search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
sev/i386: Require in-kernel irqchip support for SEV-ES guests
[qemu/kevin.git] / target / i386 / sev.c
blob35b9259bfc929656bf5f13486e12b441803d72fd
1 /*
2 * QEMU SEV support
3 *
4 * Copyright Advanced Micro Devices 2016-2018
5 *
6 * Author:
7 * Brijesh Singh <brijesh.singh@amd.com>
8 *
9 * This work is licensed under the terms of the GNU GPL, version 2 or later.
10 * See the COPYING file in the top-level directory.
11 *
12 */
13
14 #include "qemu/osdep.h"
15
16 #include <linux/kvm.h>
17 #include <linux/psp-sev.h>
18
19 #include <sys/ioctl.h>
20
21 #include "qapi/error.h"
22 #include "qom/object_interfaces.h"
23 #include "qemu/base64.h"
24 #include "qemu/module.h"
25 #include "sysemu/kvm.h"
26 #include "sev_i386.h"
27 #include "sysemu/sysemu.h"
28 #include "sysemu/runstate.h"
29 #include "trace.h"
30 #include "migration/blocker.h"
31 #include "qom/object.h"
32 #include "exec/address-spaces.h"
33 #include "monitor/monitor.h"
34 #include "exec/confidential-guest-support.h"
35
36 #define TYPE_SEV_GUEST "sev-guest"
37 OBJECT_DECLARE_SIMPLE_TYPE(SevGuestState, SEV_GUEST)
38
39
40 /**
41 * SevGuestState:
42 *
43 * The SevGuestState object is used for creating and managing a SEV
44 * guest.
45 *
46 * # $QEMU \
47 * -object sev-guest,id=sev0 \
48 * -machine ...,memory-encryption=sev0
49 */
50 struct SevGuestState {
51 ConfidentialGuestSupport parent_obj;
52
53 /* configuration parameters */
54 char *sev_device;
55 uint32_t policy;
56 char *dh_cert_file;
57 char *session_file;
58 uint32_t cbitpos;
59 uint32_t reduced_phys_bits;
60
61 /* runtime state */
62 uint32_t handle;
63 uint8_t api_major;
64 uint8_t api_minor;
65 uint8_t build_id;
66 uint64_t me_mask;
67 int sev_fd;
68 SevState state;
69 gchar *measurement;
70 };
71
72 #define DEFAULT_GUEST_POLICY 0x1 /* disable debug */
73 #define DEFAULT_SEV_DEVICE "/dev/sev"
74
75 static SevGuestState *sev_guest;
76 static Error *sev_mig_blocker;
77
78 static const char *const sev_fw_errlist[] = {
79 "",
80 "Platform state is invalid",
81 "Guest state is invalid",
82 "Platform configuration is invalid",
83 "Buffer too small",
84 "Platform is already owned",
85 "Certificate is invalid",
86 "Policy is not allowed",
87 "Guest is not active",
88 "Invalid address",
89 "Bad signature",
90 "Bad measurement",
91 "Asid is already owned",
92 "Invalid ASID",
93 "WBINVD is required",
94 "DF_FLUSH is required",
95 "Guest handle is invalid",
96 "Invalid command",
97 "Guest is active",
98 "Hardware error",
99 "Hardware unsafe",
100 "Feature not supported",
101 "Invalid parameter"
102 };
103
104 #define SEV_FW_MAX_ERROR ARRAY_SIZE(sev_fw_errlist)
105
106 static int
107 sev_ioctl(int fd, int cmd, void *data, int *error)
108 {
109 int r;
110 struct kvm_sev_cmd input;
111
112 memset(&input, 0x0, sizeof(input));
113
114 input.id = cmd;
115 input.sev_fd = fd;
116 input.data = (__u64)(unsigned long)data;
117
118 r = kvm_vm_ioctl(kvm_state, KVM_MEMORY_ENCRYPT_OP, &input);
119
120 if (error) {
121 *error = input.error;
122 }
123
124 return r;
125 }
126
127 static int
128 sev_platform_ioctl(int fd, int cmd, void *data, int *error)
129 {
130 int r;
131 struct sev_issue_cmd arg;
132
133 arg.cmd = cmd;
134 arg.data = (unsigned long)data;
135 r = ioctl(fd, SEV_ISSUE_CMD, &arg);
136 if (error) {
137 *error = arg.error;
138 }
139
140 return r;
141 }
142
143 static const char *
144 fw_error_to_str(int code)
145 {
146 if (code < 0 || code >= SEV_FW_MAX_ERROR) {
147 return "unknown error";
148 }
149
150 return sev_fw_errlist[code];
151 }
152
153 static bool
154 sev_check_state(const SevGuestState *sev, SevState state)
155 {
156 assert(sev);
157 return sev->state == state ? true : false;
158 }
159
160 static void
161 sev_set_guest_state(SevGuestState *sev, SevState new_state)
162 {
163 assert(new_state < SEV_STATE__MAX);
164 assert(sev);
165
166 trace_kvm_sev_change_state(SevState_str(sev->state),
167 SevState_str(new_state));
168 sev->state = new_state;
169 }
170
171 static void
172 sev_ram_block_added(RAMBlockNotifier *n, void *host, size_t size)
173 {
174 int r;
175 struct kvm_enc_region range;
176 ram_addr_t offset;
177 MemoryRegion *mr;
178
179 /*
180 * The RAM device presents a memory region that should be treated
181 * as IO region and should not be pinned.
