diff options
| -rw-r--r-- | accel/kvm/kvm-all.c | 1 | ||||
| -rw-r--r-- | hw/i386/pc_sysfw.c | 8 | ||||
| -rw-r--r-- | include/sysemu/sev.h | 4 | ||||
| -rw-r--r-- | target/i386/kvm/kvm.c | 2 | ||||
| -rw-r--r-- | target/i386/sev-stub.c | 9 | ||||
| -rw-r--r-- | target/i386/sev.c | 128 |
6 files changed, 151 insertions, 1 deletions
diff --git a/accel/kvm/kvm-all.c b/accel/kvm/kvm-all.c index 4751691..bf61ef4 100644 --- a/accel/kvm/kvm-all.c +++ b/accel/kvm/kvm-all.c @@ -39,7 +39,6 @@ #include "qemu/main-loop.h" #include "trace.h" #include "hw/irq.h" -#include "sysemu/sev.h" #include "qapi/visitor.h" #include "qapi/qapi-types-common.h" #include "qapi/qapi-visit-common.h" diff --git a/hw/i386/pc_sysfw.c b/hw/i386/pc_sysfw.c index 6404b5a..9fe72b3 100644 --- a/hw/i386/pc_sysfw.c +++ b/hw/i386/pc_sysfw.c @@ -256,6 +256,7 @@ static void pc_system_flash_map(PCMachineState *pcms, MemoryRegion *flash_mem; void *flash_ptr; int flash_size; + int ret; assert(PC_MACHINE_GET_CLASS(pcms)->pci_enabled); @@ -308,6 +309,13 @@ static void pc_system_flash_map(PCMachineState *pcms, * search for them */ pc_system_parse_ovmf_flash(flash_ptr, flash_size); + + ret = sev_es_save_reset_vector(flash_ptr, flash_size); + if (ret) { + error_report("failed to locate and/or save reset vector"); + exit(1); + } + sev_encrypt_flash(flash_ptr, flash_size, &error_fatal); } } diff --git a/include/sysemu/sev.h b/include/sysemu/sev.h index 882e8a4..94d821d 100644 --- a/include/sysemu/sev.h +++ b/include/sysemu/sev.h @@ -21,4 +21,8 @@ int sev_kvm_init(ConfidentialGuestSupport *cgs, Error **errp); int sev_encrypt_flash(uint8_t *ptr, uint64_t len, Error **errp); int sev_inject_launch_secret(const char *hdr, const char *secret, uint64_t gpa, Error **errp); + +int sev_es_save_reset_vector(void *flash_ptr, uint64_t flash_size); +void sev_es_set_reset_vector(CPUState *cpu); + #endif diff --git a/target/i386/kvm/kvm.c b/target/i386/kvm/kvm.c index e97f841..f56a853 100644 --- a/target/i386/kvm/kvm.c +++ b/target/i386/kvm/kvm.c @@ -1922,6 +1922,8 @@ void kvm_arch_reset_vcpu(X86CPU *cpu) } /* enabled by default */ env->poll_control_msr = 1; + + sev_es_set_reset_vector(CPU(cpu)); } void kvm_arch_do_init_vcpu(X86CPU *cpu) diff --git a/target/i386/sev-stub.c b/target/i386/sev-stub.c index edf6c51..0207f1c 100644 --- a/target/i386/sev-stub.c +++ b/target/i386/sev-stub.c @@ -65,3 +65,12 @@ bool sev_es_enabled(void) { return false; } + +void sev_es_set_reset_vector(CPUState *cpu) +{ +} + +int sev_es_save_reset_vector(void *flash_ptr, uint64_t flash_size) +{ + abort(); +} diff --git a/target/i386/sev.c b/target/i386/sev.c index 35b9259..4b70d42 100644 --- a/target/i386/sev.c +++ b/target/i386/sev.c @@ -22,6 +22,7 @@ #include "qom/object_interfaces.h" #include "qemu/base64.h" #include "qemu/module.h" +#include "qemu/uuid.h" #include "sysemu/kvm.h" #include "sev_i386.h" #include "sysemu/sysemu.h" @@ -32,6 +33,7 @@ #include "exec/address-spaces.h" #include "monitor/monitor.h" #include "exec/confidential-guest-support.h" +#include "hw/i386/pc.h" #define TYPE_SEV_GUEST "sev-guest" OBJECT_DECLARE_SIMPLE_TYPE(SevGuestState, SEV_GUEST) @@ -67,11 +69,21 @@ struct SevGuestState { int sev_fd; SevState state; gchar *measurement; + + uint32_t reset_cs; + uint32_t