4 * Copyright Advanced Micro Devices 2016-2018
7 * Brijesh Singh <brijesh.singh@amd.com>
9 * This work is licensed under the terms of the GNU GPL, version 2 or later.
10 * See the COPYING file in the top-level directory.
14 #include "qemu/osdep.h"
16 #include <linux/kvm.h>
17 #include <linux/psp-sev.h>
19 #include <sys/ioctl.h>
21 #include "qapi/error.h"
22 #include "qom/object_interfaces.h"
23 #include "qemu/base64.h"
24 #include "qemu/module.h"
25 #include "qemu/uuid.h"
26 #include "qemu/error-report.h"
27 #include "crypto/hash.h"
28 #include "sysemu/kvm.h"
29 #include "kvm/kvm_i386.h"
31 #include "sysemu/sysemu.h"
32 #include "sysemu/runstate.h"
34 #include "migration/blocker.h"
35 #include "qom/object.h"
36 #include "monitor/monitor.h"
37 #include "monitor/hmp-target.h"
38 #include "qapi/qapi-commands-misc-target.h"
39 #include "confidential-guest.h"
40 #include "hw/i386/pc.h"
41 #include "exec/address-spaces.h"
43 #define TYPE_SEV_GUEST "sev-guest"
44 OBJECT_DECLARE_SIMPLE_TYPE(SevGuestState
, SEV_GUEST
)
50 * The SevGuestState object is used for creating and managing a SEV
54 * -object sev-guest,id=sev0 \
55 * -machine ...,memory-encryption=sev0
57 struct SevGuestState
{
58 X86ConfidentialGuest parent_obj
;
62 /* configuration parameters */
68 uint32_t reduced_phys_bits
;
83 bool reset_data_valid
;
86 #define DEFAULT_GUEST_POLICY 0x1 /* disable debug */
87 #define DEFAULT_SEV_DEVICE "/dev/sev"
89 #define SEV_INFO_BLOCK_GUID "00f771de-1a7e-4fcb-890e-68c77e2fb44e"
90 typedef struct __attribute__((__packed__
)) SevInfoBlock
{
91 /* SEV-ES Reset Vector Address */
95 #define SEV_HASH_TABLE_RV_GUID "7255371f-3a3b-4b04-927b-1da6efa8d454"
96 typedef struct QEMU_PACKED SevHashTableDescriptor
{
97 /* SEV hash table area guest address */
99 /* SEV hash table area size (in bytes) */
101 } SevHashTableDescriptor
;
103 /* hard code sha256 digest size */
106 typedef struct QEMU_PACKED SevHashTableEntry
{
109 uint8_t hash
[HASH_SIZE
];
112 typedef struct QEMU_PACKED SevHashTable
{
115 SevHashTableEntry cmdline
;
116 SevHashTableEntry initrd
;
117 SevHashTableEntry kernel
;
121 * Data encrypted by sev_encrypt_flash() must be padded to a multiple of
124 typedef struct QEMU_PACKED PaddedSevHashTable
{
126 uint8_t padding
[ROUND_UP(sizeof(SevHashTable
), 16) - sizeof(SevHashTable
)];
127 } PaddedSevHashTable
;
129 QEMU_BUILD_BUG_ON(sizeof(PaddedSevHashTable
) % 16 != 0);
131 static SevGuestState
*sev_guest
;
132 static Error
*sev_mig_blocker
;
134 static const char *const sev_fw_errlist
[] = {
135 [SEV_RET_SUCCESS
] = "",
136 [SEV_RET_INVALID_PLATFORM_STATE
] = "Platform state is invalid",
137 [SEV_RET_INVALID_GUEST_STATE
] = "Guest state is invalid",
138 [SEV_RET_INAVLID_CONFIG
] = "Platform configuration is invalid",
139 [SEV_RET_INVALID_LEN
] = "Buffer too small",
140 [SEV_RET_ALREADY_OWNED
] = "Platform is already owned",
141 [SEV_RET_INVALID_CERTIFICATE
] = "Certificate is invalid",
142 [SEV_RET_POLICY_FAILURE
] = "Policy is not allowed",
143 [SEV_RET_INACTIVE
] = "Guest is not active",
144 [SEV_RET_INVALID_ADDRESS
] = "Invalid address",
145 [SEV_RET_BAD_SIGNATURE
] = "Bad signature",
146 [SEV_RET_BAD_MEASUREMENT
] = "Bad measurement",
147 [SEV_RET_ASID_OWNED
] = "ASID is already owned",
148 [SEV_RET_INVALID_ASID
] = "Invalid ASID",
149 [SEV_RET_WBINVD_REQUIRED
] = "WBINVD is required",
150 [SEV_RET_DFFLUSH_REQUIRED
] = "DF_FLUSH is required",
151 [SEV_RET_INVALID_GUEST
] = "Guest handle is invalid",
152 [SEV_RET_INVALID_COMMAND
] = "Invalid command",
153 [SEV_RET_ACTIVE
] = "Guest is active",
154 [SEV_RET_HWSEV_RET_PLATFORM
] = "Hardware error",
155 [SEV_RET_HWSEV_RET_UNSAFE
] = "Hardware unsafe",
156 [SEV_RET_UNSUPPORTED
] = "Feature not supported",
157 [SEV_RET_INVALID_PARAM
] = "Invalid parameter",
158 [SEV_RET_RESOURCE_LIMIT
] = "Required firmware resource depleted",
159 [SEV_RET_SECURE_DATA_INVALID
] = "Part-specific integrity check failure",
162 #define SEV_FW_MAX_ERROR ARRAY_SIZE(sev_fw_errlist)
165 sev_ioctl(int fd
, int cmd
, void *data
, int *error
)
168 struct kvm_sev_cmd input
;
170 memset(&input
, 0x0, sizeof(input
));
174 input
.data
= (uintptr_t)data
;
176 r
= kvm_vm_ioctl(kvm_state
, KVM_MEMORY_ENCRYPT_OP
, &input
);
179 *error
= input
.error
;
186 sev_platform_ioctl(int fd
, int cmd
, void *data
, int *error
)
189 struct sev_issue_cmd arg
;
192 arg
.data
= (unsigned long)data
;
193 r
= ioctl(fd
, SEV_ISSUE_CMD
, &arg
);
202 fw_error_to_str(int code
)
204 if (code
< 0 || code
>= SEV_FW_MAX_ERROR
) {
205 return "unknown error";
208 return sev_fw_errlist
[code
];
212 sev_check_state(const SevGuestState
*sev
, SevState state
)
215 return sev
->state
== state
? true : false;
219 sev_set_guest_state(SevGuestState
*sev
, SevState new_state
)
221 assert(new_state
< SEV_STATE__MAX
);
224 trace_kvm_sev_change_state(SevState_str(sev
->state
),
225 SevState_str(new_state
));
226 sev
->state
= new_state
;
230 sev_ram_block_added(RAMBlockNotifier
*n
, void *host
, size_t size
,
234 struct kvm_enc_region range
;
239 * The RAM device presents a memory region that should be treated
240 * as IO region and should not be pinned.