182 */
183 mr = memory_region_from_host(host, &offset);
184 if (mr && memory_region_is_ram_device(mr)) {
185 return;
186 }
187
188 range.addr = (__u64)(unsigned long)host;
189 range.size = size;
190
191 trace_kvm_memcrypt_register_region(host, size);
192 r = kvm_vm_ioctl(kvm_state, KVM_MEMORY_ENCRYPT_REG_REGION, &range);
193 if (r) {
194 error_report("%s: failed to register region (%p+%#zx) error '%s'",
195 __func__, host, size, strerror(errno));
196 exit(1);
197 }
198 }
199
200 static void
201 sev_ram_block_removed(RAMBlockNotifier *n, void *host, size_t size)
202 {
203 int r;
204 struct kvm_enc_region range;
205 ram_addr_t offset;
206 MemoryRegion *mr;
207
208 /*
209 * The RAM device presents a memory region that should be treated
210 * as IO region and should not have been pinned.
211 */
212 mr = memory_region_from_host(host, &offset);
213 if (mr && memory_region_is_ram_device(mr)) {
214 return;
215 }
216
217 range.addr = (__u64)(unsigned long)host;
218 range.size = size;
219
220 trace_kvm_memcrypt_unregister_region(host, size);
221 r = kvm_vm_ioctl(kvm_state, KVM_MEMORY_ENCRYPT_UNREG_REGION, &range);
222 if (r) {
223 error_report("%s: failed to unregister region (%p+%#zx)",
224 __func__, host, size);
225 }
226 }
227
228 static struct RAMBlockNotifier sev_ram_notifier = {
229 .ram_block_added = sev_ram_block_added,
230 .ram_block_removed = sev_ram_block_removed,
231 };
232
233 static void
234 sev_guest_finalize(Object *obj)
235 {
236 }
237
238 static char *
239 sev_guest_get_session_file(Object *obj, Error **errp)
240 {
241 SevGuestState *s = SEV_GUEST(obj);
242
243 return s->session_file ? g_strdup(s->session_file) : NULL;
244 }
245
246 static void
247 sev_guest_set_session_file(Object *obj, const char *value, Error **errp)
248 {
249 SevGuestState *s = SEV_GUEST(obj);
250
251 s->session_file = g_strdup(value);
252 }
253
254 static char *
255 sev_guest_get_dh_cert_file(Object *obj, Error **errp)
256 {
257 SevGuestState *s = SEV_GUEST(obj);
258
259 return g_strdup(s->dh_cert_file);
260 }
261
262 static void
263 sev_guest_set_dh_cert_file(Object *obj, const char *value, Error **errp)
264 {
265 SevGuestState *s = SEV_GUEST(obj);
266
267 s->dh_cert_file = g_strdup(value);
268 }
269
270 static char *
271 sev_guest_get_sev_device(Object *obj, Error **errp)
272 {
273 SevGuestState *sev = SEV_GUEST(obj);
274
275 return g_strdup(sev->sev_device);
276 }
277
278 static void
279 sev_guest_set_sev_device(Object *obj, const char *value, Error **errp)
280 {
281 SevGuestState *sev = SEV_GUEST(obj);
282
283 sev->sev_device = g_strdup(value);
284 }
285
286 static void
287 sev_guest_class_init(ObjectClass *oc, void *data)
288 {
289 object_class_property_add_str(oc, "sev-device",
290 sev_guest_get_sev_device,
291 sev_guest_set_sev_device);
292 object_class_property_set_description(oc, "sev-device",
293 "SEV device to use");
294 object_class_property_add_str(oc, "dh-cert-file",
295 sev_guest_get_dh_cert_file,
296 sev_guest_set_dh_cert_file);
297 object_class_property_set_description(oc, "dh-cert-file",
298 "guest owners DH certificate (encoded with base64)");
