Re: [PATCH v10 48/50] KVM: SEV: Provide support for SNP_GUEST_REQUEST NAE event
From: Kalra, Ashish
Date: Wed Oct 18 2023 - 17:27:32 EST
On 10/18/2023 3:38 PM, Sean Christopherson wrote:
On Wed, Oct 18, 2023, Ashish Kalra wrote:
static int snp_handle_ext_guest_request(struct vcpu_svm *svm)
{
struct kvm_vcpu *vcpu = &svm->vcpu;
struct kvm *kvm = vcpu->kvm;
struct kvm_sev_info *sev;
unsigned long exitcode;
u64 data_gpa;
if (!sev_snp_guest(vcpu->kvm)) {
ghcb_set_sw_exit_info_2(svm->sev_es.ghcb, SEV_RET_INVALID_GUEST);
return 1;
}
data_gpa = vcpu->arch.regs[VCPU_REGS_RAX];
if (!IS_ALIGNED(data_gpa, PAGE_SIZE)) {
ghcb_set_sw_exit_info_2(svm->sev_es.ghcb, SEV_RET_INVALID_ADDRESS);
return 1;
}
vcpu->run->hypercall.nr = KVM_HC_SNP_GET_CERTS;
vcpu->run->hypercall.args[0] = data_gpa;
vcpu->run->hypercall.args[1] = vcpu->arch.regs[VCPU_REGS_RBX];
vcpu->run->hypercall.flags = KVM_EXIT_HYPERCALL_LONG_MODE;
vcpu->arch.complete_userspace_io = snp_complete_ext_guest_request;
return 0;
}
IIRC, the important consideration here is to ensure that getting the
attestation report and retrieving the certificates appears atomic to the
guest. When SNP live migration is supported we don't want a case where the
guest could have migrated between the call to obtain the certificates and
obtaining the attestation report, which can potentially cause failure of
validation of the attestation report.
Where does "obtaining the attestation report" happen? I see the guest request
and the certificate stuff, I don't see anything about attestation reports (though
I'm not looking very closely).
The guest requests that the firmware construct an attestation report via
the SNP_GUEST_REQUEST command. The certificates are piggy-backed to the
guest along with the attestation report (retrieved from the FW via the
SNP_GUEST_REQUEST command) as part of the SNP Extended Guest Request NAE
handling.
Thanks,
Ashish