, which
attempts to locate and link against the IGVM library via pkgconfig and
sets CONFIG_IGVM if found.
The library is added to the system_ss target in backends/meson.build
where the IGVM parsing will be performed by the ConfidentialGuestSupport
object.
Signed-off-by: Roy Hopkins
---
backends
startup and CPU reset.
Signed-off-by: Roy Hopkins
---
target/i386/sev.c | 288 +-
target/i386/sev.h | 110 ++
2 files changed, 369 insertions(+), 29 deletions(-)
diff --git a/target/i386/sev.c b/target/i386/sev.c
index 173de91afe
://github.com/roy-hopkins/qemu/tree/igvm_master_v1
I look forward to welcoming your comments!
Why do we need Independent Guest Virtual Machine (IGVM) files?
==
IGVM files describe, using a set of directives, the memory layout and initial
IGVM support has been implemented for Confidential Guests that support
AMD SEV and AMD SEV-ES. Add some documentation that gives some
background on the IGVM format and how to use it to configure a
confidential guest.
Signed-off-by: Roy Hopkins
---
docs/system/igvm.rst | 58
current PC initialization steps. If an IGVM file has been provided
then the directives in the file are processed completing the
initalization of the target.
If no IGVM file has been specified by the user then no there is no
intended consequences in these changes.
Signed-off-by: Roy Hopkins
such as SEV.
This commit implements the required functions for SEV-ES and adds
support for processing IGVM files for configuring the guest.
Signed-off-by: Roy Hopkins
---
target/i386/sev.c | 77 +++
1 file changed, 77 insertions(+)
diff --git a
.
Signed-off-by: Roy Hopkins
---
backends/confidential-guest-support.c | 26
include/exec/confidential-guest-support.h | 76 +++
2 files changed, 102 insertions(+)
diff --git a/backends/confidential-guest-support.c
b/backends/confidential-guest-support.c
index
support IGVM based
configuration.
This patch allows the filename to be configured via the QEMU
object model in preparation for subsequent patches that will read and
parse the IGVM file.
Signed-off-by: Roy Hopkins
---
backends/confidential-guest-support.c | 21 +
include
then the standard system firmware initialization is skipped and any
prepared flash devices are cleaned up.
Signed-off-by: Roy Hopkins
---
hw/i386/pc.c | 12 ++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/hw/i386/pc.c b/hw/i386/pc.c
index f8eb684a49..17bb211708 100644
when a filename is provided but the code to
process the IGVM file is not yet hooked into target systems. This will
follow in a later commit.
Signed-off-by: Roy Hopkins
---
backends/confidential-guest-support.c | 4 +
backends/igvm.c | 718
On Wed, 2024-03-27 at 18:58 +0530, Ani Sinha wrote:
>
>
> > On 27 Feb 2024, at 20:20, Roy Hopkins wrote:
> >
> > When using an IGVM file the configuration of the system firmware is
> > defined by IGVM directives contained in the file. Therefore the default
>
when a filename is provided but the code to
process the IGVM file is not yet hooked into target systems. This will
follow in a later commit.
Signed-off-by: Roy Hopkins
---
backends/confidential-guest-support.c | 4 +
backends/igvm.c | 745
have been configured when using
IGVM, exiting with an error message if this is not the case.
Signed-off-by: Roy Hopkins
---
hw/i386/pc_sysfw.c | 23 +--
1 file changed, 21 insertions(+), 2 deletions(-)
diff --git a/hw/i386/pc_sysfw.c b/hw/i386/pc_sysfw.c
index 3efabbbab2
.
Signed-off-by: Roy Hopkins
---
backends/confidential-guest-support.c | 32 ++
include/exec/confidential-guest-support.h | 74 +++
2 files changed, 106 insertions(+)
diff --git a/backends/confidential-guest-support.c
b/backends/confidential-guest-support.c
index
IGVM support has been implemented for Confidential Guests that support
AMD SEV and AMD SEV-ES. Add some documentation that gives some
background on the IGVM format and how to use it to configure a
confidential guest.
Signed-off-by: Roy Hopkins
---
docs/system/i386/amd-memory-encryption.rst
, which
attempts to locate and link against the IGVM library via pkgconfig and
sets CONFIG_IGVM if found.
