search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
qemu-tech.texi: Remove "QEMU compared to other emulators" section
[qemu/ar7.git] / target / i386 / sev.c
blob6dbdc3cdf10f78d9c1a30a9feedee0f0a51f644d
1 /*
2 * QEMU SEV support
3 *
4 * Copyright Advanced Micro Devices 2016-2018
5 *
6 * Author:
7 * Brijesh Singh <brijesh.singh@amd.com>
8 *
9 * This work is licensed under the terms of the GNU GPL, version 2 or later.
10 * See the COPYING file in the top-level directory.
11 *
12 */
13
14 #include "qemu/osdep.h"
15
16 #include <linux/kvm.h>
17 #include <linux/psp-sev.h>
18
19 #include <sys/ioctl.h>
20
21 #include "qapi/error.h"
22 #include "qom/object_interfaces.h"
23 #include "qemu/base64.h"
24 #include "qemu/module.h"
25 #include "sysemu/kvm.h"
26 #include "sev_i386.h"
27 #include "sysemu/sysemu.h"
28 #include "trace.h"
29 #include "migration/blocker.h"
30
31 #define DEFAULT_GUEST_POLICY 0x1 /* disable debug */
32 #define DEFAULT_SEV_DEVICE "/dev/sev"
33
34 static SEVState *sev_state;
35 static Error *sev_mig_blocker;
36
37 static const char *const sev_fw_errlist[] = {
38 "",
39 "Platform state is invalid",
40 "Guest state is invalid",
41 "Platform configuration is invalid",
42 "Buffer too small",
43 "Platform is already owned",
44 "Certificate is invalid",
45 "Policy is not allowed",
46 "Guest is not active",
47 "Invalid address",
48 "Bad signature",
49 "Bad measurement",
50 "Asid is already owned",
51 "Invalid ASID",
52 "WBINVD is required",
53 "DF_FLUSH is required",
54 "Guest handle is invalid",
55 "Invalid command",
56 "Guest is active",
57 "Hardware error",
58 "Hardware unsafe",
59 "Feature not supported",
60 "Invalid parameter"
61 };
62
63 #define SEV_FW_MAX_ERROR ARRAY_SIZE(sev_fw_errlist)
64
65 static int
66 sev_ioctl(int fd, int cmd, void *data, int *error)
67 {
68 int r;
69 struct kvm_sev_cmd input;
70
71 memset(&input, 0x0, sizeof(input));
72
73 input.id = cmd;
74 input.sev_fd = fd;
75 input.data = (__u64)(unsigned long)data;
76
77 r = kvm_vm_ioctl(kvm_state, KVM_MEMORY_ENCRYPT_OP, &input);
78
79 if (error) {
80 *error = input.error;
81 }
82
83 return r;
84 }
85
86 static int
87 sev_platform_ioctl(int fd, int cmd, void *data, int *error)
88 {
89 int r;
90 struct sev_issue_cmd arg;
91
92 arg.cmd = cmd;
93 arg.data = (unsigned long)data;
94 r = ioctl(fd, SEV_ISSUE_CMD, &arg);
95 if (error) {
96 *error = arg.error;
97 }
98
99 return r;
100 }
101
102 static const char *
103 fw_error_to_str(int code)
104 {
105 if (code < 0 || code >= SEV_FW_MAX_ERROR) {
106 return "unknown error";
107 }
108
109 return sev_fw_errlist[code];
110 }
111
112 static bool
113 sev_check_state(SevState state)
114 {
115 assert(sev_state);
116 return sev_state->state == state ? true : false;
117 }
118
119 static void
120 sev_set_guest_state(SevState new_state)
121 {
122 assert(new_state < SEV_STATE__MAX);
123 assert(sev_state);
124
125 trace_kvm_sev_change_state(SevState_str(sev_state->state),
126 SevState_str(new_state));
127 sev_state->state = new_state;
128 }
129
130 static void
131 sev_ram_block_added(RAMBlockNotifier *n, void *host, size_t size)
132 {
133 int r;
134 struct kvm_enc_region range;
135 ram_addr_t offset;
136 MemoryRegion *mr;
137
138 /*
139 * The RAM device presents a memory region that should be treated
140 * as IO region and should not be pinned.
