Re: [RFC PATCH v2 1/9] Add Rust SEV library as subproject

2023-10-10 Thread Tyler Fanelli
On 10/5/23 11:54 AM, Stefan Hajnoczi wrote: On Wed, Oct 04, 2023 at 04:34:10PM -0400, Tyler Fanelli wrote: The Rust sev library provides a C API for the AMD SEV launch ioctls, as well as the ability to build with meson. Add the Rust sev library as a QEMU subproject with the goal of outsourcing

Re: [RFC PATCH v2 1/9] Add Rust SEV library as subproject

2023-10-10 Thread Tyler Fanelli
On 10/5/23 2:03 AM, Philippe Mathieu-Daudé wrote: Hi Tyler, On 4/10/23 22:34, Tyler Fanelli wrote: The Rust sev library provides a C API for the AMD SEV launch ioctls, as well as the ability to build with meson. Add the Rust sev library as a QEMU subproject with the goal of outsourcing all SEV

Re: [RFC PATCH v2 1/9] Add Rust SEV library as subproject

2023-10-05 Thread Tyler Fanelli
On 10/5/23 2:03 AM, Philippe Mathieu-Daudé wrote: Hi Tyler, On 4/10/23 22:34, Tyler Fanelli wrote: The Rust sev library provides a C API for the AMD SEV launch ioctls, as well as the ability to build with meson. Add the Rust sev library as a QEMU subproject with the goal of outsourcing all SEV

[RFC PATCH v2 4/9] i386/sev: Replace UPDATE_DATA ioctl with sev library equivalent

2023-10-04 Thread Tyler Fanelli
UPDATE_DATA takes the VM's file descriptor, a guest memory region to be encrypted, as well as the size of the aforementioned guest memory region. If this API ioctl call fails, fw_error will be set accordingly. Signed-off-by: Tyler Fanelli --- target/i386/sev.c | 31

[RFC PATCH v2 8/9] i386/sev: Replace LAUNCH_FINISH ioctl with sev library equivalent

2023-10-04 Thread Tyler Fanelli
The LAUNCH_FINISH ioctl finishes the guest launch flow and transitions the guest into a state ready to be run. If this API ioctl call fails, fw_error will be set accordingly. Signed-off-by: Tyler Fanelli --- target/i386/sev.c | 38 -- 1 file changed, 16

[RFC PATCH v2 7/9] i386/sev: Replace LAUNCH_SECRET ioctl with sev library equivalent

2023-10-04 Thread Tyler Fanelli
The LAUNCH_SECRET API can inject a secret into the VM once the measurement has been retrieved. If this API ioctl call fails, fw_error will be set accordingly. Signed-off-by: Tyler Fanelli --- target/i386/sev.c | 105 -- target/i386/sev.h | 2 - 2

[RFC PATCH v2 5/9] i386/sev: Replace LAUNCH_UPDATE_VMSA ioctl with sev library equivalent

2023-10-04 Thread Tyler Fanelli
The LAUNCH_UPDATE_VMSA API takes the VM's file descriptor, as well as a field for any firmware errors as input. If this API ioctl call fails, fw_error will be set accordingly. Signed-off-by: Tyler Fanelli --- target/i386/sev.c | 29 + 1 file changed, 9 insertions

[RFC PATCH v2 9/9] i386/sev: Replace SEV_ATTESTATION_REPORT with sev library equivalent

2023-10-04 Thread Tyler Fanelli
The LAUNCH_ATTESTATION ioctl fetches the guest VM's attestation report from the PSP. If the API ioctl call fails, fw_error will be set accordingly. Signed-off-by: Tyler Fanelli --- target/i386/sev.c | 81 ++- target/i386/sev.h | 2 ++ 2 files

[RFC PATCH v2 2/9] i386/sev: Replace INIT and ES_INIT ioctls with sev library equivalents

2023-10-04 Thread Tyler Fanelli
The sev library offers APIs for SEV_INIT and SEV_ES_INIT, both taking the file descriptors of the encrypting VM and /dev/sev as input. If this API ioctl call fails, fw_error will be set accordingly. Signed-off-by: Tyler Fanelli --- target/i386/sev.c| 14 +- target/i386

