range' from include/qemu/range.h ?
I will look into it.
thanks
On 7/14/21 12:08 PM, Connor Kuehl wrote:
On 7/9/21 3:55 PM, Brijesh Singh wrote:
The KVM_SEV_SNP_LAUNCH_UPDATE command is used for encrypting the bios
image used for booting the SEV-SNP guest.
Signed-off-by: Brijesh Singh
---
target/i386/sev.c| 33
On 7/14/21 4:52 AM, Dr. David Alan Gilbert wrote:
> * Brijesh Singh (brijesh.si...@amd.com) wrote:
>>
>> On 7/13/21 3:05 AM, Dov Murik wrote:>
>>> Particularly confusing is the `policy` attribute which is only relevant
>>> for SEV / SEV-ES, while there
On 7/13/21 8:46 AM, Markus Armbruster wrote:
> Brijesh Singh writes:
>
>> To launch the SEV-SNP guest, a user can specify up to 8 parameters.
>> Passing all parameters through command line can be difficult. To simplify
>> the launch parameter passing, introduce a .ini-l
On 7/13/21 3:31 AM, Dr. David Alan Gilbert wrote:
adding it to QMP as well (unless it's purely for debug and may change).
We have query-sev QMP, I will extend to add a new 'snp: bool' field.
thanks
On 7/13/21 3:05 AM, Dov Murik wrote:>
Particularly confusing is the `policy` attribute which is only relevant
for SEV / SEV-ES, while there's a new `snp.policy` attribute for SNP...
Maybe the irrelevant attributes should not be added to the tree when not
in SNP.
The policy fields are also ap
On 7/12/21 11:24 AM, Daniel P. Berrangé wrote:>>
policy: 8 bytes
flags: 8 bytes
id_block: 96 bytes
id_auth: 4096 bytes
host_data: 32 bytes
gosvw: 16 bytes
Only the id_auth parameter is really considered large here.
When you say "up to a page size", that implies that the size is
actually var
On 7/12/21 9:34 AM, Dr. David Alan Gilbert wrote:
$ cat snp-launch.init
# SNP launch parameters
[SEV-SNP]
init_flags = 0
policy = 0x1000
id_block = "YWFhYWFhYWFhYWFhYWFhCg=="
Wouldn't the 'gosvw' and 'hostdata' also be in there?
I did not include all the 8 parameters in the commit mess
On 7/12/21 9:43 AM, Daniel P. Berrangé wrote:
On Fri, Jul 09, 2021 at 04:55:46PM -0500, Brijesh Singh wrote:
To launch the SEV-SNP guest, a user can specify up to 8 parameters.
Passing all parameters through command line can be difficult.
This sentence applies to pretty much everything in
On 7/10/21 3:32 PM, Michael S. Tsirkin wrote:
On Fri, Jul 09, 2021 at 04:55:45PM -0500, Brijesh Singh wrote:
Sync the kvm.h with the kernel to include the SNP specific commands.
Signed-off-by: Brijesh Singh
Pls specify which kernel version you used for the sync.
This sync is based on
/files/TechDocs/56860.pdf
Brijesh Singh (6):
linux-header: add the SNP specific command
i386/sev: extend sev-guest property to include SEV-SNP
i386/sev: initialize SNP context
i386/sev: add the SNP launch start context
i386/sev: add support to encrypt BIOS when SEV-SNP is enabled
i386
The KVM_SEV_SNP_LAUNCH_UPDATE command is used for encrypting the bios
image used for booting the SEV-SNP guest.
Signed-off-by: Brijesh Singh
---
target/i386/sev.c| 33 -
target/i386/trace-events | 1 +
2 files changed, 33 insertions(+), 1 deletion
SNP_LAUNCH_FINISH to finalize the guest boot.
Signed-off-by: Brijesh Singh
---
target/i386/sev.c| 184 ++-
target/i386/trace-events | 2 +
2 files changed, 184 insertions(+), 2 deletions(-)
diff --git a/target/i386/sev.c b/target/i386/sev.c
index
The SNP_LAUNCH_START is called first to create a cryptographic launch
context within the firmware.