141 */
142 mr = memory_region_from_host(host, &offset);
143 if (mr && memory_region_is_ram_device(mr)) {
144 return;
145 }
146
147 range.addr = (__u64)(unsigned long)host;
148 range.size = size;
149
150 trace_kvm_memcrypt_register_region(host, size);
151 r = kvm_vm_ioctl(kvm_state, KVM_MEMORY_ENCRYPT_REG_REGION, &range);
152 if (r) {
153 error_report("%s: failed to register region (%p+%#zx) error '%s'",
154 __func__, host, size, strerror(errno));
155 exit(1);
156 }
157 }
158
159 static void
160 sev_ram_block_removed(RAMBlockNotifier *n, void *host, size_t size)
161 {
162 int r;
163 struct kvm_enc_region range;
164
165 range.addr = (__u64)(unsigned long)host;
166 range.size = size;
167
168 trace_kvm_memcrypt_unregister_region(host, size);
169 r = kvm_vm_ioctl(kvm_state, KVM_MEMORY_ENCRYPT_UNREG_REGION, &range);
170 if (r) {
171 error_report("%s: failed to unregister region (%p+%#zx)",
172 __func__, host, size);
173 }
174 }
175
176 static struct RAMBlockNotifier sev_ram_notifier = {
177 .ram_block_added = sev_ram_block_added,
178 .ram_block_removed = sev_ram_block_removed,
179 };
180
181 static void
182 qsev_guest_finalize(Object *obj)
183 {
184 }
185
186 static char *
187 qsev_guest_get_session_file(Object *obj, Error **errp)
188 {
189 QSevGuestInfo *s = QSEV_GUEST_INFO(obj);
190
191 return s->session_file ? g_strdup(s->session_file) : NULL;
192 }
193
194 static void
195 qsev_guest_set_session_file(Object *obj, const char *value, Error **errp)
196 {
197 QSevGuestInfo *s = QSEV_GUEST_INFO(obj);
198
199 s->session_file = g_strdup(value);
200 }
201
202 static char *
203 qsev_guest_get_dh_cert_file(Object *obj, Error **errp)
204 {
205 QSevGuestInfo *s = QSEV_GUEST_INFO(obj);
206
207 return g_strdup(s->dh_cert_file);
208 }
209
210 static void
211 qsev_guest_set_dh_cert_file(Object *obj, const char *value, Error **errp)
212 {
213 QSevGuestInfo *s = QSEV_GUEST_INFO(obj);
214
215 s->dh_cert_file = g_strdup(value);
216 }
217
218 static char *
219 qsev_guest_get_sev_device(Object *obj, Error **errp)
220 {
221 QSevGuestInfo *sev = QSEV_GUEST_INFO(obj);
222
223 return g_strdup(sev->sev_device);
224 }
225
226 static void
227 qsev_guest_set_sev_device(Object *obj, const char *value, Error **errp)
228 {
229 QSevGuestInfo *sev = QSEV_GUEST_INFO(obj);
230
231 sev->sev_device = g_strdup(value);
232 }
233
234 static void
235 qsev_guest_class_init(ObjectClass *oc, void *data)
236 {
237 object_class_property_add_str(oc, "sev-device",
238 qsev_guest_get_sev_device,
239 qsev_guest_set_sev_device,
240 NULL);
241 object_class_property_set_description(oc, "sev-device",
242 "SEV device to use", NULL);
243 object_class_property_add_str(oc, "dh-cert-file",
244 qsev_guest_get_dh_cert_file,
245 qsev_guest_set_dh_cert_file,
246 NULL);
247 object_class_property_set_description(oc, "dh-cert-file",
248 "guest owners DH certificate (encoded with base64)", NULL);
249 object_class_property_add_str(oc, "session-file",
250 qsev_guest_get_session_file,
251 qsev_guest_set_session_file,
252 NULL);