[RFC PATCH v2 0/9] i386/sev: Use C API of Rust SEV library

2023-10-04 Thread Tyler Fanelli
- Rebased to upstream/master - Use C API for SEV_ATTESTATION_REPORT ioctl Tyler Fanelli (9): Add Rust SEV library as subproject i386/sev: Replace INIT and ES_INIT ioctls with sev library equivalents i386/sev: Replace LAUNCH_START ioctl with sev library equivalent i386/sev: Replace UPDATE_DATA

[RFC PATCH v2 6/9] i386/sev: Replace LAUNCH_MEASURE ioctl with sev library equivalent

2023-10-04 Thread Tyler Fanelli
ent in SEV is 48 bytes in size). If this API ioctl call fails, fw_error will be set accordingly. Signed-off-by: Tyler Fanelli --- target/i386/sev.c | 24 ++-- target/i386/sev.h | 2 ++ 2 files changed, 8 insertions(+), 18 deletions(-) diff --git a/target/i386/sev.c b/target/

[RFC PATCH v2 3/9] i386/sev: Replace LAUNCH_START ioctl with sev library equivalent

2023-10-04 Thread Tyler Fanelli
fails, fw_error will be set accordingly. Signed-off-by: Tyler Fanelli --- target/i386/sev.c | 80 ++- 1 file changed, 30 insertions(+), 50 deletions(-) diff --git a/target/i386/sev.c b/target/i386/sev.c index 97388f5fa2..4c888fa77f 100644 --- a/target

[RFC PATCH v2 1/9] Add Rust SEV library as subproject

2023-10-04 Thread Tyler Fanelli
The Rust sev library provides a C API for the AMD SEV launch ioctls, as well as the ability to build with meson. Add the Rust sev library as a QEMU subproject with the goal of outsourcing all SEV launch ioctls to C APIs provided by it. Signed-off-by: Tyler Fanelli --- meson.build

Re: [RFC PATCH 0/8] i386/sev: Use C API of Rust SEV library

2023-09-15 Thread Tyler Fanelli
On 9/15/23 7:33 AM, Stefan Hajnoczi wrote: On Fri, 15 Sept 2023 at 05:54, Daniel P. Berrangé wrote: On Thu, Sep 14, 2023 at 01:58:27PM -0400, Tyler Fanelli wrote: These patches are submitted as an RFC mainly because I'm a relative newcomer to QEMU with no knowledge of the community's views

Re: [RFC PATCH 0/8] i386/sev: Use C API of Rust SEV library

2023-09-14 Thread Tyler Fanelli
On 9/14/23 3:04 PM, Philippe Mathieu-Daudé wrote: Hi Tyler, On 14/9/23 19:58, Tyler Fanelli wrote: These patches are submitted as an RFC mainly because I'm a relative newcomer to QEMU with no knowledge of the community's views on including Rust code, nor its preference of using library APIs

[RFC PATCH 4/8] i386/sev: Replace UPDATE_DATA ioctl with sev library equivalent

2023-09-14 Thread Tyler Fanelli
UPDATE_DATA takes the VM's file descriptor, a guest memory region to be encrypted, as well as the size of the aforementioned guest memory region. If this API ioctl call fails, fw_error will be set accordingly. Signed-off-by: Tyler Fanelli --- target/i386/sev.c | 31

[RFC PATCH 8/8] i386/sev: Replace LAUNCH_FINISH ioctl with sev library equivalent

2023-09-14 Thread Tyler Fanelli
The LAUNCH_FINISH ioctl finishes the guest launch flow and transitions the guest into a state ready to be run. If this API ioctl call fails, fw_error will be set accordingly. Signed-off-by: Tyler Fanelli --- target/i386/sev.c | 38 -- 1 file changed, 16

[RFC PATCH 7/8] i386/sev: Replace LAUNCH_SECRET ioctl with sev library equivalent