Signed-off-by: Brijesh Singh
---
target/i386/sev.c| 30 +-
target/i386/trace-events | 1 +
2 files changed, 30 insertions(+), 1 deletion(-)
diff --git a
When SEV-SNP is enabled, the KVM_SNP_INIT command is used to initialize
the platform. The command checks whether SNP is enabled in the KVM, if
enabled then it allocates a new ASID from the SNP pool and calls the
firmware to initialize all the resources.
Signed-off-by: Brijesh Singh
examples:
1) launch without additional parameters
$(QEMU_CLI) \
-object sev-guest,id=sev0,snp=on
2) launch with optional parameters
$(QEMU_CLI) \
-object sev-guest,id=sev0,snp=on,launch-config=
Signed-off-by: Brijesh Singh
---
docs/amd-memory-encryption.txt | 81 +++
Sync the kvm.h with the kernel to include the SNP specific commands.
Signed-off-by: Brijesh Singh
---
linux-headers/linux/kvm.h | 47 +++
1 file changed, 47 insertions(+)
diff --git a/linux-headers/linux/kvm.h b/linux-headers/linux/kvm.h
index 20d6a263bb
On 6/3/21 6:30 AM, Dr. David Alan Gilbert (git) wrote:
> From: "Dr. David Alan Gilbert"
>
> Removes a whole bunch of g_free's and a goto.
>
> Signed-off-by: Dr. David Alan Gilbert
Reviewed-by: Brijesh Singh
thanks
> ---
> target/i386/sev.c | 11 +++
Hi,
Ping. Please let me know if you have any feedback on this patch.
Thanks
On 4/29/21 12:07 PM, Brijesh Singh wrote:
> The SEV FW >= 0.23 added a new command that can be used to query the
> attestation report containing the SHA-256 digest of the guest memory
> and VMSA encryp
uery-sev-attestation-report" that can be used
to get the report encoded in base64.
Cc: James Bottomley
Cc: Tom Lendacky
Cc: Eric Blake
Cc: Paolo Bonzini
Cc: k...@vger.kernel.org
Reviewed-by: James Bottomley
Tested-by: James Bottomley
Signed-off-by: Brijesh Singh
---
v3:
* free the bu
Hi All,
It seems creating the sev-guest object is broken rc0 tag. The following
command is no longer able to create the sev-guest object
$QEMU \
-machine ...,confidential-guest-support=sev0 \
-object sev-guest,id=sev0,policy=0x1 \
It fails with "-object sev-guest,id=sev0: Invalid parameter
'
inux-headers.sh script.
>>>
>>> Signed-off-by: Philippe Mathieu-Daudé
>>> ---
>>> Based-on: <20210218151633.215374-1-cku...@redhat.com>
I am in the favor to keep list in sync with header updates. thanks
Acked-by: Brijesh Singh
>>> ---
>>&
uery-sev-attestation-report" that can be used
to get the report encoded in base64.
Cc: James Bottomley
Cc: Tom Lendacky
Cc: Eric Blake
Cc: Paolo Bonzini
Cc: k...@vger.kernel.org
Signed-off-by: Brijesh Singh
---
v2:
* add trace event.
* fix the goto to return NULL on failure.
* make th
On 12/10/20 10:13 AM, James Bottomley wrote:
> On Fri, 2020-12-04 at 15:31 -0600, Brijesh Singh wrote:
>> The SEV FW >= 0.23 added a new command that can be used to query the
>> attestation report containing the SHA-256 digest of the guest memory
>> and VMSA encrypted wi
uery-sev-attestation-report" that can be used
to get the report encoded in base64.
Cc: James Bottomley
Cc: Tom Lendacky
Cc: Eric Blake
Cc: Paolo Bonzini
Cc: k...@vger.kernel.org
Signed-off-by: Brijesh Singh
---
linux-headers/linux/kvm.h | 8 ++
qapi/misc-target.
with the Transport Integrity
> Key. Although QEMU facilitates the injection of the
> launch secret, it cannot access the secret.
