Re: [PATCH v7 00/45] Add AMD Secure Nested Paging (SEV-SNP) Guest Support
From: Venu Busireddy
Date: Mon Nov 15 2021 - 10:57:55 EST
On 2021-11-10 16:06:46 -0600, Brijesh Singh wrote:
> This part of Secure Encrypted Paging (SEV-SNP) series focuses on the changes
> required in a guest OS for SEV-SNP support.
>
> SEV-SNP builds upon existing SEV and SEV-ES functionality while adding
> new hardware-based memory protections. SEV-SNP adds strong memory integrity
> protection to help prevent malicious hypervisor-based attacks like data
> replay, memory re-mapping and more in order to create an isolated memory
> encryption environment.
>
> This series provides the basic building blocks to support booting the SEV-SNP
> VMs, it does not cover all the security enhancement introduced by the SEV-SNP
> such as interrupt protection.
>
> Many of the integrity guarantees of SEV-SNP are enforced through a new
> structure called the Reverse Map Table (RMP). Adding a new page to SEV-SNP
> VM requires a 2-step process. First, the hypervisor assigns a page to the
> guest using the new RMPUPDATE instruction. This transitions the page to
> guest-invalid. Second, the guest validates the page using the new PVALIDATE
> instruction. The SEV-SNP VMs can use the new "Page State Change Request NAE"
> defined in the GHCB specification to ask hypervisor to add or remove page
> from the RMP table.
>
> Each page assigned to the SEV-SNP VM can either be validated or unvalidated,
> as indicated by the Validated flag in the page's RMP entry. There are two
> approaches that can be taken for the page validation: Pre-validation and
> Lazy Validation.
>
> Under pre-validation, the pages are validated prior to first use. And under
> lazy validation, pages are validated when first accessed. An access to a
> unvalidated page results in a #VC exception, at which time the exception
> handler may validate the page. Lazy validation requires careful tracking of
> the validated pages to avoid validating the same GPA more than once. The
> recently introduced "Unaccepted" memory type can be used to communicate the
> unvalidated memory ranges to the Guest OS.
>
> At this time we only sypport the pre-validation, the OVMF guest BIOS
> validates the entire RAM before the control is handed over to the guest kernel.
> The early_set_memory_{encrypt,decrypt} and set_memory_{encrypt,decrypt} are
> enlightened to perform the page validation or invalidation while setting or
> clearing the encryption attribute from the page table.
>
> This series does not provide support for the Interrupt security yet which will
> be added after the base support.
>
> The series is based on tip/master
> ea79c24a30aa (origin/master, origin/HEAD, master) Merge branch 'timers/urgent'
I am looking at
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git,
and I cannot find the commit ea79c24a30aa there. Am I looking at the
wrong tree?
Venu
>
> Additional resources
> ---------------------
> SEV-SNP whitepaper
> https://www.amd.com/system/files/TechDocs/SEV-SNP-strengthening-vm-isolation-with-integrity-protection-and-more.pdf
>
> APM 2: https://www.amd.com/system/files/TechDocs/24593.pdf
> (section 15.36)
>
> GHCB spec:
> https://developer.amd.com/wp-content/resources/56421.pdf
>
> SEV-SNP firmware specification:
> https://developer.amd.com/sev/
>
> v6: https://lore.kernel.org/linux-mm/20211008180453.462291-1-brijesh.singh@xxxxxxx/
> v5: https://lore.kernel.org/lkml/20210820151933.22401-1-brijesh.singh@xxxxxxx/
>
> Changes since v6:
> * Add rmpadjust() helper to be used by AP creation and vmpl0 detect function.
> * Clear the VM communication key if guest detects that hypervisor is modifying
> the SNP_GUEST_REQ response header.
> * Move the per-cpu GHCB registration from first #VC to idt setup.
> * Consolidate initial SEV/SME setup into a common entry point that gets called
> early enough to also be used for SEV-SNP CPUID table setup.
> * SNP CPUID: separate initial SEV-SNP feature detection out into standalone
> snp_init() routines, then add CPUID table setup to it as a separate patch.
> * SNP CPUID: fix boot issue with Seabios due to ACPI relying on certain EFI
> config table lookup failures as fallthrough cases rather than error cases.
> * SNP CPUID: drop the use of a separate init routines to handle pointer fixups
> after switching to kernel virtual addresses, instead use a helper that uses
> RIP-relative addressing to access CPUID table when either on identity mapping
> or kernel virtual addresses.
