On 3/20/24 09:38, Michael Roth wrote:
These patches implement SEV-SNP base support along with CPUID enforcement
support for QEMU, and are also available at:
https://github.com/amdese/qemu/commits/snp-v3-rfc
They are based on top of the following patchset from Paolo:
"[PATCH 0/7] target/i386: VM type infrastructure and KVM_SEV_INIT2 support"
https://lists.gnu.org/archive/html/qemu-devel/2024-03/msg04663.html
Patch Layout
------------
01-05: Various changes needed to handle new header files in kvm-next tree
and some hacks to get a functional header sync in place for building
this series.
06-18: These are patches directly plucked from Xiaoyao's TDX v5 patchset[1]
that implement common dependencies between SNP/TDX like base
guest_memfd, KVM_EXIT_MEMORY_FAULT handling (with a small FIXUP), and
mechanisms to disable SMM. We would've also needed some of the basic
infrastructure for handling specifying VM types for KVM_CREATE, but
much of that is now part of the sevinit2 series this patchset is based
on. Ideally all these patches, once stable, could be maintained in a
common tree so that future SNP/TDX patchsets can be more easily
iterated on/reviewed.
19-20: Patches introduced by this series that are possible candidates for a
common tree.
shared/private pages when things like VFIO are in use.
21-32: Introduction of sev-snp-guest object and various configuration
requirements for SNP.
33-36: Handling for various KVM_EXIT_VMGEXIT events that are handled in
userspace.
37-49: Support for creating a cryptographic "launch" context and populating
various OVMF metadata pages, BIOS regions, and vCPU/VMSA pages with
the initial encrypted/measured/validated launch data prior to
launching the SNP guest.
I reviewed the non-SEV bits of patches 21-46 and they look nicely
self-contained. That's pretty much expected but still good news.
I didn't look closely at the SEV-SNP code for obvious reasons (it's only
been one hour :)), except for the object-oriented aesthetics which I
have remarked upon. However, they seem to be in good shape.
I will now focus on reviewing patches 6-20. This way we can prepare a
common tree for SEV_INIT2/SNP/TDX, for both vendors to build upon.
Thanks for posting this, and thanks to the Intel people too for the
previous work on the guest_memfd parts!
Paolo