Hi I have some questions:

1) May I know what is the usage of this UEFI variable - SevLiveMigrationEnabled? I only see it is created, but I do not see how it is consumed.

2) Is this a full live migration patch, or is this just a startup and there will be more on the way?

Thank you
Yao Jiewen

> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Ashish Kalra via groups.io
> Sent: Monday, August 2, 2021 8:31 PM
> To: devel@edk2.groups.io
> Cc: dovmu...@linux.vnet.ibm.com; brijesh.si...@amd.com; to...@ibm.com; thomas.lenda...@amd.com; j...@linux.ibm.com; Justen, Jordan L <jordan.l.jus...@intel.com>; ard.biesheu...@arm.com; erdemak...@google.com; Yao, Jiewen <jiewen....@intel.com>; Xu, Min M <min.m...@intel.com>
> Subject: [edk2-devel] [PATCH v6 0/6] SEV Live Migration support for OVMF.
>
> From: Ashish Kalra <ashish.ka...@amd.com>
>
> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3467
>
> By default all the SEV guest memory regions are considered encrypted,
> if a guest changes the encryption attribute of the page (e.g mark a
> page as decrypted) then notify hypervisor. Hypervisor will need to
> track the unencrypted pages. The information will be used during
> guest live migration, guest page migration and guest debugging.
>
> The patch-set detects if it is running under KVM hypervisor and then
> checks for SEV live migration feature support via KVM_FEATURE_CPUID,
> if detected setup a new UEFI environment variable to indicate OVMF
> support for SEV live migration.
>
> A branch containing these patches is available here:
> https://github.com/ashkalra/edk2-1/tree/sev_live_migration_v5_10
>
> Changes since v5:
> - Split first patch into three components, one patch for the
>   MemEncryptSevLiveMigrationIsEnabled() API, one patch for the
>   SetMemoryEncDecHypercall3() API, one patch to make use of the
>   SetMemoryEncDecHypercall3() API.
> - Fix patch subject, in code and patch comments and
>   additionally add relevant comments.
> - Replace SetMemoryEncDecHypercall3() API's Status argument
>   with a boolean IsEncrypted argument and corresponding fixes
>   to users of this API call.
> - Fix AsciiStrCmp() usage in KVM hypervisor detection code.
>
> Changes since v4:
> - Remove MemEncryptHypercallLib Library and add support to issue
>   hypercall in the BaseMemEncryptSevLib library itself.
> - For SEV-ES, make the VC handler hypercall aware by comparing
>   the hypercall number and add the additional register values
>   in the GHCB.
> - Fix comments in the hypercall API interface.
> - The encryption bit is set/clear on the smallest page size, hence
>   use the 4k page size in MAP_GPA_RANGE hypercall.
> - Make the hypercall expect the guest physical address to be
>   page-aligned.
> - Add KVM live migration feature flag check in BaseMemEncryptSevLib
>   library similar to how BaseMemEncryptSevLib does for the
>   MemEncryptSevIsEnabled() and check it before invoking HC. Also
>   export the MemEncryptSevLiveMigrationIsEnabled() function as
>   part of the library.
> - Add error handling on hypercall return, on failure, return error
>   code to caller which potentially will cause an assert() and
>   terminate the boot.
>
> Changes since v3:
> - Fix all DSC files under OvmfPkg except X64 to add support for
>   BaseMemEncryptLib and add NULL instance of BaseMemEncryptLib
>   for 32 bit platforms.
> - Add the MemEncryptHypercallLib-related files to Maintainers.txt,
>   in section "OvmfPkg: Confidential Computing".
> - Add support for the new KVM_HC_MAP_GPA_RANGE hypercall interface.
> - Add patch for SEV live migration support.
>
> Changes since v2:
> - GHCB_BASE setup during reset-vector as decrypted is marked explicitly
>   in the hypervisor page encryption bitmap after setting the
>   PcdSevEsIsEnabled PCD.
>
> Changes since v1:
> - Mark GHCB_BASE setup during reset-vector as decrypted explicitly in
>   the hypervisor page encryption bitmap.
> - Resending the series with correct shallow threading.
>
> Ashish Kalra (6):
>   OvmfPkg/BaseMemEncryptLib: Detect SEV live migration feature.
>   OvmfPkg/BaseMemEncryptLib: Hypercall API for page encryption state change
>   OvmfPkg/BaseMemEncryptLib: Invoke page encryption state change hypercall
>   OvmfPkg/VmgExitLib: Encryption state change hypercall support in VC handler
>   OvmfPkg/PlatformPei: Mark SEC GHCB page as unencrypted via hypercall
>   OvmfPkg/AmdSevDxe: Add support for SEV live migration.
>
>  OvmfPkg/AmdSevDxe/AmdSevDxe.c                 | 64 +++++++++++++++++
>  OvmfPkg/AmdSevDxe/AmdSevDxe.inf               |  4 ++
>  OvmfPkg/Include/Guid/AmdSevMemEncryptLib.h    | 20 ++++++
>  OvmfPkg/Include/Library/MemEncryptSevLib.h    | 70 +++++++++++++++++++
>  .../DxeMemEncryptSevLib.inf                   |  1 +
>  .../DxeMemEncryptSevLibInternal.c             | 39 +++++++++++
>  .../Ia32/MemEncryptSevLib.c                   | 27 +++++++
>  .../PeiDxeMemEncryptSevLibInternal.c          | 52 ++++++++++++++
>  .../PeiMemEncryptSevLib.inf                   |  1 +
>  .../PeiMemEncryptSevLibInternal.c             | 39 +++++++++++
>  .../SecMemEncryptSevLibInternal.c             | 38 ++++++++++
>  .../X64/AsmHelperStub.nasm                    | 33 +++++++++
>  .../X64/MemEncryptSevLib.c                    | 62 ++++++++++++++++
>  .../X64/PeiDxeVirtualMemory.c                 | 20 ++++++
>  OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c | 13 ++++
>  OvmfPkg/OvmfPkg.dec                           |  1 +
>  OvmfPkg/PlatformPei/AmdSev.c                  | 11 +++
>  17 files changed, 495 insertions(+)
>  create mode 100644 OvmfPkg/Include/Guid/AmdSevMemEncryptLib.h
>  create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/X64/AsmHelperStub.nasm
>
> --
> 2.17.1

View/Reply Online (#78700): https://edk2.groups.io/g/devel/message/78700
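As an added illustration of the page-state tracking model the cover letter describes (this is constructed example code, not OVMF's or KVM's): a guest-side wrapper with the (address, page count, IsEncrypted) shape of SetMemoryEncDecHypercall3(), which rejects non-page-aligned addresses and returns a status the caller can act on, and a simulated hypervisor side that records which 4K pages are unencrypted in a bitmap, which is what a migration helper needs to know. The hypercall is modelled by a direct call; the function names, the 4 MiB guest size and the `live_migration_enabled` flag standing in for the KVM feature check are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define PAGE_SHIFT  12
#define PAGE_SIZE   (1ULL << PAGE_SHIFT)   /* state is kept per 4K page, the smallest size */
#define GUEST_PAGES 1024                   /* constructed: a 4 MiB guest for the demo */

/* Simulated hypervisor state: one bit per 4K guest page, set = unencrypted.
 * During live migration the hypervisor needs this to know which pages it
 * can read directly and which it cannot. */
static uint8_t unencrypted_bitmap[GUEST_PAGES / 8];

/* Hypervisor side of a MAP_GPA_RANGE-style request (constructed model, not KVM). */
static int hv_map_gpa_range(uint64_t gpa, uint64_t npages, bool encrypted)
{
    uint64_t first = gpa >> PAGE_SHIFT;
    if ((gpa & (PAGE_SIZE - 1)) != 0) return -1;                /* page-aligned only */
    if (npages == 0 || first + npages > GUEST_PAGES) return -1; /* stay inside the guest */
    for (uint64_t p = first; p < first + npages; p++) {
        if (encrypted) unencrypted_bitmap[p / 8] &= (uint8_t)~(1u << (p % 8));
        else           unencrypted_bitmap[p / 8] |= (uint8_t)(1u << (p % 8));
    }
    return 0;
}

/* Stands in for the KVM_FEATURE_CPUID live-migration check done at boot (assumption). */
static bool live_migration_enabled = true;

/* Guest-side wrapper with the (address, pages, IsEncrypted) -> status shape of
 * SetMemoryEncDecHypercall3(); the real one issues a hypercall at this point. */
int set_memory_enc_dec_hypercall3(uint64_t gpa, uint64_t npages, bool is_encrypted)
{
    if (!live_migration_enabled) return 0;             /* feature absent: nothing to report */
    if ((gpa & (PAGE_SIZE - 1)) != 0) return -1;       /* caller passed an unaligned address */
    /* A failure status propagates so the caller can ASSERT and stop the boot. */
    return hv_map_gpa_range(gpa, npages, is_encrypted);
}

/* Query helpers over the simulated hypervisor state. */
bool hv_page_is_unencrypted(uint64_t gpa)
{
    uint64_t p = gpa >> PAGE_SHIFT;
    return p < GUEST_PAGES && ((unencrypted_bitmap[p / 8] >> (p % 8)) & 1u);
}

size_t hv_count_unencrypted(void)
{
    size_t n = 0;
    for (uint64_t p = 0; p < GUEST_PAGES; p++) n += hv_page_is_unencrypted(p << PAGE_SHIFT);
    return n;
}
```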