[PATCH v4 01/17] meson: Add optional dependency on IGVM library

, which attempts to locate and link against the IGVM library via pkgconfig and sets CONFIG_IGVM if found. The library is added to the system_ss target in backends/meson.build where the IGVM parsing will be performed by the ConfidentialGuestSupport object. Signed-off-by: Roy Hopkins

[PATCH v4 03/17] backends/igvm: Add IGVM loader and configuration

for the system is used to encrypt memory, apply the initial CPU state and perform other confidential guest operations. The loader is configured via a new IgvmCfg QOM object which allows the user to provide a path to the IGVM file to process. Signed-off-by: Roy Hopkins --- qapi/qom.json

[PATCH v4 04/17] hw/i386: Add igvm-cfg object and processing for IGVM files

to the guest before it is started. If an IGVM configuration is provided then the IGVM file is processed at the end of the board initialization, before the state transition to PHASE_MACHINE_INITIALIZED. Signed-off-by: Roy Hopkins --- include/hw/i386/x86.h | 3 +++ hw/i386/pc.c | 12

[PATCH v4 05/17] i386/pc_sysfw: Ensure sysfw flash configuration does not conflict with IGVM

have been configured when using IGVM, exiting with an error message if this is not the case. Signed-off-by: Roy Hopkins --- hw/i386/pc_sysfw.c | 31 --- 1 file changed, 28 insertions(+), 3 deletions(-) diff --git a/hw/i386/pc_sysfw.c b/hw/i386/pc_sysfw.c index ef80281d28

[PATCH v4 06/17] sev: Fix error handling in sev_encrypt_flash()

ion, the function takes an Error parameter which is not used when an error is actually returned. The return value is now checked for non-zero to indicate an error and a suitable error message is logged. Signed-off-by: Roy Hopkins --- target/i386/sev.c | 9 +++-- 1 file changed, 3 insertions(+)

[PATCH v4 10/17] i386/sev: Implement ConfidentialGuestSupport functions for SEV

such as SEV. This commit implements the required functions for SEV-ES and adds support for processing IGVM files for configuring the guest. Signed-off-by: Roy Hopkins --- target/i386/sev.h | 2 + target/i386/sev.c | 250 -- 2 files changed, 242

[PATCH v4 14/17] backends/igvm: Process initialization sections in IGVM file

of the initialization sections during processing of the IGVM file. Signed-off-by: Roy Hopkins --- backends/igvm.c | 21 + 1 file changed, 21 insertions(+) diff --git a/backends/igvm.c b/backends/igvm.c index 97af1a6cb3..fa074b9107 100644 --- a/backends/igvm.c +++ b/backends/igvm.c

[PATCH v4 08/17] target/i386: Allow setting of R_LDTR and R_TR with cpu_x86_load_seg_cache()

of the segment array. Possibly by coincidence, the function does correctly set LDTR or TR in this case as the structures for these registers immediately follow the array which is accessed out of bounds. This patch adds correct handling for R_LDTR and R_TR in the function. Signed-off-by: Roy Hopkins

[PATCH v4 16/17] i386/sev: Add implementation of CGS set_guest_policy()

. Signed-off-by: Roy Hopkins --- target/i386/sev.h | 12 +++ target/i386/sev.c | 83 +++ 2 files changed, 95 insertions(+) diff --git a/target/i386/sev.h b/target/i386/sev.h index 2ccd6fe1e8..7b92102bd0 100644 --- a/target/i386/sev.h +++ b/target

[PATCH v4 12/17] docs/interop/firmware.json: Add igvm to FirmwareDevice

Create an enum entry within FirmwareDevice for 'igvm' to describe that an IGVM file can be used to map firmware into memory as an alternative to pre-existing firmware devices. Signed-off-by: Roy Hopkins --- docs/interop/firmware.json | 9 - 1 file changed, 8 insertions(+), 1 deletion

[PATCH v4 02/17] backends/confidential-guest-support: Add functions to support IGVM