299 object_class_property_add_str(oc, "session-file",
300 sev_guest_get_session_file,
301 sev_guest_set_session_file);
302 object_class_property_set_description(oc, "session-file",
303 "guest owners session parameters (encoded with base64)");
304 }
305
306 static void
307 sev_guest_instance_init(Object *obj)
308 {
309 SevGuestState *sev = SEV_GUEST(obj);
310
311 sev->sev_device = g_strdup(DEFAULT_SEV_DEVICE);
312 sev->policy = DEFAULT_GUEST_POLICY;
313 object_property_add_uint32_ptr(obj, "policy", &sev->policy,
314 OBJ_PROP_FLAG_READWRITE);
315 object_property_add_uint32_ptr(obj, "handle", &sev->handle,
316 OBJ_PROP_FLAG_READWRITE);
317 object_property_add_uint32_ptr(obj, "cbitpos", &sev->cbitpos,
318 OBJ_PROP_FLAG_READWRITE);
319 object_property_add_uint32_ptr(obj, "reduced-phys-bits",
320 &sev->reduced_phys_bits,
321 OBJ_PROP_FLAG_READWRITE);
322 }
323
324 /* sev guest info */
325 static const TypeInfo sev_guest_info = {
326 .parent = TYPE_CONFIDENTIAL_GUEST_SUPPORT,
327 .name = TYPE_SEV_GUEST,
328 .instance_size = sizeof(SevGuestState),
329 .instance_finalize = sev_guest_finalize,
330 .class_init = sev_guest_class_init,
331 .instance_init = sev_guest_instance_init,
332 .interfaces = (InterfaceInfo[]) {
333 { TYPE_USER_CREATABLE },
334 { }
335 }
336 };
337
338 bool
339 sev_enabled(void)
340 {
341 return !!sev_guest;
342 }
343
344 bool
345 sev_es_enabled(void)
346 {
347 return false;
348 }
349
350 uint64_t
351 sev_get_me_mask(void)
352 {
353 return sev_guest ? sev_guest->me_mask : ~0;
354 }
355
356 uint32_t
357 sev_get_cbit_position(void)
358 {
359 return sev_guest ? sev_guest->cbitpos : 0;
360 }
361
362 uint32_t
363 sev_get_reduced_phys_bits(void)
364 {
365 return sev_guest ? sev_guest->reduced_phys_bits : 0;
366 }
367
368 SevInfo *
369 sev_get_info(void)
370 {
371 SevInfo *info;
372
373 info = g_new0(SevInfo, 1);
374 info->enabled = sev_enabled();
375
376 if (info->enabled) {
377 info->api_major = sev_guest->api_major;
378 info->api_minor = sev_guest->api_minor;
379 info->build_id = sev_guest->build_id;
380 info->policy = sev_guest->policy;
381 info->state = sev_guest->state;
382 info->handle = sev_guest->handle;
383 }
384
385 return info;
386 }
387
388 static int
389 sev_get_pdh_info(int fd, guchar **pdh, size_t *pdh_len, guchar **cert_chain,
390 size_t *cert_chain_len, Error **errp)
391 {
392 guchar *pdh_data = NULL;
393 guchar *cert_chain_data = NULL;
394 struct sev_user_data_pdh_cert_export export = {};
395 int err, r;
396
397 /* query the certificate length */
398 r = sev_platform_ioctl(fd, SEV_PDH_CERT_EXPORT, &export, &err);
399 if (r < 0) {
400 if (err != SEV_RET_INVALID_LEN) {
401 error_setg(errp, "failed to export PDH cert ret=%d fw_err=%d (%s)",
402 r, err, fw_error_to_str(err));
403 return 1;
404 }
405 }
406
407 pdh_data = g_new(guchar, export.pdh_cert_len);
408 cert_chain_data = g_new(guchar, export.cert_chain_len);
409 export.pdh_cert_address = (unsigned long)pdh_data;
410 export.cert_chain_address = (unsigned long)cert_chain_data;
411
412 r = sev_platform_ioctl(fd, SEV_PDH_CERT_EXPORT, &export, &err);
