Currently, the SEV guest launch registers to a RAM block notifier. When called, we issue KVM_MEMORY_ENCRYPT_{REG,UNREG}_REGION ioctl to register the memory with the KVM driver. These ioctls should be called only for the region which contains the encrypted data but the RAM block notifier gets called for any memory region allocated during the guest creation. Some of those memory regions do not contain encrypted data so we end up calling the ioctl for a memory region which contains unencrypted data (e.g. vga RAM etc.).
In case of SEV, only the guest RAM and pflash unit=0 contain the encrypted data. To solve this problem, we introduce a new notifier (RAM block encrypted). If a memory region will contain encrypted data then the caller can use memory_region_mark_encrypted() to set the memory region as encrypted. Clients can register to the RAM block encrypted notifier and they will be called when a memory region is set encrypted.

Janakarajan Natarajan (3):
  ram-encrypted-notifier: Introduce a RAM block encrypted notifier
  hw: Notify listeners about guest pages which contain encrypted data
  sev: Change SEV to use EncryptedRAMBlock Notifier

 exec.c                 |  6 ++++++
 hw/i386/pc.c           |  1 +
 hw/i386/pc_sysfw.c     |  2 ++
 hw/mem/memory-device.c |  1 +
 include/exec/memory.h  | 18 ++++++++++++++++++
 include/exec/ramlist.h | 19 +++++++++++++++++++
 memory.c               | 16 ++++++++++++++++
 numa.c                 | 33 +++++++++++++++++++++++++++++++++
 stubs/ram-block.c      |  8 ++++++++
 target/i386/sev.c      | 25 ++++++++-----------------
 10 files changed, 112 insertions(+), 17 deletions(-)

-- 
2.20.1
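The design point of the series, as a stand-alone model added here (this is not QEMU code and not the series' own patches): a generic RAM block notifier fires for every region the machine creates, so a subscriber that issues KVM_MEMORY_ENCRYPT_REG_REGION from it registers unencrypted regions too, whereas a notifier that fires only from the mark-as-encrypted call registers exactly the regions the caller flagged. The names Region, Machine, region_add and region_mark_encrypted are constructed stand-ins for the RAMBlock, notifier-list and memory_region_mark_encrypted() machinery described above; the SevState subscriber only counts the registrations it would have issued. The region names and sizes are constructed sample values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of a memory region; stand-in for QEMU's RAMBlock. */
typedef struct Region {
    const char *name;
    size_t size;
    bool encrypted;   /* set by region_mark_encrypted() */
} Region;

/* A subscriber callback plus list link; stand-in for QEMU's Notifier. */
typedef struct Notifier {
    void (*added)(struct Notifier *n, const Region *r);
    struct Notifier *next;
} Notifier;

/* Two notifier lists: the old one fires for every region added,
 * the new one fires only when a region is explicitly marked encrypted. */
typedef struct Machine {
    Notifier *ram_block_notifiers;
    Notifier *ram_block_encrypted_notifiers;
} Machine;

static void notifier_add(Notifier **list, Notifier *n)
{
    n->next = *list;
    *list = n;
}

static void notify(Notifier *list, const Region *r)
{
    for (Notifier *n = list; n; n = n->next) {
        n->added(n, r);
    }
}

/* Every region allocated during guest creation passes through here. */
static void region_add(Machine *m, Region *r)
{
    notify(m->ram_block_notifiers, r);
}

/* Stand-in for memory_region_mark_encrypted(): the caller asserts that this
 * region will hold encrypted guest data, and only then are encrypted-RAM
 * listeners told about it. */
static void region_mark_encrypted(Machine *m, Region *r)
{
    r->encrypted = true;
    notify(m->ram_block_encrypted_notifiers, r);
}

/* Model of the SEV subscriber: counts the REG_REGION ioctls it would issue. */
typedef struct SevState {
    Notifier n;       /* must stay the first member for the cast below */
    int reg_calls;
    size_t reg_bytes;
} SevState;

static void sev_register(Notifier *n, const Region *r)
{
    SevState *s = (SevState *)n;
    s->reg_calls++;
    s->reg_bytes += r->size;
}

/* Builds a machine with guest RAM, VGA RAM and two pflash units, marking only
 * guest RAM and pflash unit 0 as encrypted, and reports what SEV registered.
 * use_encrypted_notifier selects the new (true) or old (false) subscription. */
SevState simulate(bool use_encrypted_notifier)
{
    Machine m = {0};
    SevState sev = { .n = { .added = sev_register } };
    if (use_encrypted_notifier) {
        notifier_add(&m.ram_block_encrypted_notifiers, &sev.n);
    } else {
        notifier_add(&m.ram_block_notifiers, &sev.n);
    }

    /* Constructed sample regions; sizes are arbitrary units. */
    Region ram = {"pc.ram", 1024}, vga = {"vga.vram", 256};
    Region pflash0 = {"pflash0", 64}, pflash1 = {"pflash1", 64};

    region_add(&m, &ram);
    region_mark_encrypted(&m, &ram);
    region_add(&m, &vga);                /* unencrypted: should not be registered */
    region_add(&m, &pflash0);
    region_mark_encrypted(&m, &pflash0);
    region_add(&m, &pflash1);            /* unencrypted: should not be registered */
    return sev;
}

int main(void)
{
    SevState old = simulate(false), new = simulate(true);
    printf("old notifier: %d regions, %zu bytes registered\n", old.reg_calls, old.reg_bytes);
    printf("encrypted notifier: %d regions, %zu bytes registered\n", new.reg_calls, new.reg_bytes);
    return 0;
}
```

With the old subscription all four regions reach the SEV callback; with the encrypted-RAM subscription only guest RAM and pflash unit 0 do, which is the behaviour the cover letter asks for.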