-by: Roy Hopkins --- include/exec/confidential-guest-support.h | 75 +++ backends/confidential-guest-support.c | 31 ++ 2 files changed, 106 insertions(+) diff --git a/include/exec/confidential-guest-support.h b/include/exec/confidential-guest-support.h index

[PATCH v4 13/17] backends/confidential-guest-support: Add set_guest_policy() function

confidential platform, such as AMD SEV to set the policy. This will allow configuration of the policy from a multi-platform resource such as an IGVM file without the IGVM processor requiring specific implementation details for each platform. Signed-off-by: Roy Hopkins --- include/exec/confidential

[PATCH v4 11/17] docs/system: Add documentation on support for IGVM

IGVM support has been implemented for Confidential Guests that support AMD SEV and AMD SEV-ES. Add some documentation that gives some background on the IGVM format and how to use it to configure a confidential guest. Signed-off-by: Roy Hopkins --- docs/system/i386/amd-memory-encryption.rst

[PATCH v4 15/17] backends/igvm: Handle policy for SEV guests

Adds a handler for the guest policy initialization IGVM section and builds an SEV policy based on this information and the ID block directive if present. The policy is applied using by calling 'set_guest_policy()' on the ConfidentialGuestSupport object. Signed-off-by: Roy Hopkins --- backends

[PATCH v4 17/17] sev: Provide sev_features flags from IGVM VMSA to KVM_SEV_INIT2

. This does cause the IGVM file to be processed twice. Firstly to extract the sev_features then secondly to actually configure the guest. However, the first pass is largely ignored meaning the overhead is minimal. Signed-off-by: Roy Hopkins --- target/i386/sev.c | 160

[PATCH v4 09/17] i386/sev: Refactor setting of reset vector and initial CPU state

startup and CPU reset. Signed-off-by: Roy Hopkins --- target/i386/sev.h | 110 target/i386/sev.c | 323 +- 2 files changed, 400 insertions(+), 33 deletions(-) diff --git a/target/i386/sev.h b/target/i386/sev.h index 858005a119..167dd154d6

[PATCH v4 00/17] Introduce support for IGVM files

nd SEV-SNP ID_BLOCK from IGVM file. 17: Add pre-processing of IGVM file to support synchronization of 'SEV_FEATURES' from IGVM VMSA to KVM. [1] Link to v3: https://lore.kernel.org/qemu-devel/cover.1718979106.git.roy.hopk...@suse.com/ [2] v4 patches also available here: https://github.com/roy-hopkins

[PATCH v4 07/17] sev: Update launch_update_data functions to use Error handling

an error condition if a non-zero value is returned. Signed-off-by: Roy Hopkins --- target/i386/sev.c | 59 +-- 1 file changed, 31 insertions(+), 28 deletions(-) diff --git a/target/i386/sev.c b/target/i386/sev.c index 491ca5369e..5eabeadda6 100644

Re: [PATCH v3 10/15] docs/interop/firmware.json: Add igvm to FirmwareDevice

On Thu, 2024-06-27 at 14:53 +0200, Stefano Garzarella wrote: > On Fri, Jun 21, 2024 at 03:29:13PM GMT, Roy Hopkins wrote: > > Create an enum entry within FirmwareDevice for 'igvm' to describe that > > an IGVM file can be used to map firmware into memory as an alternative >

Re: [PATCH v3 09/15] docs/system: Add documentation on support for IGVM

On Mon, 2024-06-24 at 15:09 +0100, Daniel P. Berrangé wrote: > On Fri, Jun 21, 2024 at 03:29:12PM +0100, Roy Hopkins wrote: > > IGVM support has been implemented for Confidential Guests that support > > AMD SEV and AMD SEV-ES. Add some documentation that gives some > > b

Re: [PATCH v3 15/15] sev: Provide sev_features flags from IGVM VMSA to KVM_SEV_INIT2