2023-09-14 Thread Tyler Fanelli
The LAUNCH_SECRET API can inject a secret into the VM once the measurement has been retrieved. If this API ioctl call fails, fw_error will be set accordingly. Signed-off-by: Tyler Fanelli --- target/i386/sev.c | 105 -- target/i386/sev.h | 2 - 2

[RFC PATCH 6/8] i386/sev: Replace LAUNCH_MEASURE ioctl with sev library equivalent

2023-09-14 Thread Tyler Fanelli
ent in SEV is 48 bytes in size). If this API ioctl call fails, fw_error will be set accordingly. Signed-off-by: Tyler Fanelli --- target/i386/sev.c | 24 ++-- target/i386/sev.h | 2 ++ 2 files changed, 8 insertions(+), 18 deletions(-) diff --git a/target/i386/sev.c b/target/

[RFC PATCH 1/8] Add SEV Rust library as dependency with CONFIG_SEV

2023-09-14 Thread Tyler Fanelli
The Rust sev library provides a type-safe implementation of the AMD Secure Encrypted Virtualization (SEV) APIs. Signed-off-by: Tyler Fanelli --- meson.build | 7 +++ meson_options.txt | 2 ++ scripts/meson-buildoptions.sh | 3 +++ target/i386/meson.build

[RFC PATCH 3/8] i386/sev: Replace LAUNCH_START ioctl with sev library equivalent

2023-09-14 Thread Tyler Fanelli
fails, fw_error will be set accordingly. Signed-off-by: Tyler Fanelli --- target/i386/sev.c | 80 ++- 1 file changed, 30 insertions(+), 50 deletions(-) diff --git a/target/i386/sev.c b/target/i386/sev.c index f0fd291e68..49be072cbc 100644 --- a/target

[RFC PATCH 0/8] i386/sev: Use C API of Rust SEV library

2023-09-14 Thread Tyler Fanelli
being offloaded to the library. This series looks to explore the possibility of using the library and show a bit of what it would look like. I'm looking for comments regarding if this feature is desired. [0] https://github.com/virtee/sev Tyler Fanelli (8): Add SEV Rust library as dependency

[RFC PATCH 5/8] i386/sev: Replace LAUNCH_UPDATE_VMSA ioctl with sev library equivalent

2023-09-14 Thread Tyler Fanelli
The LAUNCH_UPDATE_VMSA API takes the VM's file descriptor, as well as a field for any firmware errors as input. If this API ioctl call fails, fw_error will be set accordingly. Signed-off-by: Tyler Fanelli --- target/i386/sev.c | 29 + 1 file changed, 9 insertions

[RFC PATCH 2/8] i386/sev: Replace INIT and ES_INIT ioctls with sev library equivalents

2023-09-14 Thread Tyler Fanelli
The sev library offers APIs for SEV_INIT and SEV_ES_INIT, both taking the file descriptors of the encrypting VM and /dev/sev as input. If this API ioctl call fails, fw_error will be set accordingly. Signed-off-by: Tyler Fanelli --- target/i386/sev.c| 14 +- target/i386

[PATCH v3] i386/sev: Ensure attestation report length is valid before retrieving

2022-03-04 Thread Tyler Fanelli
. Leaving this unchecked is dangerous and could lead to undefined behavior. Signed-off-by: Tyler Fanelli --- target/i386/sev.c | 7 +++ 1 file changed, 7 insertions(+) diff --git a/target/i386/sev.c b/target/i386/sev.c index 025ff7a6f8..e82be3e350 100644 --- a/target/i386/sev.c +++ b/target/i386

[PATCH v2] i386/sev: Ensure attestation report length is valid before retrieving

2022-03-04 Thread Tyler Fanelli
. Leaving this unchecked is dangerous and could lead to undefined behavior. Signed-off-by: Tyler Fanelli --- target/i386/sev.c | 7 +++ 1 file changed, 7 insertions(+) diff --git a/target/i386/sev.c b/target/i386/sev.c index 025ff7a6f8..80d958369b 100644 --- a/target/i386/sev.c +++ b/target/i386

