Re: [Part2 PATCH v9 00/38] x86: Secure Encrypted Virtualization (AMD)

From: Paolo Bonzini
Date: Thu Dec 21 2017 - 08:06:31 EST


On 05/12/2017 02:04, Brijesh Singh wrote:
> This part of Secure Encrypted Virtualization (SEV) patch series focuses on KVM
> changes required to create and manage SEV guests.
>
> SEV is an extension to the AMD-V architecture which supports running encrypted
> virtual machines (VMs) under the control of a hypervisor. Encrypted VMs have their
> pages (code and data) secured such that only the guest itself has access to the
> unencrypted version. Each encrypted VM is associated with a unique encryption key;
> if its data is accessed by a different entity using a different key the encrypted
> guest's data will be incorrectly decrypted, leading to unintelligible data.
> This security model ensures that the hypervisor will no longer be able to inspect or
> alter any guest code or data.
>
> The key management of this feature is handled by a separate processor known as
> the AMD Secure Processor (AMD-SP) which is present on AMD SOCs. The SEV Key
> Management Specification (see below) provides a set of commands which can be
> used by the hypervisor to load virtual machine keys through the AMD-SP driver.
>
> The patch series adds a new ioctl in the KVM driver (KVM_MEMORY_ENCRYPT_OP). The
> ioctl will be used by qemu to issue SEV guest-specific commands defined in the Key
> Management Specification.

Hi Brijesh,

I have a couple comments:

1) how is MSR_AMD64_SEV's value passed to the guest, and where is it in
the manual?

2) ECX should be 0 in the guest's 0x8000_001f leaf, because we don't
support nested SEV guests. Likewise, EAX bit 2 should be 0 since you
don't emulate the page flush MSR.

Both can be fixed on top (and I can do the second myself of course), so
there should be no need for a v10. But MSR_AMD64_SEV is leaving me
quite puzzled.

Thanks,

Paolo

> The following links provide additional details:
>
> AMD Memory Encryption white paper:
> http://amd-dev.wpengine.netdna-cdn.com/wordpress/media/2013/12/AMD_Memory_Encryption_Whitepaper_v7-Public.pdf
>
> AMD64 Architecture Programmer's Manual:
> http://support.amd.com/TechDocs/24593.pdf
> SME is section 7.10
> SEV is section 15.34
>
> SEV Key Management:
> http://support.amd.com/TechDocs/55766_SEV-KM API_Specification.pdf
>
> KVM Forum Presentation:
> http://www.linux-kvm.org/images/7/74/02x08A-Thomas_Lendacky-AMDs_Virtualizatoin_Memory_Encryption_Technology.pdf
>
> SEV Guest BIOS support:
> SEV support has been added to EDKII/OVMF BIOS
> https://github.com/tianocore/edk2
>
> --
>
> The series applies on kvm/next commit : 4fbd8d194f06 (Linux 4.15-rc1)
>
> Complete tree is available at:
> repo: https://github.com/codomania/kvm.git
> branch: sev-v9-p2
>
> TODO:
> * Add SEV guest migration command support
>
> Cc: Thomas Gleixner <tglx@xxxxxxxxxxxxx>
> Cc: Ingo Molnar <mingo@xxxxxxxxxx>
> Cc: "H. Peter Anvin" <hpa@xxxxxxxxx>
> Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
> Cc: "Radim Krčmář" <rkrcmar@xxxxxxxxxx>
> Cc: Joerg Roedel <joro@xxxxxxxxxx>
> Cc: Borislav Petkov <bp@xxxxxxx>
> Cc: Tom Lendacky <thomas.lendacky@xxxxxxx>
> Cc: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
> Cc: David S. Miller <davem@xxxxxxxxxxxxx>
> Cc: Gary Hook <gary.hook@xxxxxxx>
> Cc: x86@xxxxxxxxxx
> Cc: kvm@xxxxxxxxxxxxxxx
> Cc: linux-kernel@xxxxxxxxxxxxxxx
> Cc: linux-crypto@xxxxxxxxxxxxxxx
>
> Changes since v8:
> * Rebase the series to kvm/next branch
> * Update SEV asid allocation to limit the ASID between SEV_MIN_ASID and SEV_MAX_ASID
> (EPYC BIOS provides an option to change the SEV_MIN_ASID -- which can be used to
> limit the number of SEV-enabled guests)
>
> Changes since v7:
> * Rebase the series to kvm/next branch
> * move the FW error enum definition in include/uapi/linux/psp-sev.h so that
> both userspace and kernel can share it.
> * (ccp) drop cmd_buf arg from sev_platform_init()
> * (ccp) apply some cleanup/fixup from Boris
> * (ccp) add some comments in FACTORY_RESET command handling
> * (kvm) some fixup/cleanup from Boris
> * (kvm) acquire the kvm->lock when modifying the sev->regions_list
>
> Changes since v6:
> * (ccp): Extend psp_device structure to track the FW INIT and SHUTDOWN states.
> * (ccp): Init and Uninit SEV FW during module load/unload
> * (ccp): Avoid repeated k*alloc() for init and status command buffer
> * (kvm): Rework DBG command to fix the compilation warning seen with gcc7.x
> * (kvm): Convert the SEV doc in rst format
>
> Changes since v5:
> * split the PSP driver support into multiple patches
> * multiple improvements from Boris
> * remove mem_enc_enabled() ops
>
> Changes since v4:
> * Fixes to address kbuild robot errors
> * Add 'sev' module params to allow enable/disable SEV feature
> * Update documentation
> * Multiple fixes to address v4 feedback
> * Some coding style changes to address checkpatch reports
>
> Changes since v3:
> * Re-design the PSP interface support patch
> * Rename the ioctls based on the feedback
> * Improve documentation
> * Fix i386 build issues
> * Add LAUNCH_SECRET command
> * Add new Kconfig option to enable SEV support
> * Changes to address v3 feedback.
>
> Changes since v2:
> * Add KVM_MEMORY_ENCRYPT_REGISTER/UNREGISTER_RAM ioctl to register encrypted
> memory ranges (recommended by Paolo)
> * Extend kvm_x86_ops to provide new memory_encryption_enabled ops
> * Enhance DEBUG DECRYPT/ENCRYPT commands to work with more than one page
> (recommended by Paolo)
> * Optimize LAUNCH_UPDATE command to reduce the number of calls to AMD-SP driver
> * Changes to address v2 feedback
>
>
> Borislav Petkov (1):
> crypto: ccp: Build the AMD secure processor driver only with AMD CPU
> support
>
> Brijesh Singh (34):
> Documentation/virtual/kvm: Add AMD Secure Encrypted Virtualization
> (SEV)
> KVM: SVM: Prepare to reserve asid for SEV guest
> KVM: X86: Extend CPUID range to include new leaf
> KVM: Introduce KVM_MEMORY_ENCRYPT_OP ioctl
> KVM: Introduce KVM_MEMORY_ENCRYPT_{UN,}REG_REGION ioctl
> crypto: ccp: Define SEV userspace ioctl and command id
> crypto: ccp: Define SEV key management command id
> crypto: ccp: Add Platform Security Processor (PSP) device support
> crypto: ccp: Add Secure Encrypted Virtualization (SEV) command support
> crypto: ccp: Implement SEV_FACTORY_RESET ioctl command
> crypto: ccp: Implement SEV_PLATFORM_STATUS ioctl command
> crypto: ccp: Implement SEV_PEK_GEN ioctl command
> crypto: ccp: Implement SEV_PDH_GEN ioctl command
> crypto: ccp: Implement SEV_PEK_CSR ioctl command
> crypto: ccp: Implement SEV_PEK_CERT_IMPORT ioctl command
> crypto: ccp: Implement SEV_PDH_CERT_EXPORT ioctl command
> KVM: X86: Add CONFIG_KVM_AMD_SEV
> KVM: SVM: Reserve ASID range for SEV guest
> KVM: SVM: Add sev module_param
> KVM: Define SEV key management command id
> KVM: SVM: Add KVM_SEV_INIT command
> KVM: SVM: VMRUN should use associated ASID when SEV is enabled
> KVM: SVM: Add support for KVM_SEV_LAUNCH_START command
> KVM: SVM: Add support for KVM_SEV_LAUNCH_UPDATE_DATA command
> KVM: SVM: Add support for KVM_SEV_LAUNCH_MEASURE command
> KVM: SVM: Add support for SEV LAUNCH_FINISH command
> KVM: SVM: Add support for SEV GUEST_STATUS command
> KVM: SVM: Add support for SEV DEBUG_DECRYPT command
> KVM: SVM: Add support for SEV DEBUG_ENCRYPT command
> KVM: SVM: Add support for SEV LAUNCH_SECRET command
> KVM: SVM: Pin guest memory when SEV is active
> KVM: SVM: Clear C-bit from the page fault address
> KVM: SVM: Do not install #UD intercept when SEV is enabled
> KVM: X86: Restart the guest when insn_len is zero and SEV is enabled
>
> Tom Lendacky (3):
> x86/CPU/AMD: Add the Secure Encrypted Virtualization CPU feature
> kvm: svm: prepare for new bit definition in nested_ctl
> kvm: svm: Add SEV feature definitions to KVM
>
> Documentation/virtual/kvm/00-INDEX | 3 +
> .../virtual/kvm/amd-memory-encryption.rst | 247 ++++
> Documentation/virtual/kvm/api.txt | 50 +
> arch/x86/include/asm/cpufeatures.h | 1 +
> arch/x86/include/asm/kvm_host.h | 15 +
> arch/x86/include/asm/msr-index.h | 2 +
> arch/x86/include/asm/svm.h | 3 +
> arch/x86/kernel/cpu/amd.c | 66 +-
> arch/x86/kernel/cpu/scattered.c | 1 +
> arch/x86/kvm/Kconfig | 10 +
> arch/x86/kvm/cpuid.c | 2 +-
> arch/x86/kvm/mmu.c | 10 +
> arch/x86/kvm/svm.c | 1178 +++++++++++++++++++-
> arch/x86/kvm/x86.c | 30 +
> drivers/crypto/ccp/Kconfig | 12 +
> drivers/crypto/ccp/Makefile | 1 +
> drivers/crypto/ccp/psp-dev.c | 805 +++++++++++++
> drivers/crypto/ccp/psp-dev.h | 83 ++
> drivers/crypto/ccp/sp-dev.c | 35 +
> drivers/crypto/ccp/sp-dev.h | 28 +-
> drivers/crypto/ccp/sp-pci.c | 52 +
> include/linux/psp-sev.h | 606 ++++++++++
> include/uapi/linux/kvm.h | 90 ++
> include/uapi/linux/psp-sev.h | 142 +++
> 24 files changed, 3440 insertions(+), 32 deletions(-)
> create mode 100644 Documentation/virtual/kvm/amd-memory-encryption.rst
> create mode 100644 drivers/crypto/ccp/psp-dev.c
> create mode 100644 drivers/crypto/ccp/psp-dev.h
> create mode 100644 include/linux/psp-sev.h
> create mode 100644 include/uapi/linux/psp-sev.h
>
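
The second review point above (guest CPUID leaf 0x8000_001f with ECX = 0 and EAX bit 2 = 0), as an added example that is not code from the patch series or from KVM: a filter that derives the guest-visible leaf from host values and a checker that flags a leaf advertising either feature. All function and macro names are hypothetical, the host register values are constructed, and the EAX/EBX bit layout is taken from the AMD64 Architecture Programmer's Manual.

```c
#include <stdint.h>
#include <stdio.h>

/* Registers returned by CPUID leaf 0x8000001F (AMD memory encryption). */
struct cpuid_regs { uint32_t eax, ebx, ecx, edx; };

#define SEV_EAX_SEV        (1u << 1)  /* SEV supported */
#define SEV_EAX_PAGE_FLUSH (1u << 2)  /* page flush MSR available */

/* Violation flags (hypothetical names, used only by this example). */
#define VIOL_PAGE_FLUSH    (1u << 0)  /* EAX bit 2 set, MSR not emulated */
#define VIOL_NESTED_GUESTS (1u << 1)  /* ECX != 0 advertises nested SEV guests */

/* EBX[5:0] holds the C-bit position; the guest needs it unchanged. */
static unsigned sev_cbit_position(uint32_t ebx)
{
    return ebx & 0x3fu;
}

/* Build the guest-visible leaf: hide the page flush MSR and report
 * zero encrypted guests, leaving the other fields as the host has them. */
static struct cpuid_regs filter_guest_sev_leaf(struct cpuid_regs host)
{
    struct cpuid_regs guest = host;
    guest.eax &= ~SEV_EAX_PAGE_FLUSH;
    guest.ecx = 0;
    return guest;
}

/* Return a bitmask of violations found in a guest-visible leaf. */
static unsigned check_guest_sev_leaf(struct cpuid_regs guest)
{
    unsigned v = 0;
    if (guest.eax & SEV_EAX_PAGE_FLUSH)
        v |= VIOL_PAGE_FLUSH;
    if (guest.ecx != 0)
        v |= VIOL_NESTED_GUESTS;
    return v;
}

int main(void)
{
    /* Constructed host values: SME+SEV+page flush, C-bit 47, 15 guests. */
    struct cpuid_regs host = { 0x7, 0x16f, 15, 1 };
    struct cpuid_regs guest = filter_guest_sev_leaf(host);
    printf("host violations=%u guest violations=%u cbit=%u\n",
           check_guest_sev_leaf(host), check_guest_sev_leaf(guest),
           sev_cbit_position(guest.ebx));
    return 0;
}
```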