On Mon, 2024-06-24 at 15:14 +0100, Daniel P. Berrangé wrote: > On Fri, Jun 21, 2024 at 03:29:18PM +0100, Roy Hopkins wrote: > > IGVM files can contain an initial VMSA that should be applied to each > > vcpu as part of the initial guest state. The sev_features flags are >

Re: [PATCH v3 04/15] hw/core/machine: Add igvm-cfg object and processing for IGVM files

On Fri, 2024-06-28 at 12:23 +0100, Daniel P. Berrangé wrote: > On Fri, Jun 28, 2024 at 12:09:59PM +0100, Roy Hopkins wrote: > > On Mon, 2024-06-24 at 15:00 +0100, Daniel P. Berrangé wrote: > > > On Fri, Jun 21, 2024 at 03:29:07PM +0100, Roy Hopkins wrote: > > &

Re: [PATCH v3 06/15] sev: Update launch_update_data functions to use Error handling

On Thu, 2024-06-27 at 14:48 +0200, Stefano Garzarella wrote: > On Fri, Jun 21, 2024 at 03:29:09PM GMT, Roy Hopkins wrote: > > The class function and implementations for updating launch data return > > a code in case of error. In some cases an error message is generated and > >

Re: [PATCH v3 05/15] i386/pc_sysfw: Ensure sysfw flash configuration does not conflict with IGVM

On Thu, 2024-06-27 at 14:38 +0200, Stefano Garzarella wrote: > On Fri, Jun 21, 2024 at 03:29:08PM GMT, Roy Hopkins wrote: > > When using an IGVM file the configuration of the system firmware is > > defined by IGVM directives contained in the file. In this case the user > > sho

Re: [PATCH v3 04/15] hw/core/machine: Add igvm-cfg object and processing for IGVM files

On Mon, 2024-06-24 at 15:00 +0100, Daniel P. Berrangé wrote: > On Fri, Jun 21, 2024 at 03:29:07PM +0100, Roy Hopkins wrote: > > An IGVM file contains configuration of guest state that should be > > applied during configuration of the guest, before the guest is started. > >

Re: [PATCH v3 03/15] backends/igvm: Add IGVM loader and configuration

On Thu, 2024-06-27 at 10:14 +0100, Daniel P. Berrangé wrote: > On Thu, Jun 27, 2024 at 11:06:50AM +0200, Stefano Garzarella wrote: > > On Fri, Jun 21, 2024 at 03:29:06PM GMT, Roy Hopkins wrote: > > > Adds an IGVM loader to QEMU which processes a given IGVM file and > >

Re: [PATCH v3 03/15] backends/igvm: Add IGVM loader and configuration

On Mon, 2024-06-24 at 14:29 +0100, Daniel P. Berrangé wrote: > On Fri, Jun 21, 2024 at 03:29:06PM +0100, Roy Hopkins wrote: > > Adds an IGVM loader to QEMU which processes a given IGVM file and > > applies the directives within the file to the current guest > > configurati

Re: [PATCH v3 00/15] Introduce support for IGVM files

On Mon, 2024-06-24 at 14:50 +0100, Daniel P. Berrangé wrote: > On Fri, Jun 21, 2024 at 03:29:03PM +0100, Roy Hopkins wrote: > > Based-on: 02d9c38236 > > > > Here is v3 of the set of patches to add support for IGVM files to QEMU. > > > > Firstly, apologies f

[PATCH v3 11/15] backends/confidential-guest-support: Add set_guest_policy() function

confidential platform, such as AMD SEV to set the policy. This will allow configuration of the policy from a multi-platform resource such as an IGVM file without the IGVM processor requiring specific implementation details for each platform. Signed-off-by: Roy Hopkins --- include/exec/confidential

[PATCH v3 07/15] i386/sev: Refactor setting of reset vector and initial CPU state

startup and CPU reset. Signed-off-by: Roy Hopkins --- target/i386/sev.h | 110 target/i386/sev.c | 323 +- 2 files changed, 400 insertions(+), 33 deletions(-) diff --git a/target/i386/sev.h b/target/i386/sev.h index 858005a119..167dd154d6