>
> Changes since v5:
> * move the seqno allocation in the sevguest driver.
> * extend snp_issue_guest_request() to accept the exit_info to simplify the logic.
> * use smaller structure names based on feedback.
> * explicitly clear the memory after the SNP guest request is completed.
> * cpuid validation: use a local copy of cpuid table instead of keeping
> firmware table mapped throughout boot.
> * cpuid validation: coding style fix-ups and refactor cpuid-related helpers
> as suggested.
> * cpuid validation: drop a number of BOOT_COMPRESSED-guarded defs/declarations
> by moving things like snp_cpuid_init*() out of sev-shared.c and keeping only
> the common bits there.
> * Break up EFI config table helpers and related acpi.c changes into separate
> patches.
> * re-enable stack protection for 32-bit kernels as well, not just 64-bit
>
> Changes since v4:
> * Address the cpuid specific review comment
> * Simplified the macro based on the review feedback
> * Move macro definition to the patch that needs it
> * Fix the issues reported by the checkpath
> * Address the AP creation specific review comment
>
> Changes since v3:
> * Add support to use the PSP filtered CPUID.
> * Add support for the extended guest request.
> * Move sevguest driver in driver/virt/coco.
> * Add documentation for sevguest ioctl.
> * Add support to check the vmpl0.
> * Pass the VM encryption key and id to be used for encrypting guest messages
> through the platform drv data.
> * Multiple cleanup and fixes to address the review feedbacks.
>
> Changes since v2:
> * Add support for AP startup using SNP specific vmgexit.
> * Add snp_prep_memory() helper.
> * Drop sev_snp_active() helper.
> * Add sev_feature_enabled() helper to check which SEV feature is active.
> * Sync the SNP guest message request header with latest SNP FW spec.
> * Multiple cleanup and fixes to address the review feedbacks.
>
> Changes since v1:
> * Integerate the SNP support in sev.{ch}.
> * Add support to query the hypervisor feature and detect whether SNP is supported.
> * Define Linux specific reason code for the SNP guest termination.
> * Extend the setup_header provide a way for hypervisor to pass secret and cpuid page.
> * Add support to create a platform device and driver to query the attestation report
> and the derive a key.
> * Multiple cleanup and fixes to address Boris's review fedback.
>
> Borislav Petkov (3):
> x86/sev: Get rid of excessive use of defines
> x86/head64: Carve out the guest encryption postprocessing into a
> helper
> x86/sev: Remove do_early_exception() forward declarations
>
> Brijesh Singh (22):
> x86/mm: Extend cc_attr to include AMD SEV-SNP
> x86/sev: Shorten GHCB terminate macro names
> x86/sev: Define the Linux specific guest termination reasons
> x86/sev: Save the negotiated GHCB version
> x86/sev: Add support for hypervisor feature VMGEXIT
> x86/sev: Check SEV-SNP features support
> x86/sev: Add a helper for the PVALIDATE instruction
> x86/sev: Check the vmpl level
> x86/compressed: Add helper for validating pages in the decompression
> stage
> x86/compressed: Register GHCB memory when SEV-SNP is active
> x86/sev: Register GHCB memory when SEV-SNP is active
> x86/sev: Add helper for validating pages in early enc attribute
> changes
> x86/kernel: Make the bss.decrypted section shared in RMP table
> x86/kernel: Validate rom memory before accessing when SEV-SNP is
> active
> x86/mm: Add support to validate memory when changing C-bit
> KVM: SVM: Define sev_features and vmpl field in the VMSA
> x86/boot: Add Confidential Computing type to setup_data
> x86/sev: Provide support for SNP guest request NAEs
> x86/sev: Register SNP guest request platform device
