SVSM planes + SecureTSC patches #26
Open
v-thakkar wants to merge 9 commits into coconut-svsm:svsm-planes-v6.17 from
Conversation
Align with IGVM files providing SEV features with SVM_SEV_FEAT_SNP_ACTIVE set by setting the same when creating a sev-snp-guest object. Since KVM sets this feature itself, SVM_SEV_FEAT_SNP_ACTIVE is unset before the KVM_SEV_INIT2 ioctl is invoked. Move that out of the IGVM-specific section to common code.

While at it, convert the existing SVM_SEV_FEAT_SNP_ACTIVE definition to use the BIT() macro for consistency with upcoming feature flags.

Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Naveen N Rao (AMD) <naveen@kernel.org>

…r IGVM

In preparation for qemu being able to set SEV features through the cli, add a check to ensure that SEV features are not also set if using IGVM files.

Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Naveen N Rao (AMD) <naveen@kernel.org>

Currently, check_sev_features() is called in multiple places when processing IGVM files: both when processing the initial VMSA SEV features from IGVM, as well as when validating the full contents of the VMSA. Move this to a single point in sev_common_kvm_init() to simplify the flow, as well as to re-use this function when VMSA SEV features are being set without using IGVM files.

Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Naveen N Rao (AMD) <naveen@kernel.org>

…are used

SEV features in the VMSA are only meaningful for SEV-ES and SEV-SNP guests, as they control aspects of the encrypted guest state that are not relevant for basic SEV guests. Add a check in check_sev_features() to ensure that SEV-ES or SEV-SNP is enabled when any SEV features are specified.

Reviewed-by: Nikunj A Dadhania <nikunj@amd.com>
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Naveen N Rao (AMD) <naveen@kernel.org>

In preparation for allowing SEV-ES guests to enable VMSA SEV features, update sev_init2_required() to return true if any SEV features are requested. This enables qemu to use KVM_SEV_INIT2 for SEV-ES guests when necessary.

Reviewed-by: Nikunj A Dadhania <nikunj@amd.com>
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Naveen N Rao (AMD) <naveen@kernel.org>

Add support for enabling the debug-swap VMSA SEV feature in SEV-ES and SEV-SNP guests through a new "debug-swap" boolean property on SEV guest objects. Though the boolean property is available for plain SEV guests, check_sev_features() will reject setting this for plain SEV guests.

Though this SEV feature is called "Debug virtualization" in the APM, KVM calls this "debug swap", so use the same name for consistency.

Sample command-line:
  -machine q35,confidential-guest-support=sev0 \
  -object sev-snp-guest,id=sev0,cbitpos=51,reduced-phys-bits=1,debug-swap=on

Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Naveen N Rao (AMD) <naveen@kernel.org>

Add support for enabling the Secure TSC VMSA SEV feature in SEV-SNP guests through a new "secure-tsc" boolean property on SEV-SNP guest objects. By default, KVM uses the host TSC frequency for Secure TSC.

Sample command-line:
  -machine q35,confidential-guest-support=sev0 \
  -object sev-snp-guest,id=sev0,cbitpos=51,reduced-phys-bits=1,secure-tsc=on

Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Co-developed-by: Ketan Chaturvedi <Ketan.Chaturvedi@amd.com>
Signed-off-by: Ketan Chaturvedi <Ketan.Chaturvedi@amd.com>
Co-developed-by: Nikunj A Dadhania <nikunj@amd.com>
Signed-off-by: Nikunj A Dadhania <nikunj@amd.com>
Signed-off-by: Naveen N Rao (AMD) <naveen@kernel.org>

Add support for configuring the TSC frequency when Secure TSC is enabled in SEV-SNP guests through a new "tsc-frequency" property on SEV-SNP guest objects, similar to the vCPU-specific property used by regular guests and TDX. A new property is needed since SEV-SNP guests require the TSC frequency to be specified during the early SNP_LAUNCH_START command, before any vCPUs are created. The user-provided TSC frequency is set through KVM_SET_TSC_KHZ before issuing KVM_SEV_SNP_LAUNCH_START.

Sample command-line:
  -machine q35,confidential-guest-support=sev0 \
  -object sev-snp-guest,id=sev0,cbitpos=51,reduced-phys-bits=1,secure-tsc=on,tsc-frequency=2500000000

Co-developed-by: Ketan Chaturvedi <Ketan.Chaturvedi@amd.com>
Signed-off-by: Ketan Chaturvedi <Ketan.Chaturvedi@amd.com>
Co-developed-by: Nikunj A Dadhania <nikunj@amd.com>
Signed-off-by: Nikunj A Dadhania <nikunj@amd.com>
Signed-off-by: Naveen N Rao (AMD) <naveen@kernel.org>

Refactor check_sev_features() to consolidate SEV-SNP checks into a single if block. This is also helpful when adding checks for future SEV features.

While at it, move the comment about the checks being done outside of the function body and expand it to describe what this function does. Update error_setg() invocations to use a consistent format.

No functional change intended.

Suggested-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Naveen N Rao (AMD) <naveen@kernel.org>
This PR has 9 cherry-picked commits from the upstream qemu patchset. This patchset separates the handling of VMSA SEV features between QEMU command-line configuration and IGVM. This ensures both paths are validated consistently while allowing feature control via either interface.
Corresponding PR for host SecureTSC support can be found here.
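The commit messages above describe a single validation policy that both the IGVM path and the command-line path should pass through: SNP_ACTIVE is implied by the sev-snp-guest object and cleared again before KVM_SEV_INIT2 because KVM sets it itself; IGVM-supplied VMSA state and command-line SEV features are mutually exclusive; VMSA SEV features are rejected for plain SEV; Secure TSC is SNP-only; and a user-supplied tsc-frequency goes to KVM_SET_TSC_KHZ ahead of KVM_SEV_SNP_LAUNCH_START. The C program below is an added example that models that policy end to end so the accept/reject outcomes can be checked offline. It is not QEMU's or this PR's code: the struct, function names and error strings are hypothetical stand-ins for the QEMU functions the commit messages name, the bit positions follow the APM SEV_FEATURES layout (bit 0 SNPActive, bit 5 DebugSwap, bit 9 SecureTsc) but are stated here as assumptions, and the rule that tsc-frequency requires secure-tsc=on is this example's own assumption, not something the page states.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* VMSA SEV_FEATURES bits. Positions follow the APM layout but are this
 * example's assumptions; QEMU and KVM carry their own definitions. */
#define SEV_FEAT_SNP_ACTIVE (UINT64_C(1) << 0)
#define SEV_FEAT_DEBUG_SWAP (UINT64_C(1) << 5)
#define SEV_FEAT_SECURE_TSC (UINT64_C(1) << 9)

enum sev_guest_type { SEV_PLAIN, SEV_ES, SEV_SNP };

/* Hypothetical view of a sev-guest / sev-snp-guest object's properties. */
struct sev_guest_cfg {
    enum sev_guest_type type;
    bool igvm;                  /* VMSA state comes from an IGVM file */
    bool debug_swap;            /* debug-swap=on */
    bool secure_tsc;            /* secure-tsc=on */
    uint64_t tsc_freq_hz;       /* tsc-frequency=<Hz>, 0 = host frequency */
    uint64_t igvm_sev_features; /* SEV_FEATURES found in the IGVM VMSA */
};

/* SEV_FEATURES the launch path would use: verbatim from the IGVM VMSA, or
 * built from the properties with SNP_ACTIVE implied by the object type. */
static uint64_t sev_features_from_cfg(const struct sev_guest_cfg *c)
{
    uint64_t f = 0;

    if (c->igvm)
        return c->igvm_sev_features;
    if (c->type == SEV_SNP)
        f |= SEV_FEAT_SNP_ACTIVE;
    if (c->debug_swap)
        f |= SEV_FEAT_DEBUG_SWAP;
    if (c->secure_tsc)
        f |= SEV_FEAT_SECURE_TSC;
    return f;
}

/* One validation point for both paths. Returns 0 on success, -1 with a
 * reason in err otherwise. Rules follow the commit messages; the final
 * tsc-frequency rule is this example's assumption. */
static int check_sev_features(const struct sev_guest_cfg *c, char *err, size_t errlen)
{
    bool cli_features = c->debug_swap || c->secure_tsc || c->tsc_freq_hz != 0;
    uint64_t f = sev_features_from_cfg(c);

    err[0] = '\0';
    /* IGVM is the sole source of VMSA state; CLI features must not also be set. */
    if (c->igvm && cli_features) {
        snprintf(err, errlen, "SEV features cannot be set on the command line when using IGVM");
        return -1;
    }
    /* VMSA SEV features are only meaningful for SEV-ES and SEV-SNP guests. */
    if (c->type == SEV_PLAIN && f != 0) {
        snprintf(err, errlen, "SEV features require SEV-ES or SEV-SNP");
        return -1;
    }
    if (c->type == SEV_SNP) {
        if (!(f & SEV_FEAT_SNP_ACTIVE)) {
            snprintf(err, errlen, "SEV-SNP guests require SNP_ACTIVE in SEV_FEATURES");
            return -1;
        }
    } else if (f & (SEV_FEAT_SNP_ACTIVE | SEV_FEAT_SECURE_TSC)) {
        snprintf(err, errlen, "SNP_ACTIVE and Secure TSC are only valid for SEV-SNP guests");
        return -1;
    }
    /* Assumption: a user-supplied TSC frequency only makes sense with Secure TSC. */
    if (c->tsc_freq_hz != 0 && !(f & SEV_FEAT_SECURE_TSC)) {
        snprintf(err, errlen, "tsc-frequency requires secure-tsc=on");
        return -1;
    }
    return 0;
}

/* SEV_FEATURES handed to KVM_SEV_INIT2: KVM sets SNP_ACTIVE itself, so clear it. */
static uint64_t sev_features_for_init2(const struct sev_guest_cfg *c)
{
    return sev_features_from_cfg(c) & ~SEV_FEAT_SNP_ACTIVE;
}

/* KVM_SEV_INIT2 is needed for SEV-SNP and whenever any SEV feature is requested. */
static bool sev_init2_required(const struct sev_guest_cfg *c)
{
    return c->type == SEV_SNP || sev_features_for_init2(c) != 0;
}

/* Value for KVM_SET_TSC_KHZ, issued before KVM_SEV_SNP_LAUNCH_START (kHz, not Hz). */
static uint64_t tsc_khz_for_kvm(const struct sev_guest_cfg *c)
{
    return c->tsc_freq_hz / 1000;
}

int main(void)
{
    /* Constructed configurations matching the sample command lines above. */
    const struct sev_guest_cfg cfgs[] = {
        { .type = SEV_SNP, .debug_swap = true },
        { .type = SEV_SNP, .secure_tsc = true, .tsc_freq_hz = 2500000000ull },
        { .type = SEV_PLAIN, .debug_swap = true },                              /* rejected */
        { .type = SEV_SNP, .igvm = true, .secure_tsc = true,
          .igvm_sev_features = SEV_FEAT_SNP_ACTIVE },                           /* rejected */
    };
    char err[128];

    for (size_t i = 0; i < sizeof cfgs / sizeof cfgs[0]; i++) {
        int rc = check_sev_features(&cfgs[i], err, sizeof err);
        printf("cfg %zu: %s%s init2=%d init2_features=0x%llx tsc_khz=%llu\n", i,
               rc ? "rejected: " : "ok", err, sev_init2_required(&cfgs[i]),
               (unsigned long long)sev_features_for_init2(&cfgs[i]),
               (unsigned long long)tsc_khz_for_kvm(&cfgs[i]));
    }
    return 0;
}
```

The point of routing both sources through one check_sev_features() is visible in the fourth configuration: the IGVM VMSA alone is valid, but the moment a command-line feature is also present the launch is refused, so a measured IGVM image cannot be silently altered by a stray QEMU option.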