qemu-kvm/kvm-target-ppc-Add-experimental-option-for-enabling-secu.patch

220 lines
7.4 KiB
Diff
Raw Normal View History

From b162af531abdf6f5e8ad13b93699a3ba28de6702 Mon Sep 17 00:00:00 2001
From: Michael Roth <mroth@redhat.com>
Date: Thu, 20 Aug 2020 23:00:51 -0400
Subject: [PATCH 1/4] target/ppc: Add experimental option for enabling secure
guests
RH-Author: Michael Roth <mroth@redhat.com>
Message-id: <20200820230051.516359-2-mroth@redhat.com>
Patchwork-id: 98208
O-Subject: [RHEL-AV-8.3.0 qemu virt PATCH 1/1] target/ppc: Add experimental option for enabling secure guests
Bugzilla: 1870384
RH-Acked-by: Greg Kurz <gkurz@redhat.com>
RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
RH-Acked-by: David Gibson <dgibson@redhat.com>
From: Fabiano Rosas <farosas@linux.ibm.com>
Making use of ppc's Protected Execution Facility (PEF) feature, a
guest can become a secure guest (aka. secure VM - SVM) and have its
memory protected from access by the host. This feature is mediated by
a piece of firmware called the Ultravisor (UV).
The transition from a regular to a secure VM is initiated by the guest
kernel during prom_init via the use of an ultracall (enter secure mode
- UV_ESM) and with cooperation from the hypervisor via an hcall
(H_SVM_INIT_START).
Currently QEMU has no knowledge of this process and no way to
determine if a host supports the feature. A guest with PEF support
enabled would always try to enter secure mode regardless of user
intent or hardware support.
To address the above, a new KVM capability (KVM_CAP_PPC_SECURE_GUEST
[1]) is being introduced in the kernel without which KVM will block
the secure transition.
This patch adds support for checking/enabling this KVM capability via
a new experimental spapr machine option, e.g.:
-machine pseries,x-svm-allowed=on
The capability defaults to off.
1- https://lore.kernel.org/kvm/20200319043301.GA13052@blackberry
Signed-off-by: Fabiano Rosas <farosas@linux.ibm.com>
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1789757
Upstream: RHEL-only
*re-worked to drop use of spapr capabilities infrastructure in favor
of a simple one-off machine option
Signed-off-by: Michael Roth <mroth@redhat.com>
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
---
hw/ppc/spapr.c | 23 +++++++++++++++++++++++
include/hw/ppc/spapr.h | 3 +++
target/ppc/kvm.c | 27 +++++++++++++++++++++++++++
target/ppc/kvm_ppc.h | 13 +++++++++++++
4 files changed, 66 insertions(+)
diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index 5e3964326d..e77c90bfc5 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -1636,6 +1636,9 @@ static void spapr_machine_reset(MachineState *machine)
kvmppc_svm_off(&error_fatal);
spapr_caps_apply(spapr);
+ if (spapr->svm_allowed) {
+ kvmppc_svm_allow(&error_fatal);
+ }
first_ppc_cpu = POWERPC_CPU(first_cpu);
if (kvm_enabled() && kvmppc_has_cap_mmu_radix() &&
@@ -3303,6 +3306,20 @@ static void spapr_set_host_serial(Object *obj, const char *value, Error **errp)
spapr->host_serial = g_strdup(value);
}
+static bool spapr_get_svm_allowed(Object *obj, Error **errp)
+{
+ SpaprMachineState *spapr = SPAPR_MACHINE(obj);
+
+ return spapr->svm_allowed;
+}
+
+static void spapr_set_svm_allowed(Object *obj, bool value, Error **errp)
+{
+ SpaprMachineState *spapr = SPAPR_MACHINE(obj);
+
+ spapr->svm_allowed = value;
+}
+
static void spapr_instance_init(Object *obj)
{
SpaprMachineState *spapr = SPAPR_MACHINE(obj);
@@ -3358,6 +3375,12 @@ static void spapr_instance_init(Object *obj)
spapr_get_host_serial, spapr_set_host_serial);
object_property_set_description(obj, "host-serial",
"Host serial number to advertise in guest device tree");