>
> Signed-off-by: Tobin Feldman-Fitzthum
> Reviewed-by: Daniel P. Berrangé
Reviewed-by: Brijesh Singh
thanks
> ---
> include/monitor/monitor.h |
On 10/14/20 10:17 AM, to...@linux.ibm.com wrote:
> From: Tobin Feldman-Fitzthum
>
> AMD SEV allows a guest owner to inject a secret blob
> into the memory of a virtual machine. The secret is
> encrypted with the SEV Transport Encryption Key and
> integrity is guaranteed with the Transport Integr
On 9/24/20 2:06 PM, Ashish Kalra wrote:
> Hello Dave,
>
> Thanks for your response, please see my replies inline :
>
> On Thu, Sep 24, 2020 at 02:53:42PM +0100, Dr. David Alan Gilbert wrote:
>> * Ashish Kalra (ashish.ka...@amd.com) wrote:
>>> Hello Alan, Paolo,
>>>
>>> I am following up on Brijes
On 7/3/20 6:11 AM, Dr. David Alan Gilbert wrote:
> * Tobin Feldman-Fitzthum (to...@linux.vnet.ibm.com) wrote:
>> From: Tobin Feldman-Fitzthum
>>
>> AMD SEV allows a guest owner to inject a secret blob
>> into the memory of a virtual machine. The secret is
>> encrypted with the SEV Transport Encr
On 3/20/20 1:43 PM, Halil Pasic wrote:
> On Thu, 19 Mar 2020 18:31:11 +0100
> David Hildenbrand wrote:
>
>> [...]
>>
I asked this question already to Michael (cc) via a different
channel, but here it is again:
Why does the balloon driver not support VIRTIO_F_IOMMU_PLATFORM? I
On 3/13/20 7:44 AM, Halil Pasic wrote:
> [..]
>>> CCing Tom. @Tom does vhost-vsock work for you with SEV and current qemu?
>>>
>>> Also, one can specify iommu_platform=on on a device that ain't a part of
>>> a secure-capable VM, just for the fun of it. And that breaks
>>> vhost-vsock. Or is setti
On 09/17/2018 01:06 PM, Eduardo Habkost wrote:
...#define TYPE_AMD_IOMMU_DEVICE "amd-iommu"
#define AMD_IOMMU_DEVICE(obj)\
@@ -278,6 +288,9 @@ typedef struct AMDVIState {
/* IOTLB */
GHashTable *iotlb;
+
+/* Interrupt remapping */
+bool intr_enabled;
Why do y
On 09/17/2018 08:49 AM, Eduardo Habkost wrote:
Hi,
I couldn't review the whole patch yet, but I have some comments
below:
On Fri, Sep 14, 2018 at 01:26:59PM -0500, Brijesh Singh wrote:
Register the interrupt remapping callback and read/write ops for the
amd-iommu-ir memory region.
On 09/17/2018 12:52 AM, Peter Xu wrote:
On Fri, Sep 14, 2018 at 01:27:00PM -0500, Brijesh Singh wrote:
Emulate the interrupt remapping support when guest virtual APIC is
not enabled.
For more info refer: AMD IOMMU spec Rev 3.0 - section 2.2.5.1
When VAPIC is not enabled, it uses interrupt
On 09/17/2018 07:56 AM, Eduardo Habkost wrote:
On Fri, Sep 14, 2018 at 01:26:58PM -0500, Brijesh Singh wrote:
Currently, the amdvi_validate_dte() assumes that a valid DTE will
always have V=1. This is not true. The V=1 means that bit[127:1] are
valid. A valid DTE can have IV=1 and V=0 (i.e
On 9/16/18 11:33 PM, Peter Xu wrote:
> On Fri, Sep 14, 2018 at 01:26:58PM -0500, Brijesh Singh wrote:
>> Currently, the amdvi_validate_dte() assumes that a valid DTE will
>> always have V=1. This is not true. The V=1 means that bit[127:1] are
>> valid. A valid DTE can have
When interrupt remapping is enabled, add a special IVHD device
(type IOAPIC).
