With AMD SEV the hypervisor (HV) cannot decrypt or move guest memory pages. This makes migration tricky. While the AMD Secure Processor can export/import pages wrapped with a transport key, the bandwidth is limited. We look to provide similar support via firmware. In particular, we implement a Migration Handler (MH) in OVMF. The MH runs in a separate mirror VM that shares the memory of the guest. To migrate a guest, the HV asks the MH on the source to export wrapped pages, which the MH on the target will import. To start the MH on the source or the target, the HV boots the mirror VM to a custom entry vector implemented in these patches.
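The export/import exchange described above, as an added model in C that is not code from this RFC or from OVMF: the mailbox layout, command codes and function names are assumptions. It shows the one check a reviewer would look for in the MH: its commands come from the untrusted HV, so the guest-physical address the HV supplies must be validated before any page is copied; the mailbox carries the page in plaintext, as this RFC does.

```c
#include <stdint.h>
#include <string.h>

#define PAGE_SIZE  4096
#define GUEST_SIZE (4 * PAGE_SIZE)  /* constructed: a four-page toy guest */

/* Hypothetical mailbox between HV and MH; not the layout used by the RFC. */
enum { MH_CMD_EXPORT = 1, MH_CMD_IMPORT = 2 };
enum { MH_OK = 0, MH_ERR_RANGE = 1, MH_ERR_CMD = 2 };
struct mh_mailbox {
    uint32_t cmd, status;
    uint64_t gpa;              /* guest-physical address chosen by the HV */
    uint8_t  page[PAGE_SIZE];  /* plaintext, as in this RFC: no transport wrapping */
};

/* MH side: the HV is untrusted, so its GPA is validated before any copy. */
int mh_handle(struct mh_mailbox *mb, uint8_t *guest_mem, size_t guest_size)
{
    if (guest_size < PAGE_SIZE || mb->gpa % PAGE_SIZE != 0 ||
        mb->gpa > guest_size - PAGE_SIZE) {
        mb->status = MH_ERR_RANGE;
        return -1;
    }
    if (mb->cmd == MH_CMD_EXPORT)       /* source MH: guest page -> mailbox */
        memcpy(mb->page, guest_mem + mb->gpa, PAGE_SIZE);
    else if (mb->cmd == MH_CMD_IMPORT)  /* target MH: mailbox -> guest page */
        memcpy(guest_mem + mb->gpa, mb->page, PAGE_SIZE);
    else { mb->status = MH_ERR_CMD; return -1; }
    mb->status = MH_OK;
    return 0;
}

/* HV side: ask the source MH to export, forward the mailbox, ask the target to import. */
int hv_migrate_page(uint8_t *src, uint8_t *dst, size_t size, uint64_t gpa)
{
    struct mh_mailbox mb = { .cmd = MH_CMD_EXPORT, .gpa = gpa };
    if (mh_handle(&mb, src, size) != 0) return -1;
    mb.cmd = MH_CMD_IMPORT;   /* same buffer handed to the target MH */
    return mh_handle(&mb, dst, size);
}

/* Constructed round trip: 0 if page 1 arrives intact and bad GPAs are refused. */
int demo(void)
{
    static uint8_t src[GUEST_SIZE], dst[GUEST_SIZE];
    memset(src, 0xAB, GUEST_SIZE);
    memset(dst, 0x00, GUEST_SIZE);
    if (hv_migrate_page(src, dst, GUEST_SIZE, PAGE_SIZE) != 0) return 1;
    if (memcmp(src + PAGE_SIZE, dst + PAGE_SIZE, PAGE_SIZE) != 0) return 2;
    if (hv_migrate_page(src, dst, GUEST_SIZE, GUEST_SIZE) == 0) return 3;  /* past the end */
    if (hv_migrate_page(src, dst, GUEST_SIZE, 100) == 0) return 4;         /* unaligned */
    return 0;
}
```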
This RFC does not include encryption support. The pages are passed to/from the HV in plaintext.

This RFC depends on mirror VM support already upstreamed in KVM, AMD page encryption status tracking (Ashish Kalra's v6 OVMF live migration patches), mirror VM support in QEMU (Ashish's v1 QEMU RFC), page encryption status tracking support in QEMU (Ashish's QEMU guest live migration support v4), and MH support in QEMU (coming soon).

This RFC is aimed at SEV only. The general design carries over to SEV-ES and SEV-SNP, but extra support is required.

Dov Murik (1):
  OvmfPkg/AmdSev: Build page table for migration handler

Tobin Feldman-Fitzthum (8):
  OvmfPkg/AmdSev: Base for Confidential Migration Handler
  OvmfPkg/PlatfomPei: Set Confidential Migration PCD
  OvmfPkg/AmdSev: Setup Migration Handler Mailbox
  OvmfPkg/AmdSev: MH support for mailbox protocol
  OvmfPkg/AmdSev: Don't overwrite mailbox or pagetables
  OvmfPkg/AmdSev: Don't overwrite MH stack
  OvmfPkg/AmdSev: Add Migration Handler entry point
  OvmfPkg/ResetVector: Expose Migration Handler Entry Addresses

 OvmfPkg/OvmfPkg.dec                          |  13 +
 OvmfPkg/AmdSev/AmdSevX64.dsc                 |   2 +
 OvmfPkg/AmdSev/AmdSevX64.fdf                 |  16 +-
 .../ConfidentialMigrationDxe.inf             |  38 +++
 .../ConfidentialMigrationPei.inf             |  37 +++
 OvmfPkg/PlatformPei/PlatformPei.inf          |   2 +
 OvmfPkg/ResetVector/ResetVector.inf          |   1 +
 .../ConfidentialMigration/VirtualMemory.h    | 177 ++++++++++++
 .../ConfidentialMigrationDxe.c               | 272 ++++++++++++++++++
 .../ConfidentialMigrationPei.c               |  31 ++
 OvmfPkg/PlatformPei/Platform.c               |  10 +
 .../MigrationEntryPoint.nasm                 |  51 ++++
 OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm |  13 +
 OvmfPkg/ResetVector/ResetVector.nasmb        |   1 +
 14 files changed, 660 insertions(+), 4 deletions(-)
 create mode 100644 OvmfPkg/AmdSev/ConfidentialMigration/ConfidentialMigrationDxe.inf
 create mode 100644 OvmfPkg/AmdSev/ConfidentialMigration/ConfidentialMigrationPei.inf
 create mode 100644 OvmfPkg/AmdSev/ConfidentialMigration/VirtualMemory.h
 create mode 100644 OvmfPkg/AmdSev/ConfidentialMigration/ConfidentialMigrationDxe.c
 create mode 100644 OvmfPkg/AmdSev/ConfidentialMigration/ConfidentialMigrationPei.c
 create mode 100644 OvmfPkg/AmdSev/ConfidentialMigration/MigrationEntryPoint.nasm

--
2.20.1

View/Reply Online (#79517): https://edk2.groups.io/g/devel/message/79517