VMEXITs. This helps speed up boot times.
Ping...
>
> Signed-off-by: Tom Lendacky
> ---
> accel/kvm/kvm-all.c | 2 ++
> include/system/kvm.h | 1 +
> target/i386/kvm/kvm.c | 31 ++-
> 3 files changed, 29 insertions(+), 5 deletions(-)
>
&
, resulting in 1024 additional exits.
When performing a page state change, invoke KVM_PRE_FAULT_MEMORY for the
size of the page state change in order to pre-map the pages and avoid the
additional VMEXITs. This helps speed up boot times.
Signed-off-by: Tom Lendacky
---
accel/kvm/kvm-all.c | 2
cpr_blocker because aux-ram-share=off so
> rb->fd < 0, and once in ram_block_add for a specific guest_memfd blocker.
>
> To fix, add the guest_memfd blocker iff a generic one would not be
> added by ram_block_add_cpr_blocker.
>
> Fixes: 094a3dbc55df ("migration:
cpr_blocker because aux-ram-share=off so
> rb->fd < 0, and once in ram_block_add for a specific guest_memfd blocker.
>
> To fix, add the guest_memfd blocker iff a generic one would not be
> added by ram_block_add_cpr_blocker.
>
> Fixes: 094a3dbc55df ("migration:
On 3/27/25 07:27, Steven Sistare wrote:
> On 3/26/2025 5:34 PM, Michael Roth wrote:
>> On Wed, Mar 26, 2025 at 05:13:50PM -0300, Fabiano Rosas wrote:
>>> Michael Roth writes:
>>>> Quoting Tom Lendacky (2025-03-26 14:21:31)
>>>>> On 3/26/25 13:4
On 3/26/25 13:46, Tom Lendacky wrote:
> On 3/7/25 12:15, Fabiano Rosas wrote:
>> From: Steve Sistare
>>
>> Unlike cpr-reboot mode, cpr-transfer mode cannot save volatile ram blocks
>> in the migration stream file and recreate them later, because the physical
>> me
On 3/7/25 12:15, Fabiano Rosas wrote:
> From: Steve Sistare
>
> Unlike cpr-reboot mode, cpr-transfer mode cannot save volatile ram blocks
> in the migration stream file and recreate them later, because the physical
> memory for the blocks is pinned and registered for vfio. Add a blocker
> for vo
On 2/10/25 12:53, Tom Lendacky wrote:
> On 2/7/25 17:33, Kim Phillips wrote:
>> The Allowed SEV Features feature allows the host kernel to control
>> which SEV features it does not want the guest to enable [1].
>>
>> This has to be explicitly opted-in by the user becau
On 2/7/25 17:33, Kim Phillips wrote:
> The Allowed SEV Features feature allows the host kernel to control
> which SEV features it does not want the guest to enable [1].
>
> This has to be explicitly opted-in by the user because it has the
> ability to break existing VMs if it were set automaticall
On 2/7/25 17:34, Kim Phillips wrote:
> AMD EPYC 5th generation processors have introduced a feature that allows
> the hypervisor to control the SEV_FEATURES that are set for, or by, a
> guest [1]. ALLOWED_SEV_FEATURES can be used by the hypervisor to enforce
> that SEV-ES and SEV-SNP guests cannot
t
> support or wish to be enabled.
>
> Signed-off-by: Kishon Vijay Abraham I
> Signed-off-by: Kim Phillips
Reviewed-by: Tom Lendacky
> ---
> arch/x86/include/asm/cpufeatures.h | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/arch/x86/include/asm/cpufeatur
sed kernel image clobber setup_data"), this was changed to
the cmdline file instead, with the sev_enabled() check left out.