Signed-off-by: Brijesh Singh
Cc: "Michael S. Tsirkin"
Cc: Paolo Bonzini
Cc: Richard Henderson
Cc: Eduardo Habkost
Cc: Marcel Apfelbaum
Cc: Tom Lendacky
Cc: Suravee Suthikulpanit
---
hw/i386/acpi-bu
lo Bonzini
Cc: Richard Henderson
Cc: Eduardo Habkost
Cc: Marcel Apfelbaum
Cc: Tom Lendacky
Cc: Suravee Suthikulpanit
Signed-off-by: Brijesh Singh
---
hw/i386/amd_iommu.c | 189 ++-
hw/i386/amd_iommu.h | 46 -
hw/i386/trace-ev
IV bits.
Signed-off-by: Brijesh Singh
Cc: "Michael S. Tsirkin"
Cc: Paolo Bonzini
Cc: Richard Henderson
Cc: Eduardo Habkost
Cc: Marcel Apfelbaum
Cc: Tom Lendacky
Cc: Suravee Suthikulpanit
---
hw/i386/amd_iommu.c | 7 ---
1 file changed, 4 insertions(+), 3 deletions(-)
diff
dress space name to include the devfn.
Cc: "Michael S. Tsirkin"
Cc: Paolo Bonzini
Cc: Richard Henderson
Cc: Eduardo Habkost
Cc: Marcel Apfelbaum
Cc: Tom Lendacky
Cc: Suravee Suthikulpanit
Signed-off-by: Brijesh Singh
---
hw/i386/amd
e comments explaining why we add the special device
- some minor cleanups based on Peter's feedbacks
Brijesh Singh (8):
x86_iommu: move the kernel-irqchip check in common code
x86_iommu: move vtd_generate_msi_message in common file
x86_iommu/amd: remove V=1 check from amdvi_validate_dte()
-iommu does not
support guest virtual APIC mode (aka AVIC) which would be used for the
nested VMs.
See Table 21 from IOMMU spec for interrupt virtualization controls
Signed-off-by: Brijesh Singh
Reviewed-by: Peter Xu
Cc: "Michael S. Tsirkin"
Cc: Paolo Bonzini
Cc: Richard Henderson
C
no logic changes in the code flow.
Signed-off-by: Brijesh Singh
Suggested-by: Peter Xu
Cc: "Michael S. Tsirkin"
Cc: Paolo Bonzini
Cc: Richard Henderson
Cc: Eduardo Habkost
Cc: Marcel Apfelbaum
Cc: Tom Lendacky
Cc: Suravee Suthikulpanit
---
hw/i386/intel_iommu.c
Interrupt remapping needs kernel-irqchip={off|split} on both Intel and AMD
platforms. Move the check in common place.
Signed-off-by: Brijesh Singh
Reviewed-by: Peter Xu
Cc: "Michael S. Tsirkin"
Cc: Paolo Bonzini
Cc: Richard Henderson
Cc: Eduardo Habkost
Cc: Marcel Apfelbau
On 09/13/2018 01:18 PM, Michael S. Tsirkin wrote:
...>>
0x01 00a0 00 00 48
Byte 0: 0x48 (special device)
Byte 1 & 2: must be zero
Byte 3: 0 (dte setting)
Byte 4: 0 (handle)
Byte 5 & 6: IOAPIC devfn (14:0.0)
Do you mean *bus* devfn? devfn is 0.0.
Sorry my bad, I was meaning to write
On 09/11/2018 11:52 PM, Peter Xu wrote:
...
diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c
index 5c2c638..1cbc8ba 100644
--- a/hw/i386/acpi-build.c
+++ b/hw/i386/acpi-build.c
@@ -2565,7 +2565,8 @@ build_amd_iommu(GArray *table_data, BIOSLinker *linker)
build_append_int_nopref
On 09/12/2018 11:35 AM, Igor Mammedov wrote:
...
+/*
+ * When interrupt remapping is enabled, Linux IOMMU driver also checks
+ * for special IVHD device (type IO-APIC), which is typically presented
+ * as PCI device 14:00.0.
Probably it shouldn't be a 'typically' device fr
On 09/11/2018 11:35 PM, Peter Xu wrote:
On Tue, Sep 11, 2018 at 11:49:47AM -0500, Brijesh Singh wrote:
When interrupt remapping is enabled, add a special IVHD device
(type IOAPIC) -- which is typically PCI device 14:0.0. Linux IOMMU driver
checks for this special device.