253 object_class_property_set_description(oc, "session-file",
254 "guest owners session parameters (encoded with base64)", NULL);
255 }
256
257 static void
258 qsev_guest_set_handle(Object *obj, Visitor *v, const char *name,
259 void *opaque, Error **errp)
260 {
261 QSevGuestInfo *sev = QSEV_GUEST_INFO(obj);
262 uint32_t value;
263
264 visit_type_uint32(v, name, &value, errp);
265 sev->handle = value;
266 }
267
268 static void
269 qsev_guest_set_policy(Object *obj, Visitor *v, const char *name,
270 void *opaque, Error **errp)
271 {
272 QSevGuestInfo *sev = QSEV_GUEST_INFO(obj);
273 uint32_t value;
274
275 visit_type_uint32(v, name, &value, errp);
276 sev->policy = value;
277 }
278
279 static void
280 qsev_guest_set_cbitpos(Object *obj, Visitor *v, const char *name,
281 void *opaque, Error **errp)
282 {
283 QSevGuestInfo *sev = QSEV_GUEST_INFO(obj);
284 uint32_t value;
285
286 visit_type_uint32(v, name, &value, errp);
287 sev->cbitpos = value;
288 }
289
290 static void
291 qsev_guest_set_reduced_phys_bits(Object *obj, Visitor *v, const char *name,
292 void *opaque, Error **errp)
293 {
294 QSevGuestInfo *sev = QSEV_GUEST_INFO(obj);
295 uint32_t value;
296
297 visit_type_uint32(v, name, &value, errp);
298 sev->reduced_phys_bits = value;
299 }
300
301 static void
302 qsev_guest_get_policy(Object *obj, Visitor *v, const char *name,
303 void *opaque, Error **errp)
304 {
305 uint32_t value;
306 QSevGuestInfo *sev = QSEV_GUEST_INFO(obj);
307
308 value = sev->policy;
309 visit_type_uint32(v, name, &value, errp);
310 }
311
312 static void
313 qsev_guest_get_handle(Object *obj, Visitor *v, const char *name,
314 void *opaque, Error **errp)
315 {
316 uint32_t value;
317 QSevGuestInfo *sev = QSEV_GUEST_INFO(obj);
318
319 value = sev->handle;
320 visit_type_uint32(v, name, &value, errp);
321 }
322
323 static void
324 qsev_guest_get_cbitpos(Object *obj, Visitor *v, const char *name,
325 void *opaque, Error **errp)
326 {
327 uint32_t value;
328 QSevGuestInfo *sev = QSEV_GUEST_INFO(obj);
329
330 value = sev->cbitpos;
331 visit_type_uint32(v, name, &value, errp);
332 }
333
334 static void
335 qsev_guest_get_reduced_phys_bits(Object *obj, Visitor *v, const char *name,
336 void *opaque, Error **errp)
337 {
338 uint32_t value;
339 QSevGuestInfo *sev = QSEV_GUEST_INFO(obj);
340
341 value = sev->reduced_phys_bits;
342 visit_type_uint32(v, name, &value, errp);
343 }
344
345 static void
346 qsev_guest_init(Object *obj)
347 {
348 QSevGuestInfo *sev = QSEV_GUEST_INFO(obj);
349
350 sev->sev_device = g_strdup(DEFAULT_SEV_DEVICE);
351 sev->policy = DEFAULT_GUEST_POLICY;
352 object_property_add(obj, "policy", "uint32", qsev_guest_get_policy,
353 qsev_guest_set_policy, NULL, NULL, NULL);
354 object_property_add(obj, "handle", "uint32", qsev_guest_get_handle,
355 qsev_guest_set_handle, NULL, NULL, NULL);
356 object_property_add(obj, "cbitpos", "uint32", qsev_guest_get_cbitpos,
357 qsev_guest_set_cbitpos, NULL, NULL, NULL);
358 object_property_add(obj, "reduced-phys-bits", "uint32",
359 qsev_guest_get_reduced_phys_bits,