Fixes: eac7a7791bb6 ("x86: don't let decompressed kernel image clobber
setup_data")
Reported-by: Tom Lendacky
Signed-off-by: Dov Murik
Signed-off-by
On 2/7/23 17:24, Jason A. Donenfeld wrote:
Hi Tom,
On Tue, Feb 7, 2023 at 8:21 PM Tom Lendacky wrote:
On 2/7/23 15:45, Michael S. Tsirkin wrote:
On Tue, Feb 07, 2023 at 08:41:16AM +, Dov Murik wrote:
Recent feature to supply RNG seed to the guest kernel modifies the
kernel command-line
d not break
anything assuming you also have some other randomness source.
If you don't then you have other problems.
Disable the RNG seed feature in SEV guests.
Fixes: eac7a7791bb6 ("x86: don't let decompressed kernel image clobber
setup_data")
Reported-by: Tom Lendacky
On 9/30/22 10:14, Tom Lendacky wrote:
This patch series fixes up and tries to remove some confusion around the
SEV reduced-phys-bits parameter.
Based on the "AMD64 Architecture Programmer's Manual Volume 2: System
Programming", section "15.34.6 Page Table Support" [1],
especially to support the previously
documented value of 5, allow the full range of values from 1 to 63
(0 was never allowed).
- Update the setting of CPUID 0x801F_EBX to limit the values to the
field width that they are setting as an additional safeguard.
[1] https://www.amd.com/system/file
allowing a value greater
than 1 (so that the previously documented value of 5 still works), but not
allowing anything over 63.
Fixes: d8575c6c02 ("sev/i386: add command to initialize the memory encryption
context")
Signed-off-by: Tom Lendacky
---
target/i386/sev.c | 17 ++-
Update the setting of CPUID 0x801F EBX to clearly document the ranges
associated with fields being set.
Fixes: 6cb8f2a663 ("cpu/i386: populate CPUID 0x8000_001F when SEV is active")
Signed-off-by: Tom Lendacky
---
target/i386/cpu.c | 4 ++--
1 file changed, 2 insertions(+), 2
A guest only ever experiences, at most, 1 bit of reduced physical
addressing. Update the documentation to reflect this as well as change
the example value on the reduced-phys-bits option.
Fixes: a9b4942f48 ("target/i386: add Secure Encrypted Virtualization (SEV)
object")
Signed-o
A guest only ever experiences, at most, 1 bit of reduced physical
addressing. Change the query-sev-capabilities json comment to use 1.
Fixes: 31dd67f684 ("sev/i386: qmp: add query-sev-capabilities command")
Signed-off-by: Tom Lendacky
---
qapi/misc-target.json | 2 +-
1 file
On 6/30/22 03:14, Daniel P. Berrangé wrote:
On Wed, Jun 29, 2022 at 07:37:01PM +, Dionna Glaze wrote:
For SEV-SNP, an OS is "SEV-SNP capable" without supporting this UEFI
v2.9 memory type. In order for OVMF to be able to avoid pre-validating
potentially hundreds of gibibytes of data before b
On 6/15/22 10:19, Xiaoyao Li wrote:
On 6/15/2022 8:46 AM, Xu, Min M wrote:
I would like to add more engineers (Confidential Computing Reviewers in
EDK2 community and Intel's QEMU engineers) in this mail thread.
-Original Message-
From: Dionna Amalie Glaze
Sent: Wednesday, June 15, 20
following warning will be
displayed during VM launch:
qemu-system-x86_64: warning: SEV: kernel specified but OVMF has no hash
table guid
Signed-off-by: Dov Murik
Reported-by: Tom Lendacky
Just a few minor comments/questions below, otherwise:
Acked-by: Tom Lendacky
---
target/i386/sev.c |
On 10/19/21 1:18 AM, Dov Murik wrote:
On 18/10/2021 21:02, Tom Lendacky wrote:
On 9/30/21 12:49 AM, Dov Murik wrote:
...
+/*
+ * Add the hashes of the linux kernel/initrd/cmdline to an encrypted
guest page
+ * which is included in SEV's initial memory measurement.
+ */
On 9/30/21 12:49 AM, Dov Murik wrote:
...
+/*
+ * Add the hashes of the linux kernel/initrd/cmdline to an encrypted guest page
+ * which is included in SEV's initial memory measurement.