[PATCH] i386/sev: Ensure attestation report length is valid before retrieving

2022-03-04 Thread Tyler Fanelli
. Leaving this unchecked is dangerous and could lead to undefined behavior. Signed-off-by: Tyler Fanelli --- target/i386/sev.c | 7 +++ 1 file changed, 7 insertions(+) diff --git a/target/i386/sev.c b/target/i386/sev.c index 025ff7a6f8..215acd7c6b 100644 --- a/target/i386/sev.c +++ b/target/i386

Re: SEV guest attestation

2021-11-24 Thread Tyler Fanelli
On 11/24/21 12:49 PM, Dr. David Alan Gilbert wrote: * Tyler Fanelli (tfane...@redhat.com) wrote: Hi, We recently discussed a way for remote SEV guest attestation through QEMU. My initial approach was to get data needed for attestation through different QMP commands (all of which are already

Re: SEV guest attestation

2021-11-24 Thread Tyler Fanelli
On 11/24/21 11:34 AM, Tyler Fanelli wrote: We recently discussed a way for remote SEV guest attestation through QEMU. For those interested, here is where some of the discussion took place before. [1] https://listman.redhat.com/archives/libvir-list/2021-May/msg00196.html [2] https

SEV guest attestation

2021-11-24 Thread Tyler Fanelli
arbitrary QMP commands, as this could be an issue. So I ask, does anyone involved in QEMU's SEV implementation have any input on a quality way to perform guest attestation? If so, I'd be interested. Thanks. Tyler. -- Tyler Fanelli (tfanelli)

[PATCH] sev: check which processor the ASK/ARK chain should match

2021-11-16 Thread Tyler Fanelli
The AMD ASK/ARK certificate chain differs between AMD SEV processor generations. SEV capabilities should provide which ASK/ARK certificate should be used based on the host processor. Signed-off-by: Tyler Fanelli --- qapi/misc-target.json | 28 ++-- target/i386/sev.c

Re: [PATCH] sev: allow capabilities to check for SEV-ES support

2021-11-16 Thread Tyler Fanelli
On 11/16/21 12:23 PM, Daniel P. Berrangé wrote: On Tue, Nov 16, 2021 at 11:58:12AM -0500, Tyler Fanelli wrote: On 11/16/21 10:53 AM, Daniel P. Berrangé wrote: On Tue, Nov 16, 2021 at 10:29:35AM -0500, Tyler Fanelli wrote: On 11/16/21 4:17 AM, Daniel P. Berrangé wrote: On Mon, Nov 15, 2021

Re: [PATCH] sev: allow capabilities to check for SEV-ES support

2021-11-16 Thread Tyler Fanelli
On 11/16/21 10:53 AM, Daniel P. Berrangé wrote: On Tue, Nov 16, 2021 at 10:29:35AM -0500, Tyler Fanelli wrote: On 11/16/21 4:17 AM, Daniel P. Berrangé wrote: On Mon, Nov 15, 2021 at 02:38:04PM -0500, Tyler Fanelli wrote: Probe for SEV-ES and SEV-SNP capabilities to distinguish between Rome

Re: [PATCH] sev: allow capabilities to check for SEV-ES support

2021-11-16 Thread Tyler Fanelli
On 11/16/21 4:17 AM, Daniel P. Berrangé wrote: On Mon, Nov 15, 2021 at 02:38:04PM -0500, Tyler Fanelli wrote: Probe for SEV-ES and SEV-SNP capabilities to distinguish between Rome, Naples, and Milan processors. Use the CPUID function to probe if a processor is capable of running SEV-ES or SEV

[PATCH] sev: allow capabilities to check for SEV-ES support

2021-11-15 Thread Tyler Fanelli
Probe for SEV-ES and SEV-SNP capabilities to distinguish between Rome, Naples, and Milan processors. Use the CPUID function to probe if a processor is capable of running SEV-ES or SEV-SNP, rather than if it actually is running SEV-ES or SEV-SNP. Signed-off-by: Tyler Fanelli --- qapi/misc