[PATCH v3 02/15] backends/confidential-guest-support: Add functions to support IGVM

-by: Roy Hopkins --- include/exec/confidential-guest-support.h | 75 +++ backends/confidential-guest-support.c | 31 ++ 2 files changed, 106 insertions(+) diff --git a/include/exec/confidential-guest-support.h b/include/exec/confidential-guest-support.h index

[PATCH v3 00/15] Introduce support for IGVM files

: Add pre-processing of IGVM file to support synchronization of 'SEV_FEATURES' from IGVM VMSA to KVM. [1] Link to v2: https://lore.kernel.org/qemu-devel/cover.1712138654.git.roy.hopk...@suse.com/ [2] v3 patches also available here: https://github.com/roy-hopkins/qemu/tree/igvm_master_v3 [3

[PATCH v3 10/15] docs/interop/firmware.json: Add igvm to FirmwareDevice

Create an enum entry within FirmwareDevice for 'igvm' to describe that an IGVM file can be used to map firmware into memory as an alternative to pre-existing firmware devices. Signed-off-by: Roy Hopkins --- docs/interop/firmware.json | 9 - 1 file changed, 8 insertions(+), 1 deletion

[PATCH v3 09/15] docs/system: Add documentation on support for IGVM

IGVM support has been implemented for Confidential Guests that support AMD SEV and AMD SEV-ES. Add some documentation that gives some background on the IGVM format and how to use it to configure a confidential guest. Signed-off-by: Roy Hopkins --- docs/system/i386/amd-memory-encryption.rst

[PATCH v3 06/15] sev: Update launch_update_data functions to use Error handling

an error condition if a non-zero value is returned. Signed-off-by: Roy Hopkins --- target/i386/sev.c | 67 +-- 1 file changed, 35 insertions(+), 32 deletions(-) diff --git a/target/i386/sev.c b/target/i386/sev.c index 30b83f1d77..1900c3d9b4 100644

[PATCH v3 12/15] backends/igvm: Process initialization sections in IGVM file

of the initialization sections during processing of the IGVM file. Signed-off-by: Roy Hopkins --- backends/igvm.c | 21 + 1 file changed, 21 insertions(+) diff --git a/backends/igvm.c b/backends/igvm.c index 25bbddfa33..b6b7d30a3f 100644 --- a/backends/igvm.c +++ b/backends/igvm.c

[PATCH v3 04/15] hw/core/machine: Add igvm-cfg object and processing for IGVM files

before it is started. If an IGVM configuration is provided then the IGVM file is processed at the end of the board initialization, before the state transition to PHASE_MACHINE_INITIALIZED. Signed-off-by: Roy Hopkins --- include/hw/boards.h | 2 ++ hw/core/machine.c | 20

[PATCH v3 14/15] i386/sev: Add implementation of CGS set_guest_policy()

. Signed-off-by: Roy Hopkins --- target/i386/sev.h | 12 +++ target/i386/sev.c | 83 +++ 2 files changed, 95 insertions(+) diff --git a/target/i386/sev.h b/target/i386/sev.h index 2ccd6fe1e8..7b92102bd0 100644 --- a/target/i386/sev.h +++ b/target

[PATCH v3 08/15] i386/sev: Implement ConfidentialGuestSupport functions for SEV

such as SEV. This commit implements the required functions for SEV-ES and adds support for processing IGVM files for configuring the guest. Signed-off-by: Roy Hopkins --- target/i386/sev.h | 2 + target/i386/sev.c | 250 -- 2 files changed, 242

[PATCH v3 01/15] meson: Add optional dependency on IGVM library

, which attempts to locate and link against the IGVM library via pkgconfig and sets CONFIG_IGVM if found. The library is added to the system_ss target in backends/meson.build where the IGVM parsing will be performed by the ConfidentialGuestSupport object. Signed-off-by: Roy Hopkins