+ */
+bool sev_add_kernel_loader_hashes(SevKernelLoaderContext *ctx, Error **errp)
+{
+uint8_t *data;
+
On 7/9/21 4:55 PM, Brijesh Singh wrote:
> SEV-SNP builds upon existing SEV and SEV-ES functionality while adding
> new hardware-based memory protections. SEV-SNP adds strong memory integrity
> protection to help prevent malicious hypervisor-based attacks like data
> replay, memory re-mapping and mo
oding style prefer not initializing the bool to false since
it will default to that? Otherwise,
Reviewed-by: Tom Lendacky
> ---
> hw/i386/pc_sysfw.c | 7 ++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/hw/i386/pc_sysfw.c b/hw/i386/pc_sysfw.c
> index 6
On 6/29/21 2:11 AM, Philippe Mathieu-Daudé wrote:
> On 6/29/21 7:56 AM, Dov Murik wrote:
>> On 29/06/2021 1:03, Tom Lendacky wrote:
>>> On 6/22/21 7:58 AM, Dov Murik wrote:
>>
>> (a) add a 'static bool ovmf_table_parsed' which will be set to true at
>&g
On 6/22/21 7:58 AM, Dov Murik wrote:
> +cc: Tom Lendacky
>
> On 22/06/2021 15:47, Philippe Mathieu-Daudé wrote:
>> On 6/22/21 2:44 PM, Dov Murik wrote:
>>> Suggested-by: Philippe Mathieu-Daudé
>>> Signed-off-by: Dov Murik
>>> ---
>>> hw/i386
Just a quick ping on this series...
Thanks,
Tom
On 4/23/21 3:08 PM, Tom Lendacky wrote:
> From: Tom Lendacky
>
> Fix some spelling and grammar mistakes in the amd-memory-encryption.txt
> file. No new information added.
>
> Signed-off-by: Tom Lendacky
> ---
> docs/a
On 4/22/21 9:09 AM, Laszlo Ersek wrote:
> On 04/21/21 21:31, Tom Lendacky wrote:
>> On 4/21/21 2:12 PM, Tom Lendacky wrote:
>>> From: Tom Lendacky
>>>
>>> Update the amd-memory-encryption.txt file with information about SEV-ES,
>>> including
From: Tom Lendacky
Update the amd-memory-encryption.txt file with information about SEV-ES,
including how to launch an SEV-ES guest and some of the differences
between SEV and SEV-ES guests in regards to launching and measuring the
guest.
Signed-off-by: Tom Lendacky
---
docs/amd-memory
From: Tom Lendacky
Create an enum definition, '@amd-sev-es', for SEV-ES and add documention
for the new enum. Add an example that shows some of the requirements for
SEV-ES, including not having SMM support and the requirement for an
X64-only build.
Signed-off-by: Tom Lendacky
---
do
From: Tom Lendacky
Fix some spelling and grammar mistakes in the amd-memory-encryption.txt
file. No new information added.
Signed-off-by: Tom Lendacky
---
docs/amd-memory-encryption.txt | 59 +-
1 file changed, 29 insertions(+), 30 deletions(-)
diff --git a
On 4/21/21 2:12 PM, Tom Lendacky wrote:
> From: Tom Lendacky
>
> Update the amd-memory-encryption.txt file with information about SEV-ES,
> including how to launch an SEV-ES guest and some of the differences
> between SEV and SEV-ES guests in regards to launching and measur
From: Tom Lendacky
Update the amd-memory-encryption.txt file with information about SEV-ES,
including how to launch an SEV-ES guest and some of the differences
between SEV and SEV-ES guests in regards to launching and measuring the
guest.
Signed-off-by: Tom Lendacky
---
docs/amd-memory
On 4/21/21 4:54 AM, Laszlo Ersek wrote:
> Hi Brijesh, Tom,
Hi Laszlo,
>
> in QEMU's "docs/interop/firmware.json", the @FirmwareFeature enumeration
> has a constant called @amd-sev. We should introduce an @amd-sev-es
> constant as well, minimally for the following reason:
>
> AMD document #56421
nd the SevGuestProperties type
> unconditionally to avoid the issue. We do not expect to have
> many target-dependent user-creatable classes, so it is not
> particularly problematic.