The library is added to the system_ss target in backends/meson.build
where the IGVM parsing will be performed by the ConfidentialGuestSupport
object.
Signed-off-by: Roy Hopkins
---
backends
startup and CPU reset.
Signed-off-by: Roy Hopkins
---
target/i386/sev.c | 288 +-
target/i386/sev.h | 110 ++
2 files changed, 369 insertions(+), 29 deletions(-)
diff --git a/target/i386/sev.c b/target/i386/sev.c
index 72930ff0dc
current PC initialization steps. If an IGVM file has been provided
then the directives in the file are processed completing the
initialization of the target.
If no IGVM file has been specified by the user then no there is no
intended consequences in these changes.
Signed-off-by: Roy Hopkins
; firmware device.
Thanks to Daniel, Stefano, Ani and everyone else that has taken time to review
this so far.
[1] Link to v1:
https://lore.kernel.org/qemu-devel/cover.1709044754.git.roy.hopk...@suse.com/
[2] v2 patches also available here:
https://github.com/roy-hopkins/qemu/tree/igvm_master_v2
R
such as SEV.
This commit implements the required functions for SEV-ES and adds
support for processing IGVM files for configuring the guest.
Signed-off-by: Roy Hopkins
---
target/i386/sev.c | 137 ++
1 file changed, 137 insertions(+)
diff --git a
Create an enum entry within FirmwareDevice for 'igvm' to describe that
an IGVM file can be used to map firmware into memory as an alternative
to pre-existing firmware devices.
Signed-off-by: Roy Hopkins
---
docs/interop/firmware.json | 9 -
1 file changed, 8 insertions(+),
support IGVM based
configuration.
This patch allows the filename to be configured via the QEMU
object model in preparation for subsequent patches that will read and
parse the IGVM file.
Signed-off-by: Roy Hopkins
---
backends/confidential-guest-support.c | 21 +
include
On Fri, 2024-03-01 at 16:37 +, Daniel P. Berrangé wrote:
> On Tue, Feb 27, 2024 at 02:50:09PM +0000, Roy Hopkins wrote:
> > In preparation for supporting the processing of IGVM files to configure
> > guests, this adds a set of functions to ConfidentialGuestSupport
> > allo
On Fri, 2024-03-01 at 16:51 +, Daniel P. Berrangé wrote:
> On Tue, Feb 27, 2024 at 02:50:10PM +0000, Roy Hopkins wrote:
> > This commit adds an implementation of an IGVM loader which parses the
> > file specified as a pararameter to ConfidentialGuestSupport and provides
>
On Fri, 2024-03-01 at 16:54 +, Daniel P. Berrangé wrote:
> On Tue, Feb 27, 2024 at 02:50:12PM +0000, Roy Hopkins wrote:
> > When using an IGVM file the configuration of the system firmware is
> > defined by IGVM directives contained in the file. Therefore the default
> > s
On Fri, 2024-03-01 at 17:01 +, Daniel P. Berrangé wrote:
> On Tue, Feb 27, 2024 at 02:50:13PM +0000, Roy Hopkins wrote:
> > When an SEV guest is started, the reset vector and state are
> > extracted from metadata that is contained in the firmware volume.
> >
> > In
On Tue, 2024-03-12 at 16:12 +, Daniel P. Berrangé wrote:
> On Tue, Mar 12, 2024 at 03:45:20PM +0000, Roy Hopkins wrote:
> > On Fri, 2024-03-01 at 17:01 +, Daniel P. Berrangé wrote:
> > > On Tue, Feb 27, 2024 at 02:50:13PM +,
On Fri, 2024-03-01 at 17:10 +, Daniel P. Berrangé wrote:
> On Tue, Feb 27, 2024 at 02:50:15PM +0000, Roy Hopkins wrote:
> > IGVM support has been implemented for Confidential Guests that support
> > AMD SEV and AMD SEV-ES. Add some documentation that gives some
> > b
On Tue, 2024-03-19 at 16:07 +0100, Stefano Garzarella wrote:
> Hi Roy,
> thanks for this series!