242 mr
= memory_region_from_host(host
, &offset
);
243 if (mr
&& memory_region_is_ram_device(mr
)) {
247 range
.addr
= (uintptr_t)host
;
248 range
.size
= max_size
;
250 trace_kvm_memcrypt_register_region(host
, max_size
);
251 r
= kvm_vm_ioctl(kvm_state
, KVM_MEMORY_ENCRYPT_REG_REGION
, &range
);
253 error_report("%s: failed to register region (%p+%#zx) error '%s'",
254 __func__
, host
, max_size
, strerror(errno
));
260 sev_ram_block_removed(RAMBlockNotifier
*n
, void *host
, size_t size
,
264 struct kvm_enc_region range
;
269 * The RAM device presents a memory region that should be treated
270 * as IO region and should not have been pinned.
272 mr
= memory_region_from_host(host
, &offset
);
273 if (mr
&& memory_region_is_ram_device(mr
)) {
277 range
.addr
= (uintptr_t)host
;
278 range
.size
= max_size
;
280 trace_kvm_memcrypt_unregister_region(host
, max_size
);
281 r
= kvm_vm_ioctl(kvm_state
, KVM_MEMORY_ENCRYPT_UNREG_REGION
, &range
);
283 error_report("%s: failed to unregister region (%p+%#zx)",
284 __func__
, host
, max_size
);
288 static struct RAMBlockNotifier sev_ram_notifier
= {
289 .ram_block_added
= sev_ram_block_added
,
290 .ram_block_removed
= sev_ram_block_removed
,
294 sev_guest_finalize(Object
*obj
)
299 sev_guest_get_session_file(Object
*obj
, Error
**errp
)
301 SevGuestState
*s
= SEV_GUEST(obj
);
303 return s
->session_file
? g_strdup(s
->session_file
) : NULL
;
307 sev_guest_set_session_file(Object
*obj
, const char *value
, Error
**errp
)
309 SevGuestState
*s
= SEV_GUEST(obj
);
311 s
->session_file
= g_strdup(value
);
315 sev_guest_get_dh_cert_file(Object
*obj
, Error
**errp
)
317 SevGuestState
*s
= SEV_GUEST(obj
);
319 return g_strdup(s
->dh_cert_file
);
323 sev_guest_set_dh_cert_file(Object
*obj
, const char *value
, Error
**errp
)
325 SevGuestState
*s
= SEV_GUEST(obj
);
327 s
->dh_cert_file
= g_strdup(value
);
331 sev_guest_get_sev_device(Object
*obj
, Error
**errp
)
333 SevGuestState
*sev
= SEV_GUEST(obj
);
335 return g_strdup(sev
->sev_device
);
339 sev_guest_set_sev_device(Object
*obj
, const char *value
, Error
**errp
)
341 SevGuestState
*sev
= SEV_GUEST(obj
);
343 sev
->sev_device
= g_strdup(value
);
346 static bool sev_guest_get_kernel_hashes(Object
*obj
, Error
**errp
)
348 SevGuestState
*sev
= SEV_GUEST(obj
);
350 return sev
->kernel_hashes
;
353 static void sev_guest_set_kernel_hashes(Object
*obj
, bool value
, Error
**errp
)
355 SevGuestState
*sev
= SEV_GUEST(obj
);
357 sev
->kernel_hashes
= value
;
360 static bool sev_guest_get_legacy_vm_type(Object
*obj
, Error
**errp
)
362 return SEV_GUEST(obj
)->legacy_vm_type
;
365 static void sev_guest_set_legacy_vm_type(Object
*obj
, bool value
, Error
**errp
)
367 SEV_GUEST(obj
)->legacy_vm_type
= value
;
379 return sev_enabled() && (sev_guest
->policy
& SEV_POLICY_ES
);
383 sev_get_cbit_position(void)
385 return sev_guest
? sev_guest
->cbitpos
: 0;
389 sev_get_reduced_phys_bits(void)
391 return sev_guest
? sev_guest
->reduced_phys_bits
: 0;
394 static SevInfo
*sev_get_info(void)
398 info
= g_new0(SevInfo
, 1);
399 info
->enabled
= sev_enabled();
402 info
->api_major
= sev_guest
->api_major
;
403 info
->api_minor
= sev_guest
->api_minor
;
404 info
->build_id
= sev_guest
->build_id
;
405 info
->policy
= sev_guest
->policy
;
406 info
->state
= sev_guest
->state
;
407 info
->handle
= sev_guest
->handle
;
413 SevInfo
*qmp_query_sev(Error
**errp
)
417 info
= sev_get_info();
419 error_setg(errp
, "SEV feature is not available");
426 void hmp_info_sev(Monitor
*mon
, const QDict
*qdict
)
428 SevInfo
*info
= sev_get_info();
430 if (info
&& info
->enabled
) {
431 monitor_printf(mon
, "handle: %d\n", info
->handle
);