>
> Reported-by: Tom Lendacky
> Signed-off-by: Paolo Bonzini
I'm once again able to launch
On 3/25/21 1:51 PM, Brijesh Singh wrote:
> Hi All,
>
> It seems creating the sev-guest object is broken rc0 tag. The following
> command is no longer able to create the sev-guest object
>
> $QEMU \
>
> -machine ...,confidential-guest-support=sev0 \
>
> -object sev-guest,id=sev0,policy=0x1 \
>
On 2/8/21 10:31 AM, Paolo Bonzini wrote:
On 08/02/21 16:48, Tom Lendacky wrote:
Queued, thanks.
It looks like David Gibson's patches for the memory encryption rework
went into the main tree before mine. So, I think I'm going to have to
rework my patches. Let me look into i
On 2/5/21 4:59 AM, Paolo Bonzini wrote:
On 26/01/21 18:36, Tom Lendacky wrote:
From: Tom Lendacky
This patch series provides support for launching an SEV-ES guest.
...
Queued, thanks.
It looks like David Gibson's patches for the memory encryption rework went
into the main
On 1/29/21 11:44 AM, Venu Busireddy wrote:
On 2021-01-26 11:36:46 -0600, Tom Lendacky wrote:
From: Tom Lendacky
When SEV-ES is enabled, it is not possible modify the guests register
state after it has been initially created, encrypted and measured.
Normally, an INIT-SIPI-SIPI request is used
From: Tom Lendacky
Update the sev_es_enabled() function return value to be based on the SEV
policy that has been specified. SEV-ES is enabled if SEV is enabled and
the SEV-ES policy bit is set in the policy object.
Cc: Paolo Bonzini
Cc: Richard Henderson
Cc: Eduardo Habkost
Reviewed-by: Dr
From: Tom Lendacky
SMM is not currently supported for an SEV-ES guest by KVM. Change the SMM
capability check from a KVM-wide check to a per-VM check in order to have
a finer-grained SMM capability check.
Cc: Paolo Bonzini
Cc: Richard Henderson
Cc: Eduardo Habkost
Suggested-by: Sean
From: Tom Lendacky
An SEV-ES guest does not allow register state to be altered once it has
been measured. When an SEV-ES guest issues a reboot command, Qemu will
reset the vCPU state and resume the guest. This will cause failures under
SEV-ES. Prevent that from occuring by introducing an arch
From: Tom Lendacky
When SEV-ES is enabled, it is not possible modify the guests register
state after it has been initially created, encrypted and measured.
Normally, an INIT-SIPI-SIPI request is used to boot the AP. However, the
hypervisor cannot emulate this because it cannot update the AP
From: Tom Lendacky
In prep for AP booting, require the use of in-kernel irqchip support. This
lessens the Qemu support burden required to boot APs.
Cc: Paolo Bonzini
Cc: Richard Henderson
Cc: Eduardo Habkost
Reviewed-by: Dr. David Alan Gilbert
Signed-off-by: Tom Lendacky
---
target/i386
From: Tom Lendacky
Provide initial support for SEV-ES. This includes creating a function to
indicate the guest is an SEV-ES guest (which will return false until all
support is in place), performing the proper SEV initialization and
ensuring that the guest CPU state is measured as part of the
From: Tom Lendacky
This patch series provides support for launching an SEV-ES guest.
Secure Encrypted Virtualization - Encrypted State (SEV-ES) expands on the
SEV support to protect the guest register state from the hypervisor. See
"AMD64 Architecture Programmer's Manual Volume
On 1/26/21 10:49 AM, Tom Lendacky wrote:
> On 1/26/21 10:21 AM, Paolo Bonzini wrote:
>> On 25/09/20 21:03, Tom Lendacky wrote:
>>> From: Tom Lendacky
>>>
>>> This patch series provides support for launching an SEV-ES guest.