>
> On Tue, Feb 27, 2024 at 02:50:06PM +, Roy Hopkins wrote:
> > Hi everyone,
> >
> > This initial patch series submission adds the capability to configure
>
On Tue, 2024-03-19 at 16:10 +0100, Stefano Garzarella wrote:
> On Tue, Feb 27, 2024 at 02:50:08PM +0000, Roy Hopkins wrote:
> > In order to add support for parsing IGVM files for secure virtual
> > machines, a the path to an IGVM file needs to be specified as
> > part of th
On Mon, 2024-03-18 at 16:21 +, Daniel P. Berrangé wrote:
> On Mon, Mar 18, 2024 at 03:59:31PM +0000, Roy Hopkins wrote:
> > On Fri, 2024-03-01 at 17:10 +, Daniel P. Berrangé wrote:
> > > On Tue, Feb 27, 2024 at 02:50:15PM +, Roy Hopkins wrote:
> > > > IGV
On Tue, 2024-04-16 at 15:13 +0100, Daniel P. Berrangé wrote:
> On Wed, Apr 03, 2024 at 12:11:32PM +0100, Roy Hopkins wrote:
> > The IGVM library allows Independent Guest Virtual Machine files to be
> > parsed and processed. IGVM files are used to configure guest memory
>
On Tue, 2024-04-16 at 14:31 +0100, Daniel P. Berrangé wrote:
> On Thu, Apr 04, 2024 at 10:00:53AM +0200, Philippe Mathieu-Daudé wrote:
> > Hi Roy,
> >
> > On 3/4/24 13:11, Roy Hopkins wrote:
> > > In preparation for supporting the processing of IGVM files to confi
On Thu, 2024-04-04 at 09:58 +0200, Philippe Mathieu-Daudé wrote:
> Hi Roy,
>
> On 3/4/24 13:11, Roy Hopkins wrote:
> > This commit adds an implementation of an IGVM loader which parses the
> > file specified as a pararameter to ConfidentialGuestSupport and provides
> &g
On Tue, 2024-04-16 at 15:05 +0100, Daniel P. Berrangé wrote:
> On Wed, Apr 03, 2024 at 12:11:35PM +0100, Roy Hopkins wrote:
> > This commit adds an implementation of an IGVM loader which parses the
> > file specified as a pararameter to ConfidentialGuestSupport and provides
>
On Thu, 2024-04-04 at 18:06 +0530, Ani Sinha wrote:
>
>
> > On 3 Apr 2024, at 16:41, Roy Hopkins wrote:
> >
> > When using an IGVM file the configuration of the system firmware is
> > defined by IGVM directives contained in the file. In this case the user
>
On Tue, 2024-04-16 at 15:30 +0100, Daniel P. Berrangé wrote:
> On Wed, Apr 03, 2024 at 12:11:39PM +0100, Roy Hopkins wrote:
> > The ConfidentialGuestSupport object defines a number of virtual
> > functions that are called during processing of IGVM directives to query
> > or co
does cause the IGVM file to be processed twice. Firstly to extract
the sev_features then secondly to actually configure the guest. However,
the first pass is largely ignored meaning the overhead is minimal.
Signed-off-by: Roy Hopkins
---
target/i386/sev.c | 145
have been configured when using
IGVM, exiting with an error message if this is not the case.
Signed-off-by: Roy Hopkins
---
hw/i386/pc_sysfw.c | 23 +--
1 file changed, 21 insertions(+), 2 deletions(-)
diff --git a/hw/i386/pc_sysfw.c b/hw/i386/pc_sysfw.c
index ef80281d28
Adds a handler for the guest policy initialization IGVM section and
builds an SEV policy based on this information and the ID block
directive if present. The policy is applied using by calling
'set_guest_policy()' on the ConfidentialGuestSupport object.
Signed-off-by: Roy Hopkins
---
such as SEV.
This commit implements the required functions for SEV-ES and adds
support for processing IGVM files for configuring the guest.
Signed-off-by: Roy Hopkins
---
target/i386/sev.h | 2 +
target/i386/sev.c | 250 --
2 files changed, 242
, which
attempts to locate and link against the IGVM library via pkgconfig and
sets CONFIG_IGVM if found.
The library is added to the system_ss target in backends/meson.build
where the IGVM parsing will be performed by the ConfidentialGuestSupport
object.
Signed-off-by: Roy Hopkins
system is used to encrypt
memory, apply the initial CPU state and perform other confidential guest
operations.