432 monitor_printf(mon
, "state: %s\n", SevState_str(info
->state
));
433 monitor_printf(mon
, "build: %d\n", info
->build_id
);
434 monitor_printf(mon
, "api version: %d.%d\n",
435 info
->api_major
, info
->api_minor
);
436 monitor_printf(mon
, "debug: %s\n",
437 info
->policy
& SEV_POLICY_NODBG
? "off" : "on");
438 monitor_printf(mon
, "key-sharing: %s\n",
439 info
->policy
& SEV_POLICY_NOKS
? "off" : "on");
441 monitor_printf(mon
, "SEV is not enabled\n");
444 qapi_free_SevInfo(info
);
448 sev_get_pdh_info(int fd
, guchar
**pdh
, size_t *pdh_len
, guchar
**cert_chain
,
449 size_t *cert_chain_len
, Error
**errp
)
451 guchar
*pdh_data
= NULL
;
452 guchar
*cert_chain_data
= NULL
;
453 struct sev_user_data_pdh_cert_export export
= {};
456 /* query the certificate length */
457 r
= sev_platform_ioctl(fd
, SEV_PDH_CERT_EXPORT
, &export
, &err
);
459 if (err
!= SEV_RET_INVALID_LEN
) {
460 error_setg(errp
, "SEV: Failed to export PDH cert"
461 " ret=%d fw_err=%d (%s)",
462 r
, err
, fw_error_to_str(err
));
467 pdh_data
= g_new(guchar
, export
.pdh_cert_len
);
468 cert_chain_data
= g_new(guchar
, export
.cert_chain_len
);
469 export
.pdh_cert_address
= (unsigned long)pdh_data
;
470 export
.cert_chain_address
= (unsigned long)cert_chain_data
;
472 r
= sev_platform_ioctl(fd
, SEV_PDH_CERT_EXPORT
, &export
, &err
);
474 error_setg(errp
, "SEV: Failed to export PDH cert ret=%d fw_err=%d (%s)",
475 r
, err
, fw_error_to_str(err
));
480 *pdh_len
= export
.pdh_cert_len
;
481 *cert_chain
= cert_chain_data
;
482 *cert_chain_len
= export
.cert_chain_len
;
487 g_free(cert_chain_data
);
491 static int sev_get_cpu0_id(int fd
, guchar
**id
, size_t *id_len
, Error
**errp
)
494 struct sev_user_data_get_id2 get_id2
= {};
497 /* query the ID length */
498 r
= sev_platform_ioctl(fd
, SEV_GET_ID2
, &get_id2
, &err
);
499 if (r
< 0 && err
!= SEV_RET_INVALID_LEN
) {
500 error_setg(errp
, "SEV: Failed to get ID ret=%d fw_err=%d (%s)",
501 r
, err
, fw_error_to_str(err
));
505 id_data
= g_new(guchar
, get_id2
.length
);
506 get_id2
.address
= (unsigned long)id_data
;
508 r
= sev_platform_ioctl(fd
, SEV_GET_ID2
, &get_id2
, &err
);
510 error_setg(errp
, "SEV: Failed to get ID ret=%d fw_err=%d (%s)",
511 r
, err
, fw_error_to_str(err
));
516 *id_len
= get_id2
.length
;
524 static SevCapability
*sev_get_capabilities(Error
**errp
)
526 SevCapability
*cap
= NULL
;
527 guchar
*pdh_data
= NULL
;
528 guchar
*cert_chain_data
= NULL
;
529 guchar
*cpu0_id_data
= NULL
;
530 size_t pdh_len
= 0, cert_chain_len
= 0, cpu0_id_len
= 0;
534 if (!kvm_enabled()) {
535 error_setg(errp
, "KVM not enabled");
538 if (kvm_vm_ioctl(kvm_state
, KVM_MEMORY_ENCRYPT_OP
, NULL
) < 0) {
539 error_setg(errp
, "SEV is not enabled in KVM");
543 fd
= open(DEFAULT_SEV_DEVICE
, O_RDWR
);
545 error_setg_errno(errp
, errno
, "SEV: Failed to open %s",
550 if (sev_get_pdh_info(fd
, &pdh_data
, &pdh_len
,
551 &cert_chain_data
, &cert_chain_len
, errp
)) {
555 if (sev_get_cpu0_id(fd
, &cpu0_id_data
, &cpu0_id_len
, errp
)) {
559 cap
= g_new0(SevCapability
, 1);
560 cap
->pdh
= g_base64_encode(pdh_data
, pdh_len
);
561 cap
->cert_chain
= g_base64_encode(cert_chain_data
, cert_chain_len
);
562 cap
->cpu0_id
= g_base64_encode(cpu0_id_data
, cpu0_id_len
);
564 host_cpuid(0x8000001F, 0, NULL
, &ebx
, NULL
, NULL
);
565 cap
->cbitpos
= ebx
& 0x3f;
568 * When SEV feature is enabled, we loose one bit in guest physical
571 cap
->reduced_phys_bits
= 1;
574 g_free(cpu0_id_data
);
576 g_free(cert_chain_data
);
581 SevCapability
*qmp_query_sev_capabilities(Error
**errp
)
583 return sev_get_capabilities(errp
);
586 static SevAttestationReport
*sev_get_attestation_report(const char *mnonce