413 if (r < 0) {
414 error_setg(errp, "failed to export PDH cert ret=%d fw_err=%d (%s)",
415 r, err, fw_error_to_str(err));
416 goto e_free;
417 }
418
419 *pdh = pdh_data;
420 *pdh_len = export.pdh_cert_len;
421 *cert_chain = cert_chain_data;
422 *cert_chain_len = export.cert_chain_len;
423 return 0;
424
425 e_free:
426 g_free(pdh_data);
427 g_free(cert_chain_data);
428 return 1;
429 }
430
431 SevCapability *
432 sev_get_capabilities(Error **errp)
433 {
434 SevCapability *cap = NULL;
435 guchar *pdh_data = NULL;
436 guchar *cert_chain_data = NULL;
437 size_t pdh_len = 0, cert_chain_len = 0;
438 uint32_t ebx;
439 int fd;
440
441 if (!kvm_enabled()) {
442 error_setg(errp, "KVM not enabled");
443 return NULL;
444 }
445 if (kvm_vm_ioctl(kvm_state, KVM_MEMORY_ENCRYPT_OP, NULL) < 0) {
446 error_setg(errp, "SEV is not enabled in KVM");
447 return NULL;
448 }
449
450 fd = open(DEFAULT_SEV_DEVICE, O_RDWR);
451 if (fd < 0) {
452 error_setg_errno(errp, errno, "Failed to open %s",
453 DEFAULT_SEV_DEVICE);
454 return NULL;
455 }
456
457 if (sev_get_pdh_info(fd, &pdh_data, &pdh_len,
458 &cert_chain_data, &cert_chain_len, errp)) {
459 goto out;
460 }
461
462 cap = g_new0(SevCapability, 1);
463 cap->pdh = g_base64_encode(pdh_data, pdh_len);
464 cap->cert_chain = g_base64_encode(cert_chain_data, cert_chain_len);
465
466 host_cpuid(0x8000001F, 0, NULL, &ebx, NULL, NULL);
467 cap->cbitpos = ebx & 0x3f;
468
469 /*
470 * When SEV feature is enabled, we loose one bit in guest physical
471 * addressing.
472 */
473 cap->reduced_phys_bits = 1;
474
475 out:
476 g_free(pdh_data);
477 g_free(cert_chain_data);
478 close(fd);
479 return cap;
480 }
481
482 static int
483 sev_read_file_base64(const char *filename, guchar **data, gsize *len)
484 {
485 gsize sz;
486 gchar *base64;
487 GError *error = NULL;
488
489 if (!g_file_get_contents(filename, &base64, &sz, &error)) {
490 error_report("failed to read '%s' (%s)", filename, error->message);
491 g_error_free(error);
492 return -1;
493 }
494
495 *data = g_base64_decode(base64, len);
496 return 0;
497 }
498
499 static int
500 sev_launch_start(SevGuestState *sev)
501 {
502 gsize sz;
503 int ret = 1;
504 int fw_error, rc;
505 struct kvm_sev_launch_start *start;
506 guchar *session = NULL, *dh_cert = NULL;
507
508 start = g_new0(struct kvm_sev_launch_start, 1);
509
510 start->handle = sev->handle;
511 start->policy = sev->policy;
512 if (sev->session_file) {
513 if (sev_read_file_base64(sev->session_file, &session, &sz) < 0) {
514 goto out;
515 }
516 start->session_uaddr = (unsigned long)session;
517 start->session_len = sz;
518 }
519
520 if (sev->dh_cert_file) {
521 if (sev_read_file_base64(sev->dh_cert_file, &dh_cert, &sz) < 0) {
522 goto out;
523 }
524 start->dh_uaddr = (unsigned long)dh_cert;
525 start->dh_len = sz;
526 }
527
528 trace_kvm_sev_launch_start(start->policy, session, dh_cert);
529 rc = sev_ioctl(sev->sev_fd, KVM_SEV_LAUNCH_START, start, &fw_error);
530 if (rc < 0) {
531 error_report("%s: LAUNCH_START ret=%d fw_error=%d '%s'",
532 __func__, ret, fw_error, fw_error_to_str(fw_error));