360 qsev_guest_set_reduced_phys_bits, NULL, NULL, NULL);
361 }
362
363 /* sev guest info */
364 static const TypeInfo qsev_guest_info = {
365 .parent = TYPE_OBJECT,
366 .name = TYPE_QSEV_GUEST_INFO,
367 .instance_size = sizeof(QSevGuestInfo),
368 .instance_finalize = qsev_guest_finalize,
369 .class_size = sizeof(QSevGuestInfoClass),
370 .class_init = qsev_guest_class_init,
371 .instance_init = qsev_guest_init,
372 .interfaces = (InterfaceInfo[]) {
373 { TYPE_USER_CREATABLE },
374 { }
375 }
376 };
377
378 static QSevGuestInfo *
379 lookup_sev_guest_info(const char *id)
380 {
381 Object *obj;
382 QSevGuestInfo *info;
383
384 obj = object_resolve_path_component(object_get_objects_root(), id);
385 if (!obj) {
386 return NULL;
387 }
388
389 info = (QSevGuestInfo *)
390 object_dynamic_cast(obj, TYPE_QSEV_GUEST_INFO);
391 if (!info) {
392 return NULL;
393 }
394
395 return info;
396 }
397
398 bool
399 sev_enabled(void)
400 {
401 return sev_state ? true : false;
402 }
403
404 uint64_t
405 sev_get_me_mask(void)
406 {
407 return sev_state ? sev_state->me_mask : ~0;
408 }
409
410 uint32_t
411 sev_get_cbit_position(void)
412 {
413 return sev_state ? sev_state->cbitpos : 0;
414 }
415
416 uint32_t
417 sev_get_reduced_phys_bits(void)
418 {
419 return sev_state ? sev_state->reduced_phys_bits : 0;
420 }
421
422 SevInfo *
423 sev_get_info(void)
424 {
425 SevInfo *info;
426
427 info = g_new0(SevInfo, 1);
428 info->enabled = sev_state ? true : false;
429
430 if (info->enabled) {
431 info->api_major = sev_state->api_major;
432 info->api_minor = sev_state->api_minor;
433 info->build_id = sev_state->build_id;
434 info->policy = sev_state->policy;
435 info->state = sev_state->state;
436 info->handle = sev_state->handle;
437 }
438
439 return info;
440 }
441
442 static int
443 sev_get_pdh_info(int fd, guchar **pdh, size_t *pdh_len, guchar **cert_chain,
444 size_t *cert_chain_len)
445 {
446 guchar *pdh_data = NULL;
447 guchar *cert_chain_data = NULL;
448 struct sev_user_data_pdh_cert_export export = {};
449 int err, r;
450
451 /* query the certificate length */
452 r = sev_platform_ioctl(fd, SEV_PDH_CERT_EXPORT, &export, &err);
453 if (r < 0) {
454 if (err != SEV_RET_INVALID_LEN) {
455 error_report("failed to export PDH cert ret=%d fw_err=%d (%s)",
456 r, err, fw_error_to_str(err));
457 return 1;
458 }
459 }
460
461 pdh_data = g_new(guchar, export.pdh_cert_len);
462 cert_chain_data = g_new(guchar, export.cert_chain_len);
463 export.pdh_cert_address = (unsigned long)pdh_data;
464 export.cert_chain_address = (unsigned long)cert_chain_data;
465
466 r = sev_platform_ioctl(fd, SEV_PDH_CERT_EXPORT, &export, &err);
467 if (r < 0) {
468 error_report("failed to export PDH cert ret=%d fw_err=%d (%s)",
469 r, err, fw_error_to_str(err));
470 goto e_free;
471 }
472
473 *pdh = pdh_data;
474 *pdh_len = export.pdh_cert_len;
475 *cert_chain = cert_chain_data;
476 *cert_chain_len = export.cert_chain_len;
477 return 0;
478
479 e_free:
480 g_free(pdh_data);
481 g_free(cert_chain_data);