The loader is configured via a new IgvmCfg QOM object which allows the
user to provide a path to the IGVM file to process.
Signed-off-by: Roy Hopkins
---
qapi/qom.json
s and the
signatures are valid.
Signed-off-by: Roy Hopkins
---
target/i386/sev.h | 12 +++
target/i386/sev.c | 83 +++
2 files changed, 95 insertions(+)
diff --git a/target/i386/sev.h b/target/i386/sev.h
index 2ccd6fe1e8..7b92102bd0 100644
--- a/
initialization sections during
processing of the IGVM file.
Signed-off-by: Roy Hopkins
---
backends/igvm.c | 21 +
1 file changed, 21 insertions(+)
diff --git a/backends/igvm.c b/backends/igvm.c
index 25bbddfa33..b6b7d30a3f 100644
--- a/backends/igvm.c
+++ b/backends/igvm.c
before it is started.
If an IGVM configuration is provided then the IGVM file is processed at
the end of the board initialization, before the state transition to
PHASE_MACHINE_INITIALIZED.
Signed-off-by: Roy Hopkins
---
include/hw/boards.h | 2 ++
hw/core/machine.c | 20
tly set an error condition if a non-zero value is
returned.
Signed-off-by: Roy Hopkins
---
target/i386/sev.c | 67 +--
1 file changed, 35 insertions(+), 32 deletions(-)
diff --git a/target/i386/sev.c b/target/i386/sev.c
index 30b83f1d77..1900c3d9b4 10
IGVM support has been implemented for Confidential Guests that support
AMD SEV and AMD SEV-ES. Add some documentation that gives some
background on the IGVM format and how to use it to configure a
confidential guest.
Signed-off-by: Roy Hopkins
---
docs/system/i386/amd-memory-encryption.rst
Create an enum entry within FirmwareDevice for 'igvm' to describe that
an IGVM file can be used to map firmware into memory as an alternative
to pre-existing firmware devices.
Signed-off-by: Roy Hopkins
---
docs/interop/firmware.json | 9 -
1 file changed, 8 insertions(+),
: Add pre-processing of IGVM file to support synchronization of 'SEV_FEATURES'
from IGVM VMSA to KVM.
[1] Link to v2:
https://lore.kernel.org/qemu-devel/cover.1712138654.git.roy.hopk...@suse.com/
[2] v3 patches also available here:
https://github.com/roy-hopkins/qemu/tree/igvm_mas
-by: Roy Hopkins
---
include/exec/confidential-guest-support.h | 75 +++
backends/confidential-guest-support.c | 31 ++
2 files changed, 106 insertions(+)
diff --git a/include/exec/confidential-guest-support.h
b/include/exec/confidential-guest-support.h
index
startup and CPU reset.
Signed-off-by: Roy Hopkins
---
target/i386/sev.h | 110
target/i386/sev.c | 323 +-
2 files changed, 400 insertions(+), 33 deletions(-)
diff --git a/target/i386/sev.h b/target/i386/sev.h
index 858005a119..167dd154d6
confidential platform, such as AMD SEV to set the
policy. This will allow configuration of the policy from a
multi-platform resource such as an IGVM file without the IGVM processor
requiring specific implementation details for each platform.
Signed-off-by: Roy Hopkins
---
include/exec/confidential
On Mon, 2024-06-24 at 14:50 +0100, Daniel P. Berrangé wrote:
> On Fri, Jun 21, 2024 at 03:29:03PM +0100, Roy Hopkins wrote:
> > Based-on: 02d9c38236
> >
> > Here is v3 of the set of patches to add support for IGVM files to QEMU.
> >
> > Firstly, apologies for the
On Mon, 2024-06-24 at 14:29 +0100, Daniel P. Berrangé wrote:
> On Fri, Jun 21, 2024 at 03:29:06PM +0100, Roy Hopkins wrote:
> > Adds an IGVM loader to QEMU which processes a given IGVM file and
> > applies the directives within the file to the current guest
> > configurati
On Thu, 2024-06-27 at 10:14 +0100, Daniel P. Berrangé wrote:
> On Thu, Jun 27, 2024 at 11:06:50AM +0200, Stefano Garzarella wrote:
> > On Fri, Jun 21, 2024 at 03:29:06PM GMT, Roy Hopkins wrote:
> > > Adds an IGVM loader to QEMU which processes a given IGVM file and
> >
On Mon, 2024-06-24 at 15:00 +0100, Daniel P. Berrangé wrote:
> On Fri, Jun 21, 2024 at 03:29:07PM +0100, Roy Hopkins wrote:
> > An IGVM file contains configuration of guest state that should be
> > applied during configuration of the guest, before the guest is started.