Cc: "Mich
On 09/11/2018 10:52 PM, Peter Xu wrote:
On Tue, Sep 11, 2018 at 11:49:45AM -0500, Brijesh Singh wrote:
static AddressSpace *amdvi_host_dma_iommu(PCIBus *bus, void *opaque, int
devfn)
{
AMDVIState *s = opaque;
@@ -1055,6 +1151,12 @@ static AddressSpace *amdvi_host_dma_iommu(PCIBus
Thanks for the quick review feedback.
On 09/11/2018 10:37 PM, Peter Xu wrote:
On Tue, Sep 11, 2018 at 11:49:46AM -0500, Brijesh Singh wrote:
Emulate the interrupt remapping support when guest virtual APIC is
not enabled.
See IOMMU spec: https://support.amd.com/TechDocs/48882_IOMMU.pdf
m Lendacky
Cc: Suravee Suthikulpanit
Signed-off-by: Brijesh Singh
---
hw/i386/acpi-build.c | 20 +++-
1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c
index e1ee8ae..5c2c638 100644
--- a/hw/i386/acpi-build.c
+++ b/hw/i386/ac
Register the interrupt remapping callback and read/write ops for the
amd-iommu-ir memory region.
Cc: "Michael S. Tsirkin"
Cc: Paolo Bonzini
Cc: Richard Henderson
Cc: Eduardo Habkost
Cc: Marcel Apfelbaum
Cc: Tom Lendacky
Cc: Suravee Suthikulpanit
Signed-off-by: Brijesh Singh
--
Interrupt remapping needs kernel-irqchip={off|split} on both Intel and AMD
platforms. Move the check in common place.
Cc: "Michael S. Tsirkin"
Cc: Paolo Bonzini
Cc: Richard Henderson
Cc: Eduardo Habkost
Cc: Marcel Apfelbaum
Cc: Tom Lendacky
Cc: Suravee Suthikulpanit
Signed-off-b
.
Cc: "Michael S. Tsirkin"
Cc: Paolo Bonzini
Cc: Richard Henderson
Cc: Eduardo Habkost
Cc: Marcel Apfelbaum
Cc: Tom Lendacky
Cc: Suravee Suthikulpanit
Signed-off-by: Brijesh Singh
---
hw/i386/amd_iommu.c | 187 +++
hw/i386/amd_iomm
interrupts
...
...
Cc: "Michael S. Tsirkin"
Cc: Paolo Bonzini
Cc: Richard Henderson
Cc: Eduardo Habkost
Cc: Marcel Apfelbaum
Cc: Tom Lendacky
Cc: Suravee Suthikulpanit
Brijesh Singh (6):
x86_iommu: move the kernel-irqchip check in common code
x86_iommu/amd: Prepare for inter
elbaum
Cc: Tom Lendacky
Cc: Suravee Suthikulpanit
Signed-off-by: Brijesh Singh
---
hw/i386/acpi-build.c | 3 ++-
hw/i386/amd_iommu.h | 2 +-
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c
index 5c2c638..1cbc8ba 100644
--- a/hw/i386/ac
On 7/18/18 8:49 AM, Eduardo Habkost wrote:
> CCing the AMD people who worked on this.
>
> On Wed, Jul 18, 2018 at 12:18:45PM +0200, Pavel Hrdina wrote:
>> On Wed, Jul 18, 2018 at 10:50:34AM +0100, Daniel P. Berrangé wrote:
>>> On Wed, Jul 18, 2018 at 12:41:48PM +0300, Hetz Ben Hamo wrote:
H
Hi Eduardo,
On 06/27/2018 09:48 AM, Eduardo Habkost wrote:
Hi,
On Tue, Aug 15, 2017 at 12:00:51PM -0500, Brijesh Singh wrote:
Add a new base CPU model called 'EPYC' to model processors from AMD EPYC
family (which includes EPYC 76xx,75xx,74xx, 73xx and 72xx).
The following features
-0500, Brijesh Singh wrote:
A guest boot hangs while probing the network interface when
iommu_platform=on is used.