,
589 struct kvm_sev_attestation_report input
= {};
590 SevAttestationReport
*report
= NULL
;
591 SevGuestState
*sev
= sev_guest
;
592 g_autofree guchar
*data
= NULL
;
593 g_autofree guchar
*buf
= NULL
;
597 if (!sev_enabled()) {
598 error_setg(errp
, "SEV is not enabled");
602 /* lets decode the mnonce string */
603 buf
= g_base64_decode(mnonce
, &len
);
605 error_setg(errp
, "SEV: failed to decode mnonce input");
609 /* verify the input mnonce length */
610 if (len
!= sizeof(input
.mnonce
)) {
611 error_setg(errp
, "SEV: mnonce must be %zu bytes (got %" G_GSIZE_FORMAT
")",
612 sizeof(input
.mnonce
), len
);
616 /* Query the report length */
617 ret
= sev_ioctl(sev
->sev_fd
, KVM_SEV_GET_ATTESTATION_REPORT
,
620 if (err
!= SEV_RET_INVALID_LEN
) {
621 error_setg(errp
, "SEV: Failed to query the attestation report"
622 " length ret=%d fw_err=%d (%s)",
623 ret
, err
, fw_error_to_str(err
));
628 data
= g_malloc(input
.len
);
629 input
.uaddr
= (unsigned long)data
;
630 memcpy(input
.mnonce
, buf
, sizeof(input
.mnonce
));
632 /* Query the report */
633 ret
= sev_ioctl(sev
->sev_fd
, KVM_SEV_GET_ATTESTATION_REPORT
,
636 error_setg_errno(errp
, errno
, "SEV: Failed to get attestation report"
637 " ret=%d fw_err=%d (%s)", ret
, err
, fw_error_to_str(err
));
641 report
= g_new0(SevAttestationReport
, 1);
642 report
->data
= g_base64_encode(data
, input
.len
);
644 trace_kvm_sev_attestation_report(mnonce
, report
->data
);
649 SevAttestationReport
*qmp_query_sev_attestation_report(const char *mnonce
,
652 return sev_get_attestation_report(mnonce
, errp
);
656 sev_read_file_base64(const char *filename
, guchar
**data
, gsize
*len
)
659 g_autofree gchar
*base64
= NULL
;
660 GError
*error
= NULL
;
662 if (!g_file_get_contents(filename
, &base64
, &sz
, &error
)) {
663 error_report("SEV: Failed to read '%s' (%s)", filename
, error
->message
);
668 *data
= g_base64_decode(base64
, len
);
673 sev_launch_start(SevGuestState
*sev
)
678 struct kvm_sev_launch_start start
= {
679 .handle
= sev
->handle
, .policy
= sev
->policy
681 guchar
*session
= NULL
, *dh_cert
= NULL
;
683 if (sev
->session_file
) {
684 if (sev_read_file_base64(sev
->session_file
, &session
, &sz
) < 0) {
687 start
.session_uaddr
= (unsigned long)session
;
688 start
.session_len
= sz
;
691 if (sev
->dh_cert_file
) {
692 if (sev_read_file_base64(sev
->dh_cert_file
, &dh_cert
, &sz
) < 0) {
695 start
.dh_uaddr
= (unsigned long)dh_cert
;
699 trace_kvm_sev_launch_start(start
.policy
, session
, dh_cert
);
700 rc
= sev_ioctl(sev
->sev_fd
, KVM_SEV_LAUNCH_START
, &start
, &fw_error
);
702 error_report("%s: LAUNCH_START ret=%d fw_error=%d '%s'",
703 __func__
, ret
, fw_error
, fw_error_to_str(fw_error
));
707 sev_set_guest_state(sev
, SEV_STATE_LAUNCH_UPDATE
);
708 sev
->handle
= start
.handle
;
718 sev_launch_update_data(SevGuestState
*sev
, uint8_t *addr
, uint64_t len
)
721 struct kvm_sev_launch_update_data update
;
727 update
.uaddr
= (uintptr_t)addr
;
729 trace_kvm_sev_launch_update_data(addr
, len
);
730 ret
= sev_ioctl(sev
->sev_fd
, KVM_SEV_LAUNCH_UPDATE_DATA
,
733 error_report("%s: LAUNCH_UPDATE ret=%d fw_error=%d '%s'",
734 __func__
, ret
, fw_error
, fw_error_to_str(fw_error
));
741 sev_launch_update_vmsa(SevGuestState
*sev
)
745 ret
= sev_ioctl(sev
->sev_fd
, KVM_SEV_LAUNCH_UPDATE_VMSA
, NULL
, &fw_error
);
747 error_report("%s: LAUNCH_UPDATE_VMSA ret=%d fw_error=%d '%s'",
748 __func__
, ret
, fw_error
, fw_error_to_str(fw_error
));
755 sev_launch_get_measure(Notifier
*notifier
, void *unused
)
757 SevGuestState
*sev
= sev_guest
;
759 g_autofree guchar
*data
= NULL
;
760 struct kvm_sev_launch_measure measurement