533 goto out;
534 }
535
536 sev_set_guest_state(sev, SEV_STATE_LAUNCH_UPDATE);
537 sev->handle = start->handle;
538 ret = 0;
539
540 out:
541 g_free(start);
542 g_free(session);
543 g_free(dh_cert);
544 return ret;
545 }
546
547 static int
548 sev_launch_update_data(SevGuestState *sev, uint8_t *addr, uint64_t len)
549 {
550 int ret, fw_error;
551 struct kvm_sev_launch_update_data update;
552
553 if (!addr || !len) {
554 return 1;
555 }
556
557 update.uaddr = (__u64)(unsigned long)addr;
558 update.len = len;
559 trace_kvm_sev_launch_update_data(addr, len);
560 ret = sev_ioctl(sev->sev_fd, KVM_SEV_LAUNCH_UPDATE_DATA,
561 &update, &fw_error);
562 if (ret) {
563 error_report("%s: LAUNCH_UPDATE ret=%d fw_error=%d '%s'",
564 __func__, ret, fw_error, fw_error_to_str(fw_error));
565 }
566
567 return ret;
568 }
569
570 static int
571 sev_launch_update_vmsa(SevGuestState *sev)
572 {
573 int ret, fw_error;
574
575 ret = sev_ioctl(sev->sev_fd, KVM_SEV_LAUNCH_UPDATE_VMSA, NULL, &fw_error);
576 if (ret) {
577 error_report("%s: LAUNCH_UPDATE_VMSA ret=%d fw_error=%d '%s'",
578 __func__, ret, fw_error, fw_error_to_str(fw_error));
579 }
580
581 return ret;
582 }
583
584 static void
585 sev_launch_get_measure(Notifier *notifier, void *unused)
586 {
587 SevGuestState *sev = sev_guest;
588 int ret, error;
589 guchar *data;
590 struct kvm_sev_launch_measure *measurement;
591
592 if (!sev_check_state(sev, SEV_STATE_LAUNCH_UPDATE)) {
593 return;
594 }
595
596 if (sev_es_enabled()) {
597 /* measure all the VM save areas before getting launch_measure */
598 ret = sev_launch_update_vmsa(sev);
599 if (ret) {
600 exit(1);
601 }
602 }
603
604 measurement = g_new0(struct kvm_sev_launch_measure, 1);
605
606 /* query the measurement blob length */
607 ret = sev_ioctl(sev->sev_fd, KVM_SEV_LAUNCH_MEASURE,
608 measurement, &error);
609 if (!measurement->len) {
610 error_report("%s: LAUNCH_MEASURE ret=%d fw_error=%d '%s'",
611 __func__, ret, error, fw_error_to_str(errno));
612 goto free_measurement;
613 }
614
615 data = g_new0(guchar, measurement->len);
616 measurement->uaddr = (unsigned long)data;
617
618 /* get the measurement blob */
619 ret = sev_ioctl(sev->sev_fd, KVM_SEV_LAUNCH_MEASURE,
620 measurement, &error);
621 if (ret) {
622 error_report("%s: LAUNCH_MEASURE ret=%d fw_error=%d '%s'",
623 __func__, ret, error, fw_error_to_str(errno));
624 goto free_data;
625 }
626
627 sev_set_guest_state(sev, SEV_STATE_LAUNCH_SECRET);
628
629 /* encode the measurement value and emit the event */
630 sev->measurement = g_base64_encode(data, measurement->len);
631 trace_kvm_sev_launch_measurement(sev->measurement);
632
633 free_data:
634 g_free(data);
635 free_measurement:
636 g_free(measurement);
637 }
638
639 char *
640 sev_get_launch_measurement(void)
641 {
642 if (sev_guest &&
643 sev_guest->state >= SEV_STATE_LAUNCH_SECRET) {
644 return g_strdup(sev_guest->measurement);
645 }
646
647 return NULL;
648 }
649
650 static Notifier sev_machine_done_notify = {
651 .notify = sev_launch_get_measure,
652 };
653
654 static void
655 sev_launch_finish(SevGuestState *sev)