reset_ip; + bool reset_data_valid; }; #define DEFAULT_GUEST_POLICY 0x1 /* disable debug */ #define DEFAULT_SEV_DEVICE "/dev/sev" +#define SEV_INFO_BLOCK_GUID "00f771de-1a7e-4fcb-890e-68c77e2fb44e" +typedef struct __attribute__((__packed__)) SevInfoBlock { + /* SEV-ES Reset Vector Address */ + uint32_t reset_addr; +} SevInfoBlock; + static SevGuestState *sev_guest; static Error *sev_mig_blocker; @@ -879,6 +891,122 @@ int sev_inject_launch_secret(const char *packet_hdr, const char *secret, return 0; } +static int +sev_es_parse_reset_block(SevInfoBlock *info, uint32_t *addr) +{ + if (!info->reset_addr) { + error_report("SEV-ES reset address is zero"); + return 1; + } + + *addr = info->reset_addr; + + return 0; +} + +static int +sev_es_find_reset_vector(void *flash_ptr, uint64_t flash_size, + uint32_t *addr) +{ + QemuUUID info_guid, *guid; + SevInfoBlock *info; + uint8_t *data; + uint16_t *len; + + /* + * Initialize the address to zero. An address of zero with a successful + * return code indicates that SEV-ES is not active. + */ + *addr = 0; + + /* + * Extract the AP reset vector for SEV-ES guests by locating the SEV GUID. + * The SEV GUID is located on its own (original implementation) or within + * the Firmware GUID Table (new implementation), either of which are + * located 32 bytes from the end of the flash. + * + * Check the Firmware GUID Table first. + */ + if (pc_system_ovmf_table_find(SEV_INFO_BLOCK_GUID, &data, NULL)) { + return sev_es_parse_reset_block((SevInfoBlock *)data, addr); + } + + /* + * SEV info block not found in the Firmware GUID Table (or there isn't + * a Firmware GUID Table), fall back to the original implementation. + */ + data = flash_ptr + flash_size - 0x20; + + qemu_uuid_parse(SEV_INFO_BLOCK_GUID, &info_guid); + info_guid = qemu_uuid_bswap(info_guid); /* GUIDs are LE */ + + guid = (QemuUUID *)(data - sizeof(info_guid)); + if (!qemu_uuid_is_equal(guid, &info_guid)) { + error_report("SEV information block/Firmware GUID Table block not found in pflash rom"); + return 1; + } + + len = (uint16_t *)((uint8_t *)guid - sizeof(*len)); + info = (SevInfoBlock *)(data - le16_to_cpu(*len)); + + return sev_es_parse_reset_block(info, addr); +} + +void sev_es_set_reset_vector(CPUState *cpu) +{ + X86CPU *x86; + CPUX86State *env; + + /* Only update if we have valid reset information */ + if (!sev_guest || !sev_guest->reset_data_valid) { + return; + } + + /* Do not update the BSP reset state */ + if (cpu->cpu_index == 0) { + return; + } + + x86 = X86_CPU(cpu); + env = &x86->env; + + cpu_x86_load_seg_cache(env, R_CS, 0xf000, sev_guest->reset_cs, 0xffff, + DESC_P_MASK | DESC_S_MASK | DESC_CS_MASK | + DESC_R_MASK | DESC_A_MASK); + + env->eip = sev_guest->reset_ip; +} + +int sev_es_save_reset_vector(void *flash_ptr, uint64_t flash_size) +{ + CPUState *cpu; + uint32_t addr; + int ret; + + if (!sev_es_enabled()) { + return 0; + } + + addr = 0; + ret = sev_es_find_reset_vector(flash_ptr, flash_size, + &addr); + if (ret) { + return ret; + } + + if (addr) { + sev_guest->reset_cs = addr & 0xffff0000; + sev_guest->reset_ip = addr & 0x0000ffff; + sev_guest->reset_data_valid = true; + + CPU_FOREACH(cpu) { + sev_es_set_reset_vector(cpu); + } + } + + return 0; +} + static void sev_register_types(void) { |