= {};
762 if (!sev_check_state(sev
, SEV_STATE_LAUNCH_UPDATE
)) {
766 if (sev_es_enabled()) {
767 /* measure all the VM save areas before getting launch_measure */
768 ret
= sev_launch_update_vmsa(sev
);
772 kvm_mark_guest_state_protected();
775 /* query the measurement blob length */
776 ret
= sev_ioctl(sev
->sev_fd
, KVM_SEV_LAUNCH_MEASURE
,
777 &measurement
, &error
);
778 if (!measurement
.len
) {
779 error_report("%s: LAUNCH_MEASURE ret=%d fw_error=%d '%s'",
780 __func__
, ret
, error
, fw_error_to_str(errno
));
784 data
= g_new0(guchar
, measurement
.len
);
785 measurement
.uaddr
= (unsigned long)data
;
787 /* get the measurement blob */
788 ret
= sev_ioctl(sev
->sev_fd
, KVM_SEV_LAUNCH_MEASURE
,
789 &measurement
, &error
);
791 error_report("%s: LAUNCH_MEASURE ret=%d fw_error=%d '%s'",
792 __func__
, ret
, error
, fw_error_to_str(errno
));
796 sev_set_guest_state(sev
, SEV_STATE_LAUNCH_SECRET
);
798 /* encode the measurement value and emit the event */
799 sev
->measurement
= g_base64_encode(data
, measurement
.len
);
800 trace_kvm_sev_launch_measurement(sev
->measurement
);
803 static char *sev_get_launch_measurement(void)
806 sev_guest
->state
>= SEV_STATE_LAUNCH_SECRET
) {
807 return g_strdup(sev_guest
->measurement
);
813 SevLaunchMeasureInfo
*qmp_query_sev_launch_measure(Error
**errp
)
816 SevLaunchMeasureInfo
*info
;
818 data
= sev_get_launch_measurement();
820 error_setg(errp
, "SEV launch measurement is not available");
824 info
= g_malloc0(sizeof(*info
));
830 static Notifier sev_machine_done_notify
= {
831 .notify
= sev_launch_get_measure
,
835 sev_launch_finish(SevGuestState
*sev
)
839 trace_kvm_sev_launch_finish();
840 ret
= sev_ioctl(sev
->sev_fd
, KVM_SEV_LAUNCH_FINISH
, 0, &error
);
842 error_report("%s: LAUNCH_FINISH ret=%d fw_error=%d '%s'",
843 __func__
, ret
, error
, fw_error_to_str(error
));
847 sev_set_guest_state(sev
, SEV_STATE_RUNNING
);
849 /* add migration blocker */
850 error_setg(&sev_mig_blocker
,
851 "SEV: Migration is not implemented");
852 migrate_add_blocker(&sev_mig_blocker
, &error_fatal
);
856 sev_vm_state_change(void *opaque
, bool running
, RunState state
)
858 SevGuestState
*sev
= opaque
;
861 if (!sev_check_state(sev
, SEV_STATE_RUNNING
)) {
862 sev_launch_finish(sev
);
867 static int sev_kvm_type(X86ConfidentialGuest
*cg
)
869 SevGuestState
*sev
= SEV_GUEST(cg
);
872 if (sev
->kvm_type
!= -1) {
876 kvm_type
= (sev
->policy
& SEV_POLICY_ES
) ? KVM_X86_SEV_ES_VM
: KVM_X86_SEV_VM
;
877 if (kvm_is_vm_type_supported(kvm_type
) && !sev
->legacy_vm_type
) {
878 sev
->kvm_type
= kvm_type
;
880 sev
->kvm_type
= KVM_X86_DEFAULT_VM
;
884 return sev
->kvm_type
;
887 static int sev_kvm_init(ConfidentialGuestSupport
*cgs
, Error
**errp
)
889 SevGuestState
*sev
= SEV_GUEST(cgs
);
891 int ret
, fw_error
, cmd
;
893 uint32_t host_cbitpos
;
894 struct sev_user_data_status status
= {};
896 ret
= ram_block_discard_disable(true);
898 error_report("%s: cannot disable RAM discard", __func__
);
903 sev
->state
= SEV_STATE_UNINIT
;
905 host_cpuid(0x8000001F, 0, NULL
, &ebx
, NULL
, NULL
);
906 host_cbitpos
= ebx
& 0x3f;
909 * The cbitpos value will be placed in bit positions 5:0 of the EBX
910 * register of CPUID 0x8000001F. No need to verify the range as the
911 * comparison against the host value accomplishes that.
913 if (host_cbitpos
!= sev
->cbitpos
) {
914 error_setg(errp
, "%s: cbitpos check failed, host '%d' requested '%d'",
915 __func__
, host_cbitpos
, sev
->cbitpos
);
920 * The reduced-phys-bits value will be placed in bit positions 11:6 of
921 * the EBX register of CPUID 0x8000001F, so verify the supplied value
922 * is in the range of 1 to 63.