656 {
657 int ret, error;
658 Error *local_err = NULL;
659
660 trace_kvm_sev_launch_finish();
661 ret = sev_ioctl(sev->sev_fd, KVM_SEV_LAUNCH_FINISH, 0, &error);
662 if (ret) {
663 error_report("%s: LAUNCH_FINISH ret=%d fw_error=%d '%s'",
664 __func__, ret, error, fw_error_to_str(error));
665 exit(1);
666 }
667
668 sev_set_guest_state(sev, SEV_STATE_RUNNING);
669
670 /* add migration blocker */
671 error_setg(&sev_mig_blocker,
672 "SEV: Migration is not implemented");
673 ret = migrate_add_blocker(sev_mig_blocker, &local_err);
674 if (local_err) {
675 error_report_err(local_err);
676 error_free(sev_mig_blocker);
677 exit(1);
678 }
679 }
680
681 static void
682 sev_vm_state_change(void *opaque, int running, RunState state)
683 {
684 SevGuestState *sev = opaque;
685
686 if (running) {
687 if (!sev_check_state(sev, SEV_STATE_RUNNING)) {
688 sev_launch_finish(sev);
689 }
690 }
691 }
692
693 int sev_kvm_init(ConfidentialGuestSupport *cgs, Error **errp)
694 {
695 SevGuestState *sev
696 = (SevGuestState *)object_dynamic_cast(OBJECT(cgs), TYPE_SEV_GUEST);
697 char *devname;
698 int ret, fw_error, cmd;
699 uint32_t ebx;
700 uint32_t host_cbitpos;
701 struct sev_user_data_status status = {};
702
703 if (!sev) {
704 return 0;
705 }
706
707 ret = ram_block_discard_disable(true);
708 if (ret) {
709 error_report("%s: cannot disable RAM discard", __func__);
710 return -1;
711 }
712
713 sev_guest = sev;
714 sev->state = SEV_STATE_UNINIT;
715
716 host_cpuid(0x8000001F, 0, NULL, &ebx, NULL, NULL);
717 host_cbitpos = ebx & 0x3f;
718
719 if (host_cbitpos != sev->cbitpos) {
720 error_setg(errp, "%s: cbitpos check failed, host '%d' requested '%d'",
721 __func__, host_cbitpos, sev->cbitpos);
722 goto err;
723 }
724
725 if (sev->reduced_phys_bits < 1) {
726 error_setg(errp, "%s: reduced_phys_bits check failed, it should be >=1,"
727 " requested '%d'", __func__, sev->reduced_phys_bits);
728 goto err;
729 }
730
731 sev->me_mask = ~(1UL << sev->cbitpos);
732
733 devname = object_property_get_str(OBJECT(sev), "sev-device", NULL);
734 sev->sev_fd = open(devname, O_RDWR);
735 if (sev->sev_fd < 0) {
736 error_setg(errp, "%s: Failed to open %s '%s'", __func__,
737 devname, strerror(errno));
738 g_free(devname);
739 goto err;
740 }
741 g_free(devname);
742
743 ret = sev_platform_ioctl(sev->sev_fd, SEV_PLATFORM_STATUS, &status,
744 &fw_error);
745 if (ret) {
746 error_setg(errp, "%s: failed to get platform status ret=%d "
747 "fw_error='%d: %s'", __func__, ret, fw_error,
748 fw_error_to_str(fw_error));
749 goto err;
750 }
751 sev->build_id = status.build;
752 sev->api_major = status.api_major;
753 sev->api_minor = status.api_minor;
754
755 if (sev_es_enabled()) {
756 if (!kvm_kernel_irqchip_allowed()) {
757 error_report("%s: SEV-ES guests require in-kernel irqchip support",
758 __func__);
759 goto err;
760 }
761
762 if (!(status.flags & SEV_STATUS_FLAGS_CONFIG_ES)) {
763 error_report("%s: guest policy requires SEV-ES, but "
764 "host SEV-ES support unavailable",
765 __func__);
766 goto err;
767 }
768 cmd = KVM_SEV_ES_INIT;
769 } else {