482 return 1;
483 }
484
485 SevCapability *
486 sev_get_capabilities(void)
487 {
488 SevCapability *cap = NULL;
489 guchar *pdh_data = NULL;
490 guchar *cert_chain_data = NULL;
491 size_t pdh_len = 0, cert_chain_len = 0;
492 uint32_t ebx;
493 int fd;
494
495 fd = open(DEFAULT_SEV_DEVICE, O_RDWR);
496 if (fd < 0) {
497 error_report("%s: Failed to open %s '%s'", __func__,
498 DEFAULT_SEV_DEVICE, strerror(errno));
499 return NULL;
500 }
501
502 if (sev_get_pdh_info(fd, &pdh_data, &pdh_len,
503 &cert_chain_data, &cert_chain_len)) {
504 goto out;
505 }
506
507 cap = g_new0(SevCapability, 1);
508 cap->pdh = g_base64_encode(pdh_data, pdh_len);
509 cap->cert_chain = g_base64_encode(cert_chain_data, cert_chain_len);
510
511 host_cpuid(0x8000001F, 0, NULL, &ebx, NULL, NULL);
512 cap->cbitpos = ebx & 0x3f;
513
514 /*
515 * When SEV feature is enabled, we loose one bit in guest physical
516 * addressing.
517 */
518 cap->reduced_phys_bits = 1;
519
520 out:
521 g_free(pdh_data);
522 g_free(cert_chain_data);
523 close(fd);
524 return cap;
525 }
526
527 static int
528 sev_read_file_base64(const char *filename, guchar **data, gsize *len)
529 {
530 gsize sz;
531 gchar *base64;
532 GError *error = NULL;
533
534 if (!g_file_get_contents(filename, &base64, &sz, &error)) {
535 error_report("failed to read '%s' (%s)", filename, error->message);
536 return -1;
537 }
538
539 *data = g_base64_decode(base64, len);
540 return 0;
541 }
542
543 static int
544 sev_launch_start(SEVState *s)
545 {
546 gsize sz;
547 int ret = 1;
548 int fw_error, rc;
549 QSevGuestInfo *sev = s->sev_info;
550 struct kvm_sev_launch_start *start;
551 guchar *session = NULL, *dh_cert = NULL;
552
553 start = g_new0(struct kvm_sev_launch_start, 1);
554
555 start->handle = object_property_get_int(OBJECT(sev), "handle",
556 &error_abort);
557 start->policy = object_property_get_int(OBJECT(sev), "policy",
558 &error_abort);
559 if (sev->session_file) {
560 if (sev_read_file_base64(sev->session_file, &session, &sz) < 0) {
561 goto out;
562 }
563 start->session_uaddr = (unsigned long)session;
564 start->session_len = sz;
565 }
566
567 if (sev->dh_cert_file) {
568 if (sev_read_file_base64(sev->dh_cert_file, &dh_cert, &sz) < 0) {
569 goto out;
570 }
571 start->dh_uaddr = (unsigned long)dh_cert;
572 start->dh_len = sz;
573 }
574
575 trace_kvm_sev_launch_start(start->policy, session, dh_cert);
576 rc = sev_ioctl(s->sev_fd, KVM_SEV_LAUNCH_START, start, &fw_error);
577 if (rc < 0) {
578 error_report("%s: LAUNCH_START ret=%d fw_error=%d '%s'",
579 __func__, ret, fw_error, fw_error_to_str(fw_error));
580 goto out;
581 }
582
583 object_property_set_int(OBJECT(sev), start->handle, "handle",
584 &error_abort);
585 sev_set_guest_state(SEV_STATE_LAUNCH_UPDATE);
586 s->handle = start->handle;
587 s->policy = start->policy;
588 ret = 0;
589
590 out:
591 g_free(start);
592 g_free(session);
593 g_free(dh_cert);
594 return ret;
595 }
596
597 static int
598 sev_launch_update_data(uint8_t *addr, uint64_t len)
599 {
600 int ret, fw_error;