>>>
>
> ...
>
&g
On 1/26/21 10:21 AM, Paolo Bonzini wrote:
> On 25/09/20 21:03, Tom Lendacky wrote:
>> From: Tom Lendacky
>>
>> This patch series provides support for launching an SEV-ES guest.
>>
...
>>
>
> Looks good! Please fix the nit in patch 4 and rebase, I'
On 1/26/21 10:16 AM, Paolo Bonzini wrote:
> On 25/09/20 21:03, Tom Lendacky wrote:
>>
>> {
>> - if (no_reboot && reason != SHUTDOWN_CAUSE_SUBSYSTEM_RESET) {
>> + if (!cpus_are_resettable()) {
>> + error_report("cpus are not resettable,
From: Tom Lendacky
This patch series provides support for launching an SEV-ES guest.
Secure Encrypted Virtualization - Encrypted State (SEV-ES) expands on the
SEV support to protect the guest register state from the hypervisor. See
"AMD64 Architecture Programmer's Manual Volume
From: Tom Lendacky
An SEV-ES guest does not allow register state to be altered once it has
been measured. When an SEV-ES guest issues a reboot command, Qemu will
reset the vCPU state and resume the guest. This will cause failures under
SEV-ES. Prevent that from occuring by introducing an arch
From: Tom Lendacky
Update the sev_es_enabled() function return value to be based on the SEV
policy that has been specified. SEV-ES is enabled if SEV is enabled and
the SEV-ES policy bit is set in the policy object.
Cc: Paolo Bonzini
Cc: Richard Henderson
Cc: Eduardo Habkost
Reviewed-by: Dr
From: Tom Lendacky
SMM is not currently supported for an SEV-ES guest by KVM. Change the SMM
capability check from a KVM-wide check to a per-VM check in order to have
a finer-grained SMM capability check.
Cc: Paolo Bonzini
Cc: Richard Henderson
Cc: Eduardo Habkost
Suggested-by: Sean
From: Tom Lendacky
When SEV-ES is enabled, it is not possible modify the guests register
state after it has been initially created, encrypted and measured.
Normally, an INIT-SIPI-SIPI request is used to boot the AP. However, the
hypervisor cannot emulate this because it cannot update the AP
From: Tom Lendacky
In prep for AP booting, require the use of in-kernel irqchip support. This
lessens the Qemu support burden required to boot APs.
Cc: Paolo Bonzini
Cc: Richard Henderson
Cc: Eduardo Habkost
Signed-off-by: Tom Lendacky
---
target/i386/sev.c | 6 ++
1 file changed, 6
From: Tom Lendacky
Provide initial support for SEV-ES. This includes creating a function to
indicate the guest is an SEV-ES guest (which will return false until all
support is in place), performing the proper SEV initialization and
ensuring that the guest CPU state is measured as part of the
On 12/11/20 4:45 PM, James Bottomley wrote:
On Fri, 2020-12-11 at 16:00 -0600, Tom Lendacky wrote:
On 12/9/20 11:23 AM, James Bottomley wrote:
So for this one I'm not checking the length, which argues it wouldn't
be subject to the added length new data rule and I'd have to use
On 12/9/20 11:23 AM, James Bottomley wrote:
If the gpa isn't specified, it's value is extracted from the OVMF
properties table located below the reset vector (and if this doesn't
exist, an error is returned). OVMF has defined the GUID for the SEV
secret area as 4c2eb361-7d9b-4cc3-8081-127c90d3d2
On 11/16/20 12:09 PM, Paolo Bonzini wrote:
> On 16/11/20 18:02, Tom Lendacky wrote:
>> From: Tom Lendacky
>>
>> Currently, the nested state format is hardcoded to VMX. This will result
>> in kvm_put_nested_state() returning an error because the KVM SVM support
>>
From: Tom Lendacky
Currently, the nested state format is hardcoded to VMX. This will result
in kvm_put_nested_state() returning an error because the KVM SVM support
checks for the nested state to be KVM_STATE_NESTED_FORMAT_SVM. As a
result, kvm_arch_put_registers() errors out early.
