On Wed, Mar 08, 2017 at 03:53:03PM -0500, Brijesh Singh wrote: > The command is used to bootstrap an SEV guest from unencrypted boot images. > The command creates a new VM encryption key (VEK) using guest owner's public > DH certificate, and security policy and session parameters. The encryption > key created during launch start process will be used for encrypting the boot > images (such as BIOS). > > Signed-off-by: Brijesh Singh <brijesh.si...@amd.com>
These descriptions of what the commands do are very useful. I suggest including something similar (but more generic and not SEV-specific?) as the documentation of the kvm_memcrypt_*() API functions, as it is not clear what each kvm_memcrypt_*() function is supposed to do.
> ---
> include/sysemu/sev.h | 1 +
> kvm-all.c | 1 +
> sev.c | 55
> ++++++++++++++++++++++++++++++++++++++++++++++++++
> 3 files changed, 57 insertions(+)
>
> diff --git a/include/sysemu/sev.h b/include/sysemu/sev.h
> index dbc3c6c..747fe87 100644
> --- a/include/sysemu/sev.h
> +++ b/include/sysemu/sev.h
> @@ -86,6 +86,7 @@ typedef struct SEVState SEVState;
> bool sev_enabled(void);
> void *sev_guest_init(const char *keyid);
> void sev_set_debug_ops(void *handle, MemoryRegion *mr);
> +int sev_create_launch_context(void *handle);
>
> #endif
>
> diff --git a/kvm-all.c b/kvm-all.c
> index 1fa6413..a13d62f 100644
> --- a/kvm-all.c
> +++ b/kvm-all.c
> @@ -1826,6 +1826,7 @@ static int kvm_init(MachineState *ms)
> goto err;
> }
> kvm_state->memcrypt_debug_ops = sev_set_debug_ops;
> + kvm_state->create_launch_context = sev_create_launch_context;
> g_free(id);
> }
> }
> diff --git a/sev.c b/sev.c
> index 3e02453..4b3f39a 100644
> --- a/sev.c
> +++ b/sev.c
> @@ -148,6 +148,55 @@ static const TypeInfo qsev_launch_info = {
> };
>
> static int
> +sev_ioctl(int cmd, void *data, int *error)
> +{
> + int r;
> + struct kvm_sev_cmd input;
> +
> + input.id = cmd;
> + input.sev_fd = sev_fd;
> + input.data = (__u64)data;
> +
> + r = kvm_vm_ioctl(kvm_state, KVM_MEMORY_ENCRYPT_OP, &input);
> + *error = input.error;
> + return r;
> +}
> +
> +static int
> +sev_launch_start(SEVState *s)
> +{
> + int ret = 1;
> + Object *obj;
> + int fw_error;
> + struct kvm_sev_launch_start *start;
> +
> + if (!s) {
> + return 1;
> + }
> +
> + start = g_malloc0(sizeof(*start));
> + if (!start) {
> + return 1;
> + }
> +
> + obj = object_property_get_link(OBJECT(s->sev_info), "launch",
> &error_abort);
> + if (!obj) {
> + goto err;
> + }
> +
> + ret = sev_ioctl(KVM_SEV_LAUNCH_START, start, &fw_error);
> + if (ret < 0) {
> + fprintf(stderr, "failed LAUNCH_START %d (%#x)\n", ret, fw_error);
> + goto err;
> + }
> +
> + DPRINTF("SEV: LAUNCH_START\n");
> +err:
> + g_free(start);
> + return ret;
> +}
> +
> +static int
> sev_mem_write(uint8_t *dst, const uint8_t *src, uint32_t len, MemTxAttrs
> attrs)
> {
> return 0;
> @@ -200,6 +249,12 @@ err:
> return NULL;
> }
>
> +int
> +sev_create_launch_context(void *handle)
> +{
> + return sev_launch_start((SEVState *)handle);
> +}
> +
> void
> sev_set_debug_ops(void *handle, MemoryRegion *mr)
> {
> -- Eduardo
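Review bot: `struct kvm_sev_cmd input;` in sev_ioctl() is left uninitialized apart from `id`, `sev_fd` and `data`, so every other field of the request is handed to the kernel as stack garbage, and when kvm_vm_ioctl() fails before the kernel writes the structure back, `*error = input.error;` returns that garbage, which sev_launch_start() then prints as the firmware error. Zero-initializing it, `struct kvm_sev_cmd input = { .id = cmd, .sev_fd = sev_fd, .data = (__u64)(unsigned long)data };`, fixes both and also avoids the pointer-to-__u64 cast warning on 32-bit hosts. In sev_launch_start(), `obj` is looked up through the "launch" link but only null-checked: the policy, DH certificate and session parameters the commit message says LAUNCH_START consumes are never copied into `*start`, so the command is issued with an all-zero request; either populate it from `obj` here or say in the commit message that a later patch does. The `if (!start)` test after `g_malloc0()` is dead code, since g_malloc0() aborts instead of returning NULL.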
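Review bot: sev_create_launch_context() exports a mixed return convention: sev_launch_start() returns 1 for a NULL handle or an unset launch link but the negative ioctl result when LAUNCH_START fails, so a caller of `kvm_state->create_launch_context` cannot detect failure with a single `< 0` test. Normalize the two early returns to a negative value and document the contract on the prototype in include/sysemu/sev.h, e.g. `/* Issue LAUNCH_START for the SEV guest behind @handle; returns 0 on success, < 0 on failure. */`. The `(SEVState *)handle` cast is unchecked beyond the NULL test, which holds only as long as the sole caller passes the pointer returned by sev_guest_init(); that assumption belongs in the same comment.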