924 if (sev
->reduced_phys_bits
< 1 || sev
->reduced_phys_bits
> 63) {
925 error_setg(errp
, "%s: reduced_phys_bits check failed,"
926 " it should be in the range of 1 to 63, requested '%d'",
927 __func__
, sev
->reduced_phys_bits
);
931 devname
= object_property_get_str(OBJECT(sev
), "sev-device", NULL
);
932 sev
->sev_fd
= open(devname
, O_RDWR
);
933 if (sev
->sev_fd
< 0) {
934 error_setg(errp
, "%s: Failed to open %s '%s'", __func__
,
935 devname
, strerror(errno
));
941 ret
= sev_platform_ioctl(sev
->sev_fd
, SEV_PLATFORM_STATUS
, &status
,
944 error_setg(errp
, "%s: failed to get platform status ret=%d "
945 "fw_error='%d: %s'", __func__
, ret
, fw_error
,
946 fw_error_to_str(fw_error
));
949 sev
->build_id
= status
.build
;
950 sev
->api_major
= status
.api_major
;
951 sev
->api_minor
= status
.api_minor
;
953 if (sev_es_enabled()) {
954 if (!kvm_kernel_irqchip_allowed()) {
955 error_report("%s: SEV-ES guests require in-kernel irqchip support",
960 if (!(status
.flags
& SEV_STATUS_FLAGS_CONFIG_ES
)) {
961 error_report("%s: guest policy requires SEV-ES, but "
962 "host SEV-ES support unavailable",
968 trace_kvm_sev_init();
969 if (sev_kvm_type(X86_CONFIDENTIAL_GUEST(sev
)) == KVM_X86_DEFAULT_VM
) {
970 cmd
= sev_es_enabled() ? KVM_SEV_ES_INIT
: KVM_SEV_INIT
;
972 ret
= sev_ioctl(sev
->sev_fd
, cmd
, NULL
, &fw_error
);
974 struct kvm_sev_init args
= { 0 };
976 ret
= sev_ioctl(sev
->sev_fd
, KVM_SEV_INIT2
, &args
, &fw_error
);
980 error_setg(errp
, "%s: failed to initialize ret=%d fw_error=%d '%s'",
981 __func__
, ret
, fw_error
, fw_error_to_str(fw_error
));
985 ret
= sev_launch_start(sev
);
987 error_setg(errp
, "%s: failed to create encryption context", __func__
);
991 ram_block_notifier_add(&sev_ram_notifier
);
992 qemu_add_machine_init_done_notifier(&sev_machine_done_notify
);
993 qemu_add_vm_change_state_handler(sev_vm_state_change
, sev
);
1000 ram_block_discard_disable(false);
1005 sev_encrypt_flash(uint8_t *ptr
, uint64_t len
, Error
**errp
)
1011 /* if SEV is in update state then encrypt the data else do nothing */
1012 if (sev_check_state(sev_guest
, SEV_STATE_LAUNCH_UPDATE
)) {
1013 int ret
= sev_launch_update_data(sev_guest
, ptr
, len
);
1015 error_setg(errp
, "SEV: Failed to encrypt pflash rom");
1023 int sev_inject_launch_secret(const char *packet_hdr
, const char *secret
,
1024 uint64_t gpa
, Error
**errp
)
1027 struct kvm_sev_launch_secret input
;
1028 g_autofree guchar
*data
= NULL
, *hdr
= NULL
;
1031 gsize hdr_sz
= 0, data_sz
= 0;
1032 MemoryRegion
*mr
= NULL
;
1035 error_setg(errp
, "SEV not enabled for guest");
1039 /* secret can be injected only in this state */
1040 if (!sev_check_state(sev_guest
, SEV_STATE_LAUNCH_SECRET
)) {
1041 error_setg(errp
, "SEV: Not in correct state. (LSECRET) %x",
1046 hdr
= g_base64_decode(packet_hdr
, &hdr_sz
);
1047 if (!hdr
|| !hdr_sz
) {
1048 error_setg(errp
, "SEV: Failed to decode sequence header");
1052 data
= g_base64_decode(secret
, &data_sz
);
1053 if (!data
|| !data_sz
) {
1054 error_setg(errp
, "SEV: Failed to decode data");
1058 hva
= gpa2hva(&mr
, gpa
, data_sz
, errp
);
1060 error_prepend(errp
, "SEV: Failed to calculate guest address: ");
1064 input
.hdr_uaddr
= (uint64_t)(unsigned long)hdr
;
1065 input
.hdr_len
= hdr_sz
;
1067 input
.trans_uaddr
= (uint64_t)(unsigned long)data
;
1068 input
.trans_len
= data_sz
;
1070 input
.guest_uaddr
= (uint64_t)(unsigned long)hva
;
1071 input
.guest_len
= data_sz
;
1073 trace_kvm_sev_launch_secret(gpa
, input
.guest_uaddr
,
1074 input
.trans_uaddr
, input
.trans_len
);
1076 ret
= sev_ioctl(sev_guest
->sev_fd
, KVM_SEV_LAUNCH_SECRET
,
1079 error_setg(errp
, "SEV: failed to inject secret ret=%d fw_error=%d '%s'",
1080 ret
, error
, fw_error_to_str(error
));
1087 #define SEV_SECRET_GUID "4c2eb361-7d9b-4cc3-8081-127c90d3d294"
1088 struct sev_secret_area
{
1093 void qmp_sev_inject_launch_secret(const char *packet_hdr
,
1095 bool has_gpa
, uint64_t gpa
,
1098 if (!sev_enabled()) {
1099 error_setg(errp
, "SEV not enabled for guest");
1104 struct sev_secret_area
*area
;
1106 if (!pc_system_ovmf_table_find(SEV_SECRET_GUID
, &data
, NULL
)) {
1107 error_setg(errp
, "SEV: no secret area found in OVMF,"
1108 " gpa must be specified.");
1111 area
= (struct sev_secret_area
*)data
;
1115 sev_inject_launch_secret(packet_hdr
, secret
, gpa
, errp
);
1119 sev_es_parse_reset_block(SevInfoBlock
*info
, uint32_t *addr
)
1121 if (!info
->reset_addr
) {
1122 error_report("SEV-ES reset address is zero");
1126 *addr
= info
->reset_addr
;
1132 sev_es_find_reset_vector(void *flash_ptr
, uint64_t flash_size
,
1135 QemuUUID info_guid
, *guid
;
1141 * Initialize the address to zero. An address of zero with a successful
1142 * return code indicates that SEV-ES is not active.
1147 * Extract the AP reset vector for SEV-ES guests by locating the SEV GUID.
1148 * The SEV GUID is located on its own (original implementation) or within
1149 * the Firmware GUID Table (new implementation), either of which are
1150 * located 32 bytes from the end of the flash.
1152 * Check the Firmware GUID Table first.
1154 if (pc_system_ovmf_table_find(SEV_INFO_BLOCK_GUID
, &data
, NULL
)) {
1155 return sev_es_parse_reset_block((SevInfoBlock
*)data
, addr
);
1159 * SEV info block not found in the Firmware GUID Table (or there isn't
1160 * a Firmware GUID Table), fall back to the original implementation.