770 cmd = KVM_SEV_INIT;
771 }
772
773 trace_kvm_sev_init();
774 ret = sev_ioctl(sev->sev_fd, cmd, NULL, &fw_error);
775 if (ret) {
776 error_setg(errp, "%s: failed to initialize ret=%d fw_error=%d '%s'",
777 __func__, ret, fw_error, fw_error_to_str(fw_error));
778 goto err;
779 }
780
781 ret = sev_launch_start(sev);
782 if (ret) {
783 error_setg(errp, "%s: failed to create encryption context", __func__);
784 goto err;
785 }
786
787 ram_block_notifier_add(&sev_ram_notifier);
788 qemu_add_machine_init_done_notifier(&sev_machine_done_notify);
789 qemu_add_vm_change_state_handler(sev_vm_state_change, sev);
790
791 cgs->ready = true;
792
793 return 0;
794 err:
795 sev_guest = NULL;
796 ram_block_discard_disable(false);
797 return -1;
798 }
799
800 int
801 sev_encrypt_flash(uint8_t *ptr, uint64_t len, Error **errp)
802 {
803 if (!sev_guest) {
804 return 0;
805 }
806
807 /* if SEV is in update state then encrypt the data else do nothing */
808 if (sev_check_state(sev_guest, SEV_STATE_LAUNCH_UPDATE)) {
809 int ret = sev_launch_update_data(sev_guest, ptr, len);
810 if (ret < 0) {
811 error_setg(errp, "failed to encrypt pflash rom");
812 return ret;
813 }
814 }
815
816 return 0;
817 }
818
819 int sev_inject_launch_secret(const char *packet_hdr, const char *secret,
820 uint64_t gpa, Error **errp)
821 {
822 struct kvm_sev_launch_secret input;
823 g_autofree guchar *data = NULL, *hdr = NULL;
824 int error, ret = 1;
825 void *hva;
826 gsize hdr_sz = 0, data_sz = 0;
827 MemoryRegion *mr = NULL;
828
829 if (!sev_guest) {
830 error_setg(errp, "SEV: SEV not enabled.");
831 return 1;
832 }
833
834 /* secret can be injected only in this state */
835 if (!sev_check_state(sev_guest, SEV_STATE_LAUNCH_SECRET)) {
836 error_setg(errp, "SEV: Not in correct state. (LSECRET) %x",
837 sev_guest->state);
838 return 1;
839 }
840
841 hdr = g_base64_decode(packet_hdr, &hdr_sz);
842 if (!hdr || !hdr_sz) {
843 error_setg(errp, "SEV: Failed to decode sequence header");
844 return 1;
845 }
846
847 data = g_base64_decode(secret, &data_sz);
848 if (!data || !data_sz) {
849 error_setg(errp, "SEV: Failed to decode data");
850 return 1;
851 }
852
853 hva = gpa2hva(&mr, gpa, data_sz, errp);
854 if (!hva) {
855 error_prepend(errp, "SEV: Failed to calculate guest address: ");
856 return 1;
857 }
858
859 input.hdr_uaddr = (uint64_t)(unsigned long)hdr;
860 input.hdr_len = hdr_sz;
861
862 input.trans_uaddr = (uint64_t)(unsigned long)data;
863 input.trans_len = data_sz;
864
865 input.guest_uaddr = (uint64_t)(unsigned long)hva;
866 input.guest_len = data_sz;
867
868 trace_kvm_sev_launch_secret(gpa, input.guest_uaddr,
869 input.trans_uaddr, input.trans_len);
870
871 ret = sev_ioctl(sev_guest->sev_fd, KVM_SEV_LAUNCH_SECRET,
872 &input, &error);
873 if (ret) {
874 error_setg(errp, "SEV: failed to inject secret ret=%d fw_error=%d '%s'",
875 ret, error, fw_error_to_str(error));
876 return ret;
877 }
878
879 return 0;
880 }
881
882 static void
883 sev_register_types(void)
884 {
885 type_register_static(&sev_guest_info);
886 }
887
888 type_init(sev_register_types);
Random patches