> >
On Thu, 2024-06-27 at 14:38 +0200, Stefano Garzarella wrote:
> On Fri, Jun 21, 2024 at 03:29:08PM GMT, Roy Hopkins wrote:
> > When using an IGVM file the configuration of the system firmware is
> > defined by IGVM directives contained in the file. In this case the user
> > sho
On Thu, 2024-06-27 at 14:48 +0200, Stefano Garzarella wrote:
> On Fri, Jun 21, 2024 at 03:29:09PM GMT, Roy Hopkins wrote:
> > The class function and implementations for updating launch data return
> > a code in case of error. In some cases an error message is generated and
> >
On Fri, 2024-06-28 at 12:23 +0100, Daniel P. Berrangé wrote:
> On Fri, Jun 28, 2024 at 12:09:59PM +0100, Roy Hopkins wrote:
> > On Mon, 2024-06-24 at 15:00 +0100, Daniel P. Berrangé wrote:
> > > On Fri, Jun 21, 2024 at 03:29:07PM +0100, Roy Hopkins wrote:
> > &
On Mon, 2024-06-24 at 15:14 +0100, Daniel P. Berrangé wrote:
> On Fri, Jun 21, 2024 at 03:29:18PM +0100, Roy Hopkins wrote:
> > IGVM files can contain an initial VMSA that should be applied to each
> > vcpu as part of the initial guest state. The sev_features flags are
> > pr
On Mon, 2024-06-24 at 15:09 +0100, Daniel P. Berrangé wrote:
> On Fri, Jun 21, 2024 at 03:29:12PM +0100, Roy Hopkins wrote:
> > IGVM support has been implemented for Confidential Guests that support
> > AMD SEV and AMD SEV-ES. Add some documentation that gives some
> > b
On Thu, 2024-06-27 at 14:53 +0200, Stefano Garzarella wrote:
> On Fri, Jun 21, 2024 at 03:29:13PM GMT, Roy Hopkins wrote:
> > Create an enum entry within FirmwareDevice for 'igvm' to describe that
> > an IGVM file can be used to map firmware into memory as an altern
tly set an error condition if a non-zero value is
returned.
Signed-off-by: Roy Hopkins
---
target/i386/sev.c | 59 +--
1 file changed, 31 insertions(+), 28 deletions(-)
diff --git a/target/i386/sev.c b/target/i386/sev.c
index 491ca5369e..5eabeadda6 10
ve platforms.
13-16: Processing of policy and SEV-SNP ID_BLOCK from IGVM file.
17: Add pre-processing of IGVM file to support synchronization of 'SEV_FEATURES'
from IGVM VMSA to KVM.
[1] Link to v3:
https://lore.kernel.org/qemu-devel/cover.1718979106.git.roy.hopk...@suse.com/
[2] v4 patc
startup and CPU reset.
Signed-off-by: Roy Hopkins
---
target/i386/sev.h | 110
target/i386/sev.c | 323 +-
2 files changed, 400 insertions(+), 33 deletions(-)
diff --git a/target/i386/sev.h b/target/i386/sev.h
index 858005a119..167dd154d6
does cause the IGVM file to be processed twice. Firstly to extract
the sev_features then secondly to actually configure the guest. However,
the first pass is largely ignored meaning the overhead is minimal.
Signed-off-by: Roy Hopkins
---
target/i386/sev.c | 160
Adds a handler for the guest policy initialization IGVM section and
builds an SEV policy based on this information and the ID block
directive if present. The policy is applied using by calling
'set_guest_policy()' on the ConfidentialGuestSupport object.
Signed-off-by: Roy Hopkins
---
IGVM support has been implemented for Confidential Guests that support
AMD SEV and AMD SEV-ES. Add some documentation that gives some
background on the IGVM format and how to use it to configure a
confidential guest.
