|
From b162af531abdf6f5e8ad13b93699a3ba28de6702 Mon Sep 17 00:00:00 2001
|
||
|
From: Michael Roth <mroth@redhat.com>
|
||
|
Date: Thu, 20 Aug 2020 23:00:51 -0400
|
||
|
Subject: [PATCH 1/4] target/ppc: Add experimental option for enabling secure
|
||
|
guests
|
||
|
|
||
|
RH-Author: Michael Roth <mroth@redhat.com>
|
||
|
Message-id: <20200820230051.516359-2-mroth@redhat.com>
|
||
|
Patchwork-id: 98208
|
||
|
O-Subject: [RHEL-AV-8.3.0 qemu virt PATCH 1/1] target/ppc: Add experimental option for enabling secure guests
|
||
|
Bugzilla: 1870384
|
||
|
RH-Acked-by: Greg Kurz <gkurz@redhat.com>
|
||
|
RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
|
||
|
RH-Acked-by: David Gibson <dgibson@redhat.com>
|
||
|
|
||
|
From: Fabiano Rosas <farosas@linux.ibm.com>
|
||
|
|
||
|
Making use of ppc's Protected Execution Facility (PEF) feature, a
|
||
|
guest can become a secure guest (aka. secure VM - SVM) and have its
|
||
|
memory protected from access by the host. This feature is mediated by
|
||
|
a piece of firmware called the Ultravisor (UV).
|
||
|
|
||
|
The transition from a regular to a secure VM is initiated by the guest
|
||
|
kernel during prom_init via the use of an ultracall (enter secure mode
|
||
|
- UV_ESM) and with cooperation from the hypervisor via an hcall
|
||
|
(H_SVM_INIT_START).
|
||
|
|
||
|
Currently QEMU has no knowledge of this process and no way to
|
||
|
determine if a host supports the feature. A guest with PEF support
|
||
|
enabled would always try to enter secure mode regardless of user
|
||
|
intent or hardware support.
|
||
|
|
||
|
To address the above, a new KVM capability (KVM_CAP_PPC_SECURE_GUEST
|
||
|
[1]) is being introduced in the kernel without which KVM will block
|
||
|
the secure transition.
|
||
|
|
||
|
This patch adds support for checking/enabling this KVM capability via
|
||
|
a new experimental spapr machine option, e.g.:
|
||
|
|
||
|
-machine pseries,x-svm-allowed=on
|
||
|
|
||
|
The capability defaults to off.
|
||
|
|
||
|
1- https://lore.kernel.org/kvm/20200319043301.GA13052@blackberry
|
||
|
|
||
|
Signed-off-by: Fabiano Rosas <farosas@linux.ibm.com>
|
||
|
|
||
|
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1789757
|
||
|
Upstream: RHEL-only
|
||
|
*re-worked to drop use of spapr capabilities infrastructure in favor
|
||
|
of a simple one-off machine option
|
||
|
Signed-off-by: Michael Roth <mroth@redhat.com>
|
||
|
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
|
||
|
---
|
||
|
hw/ppc/spapr.c | 23 +++++++++++++++++++++++
|
||
|
include/hw/ppc/spapr.h | 3 +++
|
||
|
target/ppc/kvm.c | 27 +++++++++++++++++++++++++++
|
||
|
target/ppc/kvm_ppc.h | 13 +++++++++++++
|
||
|
4 files changed, 66 insertions(+)
|
||
|
|
||
|
diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
|
||
|
index 5e3964326d..e77c90bfc5 100644
|
||
|
--- a/hw/ppc/spapr.c
|
||
|
+++ b/hw/ppc/spapr.c
|
||
|
@@ -1636,6 +1636,9 @@ static void spapr_machine_reset(MachineState *machine)
|
||
|
|
||
|
kvmppc_svm_off(&error_fatal);
|
||
|
spapr_caps_apply(spapr);
|
||
|
+ if (spapr->svm_allowed) {
|
||
|
+ kvmppc_svm_allow(&error_fatal);
|
||
|
+ }
|
||
|
|
||
|
first_ppc_cpu = POWERPC_CPU(first_cpu);
|
||
|
if (kvm_enabled() && kvmppc_has_cap_mmu_radix() &&
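Review bot: The new `kvmppc_svm_allow(&error_fatal)` call runs on every pass through spapr_machine_reset, so a failure to enable the capability on a later, guest-initiated reset would terminate a VM that is already running. An unsupported `x-svm-allowed=on` configuration is also only reported once reset is reached. Whether the capability has to be enabled again after `kvmppc_svm_off()` is not visible in this hunk; if it does, a comment above the `if` should say so, for example `/* The secure transition must be allowed again after each reset. */`. If it does not, consider checking `kvmppc_has_cap_secure_guest()` once during machine init so the reset path carries no new fatal error. The function body starts and ends outside the hunk.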
|
||
|
@@ -3303,6 +3306,20 @@ static void spapr_set_host_serial(Object *obj, const char *value, Error **errp)
|
||
|
spapr->host_serial = g_strdup(value);
|
||
|
}
|
||
|
|
||
|
+static bool spapr_get_svm_allowed(Object *obj, Error **errp)
|
||
|
+{
|
||
|
+ SpaprMachineState *spapr = SPAPR_MACHINE(obj);
|
||
|
+
|
||
|
+ return spapr->svm_allowed;
|
||
|
+}
|
||
|
+
|
||
|
+static void spapr_set_svm_allowed(Object *obj, bool value, Error **errp)
|
||
|
+{
|
||
|
+ SpaprMachineState *spapr = SPAPR_MACHINE(obj);
|
||
|
+
|
||
|
+ spapr->svm_allowed = value;
|
||
|
+}
|
||
|
+
|
||
|
static void spapr_instance_init(Object *obj)
|
||
|
{
|
||
|
SpaprMachineState *spapr = SPAPR_MACHINE(obj);
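Review bot: `spapr_set_svm_allowed` stores the value unconditionally, while the flag is only consumed in the reset path and this patch adds no call that turns the KVM capability back off. If the property is writable after startup (not visible here), switching it to off after a reset has already enabled the capability would leave `svm_allowed` reading false while KVM still permits the secure transition. A comment on the setter such as `/* Takes effect at the next machine reset; does not revoke a capability that is already enabled. */` would document this. Alternatively the setter could report an error through `errp` once the machine is initialised.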
|
||
|
@@ -3358,6 +3375,12 @@ static void spapr_instance_init(Object *obj)
|
||
|
spapr_get_host_serial, spapr_set_host_serial);
|
||
|
object_property_set_description(obj, "host-serial",
|
||
|
"Host serial number to advertise in guest device tree");
|
||
|
+ object_property_add_bool(obj, "x-svm-allowed",
|
||
|
+ spapr_get_svm_allowed,
|
||
|
+ spapr_set_svm_allowed);
|
||
|
+ object_property_set_description(obj, "x-svm-allowed",
|
||
|
+ "Allow the guest to become a Secure Guest"
|
||
|
+ " (experimental only)");
|
||
|
}
|
||
|
|
||
|
static void spapr_machine_finalizefn(Object *obj)
|
||
|
diff --git a/include/hw/ppc/spapr.h b/include/hw/ppc/spapr.h
|
||
|
index f48089edba..d0728a4758 100644
|
||
|
--- a/include/hw/ppc/spapr.h
|
||
|
+++ b/include/hw/ppc/spapr.h
|
||
|
@@ -212,6 +212,9 @@ struct SpaprMachineState {
|
||
|
int fwnmi_machine_check_interlock;
|
||
|
QemuCond fwnmi_machine_check_interlock_cond;
|
||
|
|
||
|
+ /* Secure Guest support via x-svm-allowed */
|
||
|
+ bool svm_allowed;
|
||
|
+
|
||
|
/*< public >*/
|
||
|
char *kvm_type;
|
||
|
char *host_model;
|
||
|
diff --git a/target/ppc/kvm.c b/target/ppc/kvm.c
|
||
|
index d85ba8ffe0..ce63f8b6f3 100644
|
||
|
--- a/target/ppc/kvm.c
|
||
|
+++ b/target/ppc/kvm.c
|
||
|
@@ -89,6 +89,7 @@ static int cap_ppc_count_cache_flush_assist;
|
||
|
static int cap_ppc_nested_kvm_hv;
|
||
|
static int cap_large_decr;
|
||
|
static int cap_fwnmi;
|
||
|
+static int cap_ppc_secure_guest;
|
||
|
|
||
|
static uint32_t debug_inst_opcode;
|
||
|
|
||
|
@@ -136,6 +137,7 @@ int kvm_arch_init(MachineState *ms, KVMState *s)
|
||
|
cap_resize_hpt = kvm_vm_check_extension(s, KVM_CAP_SPAPR_RESIZE_HPT);
|
||
|
kvmppc_get_cpu_characteristics(s);
|
||
|
cap_ppc_nested_kvm_hv = kvm_vm_check_extension(s, KVM_CAP_PPC_NESTED_HV);
|
||
|
+ cap_ppc_secure_guest = kvm_vm_check_extension(s, KVM_CAP_PPC_SECURE_GUEST);
|
||
|
cap_large_decr = kvmppc_get_dec_bits();
|
||
|
cap_fwnmi = kvm_vm_check_extension(s, KVM_CAP_PPC_FWNMI);
|
||
|
/*
|
||
|
@@ -2538,6 +2540,16 @@ int kvmppc_enable_cap_large_decr(PowerPCCPU *cpu, int enable)
|
||
|
return 0;
|
||
|
}
|
||
|
|
||
|
+bool kvmppc_has_cap_secure_guest(void)
|
||
|
+{
|
||
|
+ return !!cap_ppc_secure_guest;
|
||
|
+}
|
||
|
+
|
||
|
+int kvmppc_enable_cap_secure_guest(void)
|
||
|
+{
|
||
|
+ return kvm_vm_enable_cap(kvm_state, KVM_CAP_PPC_SECURE_GUEST, 0, 1);
|
||
|
+}
|
||
|
+
|
||
|
PowerPCCPUClass *kvm_ppc_get_host_cpu_class(void)
|
||
|
{
|
||
|
uint32_t host_pvr = mfpvr();
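Review bot: `kvmppc_enable_cap_secure_guest` passes a bare `0, 1` to `kvm_vm_enable_cap` with no explanation; I read these as the flags word and the first argument word, but the hunk does not say what the `1` means to the kernel. A one-line comment such as `/* flags = 0, args[0] = 1 */` above the return would help. The function also does not consult `cap_ppc_secure_guest` itself, so a short header comment stating that callers must check `kvmppc_has_cap_secure_guest()` first would make that contract explicit.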
|
||
|
@@ -2948,3 +2960,18 @@ void kvmppc_svm_off(Error **errp)
|
||
|
error_setg_errno(errp, -rc, "KVM_PPC_SVM_OFF ioctl failed");
|
||
|
}
|
||
|
}
|
||
|
+
|
||
|
+void kvmppc_svm_allow(Error **errp)
|
||
|
+{
|
||
|
+ if (!kvm_enabled()) {
|
||
|
+ error_setg(errp, "No PEF support in tcg, try x-svm-allowed=off");
|
||
|
+ return;
|
||
|
+ }
|
||
|
+
|
||
|
+ if (!kvmppc_has_cap_secure_guest()) {
|
||
|
+ error_setg(errp, "KVM implementation does not support secure guests, "
|
||
|
+ "try x-svm-allowed=off");
|
||
|
+ } else if (kvmppc_enable_cap_secure_guest() < 0) {
|
||
|
+ error_setg(errp, "Error enabling x-svm-allowed, try x-svm-allowed=off");
|
||
|
+ }
|
||
|
+}
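Review bot: The failure branch for `kvmppc_enable_cap_secure_guest()` discards the return code, so the message gives no reason why enabling was refused. The `kvmppc_svm_off` context just above uses `error_setg_errno(errp, -rc, ...)`. Keeping the result would match it: `int rc = kvmppc_enable_cap_secure_guest();` followed by `if (rc < 0) { error_setg_errno(errp, -rc, "Error enabling x-svm-allowed, try x-svm-allowed=off"); }`. The first check returns early while the second pair is an `if`/`else if` chain; one shape throughout would read more easily.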
|
||
|
diff --git a/target/ppc/kvm_ppc.h b/target/ppc/kvm_ppc.h
|
||
|
index 72e05f1cd2..3fd5ea2414 100644
|
||
|
--- a/target/ppc/kvm_ppc.h
|
||
|
+++ b/target/ppc/kvm_ppc.h
|
||
|
@@ -40,6 +40,7 @@ target_ulong kvmppc_configure_v3_mmu(PowerPCCPU *cpu,
|
||
|
bool radix, bool gtse,
|
||
|
uint64_t proc_tbl);
|
||
|
void kvmppc_svm_off(Error **errp);
|
||
|
+void kvmppc_svm_allow(Error **errp);
|
||
|
#ifndef CONFIG_USER_ONLY
|
||
|
bool kvmppc_spapr_use_multitce(void);
|
||
|
int kvmppc_spapr_enable_inkernel_multitce(void);
|
||
|
@@ -73,6 +74,8 @@ int kvmppc_set_cap_nested_kvm_hv(int enable);
|
||
|
int kvmppc_get_cap_large_decr(void);
|
||
|
int kvmppc_enable_cap_large_decr(PowerPCCPU *cpu, int enable);
|
||
|
int kvmppc_enable_hwrng(void);
|
||
|
+bool kvmppc_has_cap_secure_guest(void);
|
||
|
+int kvmppc_enable_cap_secure_guest(void);
|
||
|
int kvmppc_put_books_sregs(PowerPCCPU *cpu);
|
||
|
PowerPCCPUClass *kvm_ppc_get_host_cpu_class(void);
|
||
|
void kvmppc_check_papr_resize_hpt(Error **errp);
|
||
|
@@ -386,6 +389,16 @@ static inline int kvmppc_enable_cap_large_decr(PowerPCCPU *cpu, int enable)
|
||
|
return -1;
|
||
|
}
|
||
|
|
||
|
+static inline bool kvmppc_has_cap_secure_guest(void)
|
||
|
+{
|
||
|
+ return false;
|
||
|
+}
|
||
|
+
|
||
|
+static inline int kvmppc_enable_cap_secure_guest(void)
|
||
|
+{
|
||
|
+ return -1;
|
||
|
+}
|
||
|
+
|
||
|
static inline int kvmppc_enable_hwrng(void)
|
||
|
{
|
||
|
return -1;
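Review bot: These fallback stubs cover `kvmppc_has_cap_secure_guest` and `kvmppc_enable_cap_secure_guest` but not `kvmppc_svm_allow`, which spapr.c now calls whenever `svm_allowed` is set. Assuming this part of the header is the non-KVM fallback, as the `return false` and `return -1` bodies suggest, a build without KVM would have a declaration for `kvmppc_svm_allow` but no definition, since the only one shown is in target/ppc/kvm.c. The `!kvm_enabled()` message there would then never be reachable in the very configuration it describes. Adding a `static inline void kvmppc_svm_allow(Error **errp)` stub beside these two, whose body sets the same "No PEF support in tcg" error, would close the gap. The hunk ends inside `kvmppc_enable_hwrng`.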
|
||
|
--
|
||
|
2.27.0
|
||
|
|