The following qemu cli hangs without this patch:
# $QEMU \
-netdev tap,fd=3,id=hostnet0,vhost=on,vhostfd=4 3<>/dev/tap67
4<>/dev/host-net \
-device
virtio-net-pci,netdev
net: device IOTLB support"
Cc: Michael S. Tsirkin
Cc: Jason Wang
Signed-off-by: Brijesh Singh
---
Changes since v1:
- use qemu_set_nonblock() instead of fcntl(..)
net/tap.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/tap.c b/net/tap.c
index 2b3a36f9b50d..89c4e19162a2 100644
On 04/06/2018 10:44 AM, Eric Blake wrote:
On 04/06/2018 07:03 AM, Brijesh Singh wrote:
A guest boot hangs while probing the network interface when
iommu_platform=on is used.
The following qemu cli hangs without this patch:
# $QEMU \
-netdev tap,fd=3,id=hostnet0,vhost=on,vhostfd=4 3<&g
net: device IOTLB support"
Cc: Michael S. Tsirkin
Cc: Jason Wang
Signed-off-by: Brijesh Singh
---
net/tap.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/tap.c b/net/tap.c
index 2b3a36f9b50d..8c026fbf95cd 100644
--- a/net/tap.c
+++ b/net/tap.c
@@ -693,6 +693,7 @@ static void
On 3/13/18 4:33 AM, Paolo Bonzini wrote:
> On 08/03/2018 13:48, Brijesh Singh wrote:
>> sev_set_guest_state(SEV_STATE_RUNNING);
>> +
>> +/* add migration blocker */
>> +error_setg(&sev_mig_blocker,
>> + "SEV: M
On 3/13/18 4:07 AM, Paolo Bonzini wrote:
> On 09/03/2018 11:12, Dr. David Alan Gilbert wrote:
>> * Eduardo Habkost (ehabk...@redhat.com) wrote:
>>> On Thu, Mar 08, 2018 at 02:18:55PM -0600, Brijesh Singh wrote:
>>>>
>>>> On 3/8/18 11:08 AM, Daniel P. Ber
On 3/8/18 11:05 AM, Daniel P. Berrangé wrote:
> On Thu, Mar 08, 2018 at 06:48:59AM -0600, Brijesh Singh wrote:
>> The command can be used by libvirt to query the SEV capabilities.
>>
>> Cc: "Daniel P. Berrangé"
>> Cc: "Dr. David Alan Gilbert"
>
On 3/8/18 10:49 AM, Daniel P. Berrangé wrote:
> On Thu, Mar 08, 2018 at 06:48:41AM -0600, Brijesh Singh wrote:
>> Add a new memory encryption object 'sev-guest'. The object will be used
>> to create encrypted VMs on AMD EPYC CPU. The object provides the properties
>&g
On 3/8/18 11:08 AM, Daniel P. Berrangé wrote:
> On Thu, Mar 08, 2018 at 06:49:01AM -0600, Brijesh Singh wrote:
>> Blacklist the following commands to fix the 'make check' failure.
>>
>> query-sev-launch-measure: it returns meaningful data only when we launch
>
: Richard Henderson
Cc: Eduardo Habkost
Signed-off-by: Brijesh Singh
---
target/i386/monitor.c | 11 +--
target/i386/sev-stub.c | 5 +++
target/i386/sev.c | 83 ++
target/i386/sev_i386.h | 1 +
4 files changed, 98 insertions(+), 2
ic Blake
Signed-off-by: Brijesh Singh
---
monitor.c | 7 +++
qapi/misc.json| 29 +
target/i386/monitor.c | 17 +
3 files changed, 53 insertions(+)
diff --git a/monitor.c b/monitor.c
index 2225cf5030dc..d53ecc5ddab3 100644
-
The KVM_SEV_LAUNCH_START command creates a new VM encryption key (VEK).
The encryption key created with the command will be used for encrypting
the bootstrap images (such as guest bios).
Cc: Paolo Bonzini
Cc: Richard Henderson
Cc: Eduardo Habkost
Signed-off-by: Brijesh Singh
---
target/i386
In order to integrate the Secure Encryption Virtualization (SEV) support
add a few high-level memory encryption APIs which can be used for encrypting
the guest memory region.