[PATCH v3 03/15] backends/igvm: Add IGVM loader and configuration

for the system is used to encrypt memory, apply the initial CPU state and perform other confidential guest operations. The loader is configured via a new IgvmCfg QOM object which allows the user to provide a path to the IGVM file to process. Signed-off-by: Roy Hopkins --- qapi/qom.json

[PATCH v3 13/15] backends/igvm: Handle policy for SEV guests

Adds a handler for the guest policy initialization IGVM section and builds an SEV policy based on this information and the ID block directive if present. The policy is applied using by calling 'set_guest_policy()' on the ConfidentialGuestSupport object. Signed-off-by: Roy Hopkins --- backends

[PATCH v3 05/15] i386/pc_sysfw: Ensure sysfw flash configuration does not conflict with IGVM

have been configured when using IGVM, exiting with an error message if this is not the case. Signed-off-by: Roy Hopkins --- hw/i386/pc_sysfw.c | 23 +-- 1 file changed, 21 insertions(+), 2 deletions(-) diff --git a/hw/i386/pc_sysfw.c b/hw/i386/pc_sysfw.c index ef80281d28

[PATCH v3 15/15] sev: Provide sev_features flags from IGVM VMSA to KVM_SEV_INIT2

. This does cause the IGVM file to be processed twice. Firstly to extract the sev_features then secondly to actually configure the guest. However, the first pass is largely ignored meaning the overhead is minimal. Signed-off-by: Roy Hopkins --- target/i386/sev.c | 145

Re: [PATCH v2 08/10] i386/sev: Implement ConfidentialGuestSupport functions for SEV

On Tue, 2024-04-16 at 15:30 +0100, Daniel P. Berrangé wrote: > On Wed, Apr 03, 2024 at 12:11:39PM +0100, Roy Hopkins wrote: > > The ConfidentialGuestSupport object defines a number of virtual > > functions that are called during processing of IGVM directives to query > > or co

Re: [PATCH v2 06/10] i386/pc_sysfw: Ensure sysfw flash configuration does not conflict with IGVM

On Thu, 2024-04-04 at 18:06 +0530, Ani Sinha wrote: > > > > On 3 Apr 2024, at 16:41, Roy Hopkins wrote: > > > > When using an IGVM file the configuration of the system firmware is > > defined by IGVM directives contained in the file. In this case the user >

Re: [PATCH v2 04/10] backends/igvm: Implement parsing and processing of IGVM files

On Tue, 2024-04-16 at 15:05 +0100, Daniel P. Berrangé wrote: > On Wed, Apr 03, 2024 at 12:11:35PM +0100, Roy Hopkins wrote: > > This commit adds an implementation of an IGVM loader which parses the > > file specified as a pararameter to ConfidentialGuestSupport and provides

Re: [PATCH v2 04/10] backends/igvm: Implement parsing and processing of IGVM files

On Thu, 2024-04-04 at 09:58 +0200, Philippe Mathieu-Daudé wrote: > Hi Roy, > > On 3/4/24 13:11, Roy Hopkins wrote: > > This commit adds an implementation of an IGVM loader which parses the > > file specified as a pararameter to ConfidentialGuestSupport and provides >

Re: [PATCH v2 03/10] backends/confidential-guest-support: Add functions to support IGVM

On Tue, 2024-04-16 at 14:31 +0100, Daniel P. Berrangé wrote: > On Thu, Apr 04, 2024 at 10:00:53AM +0200, Philippe Mathieu-Daudé wrote: > > Hi Roy, > > > > On 3/4/24 13:11, Roy Hopkins wrote: > > > In preparation for supporting the processing of IGVM files to con