Update the
From: Tom Lendacky
This patch series provides support for launching an SEV-ES guest.
Secure Encrypted Virtualization - Encrypted State (SEV-ES) expands on the
SEV support to protect the guest register state from the hypervisor. See
"AMD64 Architecture Programmer's Manual Volume
On 9/25/20 2:03 PM, Tom Lendacky wrote:
> From: Tom Lendacky
>
> This patch series provides support for launching an SEV-ES guest.
>
> Secure Encrypted Virtualization - Encrypted State (SEV-ES) expands on the
> SEV support to protect the guest register state from the hyperv
From: Tom Lendacky
Update the sev_es_enabled() function return value to be based on the SEV
policy that has been specified. SEV-ES is enabled if SEV is enabled and
the SEV-ES policy bit is set in the policy object.
Reviewed-by: Dr. David Alan Gilbert
Signed-off-by: Tom Lendacky
---
target
From: Tom Lendacky
In prep for AP booting, require the use of in-kernel irqchip support. This
lessens the Qemu support burden required to boot APs.
Signed-off-by: Tom Lendacky
---
target/i386/sev.c | 6 ++
1 file changed, 6 insertions(+)
diff --git a/target/i386/sev.c b/target/i386/sev.c
From: Tom Lendacky
SMM is not currently supported for an SEV-ES guest by KVM. Change the SMM
capability check from a KVM-wide check to a per-VM check in order to have
a finer-grained SMM capability check.
Suggested-by: Sean Christopherson
Signed-off-by: Tom Lendacky
---
target/i386/kvm.c | 2
From: Tom Lendacky
Provide initial support for SEV-ES. This includes creating a function to
indicate the guest is an SEV-ES guest (which will return false until all
support is in place), performing the proper SEV initialization and
ensuring that the guest CPU state is measured as part of the
From: Tom Lendacky
When SEV-ES is enabled, it is not possible modify the guests register
state after it has been initially created, encrypted and measured.
Normally, an INIT-SIPI-SIPI request is used to boot the AP. However, the
hypervisor cannot emulate this because it cannot update the AP
From: Tom Lendacky
An SEV-ES guest does not allow register state to be altered once it has
been measured. When an SEV-ES guest issues a reboot command, Qemu will
reset the vCPU state and resume the guest. This will cause failures under
SEV-ES. Prevent that from occuring by introducing an arch
On 9/21/20 3:33 PM, Tobin Feldman-Fitzthum wrote:
> On 2020-09-21 15:16, Dr. David Alan Gilbert wrote:
>> * Tobin Feldman-Fitzthum (to...@linux.vnet.ibm.com) wrote:
>>> AMD SEV allows a guest owner to inject a secret blob
>>> into the memory of a virtual machine. The secret is
>>> encrypted with th
On 9/21/20 6:48 AM, Dr. David Alan Gilbert wrote:
> * Tom Lendacky (thomas.lenda...@amd.com) wrote:
>> On 9/18/20 5:00 AM, Dr. David Alan Gilbert wrote:
>>> * Tom Lendacky (thomas.lenda...@amd.com) wrote:
>>>> On 9/17/20 12:28 PM, Dr. David Alan Gilbert wrote:
>
On 9/21/20 1:45 AM, Dov Murik wrote:
> On 16/09/2020 0:29, Tom Lendacky wrote:
>> From: Tom Lendacky
>>
>> Provide initial support for SEV-ES. This includes creating a function to
>> indicate the guest is an SEV-ES guest (which will return false until all
>> sup
On 9/18/20 5:00 AM, Dr. David Alan Gilbert wrote:
* Tom Lendacky (thomas.lenda...@amd.com) wrote:
On 9/17/20 12:28 PM, Dr. David Alan Gilbert wrote:
* Tom Lendacky (thomas.lenda...@amd.com) wrote:
From: Tom Lendacky
This patch series provides support for launching an SEV-ES guest.