1162 data
= flash_ptr
+ flash_size
- 0x20;
1164 qemu_uuid_parse(SEV_INFO_BLOCK_GUID
, &info_guid
);
1165 info_guid
= qemu_uuid_bswap(info_guid
); /* GUIDs are LE */
1167 guid
= (QemuUUID
*)(data
- sizeof(info_guid
));
1168 if (!qemu_uuid_is_equal(guid
, &info_guid
)) {
1169 error_report("SEV information block/Firmware GUID Table block not found in pflash rom");
1173 len
= (uint16_t *)((uint8_t *)guid
- sizeof(*len
));
1174 info
= (SevInfoBlock
*)(data
- le16_to_cpu(*len
));
1176 return sev_es_parse_reset_block(info
, addr
);
1179 void sev_es_set_reset_vector(CPUState
*cpu
)
1184 /* Only update if we have valid reset information */
1185 if (!sev_guest
|| !sev_guest
->reset_data_valid
) {
1189 /* Do not update the BSP reset state */
1190 if (cpu
->cpu_index
== 0) {
1197 cpu_x86_load_seg_cache(env
, R_CS
, 0xf000, sev_guest
->reset_cs
, 0xffff,
1198 DESC_P_MASK
| DESC_S_MASK
| DESC_CS_MASK
|
1199 DESC_R_MASK
| DESC_A_MASK
);
1201 env
->eip
= sev_guest
->reset_ip
;
1204 int sev_es_save_reset_vector(void *flash_ptr
, uint64_t flash_size
)
1210 if (!sev_es_enabled()) {
1215 ret
= sev_es_find_reset_vector(flash_ptr
, flash_size
,
1222 sev_guest
->reset_cs
= addr
& 0xffff0000;
1223 sev_guest
->reset_ip
= addr
& 0x0000ffff;
1224 sev_guest
->reset_data_valid
= true;
1227 sev_es_set_reset_vector(cpu
);
1234 static const QemuUUID sev_hash_table_header_guid
= {
1235 .data
= UUID_LE(0x9438d606, 0x4f22, 0x4cc9, 0xb4, 0x79, 0xa7, 0x93,
1236 0xd4, 0x11, 0xfd, 0x21)
1239 static const QemuUUID sev_kernel_entry_guid
= {
1240 .data
= UUID_LE(0x4de79437, 0xabd2, 0x427f, 0xb8, 0x35, 0xd5, 0xb1,
1241 0x72, 0xd2, 0x04, 0x5b)
1243 static const QemuUUID sev_initrd_entry_guid
= {
1244 .data
= UUID_LE(0x44baf731, 0x3a2f, 0x4bd7, 0x9a, 0xf1, 0x41, 0xe2,
1245 0x91, 0x69, 0x78, 0x1d)
1247 static const QemuUUID sev_cmdline_entry_guid
= {
1248 .data
= UUID_LE(0x97d02dd8, 0xbd20, 0x4c94, 0xaa, 0x78, 0xe7, 0x71,
1249 0x4d, 0x36, 0xab, 0x2a)
1253 * Add the hashes of the linux kernel/initrd/cmdline to an encrypted guest page
1254 * which is included in SEV's initial memory measurement.
1256 bool sev_add_kernel_loader_hashes(SevKernelLoaderContext
*ctx
, Error
**errp
)
1259 SevHashTableDescriptor
*area
;
1261 PaddedSevHashTable
*padded_ht
;
1262 uint8_t cmdline_hash
[HASH_SIZE
];
1263 uint8_t initrd_hash
[HASH_SIZE
];
1264 uint8_t kernel_hash
[HASH_SIZE
];
1266 size_t hash_len
= HASH_SIZE
;
1267 hwaddr mapped_len
= sizeof(*padded_ht
);
1268 MemTxAttrs attrs
= { 0 };
1272 * Only add the kernel hashes if the sev-guest configuration explicitly
1273 * stated kernel-hashes=on.
1275 if (!sev_guest
->kernel_hashes
) {
1279 if (!pc_system_ovmf_table_find(SEV_HASH_TABLE_RV_GUID
, &data
, NULL
)) {
1280 error_setg(errp
, "SEV: kernel specified but guest firmware "
1281 "has no hashes table GUID");
1284 area
= (SevHashTableDescriptor
*)data
;
1285 if (!area
->base
|| area
->size
< sizeof(PaddedSevHashTable
)) {
1286 error_setg(errp
, "SEV: guest firmware hashes table area is invalid "
1287 "(base=0x%x size=0x%x)", area
->base
, area
->size
);
1292 * Calculate hash of kernel command-line with the terminating null byte. If
1293 * the user doesn't supply a command-line via -append, the 1-byte "\0" will
1296 hashp
= cmdline_hash
;
1297 if (qcrypto_hash_bytes(QCRYPTO_HASH_ALG_SHA256
, ctx
->cmdline_data
,
1298 ctx
->cmdline_size
, &hashp
, &hash_len
, errp
) < 0) {
1301 assert(hash_len
== HASH_SIZE
);
1304 * Calculate hash of initrd. If the user doesn't supply an initrd via
1305 * -initrd, an empty buffer will be used (ctx->initrd_size == 0).