Re: [PATCH v2 01/10] meson: Add optional dependency on IGVM library

On Tue, 2024-04-16 at 15:13 +0100, Daniel P. Berrangé wrote: > On Wed, Apr 03, 2024 at 12:11:32PM +0100, Roy Hopkins wrote: > > The IGVM library allows Independent Guest Virtual Machine files to be > > parsed and processed. IGVM files are used to configure guest memory >

[PATCH v2 02/10] backends/confidential-guest-support: Add IGVM file parameter

support IGVM based configuration. This patch allows the filename to be configured via the QEMU object model in preparation for subsequent patches that will read and parse the IGVM file. Signed-off-by: Roy Hopkins --- backends/confidential-guest-support.c | 21 + include

[PATCH v2 10/10] docs/interop/firmware.json: Add igvm to FirmwareDevice

Create an enum entry within FirmwareDevice for 'igvm' to describe that an IGVM file can be used to map firmware into memory as an alternative to pre-existing firmware devices. Signed-off-by: Roy Hopkins --- docs/interop/firmware.json | 9 - 1 file changed, 8 insertions(+), 1 deletion

[PATCH v2 08/10] i386/sev: Implement ConfidentialGuestSupport functions for SEV

such as SEV. This commit implements the required functions for SEV-ES and adds support for processing IGVM files for configuring the guest. Signed-off-by: Roy Hopkins --- target/i386/sev.c | 137 ++ 1 file changed, 137 insertions(+) diff --git

[PATCH v2 00/10] Introduce support for IGVM files

device. Thanks to Daniel, Stefano, Ani and everyone else that has taken time to review this so far. [1] Link to v1: https://lore.kernel.org/qemu-devel/cover.1709044754.git.roy.hopk...@suse.com/ [2] v2 patches also available here: https://github.com/roy-hopkins/qemu/tree/igvm_master_v2 Roy Hopkins

[PATCH v2 05/10] i386/pc: Process IGVM file during PC initialization if present

of the current PC initialization steps. If an IGVM file has been provided then the directives in the file are processed completing the initialization of the target. If no IGVM file has been specified by the user then no there is no intended consequences in these changes. Signed-off-by: Roy Hopkins

[PATCH v2 07/10] i386/sev: Refactor setting of reset vector and initial CPU state

startup and CPU reset. Signed-off-by: Roy Hopkins --- target/i386/sev.c | 288 +- target/i386/sev.h | 110 ++ 2 files changed, 369 insertions(+), 29 deletions(-) diff --git a/target/i386/sev.c b/target/i386/sev.c index 72930ff0dc

[PATCH v2 01/10] meson: Add optional dependency on IGVM library

, which attempts to locate and link against the IGVM library via pkgconfig and sets CONFIG_IGVM if found. The library is added to the system_ss target in backends/meson.build where the IGVM parsing will be performed by the ConfidentialGuestSupport object. Signed-off-by: Roy Hopkins --- backends

[PATCH v2 09/10] docs/system: Add documentation on support for IGVM

IGVM support has been implemented for Confidential Guests that support AMD SEV and AMD SEV-ES. Add some documentation that gives some background on the IGVM format and how to use it to configure a confidential guest. Signed-off-by: Roy Hopkins --- docs/system/i386/amd-memory-encryption.rst

[PATCH v2 03/10] backends/confidential-guest-support: Add functions to support IGVM

. Signed-off-by: Roy Hopkins --- backends/confidential-guest-support.c | 32 ++ include/exec/confidential-guest-support.h | 74 +++ 2 files changed, 106 insertions(+) diff --git a/backends/confidential-guest-support.c b/backends/confidential-guest-support.c index

[PATCH v2 06/10] i386/pc_sysfw: Ensure sysfw flash configuration does not conflict with IGVM

have been configured when using IGVM, exiting with an error message if this is not the case. Signed-off-by: Roy Hopkins --- hw/i386/pc_sysfw.c | 23 +-- 1 file changed, 21 insertions(+), 2 deletions(-) diff --git a/hw/i386/pc_sysfw.c b/hw/i386/pc_sysfw.c index 3efabbbab2