Secure
On 9/17/20 10:40 PM, Sean Christopherson wrote:
On Thu, Sep 17, 2020 at 01:56:21PM -0500, Tom Lendacky wrote:
On 9/17/20 12:28 PM, Dr. David Alan Gilbert wrote:
* Tom Lendacky (thomas.lenda...@amd.com) wrote:
From: Tom Lendacky
This patch series provides support for launching an SEV-ES
On 9/17/20 12:28 PM, Dr. David Alan Gilbert wrote:
* Tom Lendacky (thomas.lenda...@amd.com) wrote:
From: Tom Lendacky
This patch series provides support for launching an SEV-ES guest.
Secure Encrypted Virtualization - Encrypted State (SEV-ES) expands on the
SEV support to protect the guest
On 9/17/20 12:01 PM, Dr. David Alan Gilbert wrote:
* Tom Lendacky (thomas.lenda...@amd.com) wrote:
From: Tom Lendacky
An SEV-ES guest does not allow register state to be altered once it has
been measured. When a SEV-ES guest issues a reboot command, Qemu will
reset the vCPU state and resume
On 9/17/20 11:46 AM, Dr. David Alan Gilbert wrote:
* Tom Lendacky (thomas.lenda...@amd.com) wrote:
From: Tom Lendacky
When SEV-ES is enabled, it is not possible modify the guests register
state after it has been initially created, encrypted and measured.
Normally, an INIT-SIPI-SIPI request
On 9/17/20 10:34 AM, Dr. David Alan Gilbert wrote:
* Tom Lendacky (thomas.lenda...@amd.com) wrote:
From: Tom Lendacky
Update the sev_es_enabled() function return value to be based on the SEV
policy that has been specified. SEV-ES is enabled if SEV is enabled and
the SEV-ES policy bit is set
On 9/17/20 11:07 AM, Tom Lendacky wrote:
On 9/17/20 10:34 AM, Dr. David Alan Gilbert wrote:
* Tom Lendacky (thomas.lenda...@amd.com) wrote:
From: Tom Lendacky
Update the sev_es_enabled() function return value to be based on the SEV
policy that has been specified. SEV-ES is enabled if SEV is
On 9/16/20 4:23 AM, Laszlo Ersek wrote:
> Hi Tom,
Hi Laszlo,
>
> sorry for the random feedback -- I haven't followed (and don't really
> intend to follow) the QEMU side of the feature. Just one style idea:
>
> On 09/15/20 23:29, Tom Lendacky wrote:
>> From:
From: Tom Lendacky
This patch series provides support for launching an SEV-ES guest.
Secure Encrypted Virtualization - Encrypted State (SEV-ES) expands on the
SEV support to protect the guest register state from the hypervisor. See
"AMD64 Architecture Programmer's Manual Volume
From: Tom Lendacky
Update the sev_es_enabled() function return value to be based on the SEV
policy that has been specified. SEV-ES is enabled if SEV is enabled and
the SEV-ES policy bit is set in the policy object.
Signed-off-by: Tom Lendacky
---
target/i386/sev.c | 4 +++-
1 file changed, 3
From: Tom Lendacky
An SEV-ES guest does not allow register state to be altered once it has
been measured. When a SEV-ES guest issues a reboot command, Qemu will
reset the vCPU state and resume the guest. This will cause failures under
SEV-ES, so prevent that from occurring.
Signed-off-by: Tom
From: Tom Lendacky
In prep for AP booting, require the use of in-kernel irqchip support. This
lessens the Qemu support burden required to boot APs.
Signed-off-by: Tom Lendacky
---
target/i386/sev.c | 6 ++
1 file changed, 6 insertions(+)
diff --git a/target/i386/sev.c b/target/i386/sev.c
From: Tom Lendacky
When SEV-ES is enabled, it is not possible modify the guests register
state after it has been initially created, encrypted and measured.