601 struct kvm_sev_launch_update_data update;
602
603 if (!addr || !len) {
604 return 1;
605 }
606
607 update.uaddr = (__u64)(unsigned long)addr;
608 update.len = len;
609 trace_kvm_sev_launch_update_data(addr, len);
610 ret = sev_ioctl(sev_state->sev_fd, KVM_SEV_LAUNCH_UPDATE_DATA,
611 &update, &fw_error);
612 if (ret) {
613 error_report("%s: LAUNCH_UPDATE ret=%d fw_error=%d '%s'",
614 __func__, ret, fw_error, fw_error_to_str(fw_error));
615 }
616
617 return ret;
618 }
619
620 static void
621 sev_launch_get_measure(Notifier *notifier, void *unused)
622 {
623 int ret, error;
624 guchar *data;
625 SEVState *s = sev_state;
626 struct kvm_sev_launch_measure *measurement;
627
628 if (!sev_check_state(SEV_STATE_LAUNCH_UPDATE)) {
629 return;
630 }
631
632 measurement = g_new0(struct kvm_sev_launch_measure, 1);
633
634 /* query the measurement blob length */
635 ret = sev_ioctl(sev_state->sev_fd, KVM_SEV_LAUNCH_MEASURE,
636 measurement, &error);
637 if (!measurement->len) {
638 error_report("%s: LAUNCH_MEASURE ret=%d fw_error=%d '%s'",
639 __func__, ret, error, fw_error_to_str(errno));
640 goto free_measurement;
641 }
642
643 data = g_new0(guchar, measurement->len);
644 measurement->uaddr = (unsigned long)data;
645
646 /* get the measurement blob */
647 ret = sev_ioctl(sev_state->sev_fd, KVM_SEV_LAUNCH_MEASURE,
648 measurement, &error);
649 if (ret) {
650 error_report("%s: LAUNCH_MEASURE ret=%d fw_error=%d '%s'",
651 __func__, ret, error, fw_error_to_str(errno));
652 goto free_data;
653 }
654
655 sev_set_guest_state(SEV_STATE_LAUNCH_SECRET);
656
657 /* encode the measurement value and emit the event */
658 s->measurement = g_base64_encode(data, measurement->len);
659 trace_kvm_sev_launch_measurement(s->measurement);
660
661 free_data:
662 g_free(data);
663 free_measurement:
664 g_free(measurement);
665 }
666
667 char *
668 sev_get_launch_measurement(void)
669 {
670 if (sev_state &&
671 sev_state->state >= SEV_STATE_LAUNCH_SECRET) {
672 return g_strdup(sev_state->measurement);
673 }
674
675 return NULL;
676 }
677
678 static Notifier sev_machine_done_notify = {
679 .notify = sev_launch_get_measure,
680 };
681
682 static void
683 sev_launch_finish(SEVState *s)
684 {
685 int ret, error;
686 Error *local_err = NULL;
687
688 trace_kvm_sev_launch_finish();
689 ret = sev_ioctl(sev_state->sev_fd, KVM_SEV_LAUNCH_FINISH, 0, &error);
690 if (ret) {
691 error_report("%s: LAUNCH_FINISH ret=%d fw_error=%d '%s'",
692 __func__, ret, error, fw_error_to_str(error));
693 exit(1);
694 }
695
696 sev_set_guest_state(SEV_STATE_RUNNING);
697
698 /* add migration blocker */
699 error_setg(&sev_mig_blocker,
700 "SEV: Migration is not implemented");
701 ret = migrate_add_blocker(sev_mig_blocker, &local_err);
702 if (local_err) {
703 error_report_err(local_err);
704 error_free(sev_mig_blocker);
705 exit(1);
706 }
707 }
708
709 static void
710 sev_vm_state_change(void *opaque, int running, RunState state)
711 {
712 SEVState *s = opaque;
713
714 if (running) {
715 if (!sev_check_state(SEV_STATE_RUNNING)) {