[PATCH v2 04/10] backends/igvm: Implement parsing and processing of IGVM files

when a filename is provided but the code to process the IGVM file is not yet hooked into target systems. This will follow in a later commit. Signed-off-by: Roy Hopkins --- backends/confidential-guest-support.c | 4 + backends/igvm.c | 745

Re: [PATCH 6/9] i386/pc: Skip initialization of system FW when using IGVM

On Wed, 2024-03-27 at 18:58 +0530, Ani Sinha wrote: > > > > On 27 Feb 2024, at 20:20, Roy Hopkins wrote: > > > > When using an IGVM file the configuration of the system firmware is > > defined by IGVM directives contained in the file. Therefore the defa

Re: [PATCH 9/9] docs/system: Add documentation on support for IGVM

On Mon, 2024-03-18 at 16:21 +, Daniel P. Berrangé wrote: > On Mon, Mar 18, 2024 at 03:59:31PM +0000, Roy Hopkins wrote: > > On Fri, 2024-03-01 at 17:10 +, Daniel P. Berrangé wrote: > > > On Tue, Feb 27, 2024 at 02:50:15PM +, Roy Hopkins wrote: > > > > IGV

Re: [PATCH 2/9] backends/confidential-guest-support: Add IGVM file parameter

On Tue, 2024-03-19 at 16:10 +0100, Stefano Garzarella wrote: > On Tue, Feb 27, 2024 at 02:50:08PM +0000, Roy Hopkins wrote: > > In order to add support for parsing IGVM files for secure virtual > > machines, a the path to an IGVM file needs to be specified as > > part of th

Re: [PATCH 0/9] Introduce support for IGVM files

On Tue, 2024-03-19 at 16:07 +0100, Stefano Garzarella wrote: > Hi Roy, > thanks for this series! > > On Tue, Feb 27, 2024 at 02:50:06PM +, Roy Hopkins wrote: > > Hi everyone, > > > > This initial patch series submission adds the capability to configure >

Re: [PATCH 9/9] docs/system: Add documentation on support for IGVM

On Fri, 2024-03-01 at 17:10 +, Daniel P. Berrangé wrote: > On Tue, Feb 27, 2024 at 02:50:15PM +0000, Roy Hopkins wrote: > > IGVM support has been implemented for Confidential Guests that support > > AMD SEV and AMD SEV-ES. Add some documentation that gives some > > b

Re: [PATCH 7/9] i386/sev: Refactor setting of reset vector and initial CPU state

On Tue, 2024-03-12 at 16:12 +, Daniel P. Berrangé wrote: > On Tue, Mar 12, 2024 at 03:45:20PM +0000, Roy Hopkins wrote: > > On Fri, 2024-03-01 at 17:01 +, Daniel P. Berrangé wrote: > > > On Tue, Feb 27, 2024 at 02:50:13PM +,

Re: [PATCH 7/9] i386/sev: Refactor setting of reset vector and initial CPU state

On Fri, 2024-03-01 at 17:01 +, Daniel P. Berrangé wrote: > On Tue, Feb 27, 2024 at 02:50:13PM +0000, Roy Hopkins wrote: > > When an SEV guest is started, the reset vector and state are > > extracted from metadata that is contained in the firmware volume. > > > > In

Re: [PATCH 6/9] i386/pc: Skip initialization of system FW when using IGVM

On Fri, 2024-03-01 at 16:54 +, Daniel P. Berrangé wrote: > On Tue, Feb 27, 2024 at 02:50:12PM +0000, Roy Hopkins wrote: > > When using an IGVM file the configuration of the system firmware is > > defined by IGVM directives contained in the file. Therefore the default > > s

Re: [PATCH 4/9] backends/igvm: Implement parsing and processing of IGVM files

On Fri, 2024-03-01 at 16:51 +, Daniel P. Berrangé wrote: > On Tue, Feb 27, 2024 at 02:50:10PM +0000, Roy Hopkins wrote: > > This commit adds an implementation of an IGVM loader which parses the > > file specified as a pararameter to ConfidentialGuestSupport and provides