+ object_property_add_bool(obj, "x-svm-allowed",
+ spapr_get_svm_allowed,
+ spapr_set_svm_allowed);
+ object_property_set_description(obj, "x-svm-allowed",
+ "Allow the guest to become a Secure Guest"
+ " (experimental only)");
}
static void spapr_machine_finalizefn(Object *obj)
diff --git a/include/hw/ppc/spapr.h b/include/hw/ppc/spapr.h
index f48089edba..d0728a4758 100644
--- a/include/hw/ppc/spapr.h
+++ b/include/hw/ppc/spapr.h
@@ -212,6 +212,9 @@ struct SpaprMachineState {
int fwnmi_machine_check_interlock;
QemuCond fwnmi_machine_check_interlock_cond;
+ /* Secure Guest support via x-svm-allowed */
+ bool svm_allowed;
+
/*< public >*/
char *kvm_type;
char *host_model;
diff --git a/target/ppc/kvm.c b/target/ppc/kvm.c
index d85ba8ffe0..ce63f8b6f3 100644
--- a/target/ppc/kvm.c
+++ b/target/ppc/kvm.c
@@ -89,6 +89,7 @@ static int cap_ppc_count_cache_flush_assist;
static int cap_ppc_nested_kvm_hv;
static int cap_large_decr;
static int cap_fwnmi;
+static int cap_ppc_secure_guest;
static uint32_t debug_inst_opcode;
@@ -136,6 +137,7 @@ int kvm_arch_init(MachineState *ms, KVMState *s)
cap_resize_hpt = kvm_vm_check_extension(s, KVM_CAP_SPAPR_RESIZE_HPT);
kvmppc_get_cpu_characteristics(s);
cap_ppc_nested_kvm_hv = kvm_vm_check_extension(s, KVM_CAP_PPC_NESTED_HV);
+ cap_ppc_secure_guest = kvm_vm_check_extension(s, KVM_CAP_PPC_SECURE_GUEST);
cap_large_decr = kvmppc_get_dec_bits();
cap_fwnmi = kvm_vm_check_extension(s, KVM_CAP_PPC_FWNMI);
/*
@@ -2538,6 +2540,16 @@ int kvmppc_enable_cap_large_decr(PowerPCCPU *cpu, int enable)
return 0;
}
+bool kvmppc_has_cap_secure_guest(void)
+{
+ return !!cap_ppc_secure_guest;
+}
+
+int kvmppc_enable_cap_secure_guest(void)
+{
+ return kvm_vm_enable_cap(kvm_state, KVM_CAP_PPC_SECURE_GUEST, 0, 1);
+}
+
PowerPCCPUClass *kvm_ppc_get_host_cpu_class(void)
{
uint32_t host_pvr = mfpvr();
@@ -2948,3 +2960,18 @@ void kvmppc_svm_off(Error **errp)
error_setg_errno(errp, -rc, "KVM_PPC_SVM_OFF ioctl failed");
}
}
+
+void kvmppc_svm_allow(Error **errp)
+{
+ if (!kvm_enabled()) {
+ error_setg(errp, "No PEF support in tcg, try x-svm-allowed=off");
+ return;
+ }
+
+ if (!kvmppc_has_cap_secure_guest()) {
+ error_setg(errp, "KVM implementation does not support secure guests, "
+ "try x-svm-allowed=off");
+ } else if (kvmppc_enable_cap_secure_guest() < 0) {
+ error_setg(errp, "Error enabling x-svm-allowed, try x-svm-allowed=off");
+ }
+}
diff --git a/target/ppc/kvm_ppc.h b/target/ppc/kvm_ppc.h
index 72e05f1cd2..3fd5ea2414 100644
--- a/target/ppc/kvm_ppc.h
+++ b/target/ppc/kvm_ppc.h
@@ -40,6 +40,7 @@ target_ulong kvmppc_configure_v3_mmu(PowerPCCPU *cpu,
bool radix, bool gtse,
uint64_t proc_tbl);
void kvmppc_svm_off(Error **errp);
+void kvmppc_svm_allow(Error **errp);
#ifndef CONFIG_USER_ONLY
bool kvmppc_spapr_use_multitce(void);
int kvmppc_spapr_enable_inkernel_multitce(void);
@@ -73,6 +74,8 @@ int kvmppc_set_cap_nested_kvm_hv(int enable);
int kvmppc_get_cap_large_decr(void);
int kvmppc_enable_cap_large_decr(PowerPCCPU *cpu, int enable);
int kvmppc_enable_hwrng(void);
+bool kvmppc_has_cap_secure_guest(void);
+int kvmppc_enable_cap_secure_guest(void);
int kvmppc_put_books_sregs(PowerPCCPU *cpu);
PowerPCCPUClass *kvm_ppc_get_host_cpu_class(void);
void kvmppc_check_papr_resize_hpt(Error **errp);
@@ -386,6 +389,16 @@ static inline int kvmppc_enable_cap_large_decr(PowerPCCPU *cpu, int enable)
return -1;
}
+static inline bool kvmppc_has_cap_secure_guest(void)
+{
+ return false;
+}
+
+static inline int kvmppc_enable_cap_secure_guest(void)
+{
+ return -1;
+}
+
static inline int kvmppc_enable_hwrng(void)
{
return -1;
--
2.27.0