Normally, an INIT-SIPI-SIPI request is used to boot the AP. However, the
hypervisor cannot emulate this because it cannot update the AP
From: Tom Lendacky
Provide initial support for SEV-ES. This includes creating a function to
indicate the guest is an SEV-ES guest (which will return false until all
support is in place), performing the proper SEV initialization and
ensuring that the guest CPU state is measured as part of the
From: Tom Lendacky
This patch series provides support for launching an SEV-ES guest.
Secure Encrypted Virtualization - Encrypted State (SEV-ES) expands on the
SEV support to protect the guest register state from the hypervisor. See
"AMD64 Architecture Programmer's Manual Volume
From: Tom Lendacky
An SEV-ES guest does not allow register state to be altered once it has
been measured. When a SEV-ES guest issues a reboot command, Qemu will
reset the vCPU state and resume the guest. This will cause failures under
SEV-ES, so prevent that from occurring.
Signed-off-by: Tom
From: Tom Lendacky
Provide initial support for SEV-ES. This includes creating a function to
indicate the guest is an SEV-ES guest (which will return false until all
support is in place), performing the proper SEV initialization and
ensuring that the guest CPU state is measured as part of the
From: Tom Lendacky
Update the sev_es_enabled() function return value to be based on the SEV
policy that has been specified. SEV-ES is enabled if SEV is enabled and
the SEV-ES policy bit is set in the policy object.
Signed-off-by: Tom Lendacky
---
target/i386/sev.c | 4 +++-
1 file changed, 3
From: Tom Lendacky
When SEV-ES is enabled, it is not possible modify the guests register
state after it has been initially created, encrypted and measured.
Normally, an INIT-SIPI-SIPI request is used to boot the AP. However, the
hypervisor cannot emulate this because it cannot update the AP
On 8/25/20 2:05 PM, Tom Lendacky wrote:
From: Tom Lendacky
This patch series provides support for launching an SEV-ES guest.
I've made the changes associated with the checkpatch script output. I'll
wait a few more days for other feedback before submitting a v2.
Sorry about t
On 8/26/20 2:07 PM, Connor Kuehl wrote:
On 8/25/20 2:05 PM, Tom Lendacky wrote:
From: Tom Lendacky
Provide initial support for SEV-ES. This includes creating a function to
indicate the guest is an SEV-ES guest (which will return false until all
support is in place), performing the proper SEV
On 8/26/20 2:07 PM, Connor Kuehl wrote:
On 8/25/20 2:05 PM, Tom Lendacky wrote:
From: Tom Lendacky
When SEV-ES is enabled, it is not possible modify the guests register
state after it has been initially created, encrypted and measured.
Normally, an INIT-SIPI-SIPI request is used to boot the
From: Tom Lendacky
This patch series provides support for launching an SEV-ES guest.
Secure Encrypted Virtualization - Encrypted State (SEV-ES) expands on the
SEV support to protect the guest register state from the hypervisor. See
"AMD64 Architecture Programmer's Manual Volume
From: Tom Lendacky
When SEV-ES is enabled, it is not possible modify the guests register
state after it has been initially created, encrypted and measured.
Normally, an INIT-SIPI-SIPI request is used to boot the AP. However, the
hypervisor cannot emulate this because it cannot update the AP
From: Tom Lendacky
Update the sev_es_enabled() function return value to be based on the SEV
policy that has been specified. SEV-ES is enabled if SEV is enabled and
the SEV-ES policy bit is set in the policy object.
Signed-off-by: Tom Lendacky
---
target/i386/sev.c | 4 +++-
1 file changed, 3
From: Tom Lendacky
An SEV-ES guest does not allow register state to be altered once it has
been measured. When a SEV-ES guest issues a reboot command, Qemu will
reset the vCPU state and resume the guest. This will cause failures under
SEV-ES, so prevent that from occurring.
Signed-off-by: Tom
1 - 100 of 107 matches
Mail list logo