Cc: Paolo Bonzini
Cc: k...@vger.kernel.org
Signed-off-by: Brijesh Singh
---
accel/kvm/kvm-all.c| 30
SEV firmware.
Cc: Paolo Bonzini
Cc: Richard Henderson
Cc: Eduardo Habkost
Signed-off-by: Brijesh Singh
---
accel/kvm/kvm-all.c | 16
include/sysemu/sev.h | 22 +
stubs/Makefile.objs | 1 +
stubs/sev.c | 21 +
target/i386/Makefile.objs | 2
isabled at the build time)
query-sev-capabilities: it returns an error when SEV feature is not
available on host machine.
Cc: "Daniel P. Berrangé"
Cc: "Dr. David Alan Gilbert"
Cc: Markus Armbruster
Reviewed-by: "Dr. David Alan Gilbert"
Signed-off-by: Brijesh Singh
memory regions.
Cc: Paolo Bonzini
Cc: Richard Henderson
Cc: Eduardo Habkost
Signed-off-by: Brijesh Singh
---
target/i386/sev.c| 42 ++
target/i386/trace-events | 2 ++
2 files changed, 44 insertions(+)
diff --git a/target/i386/sev.c b/target
The command can be used by libvirt to query the SEV capabilities.
Cc: "Daniel P. Berrangé"
Cc: "Dr. David Alan Gilbert"
Cc: Markus Armbruster
Signed-off-by: Brijesh Singh
---
monitor.c | 7 +++
qapi/misc.json| 42 ++
KVM_SEV_DBG_DECRYPT and KVM_SEV_DBG_ENCRYPT commands are used for
decrypting and encrypting guest memory region. The command works only if
the guest policy allows the debugging.
Cc: Paolo Bonzini
Cc: Richard Henderson
Cc: Eduardo Habkost
Signed-off-by: Brijesh Singh
---
accel/kvm/kvm-all.c
The header file provides the ioctl command and structure to communicate
with /dev/sev device.
Cc: Paolo Bonzini
Cc: Richard Henderson
Cc: Eduardo Habkost
Signed-off-by: Brijesh Singh
---
linux-headers/linux/psp-sev.h | 142 ++
1 file changed, 142
In an SEV-enabled guest the pte entry will have C-bit set, we need to
clear the C-bit when walking the page table.
Cc: Paolo Bonzini
Cc: Richard Henderson
Cc: Eduardo Habkost
Signed-off-by: Brijesh Singh
---
target/i386/helper.c | 31 +--
target/i386/monitor.c | 68
Cc: Paolo Bonzini
Cc: Richard Henderson
Cc: Eduardo Habkost
Reviewed-by: Eduardo Habkost
Signed-off-by: Brijesh Singh
---
target/i386/cpu.c | 13 +
1 file changed, 13 insertions(+)
diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index 2c04645ceac9..647f792ba123 100644
--- a
When CPU supports memory encryption feature, the property can be used to
specify the encryption object to use when launching an encrypted guest.
Cc: Paolo Bonzini
Cc: Eduardo Habkost
Cc: Marcel Apfelbaum
Cc: Stefan Hajnoczi
Signed-off-by: Brijesh Singh
---
hw/core/machine.c | 22
irkin"
Signed-off-by: Brijesh Singh
---
hw/i386/pc.c | 9 +
hw/i386/pc_sysfw.c | 6 ++
2 files changed, 15 insertions(+)
diff --git a/hw/i386/pc.c b/hw/i386/pc.c
index 35fcb6efdfb9..69364b6856b5 100644
--- a/hw/i386/pc.c
+++ b/hw/i386/pc.c
@@ -1360,6 +1360,15 @@ void pc_m
SEV launch flow requires us to issue LAUNCH_FINISH command before guest
is ready to run.
Cc: Paolo Bonzini
Cc: Richard Henderson
Cc: Eduardo Habkost
Signed-off-by: Brijesh Singh
---
target/i386/sev.c| 29 +
target/i386/trace-events | 1 +
2 files changed