716 sev_launch_finish(s);
717 }
718 }
719 }
720
721 void *
722 sev_guest_init(const char *id)
723 {
724 SEVState *s;
725 char *devname;
726 int ret, fw_error;
727 uint32_t ebx;
728 uint32_t host_cbitpos;
729 struct sev_user_data_status status = {};
730
731 sev_state = s = g_new0(SEVState, 1);
732 s->sev_info = lookup_sev_guest_info(id);
733 if (!s->sev_info) {
734 error_report("%s: '%s' is not a valid '%s' object",
735 __func__, id, TYPE_QSEV_GUEST_INFO);
736 goto err;
737 }
738
739 s->state = SEV_STATE_UNINIT;
740
741 host_cpuid(0x8000001F, 0, NULL, &ebx, NULL, NULL);
742 host_cbitpos = ebx & 0x3f;
743
744 s->cbitpos = object_property_get_int(OBJECT(s->sev_info), "cbitpos", NULL);
745 if (host_cbitpos != s->cbitpos) {
746 error_report("%s: cbitpos check failed, host '%d' requested '%d'",
747 __func__, host_cbitpos, s->cbitpos);
748 goto err;
749 }
750
751 s->reduced_phys_bits = object_property_get_int(OBJECT(s->sev_info),
752 "reduced-phys-bits", NULL);
753 if (s->reduced_phys_bits < 1) {
754 error_report("%s: reduced_phys_bits check failed, it should be >=1,"
755 "' requested '%d'", __func__, s->reduced_phys_bits);
756 goto err;
757 }
758
759 s->me_mask = ~(1UL << s->cbitpos);
760
761 devname = object_property_get_str(OBJECT(s->sev_info), "sev-device", NULL);
762 s->sev_fd = open(devname, O_RDWR);
763 if (s->sev_fd < 0) {
764 error_report("%s: Failed to open %s '%s'", __func__,
765 devname, strerror(errno));
766 }
767 g_free(devname);
768 if (s->sev_fd < 0) {
769 goto err;
770 }
771
772 ret = sev_platform_ioctl(s->sev_fd, SEV_PLATFORM_STATUS, &status,
773 &fw_error);
774 if (ret) {
775 error_report("%s: failed to get platform status ret=%d"
776 "fw_error='%d: %s'", __func__, ret, fw_error,
777 fw_error_to_str(fw_error));
778 goto err;
779 }
780 s->build_id = status.build;
781 s->api_major = status.api_major;
782 s->api_minor = status.api_minor;
783
784 trace_kvm_sev_init();
785 ret = sev_ioctl(s->sev_fd, KVM_SEV_INIT, NULL, &fw_error);
786 if (ret) {
787 error_report("%s: failed to initialize ret=%d fw_error=%d '%s'",
788 __func__, ret, fw_error, fw_error_to_str(fw_error));
789 goto err;
790 }
791
792 ret = sev_launch_start(s);
793 if (ret) {
794 error_report("%s: failed to create encryption context", __func__);
795 goto err;
796 }
797
798 ram_block_notifier_add(&sev_ram_notifier);
799 qemu_add_machine_init_done_notifier(&sev_machine_done_notify);
800 qemu_add_vm_change_state_handler(sev_vm_state_change, s);
801
802 return s;
803 err:
804 g_free(sev_state);
805 sev_state = NULL;
806 return NULL;
807 }
808
809 int
810 sev_encrypt_data(void *handle, uint8_t *ptr, uint64_t len)
811 {
812 assert(handle);
813
814 /* if SEV is in update state then encrypt the data else do nothing */
815 if (sev_check_state(SEV_STATE_LAUNCH_UPDATE)) {
816 return sev_launch_update_data(ptr, len);
817 }
818
819 return 0;
820 }
821
822 static void
823 sev_register_types(void)
824 {
825 type_register_static(&qsev_guest_info);
826 }
827
828 type_init(sev_register_types);
AR7 emulation for QEMU