Re: [PATCH 3/9] backends/confidential-guest-support: Add functions to support IGVM

On Fri, 2024-03-01 at 16:37 +, Daniel P. Berrangé wrote: > On Tue, Feb 27, 2024 at 02:50:09PM +0000, Roy Hopkins wrote: > > In preparation for supporting the processing of IGVM files to configure > > guests, this adds a set of functions to ConfidentialGuestSupport > > a

[PATCH 4/9] backends/igvm: Implement parsing and processing of IGVM files

when a filename is provided but the code to process the IGVM file is not yet hooked into target systems. This will follow in a later commit. Signed-off-by: Roy Hopkins --- backends/confidential-guest-support.c | 4 + backends/igvm.c | 718

[PATCH 6/9] i386/pc: Skip initialization of system FW when using IGVM

then the standard system firmware initialization is skipped and any prepared flash devices are cleaned up. Signed-off-by: Roy Hopkins --- hw/i386/pc.c | 12 ++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/hw/i386/pc.c b/hw/i386/pc.c index f8eb684a49..17bb211708 100644

[PATCH 2/9] backends/confidential-guest-support: Add IGVM file parameter

support IGVM based configuration. This patch allows the filename to be configured via the QEMU object model in preparation for subsequent patches that will read and parse the IGVM file. Signed-off-by: Roy Hopkins --- backends/confidential-guest-support.c | 21 + include

[PATCH 3/9] backends/confidential-guest-support: Add functions to support IGVM

. Signed-off-by: Roy Hopkins --- backends/confidential-guest-support.c | 26 include/exec/confidential-guest-support.h | 76 +++ 2 files changed, 102 insertions(+) diff --git a/backends/confidential-guest-support.c b/backends/confidential-guest-support.c index

[PATCH 8/9] i386/sev: Implement ConfidentialGuestSupport functions for SEV

such as SEV. This commit implements the required functions for SEV-ES and adds support for processing IGVM files for configuring the guest. Signed-off-by: Roy Hopkins --- target/i386/sev.c | 77 +++ 1 file changed, 77 insertions(+) diff --git

[PATCH 5/9] i386/pc: Process IGVM file during PC initialization if present

of the current PC initialization steps. If an IGVM file has been provided then the directives in the file are processed completing the initalization of the target. If no IGVM file has been specified by the user then no there is no intended consequences in these changes. Signed-off-by: Roy Hopkins

[PATCH 9/9] docs/system: Add documentation on support for IGVM

IGVM support has been implemented for Confidential Guests that support AMD SEV and AMD SEV-ES. Add some documentation that gives some background on the IGVM format and how to use it to configure a confidential guest. Signed-off-by: Roy Hopkins --- docs/system/igvm.rst | 58

[PATCH 0/9] Introduce support for IGVM files

://github.com/roy-hopkins/qemu/tree/igvm_master_v1 I look forward to welcoming your comments! Why do we need Independent Guest Virtual Machine (IGVM) files? == IGVM files describe, using a set of directives, the memory layout and initial

[PATCH 7/9] i386/sev: Refactor setting of reset vector and initial CPU state

startup and CPU reset. Signed-off-by: Roy Hopkins --- target/i386/sev.c | 288 +- target/i386/sev.h | 110 ++ 2 files changed, 369 insertions(+), 29 deletions(-) diff --git a/target/i386/sev.c b/target/i386/sev.c index 173de91afe

[PATCH 1/9] meson: Add optional dependency on IGVM library

, which attempts to locate and link against the IGVM library via pkgconfig and sets CONFIG_IGVM if found. The library is added to the system_ss target in backends/meson.build where the IGVM parsing will be performed by the ConfidentialGuestSupport object. Signed-off-by: Roy Hopkins --- backends