[RFC PATCH v1 00/28] x86: Secure Encrypted Virtualization (AMD)

Paolo Bonzini pbonzini at redhat.com
Thu Oct 13 11:19:47 UTC 2016



On 23/08/2016 01:23, Brijesh Singh wrote:
> TODO:
> - send qemu/seabios RFC's on respective mailing list
> - integrate the psp driver with CCP driver (they share the PCI id's)
> - add SEV guest migration command support
> - add SEV snapshotting command support
> - determine how to do ioremap of physical memory with mem encryption enabled
>   (e.g. acpi tables)

They would be encrypted, right?  Similar to the EFI data in patch 9.

> - determine how to share the guest memory with hypervisor to support
>   pvclock driver

Is it enough if the guest makes that page unencrypted?

I reviewed the KVM host-side patches and they are pretty
straightforward, so the comments on each patch suffice.

Thanks,

Paolo

> Brijesh Singh (11):
>       crypto: add AMD Platform Security Processor driver
>       KVM: SVM: prepare to reserve asid for SEV guest
>       KVM: SVM: prepare for SEV guest management API support
>       KVM: introduce KVM_SEV_ISSUE_CMD ioctl
>       KVM: SVM: add SEV launch start command
>       KVM: SVM: add SEV launch update command
>       KVM: SVM: add SEV_LAUNCH_FINISH command
>       KVM: SVM: add KVM_SEV_GUEST_STATUS command
>       KVM: SVM: add KVM_SEV_DEBUG_DECRYPT command
>       KVM: SVM: add KVM_SEV_DEBUG_ENCRYPT command
>       KVM: SVM: add command to query SEV API version
> 
> Tom Lendacky (17):
>       kvm: svm: Add support for additional SVM NPF error codes
>       kvm: svm: Add kvm_fast_pio_in support
>       kvm: svm: Use the hardware provided GPA instead of page walk
>       x86: Secure Encrypted Virtualization (SEV) support
>       KVM: SVM: prepare for new bit definition in nested_ctl
>       KVM: SVM: Add SEV feature definitions to KVM
>       x86: Do not encrypt memory areas if SEV is enabled
>       Access BOOT related data encrypted with SEV active
>       x86/efi: Access EFI data as encrypted when SEV is active
>       x86: Change early_ioremap to early_memremap for BOOT data
>       x86: Don't decrypt trampoline area if SEV is active
>       x86: DMA support for SEV memory encryption
>       iommu/amd: AMD IOMMU support for SEV
>       x86: Don't set the SME MSR bit when SEV is active
>       x86: Unroll string I/O when SEV is active
>       x86: Add support to determine if running with SEV enabled
>       KVM: SVM: Enable SEV by setting the SEV_ENABLE cpu feature
> 
> 
>  arch/x86/boot/compressed/Makefile      |    2 
>  arch/x86/boot/compressed/head_64.S     |   19 +
>  arch/x86/boot/compressed/mem_encrypt.S |  123 ++++
>  arch/x86/include/asm/io.h              |   26 +
>  arch/x86/include/asm/kvm_emulate.h     |    3 
>  arch/x86/include/asm/kvm_host.h        |   27 +
>  arch/x86/include/asm/mem_encrypt.h     |    3 
>  arch/x86/include/asm/svm.h             |    3 
>  arch/x86/include/uapi/asm/hyperv.h     |    4 
>  arch/x86/include/uapi/asm/kvm_para.h   |    4 
>  arch/x86/kernel/acpi/boot.c            |    4 
>  arch/x86/kernel/head64.c               |    4 
>  arch/x86/kernel/mem_encrypt.S          |   44 ++
>  arch/x86/kernel/mpparse.c              |   10 
>  arch/x86/kernel/setup.c                |    7 
>  arch/x86/kernel/x8664_ksyms_64.c       |    1 
>  arch/x86/kvm/cpuid.c                   |    4 
>  arch/x86/kvm/mmu.c                     |   20 +
>  arch/x86/kvm/svm.c                     |  906 ++++++++++++++++++++++++++++++++
>  arch/x86/kvm/x86.c                     |   73 +++
>  arch/x86/mm/ioremap.c                  |    7 
>  arch/x86/mm/mem_encrypt.c              |   50 ++
>  arch/x86/platform/efi/efi_64.c         |   14 
>  arch/x86/realmode/init.c               |   11 
>  drivers/crypto/Kconfig                 |   11 
>  drivers/crypto/Makefile                |    1 
>  drivers/crypto/psp/Kconfig             |    8 
>  drivers/crypto/psp/Makefile            |    3 
>  drivers/crypto/psp/psp-dev.c           |  220 ++++++++
>  drivers/crypto/psp/psp-dev.h           |   95 +++
>  drivers/crypto/psp/psp-ops.c           |  454 ++++++++++++++++
>  drivers/crypto/psp/psp-pci.c           |  376 +++++++++++++
>  drivers/sfi/sfi_core.c                 |    6 
>  include/linux/ccp-psp.h                |  833 +++++++++++++++++++++++++++++
>  include/uapi/linux/Kbuild              |    1 
>  include/uapi/linux/ccp-psp.h           |  182 ++++++
>  include/uapi/linux/kvm.h               |  125 ++++
>  37 files changed, 3643 insertions(+), 41 deletions(-)
>  create mode 100644 arch/x86/boot/compressed/mem_encrypt.S
>  create mode 100644 drivers/crypto/psp/Kconfig
>  create mode 100644 drivers/crypto/psp/Makefile
>  create mode 100644 drivers/crypto/psp/psp-dev.c
>  create mode 100644 drivers/crypto/psp/psp-dev.h
>  create mode 100644 drivers/crypto/psp/psp-ops.c
>  create mode 100644 drivers/crypto/psp/psp-pci.c
>  create mode 100644 include/linux/ccp-psp.h
>  create mode 100644 include/uapi/linux/ccp-psp.h
> 

