Re: [PATCH RFC v7 40/64] KVM: SVM: Add KVM_SEV_SNP_LAUNCH_FINISH command

From: Tom Lendacky
Date: Tue Dec 20 2022 - 09:26:10 EST


On 12/19/22 17:24, Kalra, Ashish wrote:
Hello Tom,

On 12/19/2022 12:04 PM, Tom Lendacky wrote:
On 12/14/22 13:40, Michael Roth wrote:
From: Brijesh Singh <brijesh.singh@xxxxxxx>

KVM_SEV_SNP_LAUNCH_FINISH finalizes the cryptographic digest and stores
it as the measurement of the guest at launch.

While finalizing the launch flow, it also issues the LAUNCH_UPDATE command
to encrypt the VMSA pages.

If it's an SNP guest, then the VMSA was added in the RMP entry as
a guest-owned page and also removed from the kernel direct map,
so flush it later after it is transitioned back to hypervisor
state and restored in the direct map.

Signed-off-by: Brijesh Singh <brijesh.singh@xxxxxxx>
Signed-off-by: Harald Hoyer <harald@xxxxxxxxxxx>
Signed-off-by: Ashish Kalra <ashish.kalra@xxxxxxx>
Signed-off-by: Michael Roth <michael.roth@xxxxxxx>
---
  .../virt/kvm/x86/amd-memory-encryption.rst    |  22 ++++
  arch/x86/kvm/svm/sev.c                        | 119 ++++++++++++++++++
  include/uapi/linux/kvm.h                      |  14 +++
  3 files changed, 155 insertions(+)

diff --git a/Documentation/virt/kvm/x86/amd-memory-encryption.rst b/Documentation/virt/kvm/x86/amd-memory-encryption.rst
index c94be8e6d657..e4b42aaab1de 100644
--- a/Documentation/virt/kvm/x86/amd-memory-encryption.rst
+++ b/Documentation/virt/kvm/x86/amd-memory-encryption.rst
@@ -513,6 +513,28 @@ Returns: 0 on success, -negative on error
  See the SEV-SNP spec for further details on how to build the VMPL permission
  mask and page type.
+21. KVM_SNP_LAUNCH_FINISH
+-------------------------
+
+After completion of the SNP guest launch flow, the KVM_SNP_LAUNCH_FINISH command can be
+issued to make the guest ready for the execution.
+
+Parameters (in): struct kvm_sev_snp_launch_finish
+
+Returns: 0 on success, -negative on error
+
+::
+
+        struct kvm_sev_snp_launch_finish {
+                __u64 id_block_uaddr;
+                __u64 id_auth_uaddr;
+                __u8 id_block_en;
+                __u8 auth_key_en;
+                __u8 host_data[32];
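Review bot: the struct listing in this hunk ends at `host_data[32]` and omits the trailing padding bytes that the include/uapi/linux/kvm.h definition carries (the 6 bytes noted further down this thread), so the documented layout does not match the ABI; add the pad member to the listing. The section title and text also name the command KVM_SNP_LAUNCH_FINISH while the subject line and commit message use KVM_SEV_SNP_LAUNCH_FINISH; pick one name and use it consistently. Minor wording: "make the guest ready for the execution" reads better as "make the guest ready for execution".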

This is missing the 6 bytes of padding at the end of the struct.


Yes, will fix this, the documentation is missing that; the structure definition in include/uapi/linux/kvm.h includes it.

But why do we need this padding?


I'm assuming it was added so that any new elements added would be aligned on an 8 byte boundary (should the next element added be a __u64). I don't think that it is truly needed right now, though.

Thanks,
Tom
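The padding question above can be made concrete with a small layout check. The following C program is an added illustration written for this page, not code from the patch or from KVM: it mirrors the fields quoted in the hunk, once without and once with the 6 trailing pad bytes, and appends a hypothetical `next_field` (an assumption, not part of the patch) to show where a future `__u64` would land. It also shows the kind of check a uapi consumer can do once padding is explicit: require the pad bytes to be zero so they stay reserved for later use.

```c
/* Added illustration (not from the patch): how an explicit trailing pad in a
 * uapi struct makes the layout deterministic and leaves room for extension.
 * Field names mirror the quoted hunk; "next_field" is hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Local typedefs so the example builds without linux/types.h. */
typedef uint64_t __u64;
typedef uint8_t  __u8;

/* Layout exactly as documented in the quoted .rst hunk (no explicit pad). */
struct launch_finish_nopad {
        __u64 id_block_uaddr;
        __u64 id_auth_uaddr;
        __u8 id_block_en;
        __u8 auth_key_en;
        __u8 host_data[32];
};

/* Layout with the 6 trailing pad bytes the thread refers to. */
struct launch_finish_pad {
        __u64 id_block_uaddr;
        __u64 id_auth_uaddr;
        __u8 id_block_en;
        __u8 auth_key_en;
        __u8 host_data[32];
        __u8 pad[6];
};

/* Hypothetical future extension: a __u64 appended after the pad. */
struct launch_finish_ext {
        __u64 id_block_uaddr;
        __u64 id_auth_uaddr;
        __u8 id_block_en;
        __u8 auth_key_en;
        __u8 host_data[32];
        __u8 pad[6];
        __u64 next_field;
};

/* Offset of host_data: 8 + 8 + 1 + 1 = 18 in every variant. */
size_t host_data_offset(void) { return offsetof(struct launch_finish_nopad, host_data); }

/* 50 bytes of members; a 64-bit ABI rounds the struct up to 56 implicitly,
 * while a 32-bit ABI (where __u64 is 4-byte aligned in structs) would give 52.
 * The explicit pad makes it 56 everywhere. */
size_t size_nopad(void) { return sizeof(struct launch_finish_nopad); }
size_t size_pad(void)   { return sizeof(struct launch_finish_pad); }

/* With the pad present, a future __u64 starts at offset 56 on any ABI. */
size_t next_field_offset(void) { return offsetof(struct launch_finish_ext, next_field); }

/* Consumer-side check: an explicit pad can be required to be zero, so the
 * bytes remain reserved for a later field instead of carrying garbage. */
int pad_is_zero(const struct launch_finish_pad *p)
{
        static const __u8 zeros[sizeof(p->pad)] = {0};
        return memcmp(p->pad, zeros, sizeof(p->pad)) == 0;
}

int main(void)
{
        struct launch_finish_pad good = {0};   /* constructed sample: pad zeroed */
        struct launch_finish_pad bad = {0};    /* constructed sample: pad dirty */
        bad.pad[3] = 0x5a;

        printf("host_data at %zu, sizeof nopad=%zu, sizeof pad=%zu, next_field at %zu\n",
               host_data_offset(), size_nopad(), size_pad(), next_field_offset());
        printf("pad_is_zero(good)=%d pad_is_zero(bad)=%d\n",
               pad_is_zero(&good), pad_is_zero(&bad));
        return 0;
}
```

The point the numbers make is the one Tom draws: on a 64-bit build the compiler already rounds the unpadded struct to 56 bytes, so the pad changes nothing today, but spelling it out fixes the size across ABIs and lets the consumer insist the reserved bytes are zero before a future field is assigned to them.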