> virt: Add SEV-SNP guest driver
> virt: sevguest: Add support to derive key
> virt: sevguest: Add support to get extended report
>
> Michael Roth (16):
> x86/compressed/64: detect/setup SEV/SME features earlier in boot
> x86/sev: detect/setup SEV/SME features earlier in boot
> x86/head: re-enable stack protection for 32/64-bit builds
> x86/sev: move MSR-based VMGEXITs for CPUID to helper
> KVM: x86: move lookup of indexed CPUID leafs to helper
> x86/compressed/acpi: move EFI system table lookup to helper
> x86/compressed/acpi: move EFI config table lookup to helper
> x86/compressed/acpi: move EFI vendor table lookup to helper
> KVM: SEV: Add documentation for SEV-SNP CPUID Enforcement
> x86/compressed/64: add support for SEV-SNP CPUID table in #VC handlers
> x86/boot: add a pointer to Confidential Computing blob in bootparams
> x86/compressed: add SEV-SNP feature detection/setup
> x86/compressed: use firmware-validated CPUID for SEV-SNP guests
> x86/compressed/64: add identity mapping for Confidential Computing
> blob
> x86/sev: add SEV-SNP feature detection/setup
> x86/sev: use firmware-validated CPUID for SEV-SNP guests
>
> Tom Lendacky (4):
> KVM: SVM: Create a separate mapping for the SEV-ES save area
> KVM: SVM: Create a separate mapping for the GHCB save area
> KVM: SVM: Update the SEV-ES save area mapping
> x86/sev: Use SEV-SNP AP creation to start secondary CPUs
>
> Documentation/virt/coco/sevguest.rst | 117 +++
> .../virt/kvm/amd-memory-encryption.rst | 28 +
> arch/x86/boot/compressed/Makefile | 1 +
> arch/x86/boot/compressed/acpi.c | 129 +--
> arch/x86/boot/compressed/efi.c | 178 ++++
> arch/x86/boot/compressed/head_64.S | 8 +-
> arch/x86/boot/compressed/ident_map_64.c | 44 +-
> arch/x86/boot/compressed/mem_encrypt.S | 36 -
> arch/x86/boot/compressed/misc.h | 44 +-
> arch/x86/boot/compressed/sev.c | 243 ++++-
> arch/x86/include/asm/bootparam_utils.h | 1 +
> arch/x86/include/asm/cpuid.h | 26 +
> arch/x86/include/asm/msr-index.h | 2 +
> arch/x86/include/asm/setup.h | 2 +-
> arch/x86/include/asm/sev-common.h | 137 ++-
> arch/x86/include/asm/sev.h | 96 +-
> arch/x86/include/asm/svm.h | 171 +++-
> arch/x86/include/uapi/asm/bootparam.h | 4 +-
> arch/x86/include/uapi/asm/svm.h | 13 +
> arch/x86/kernel/Makefile | 1 -
> arch/x86/kernel/cc_platform.c | 2 +
> arch/x86/kernel/cpu/common.c | 5 +
> arch/x86/kernel/head64.c | 78 +-
> arch/x86/kernel/head_64.S | 24 +
> arch/x86/kernel/probe_roms.c | 13 +-
> arch/x86/kernel/sev-shared.c | 554 +++++++++++-
> arch/x86/kernel/sev.c | 838 ++++++++++++++++--
> arch/x86/kernel/smpboot.c | 3 +
> arch/x86/kvm/cpuid.c | 17 +-
> arch/x86/kvm/svm/sev.c | 24 +-
> arch/x86/kvm/svm/svm.c | 4 +-
> arch/x86/kvm/svm/svm.h | 2 +-
> arch/x86/mm/mem_encrypt.c | 55 +-
> arch/x86/mm/mem_encrypt_identity.c | 8 +
> arch/x86/mm/pat/set_memory.c | 15 +
> drivers/virt/Kconfig | 3 +
> drivers/virt/Makefile | 1 +
> drivers/virt/coco/sevguest/Kconfig | 9 +
> drivers/virt/coco/sevguest/Makefile | 2 +
> drivers/virt/coco/sevguest/sevguest.c | 743 ++++++++++++++++
> drivers/virt/coco/sevguest/sevguest.h | 98 ++
> include/linux/cc_platform.h | 8 +
> include/linux/efi.h | 1 +
> include/uapi/linux/sev-guest.h | 81 ++
> 44 files changed, 3524 insertions(+), 345 deletions(-)
> create mode 100644 Documentation/virt/coco/sevguest.rst
> create mode 100644 arch/x86/boot/compressed/efi.c
> create mode 100644 arch/x86/include/asm/cpuid.h
> create mode 100644 drivers/virt/coco/sevguest/Kconfig
> create mode 100644 drivers/virt/coco/sevguest/Makefile
> create mode 100644 drivers/virt/coco/sevguest/sevguest.c
> create mode 100644 drivers/virt/coco/sevguest/sevguest.h
> create mode 100644 include/uapi/linux/sev-guest.h
>
> --
> 2.25.1
>