1307 hashp
= initrd_hash
;
1308 if (qcrypto_hash_bytes(QCRYPTO_HASH_ALG_SHA256
, ctx
->initrd_data
,
1309 ctx
->initrd_size
, &hashp
, &hash_len
, errp
) < 0) {
1312 assert(hash_len
== HASH_SIZE
);
1314 /* Calculate hash of the kernel */
1315 hashp
= kernel_hash
;
1316 struct iovec iov
[2] = {
1317 { .iov_base
= ctx
->setup_data
, .iov_len
= ctx
->setup_size
},
1318 { .iov_base
= ctx
->kernel_data
, .iov_len
= ctx
->kernel_size
}
1320 if (qcrypto_hash_bytesv(QCRYPTO_HASH_ALG_SHA256
, iov
, ARRAY_SIZE(iov
),
1321 &hashp
, &hash_len
, errp
) < 0) {
1324 assert(hash_len
== HASH_SIZE
);
1327 * Populate the hashes table in the guest's memory at the OVMF-designated
1328 * area for the SEV hashes table
1330 padded_ht
= address_space_map(&address_space_memory
, area
->base
,
1331 &mapped_len
, true, attrs
);
1332 if (!padded_ht
|| mapped_len
!= sizeof(*padded_ht
)) {
1333 error_setg(errp
, "SEV: cannot map hashes table guest memory area");
1336 ht
= &padded_ht
->ht
;
1338 ht
->guid
= sev_hash_table_header_guid
;
1339 ht
->len
= sizeof(*ht
);
1341 ht
->cmdline
.guid
= sev_cmdline_entry_guid
;
1342 ht
->cmdline
.len
= sizeof(ht
->cmdline
);
1343 memcpy(ht
->cmdline
.hash
, cmdline_hash
, sizeof(ht
->cmdline
.hash
));
1345 ht
->initrd
.guid
= sev_initrd_entry_guid
;
1346 ht
->initrd
.len
= sizeof(ht
->initrd
);
1347 memcpy(ht
->initrd
.hash
, initrd_hash
, sizeof(ht
->initrd
.hash
));
1349 ht
->kernel
.guid
= sev_kernel_entry_guid
;
1350 ht
->kernel
.len
= sizeof(ht
->kernel
);
1351 memcpy(ht
->kernel
.hash
, kernel_hash
, sizeof(ht
->kernel
.hash
));
1353 /* zero the excess data so the measurement can be reliably calculated */
1354 memset(padded_ht
->padding
, 0, sizeof(padded_ht
->padding
));
1356 if (sev_encrypt_flash((uint8_t *)padded_ht
, sizeof(*padded_ht
), errp
) < 0) {
1360 address_space_unmap(&address_space_memory
, padded_ht
,
1361 mapped_len
, true, mapped_len
);
1367 sev_guest_class_init(ObjectClass
*oc
, void *data
)
1369 ConfidentialGuestSupportClass
*klass
= CONFIDENTIAL_GUEST_SUPPORT_CLASS(oc
);
1370 X86ConfidentialGuestClass
*x86_klass
= X86_CONFIDENTIAL_GUEST_CLASS(oc
);
1372 klass
->kvm_init
= sev_kvm_init
;
1373 x86_klass
->kvm_type
= sev_kvm_type
;
1375 object_class_property_add_str(oc
, "sev-device",
1376 sev_guest_get_sev_device
,
1377 sev_guest_set_sev_device
);
1378 object_class_property_set_description(oc
, "sev-device",
1379 "SEV device to use");
1380 object_class_property_add_str(oc
, "dh-cert-file",
1381 sev_guest_get_dh_cert_file
,
1382 sev_guest_set_dh_cert_file
);
1383 object_class_property_set_description(oc
, "dh-cert-file",
1384 "guest owners DH certificate (encoded with base64)");
1385 object_class_property_add_str(oc
, "session-file",
1386 sev_guest_get_session_file
,
1387 sev_guest_set_session_file
);
1388 object_class_property_set_description(oc
, "session-file",
1389 "guest owners session parameters (encoded with base64)");
1390 object_class_property_add_bool(oc
, "kernel-hashes",
1391 sev_guest_get_kernel_hashes
,
1392 sev_guest_set_kernel_hashes
);
1393 object_class_property_set_description(oc
, "kernel-hashes",
1394 "add kernel hashes to guest firmware for measured Linux boot");
1395 object_class_property_add_bool(oc
, "legacy-vm-type",
1396 sev_guest_get_legacy_vm_type
,
1397 sev_guest_set_legacy_vm_type
);
1398 object_class_property_set_description(oc
, "legacy-vm-type",
1399 "use legacy VM type to maintain measurement compatibility with older QEMU or kernel versions.");
1403 sev_guest_instance_init(Object
*obj
)
1405 SevGuestState
*sev
= SEV_GUEST(obj
);
1409 sev
->sev_device
= g_strdup(DEFAULT_SEV_DEVICE
);
1410 sev
->policy
= DEFAULT_GUEST_POLICY
;
1411 object_property_add_uint32_ptr(obj
, "policy", &sev
->policy
,
1412 OBJ_PROP_FLAG_READWRITE
);
1413 object_property_add_uint32_ptr(obj
, "handle", &sev
->handle
,
1414 OBJ_PROP_FLAG_READWRITE
);
1415 object_property_add_uint32_ptr(obj
, "cbitpos", &sev
->cbitpos
,
1416 OBJ_PROP_FLAG_READWRITE
);
1417 object_property_add_uint32_ptr(obj
, "reduced-phys-bits",
1418 &sev
->reduced_phys_bits
,
1419 OBJ_PROP_FLAG_READWRITE
);
1420 object_apply_compat_props(obj
);
1423 /* sev guest info */
1424 static const TypeInfo sev_guest_info
= {
1425 .parent
= TYPE_X86_CONFIDENTIAL_GUEST
,
1426 .name
= TYPE_SEV_GUEST
,
1427 .instance_size
= sizeof(SevGuestState
),
1428 .instance_finalize
= sev_guest_finalize
,
1429 .class_init
= sev_guest_class_init
,
1430 .instance_init
= sev_guest_instance_init
,
1431 .interfaces
= (InterfaceInfo
[]) {
1432 { TYPE_USER_CREATABLE
},
1438 sev_register_types(void)
1440 type_register_static(&sev_guest_info
);
1443 type_init(sev_register_types
);