Signed-off-by: Roy Hopkins
---
docs/system/i386/amd-memory-encryption.rst
Create an enum entry within FirmwareDevice for 'igvm' to describe that
an IGVM file can be used to map firmware into memory as an alternative
to pre-existing firmware devices.
Signed-off-by: Roy Hopkins
---
docs/interop/firmware.json | 9 -
1 file changed, 8 insertions(+),
-by: Roy Hopkins
---
include/exec/confidential-guest-support.h | 75 +++
backends/confidential-guest-support.c | 31 ++
2 files changed, 106 insertions(+)
diff --git a/include/exec/confidential-guest-support.h
b/include/exec/confidential-guest-support.h
index
confidential platform, such as AMD SEV to set the
policy. This will allow configuration of the policy from a
multi-platform resource such as an IGVM file without the IGVM processor
requiring specific implementation details for each platform.
Signed-off-by: Roy Hopkins
---
include/exec/confidential
s and the
signatures are valid.
Signed-off-by: Roy Hopkins
---
target/i386/sev.h | 12 +++
target/i386/sev.c | 83 +++
2 files changed, 95 insertions(+)
diff --git a/target/i386/sev.h b/target/i386/sev.h
index 2ccd6fe1e8..7b92102bd0 100644
--- a/
initialization sections during
processing of the IGVM file.
Signed-off-by: Roy Hopkins
---
backends/igvm.c | 21 +
1 file changed, 21 insertions(+)
diff --git a/backends/igvm.c b/backends/igvm.c
index 97af1a6cb3..fa074b9107 100644
--- a/backends/igvm.c
+++ b/backends/igvm.c
access of the segment array.
Possibly by coincidence, the function does correctly set LDTR or TR in
this case as the structures for these registers immediately follow the
array which is accessed out of bounds.
This patch adds correct handling for R_LDTR and R_TR in the function.
Signed-off-by: R
such as SEV.
This commit implements the required functions for SEV-ES and adds
support for processing IGVM files for configuring the guest.
Signed-off-by: Roy Hopkins
---
target/i386/sev.h | 2 +
target/i386/sev.c | 250 --
2 files changed, 242
the function takes an Error parameter which is not used
when an error is actually returned.
The return value is now checked for non-zero to indicate an error and
a suitable error message is logged.
Signed-off-by: Roy Hopkins
---
target/i386/sev.c | 9 +++--
1 file changed, 3 insertions(+)
have been configured when using
IGVM, exiting with an error message if this is not the case.
Signed-off-by: Roy Hopkins
---
hw/i386/pc_sysfw.c | 31 ---
1 file changed, 28 insertions(+), 3 deletions(-)
diff --git a/hw/i386/pc_sysfw.c b/hw/i386/pc_sysfw.c
index ef80281d28
guest before it is started.
If an IGVM configuration is provided then the IGVM file is processed at
the end of the board initialization, before the state transition to
PHASE_MACHINE_INITIALIZED.
Signed-off-by: Roy Hopkins
---
include/hw/i386/x86.h | 3 +++
hw/i386/pc.c | 12
system is used to encrypt
memory, apply the initial CPU state and perform other confidential guest
operations.
The loader is configured via a new IgvmCfg QOM object which allows the
user to provide a path to the IGVM file to process.
Signed-off-by: Roy Hopkins
---
qapi/qom.json
, which
attempts to locate and link against the IGVM library via pkgconfig and
sets CONFIG_IGVM if found.
The library is added to the system_ss target in backends/meson.build
where the IGVM parsing will be performed by the ConfidentialGuestSupport
object.
Signed-off-by: Roy Hopkins
On Sat, 2024-07-20 at 14:26 -0400, Michael S. Tsirkin wrote:
> On Wed, Jul 03, 2024 at 12:05:38PM +0100, Roy Hopkins wrote:
> > Here is v4 of the set of patches to add support for IGVM files to QEMU. This
> > is
> > based on commit 1a2d52c7fc of qemu.
> >
> >
On Wed, 2024-07-24 at 18:13 +0100, Daniel P. Berrangé wrote:
> On Wed, Jul 03, 2024 at 12:05:43PM +0100, Roy Hopkins wrote:
> > When using an IGVM file the configuration of the system firmware is
> > defined by IGVM directives contained in the file. In this case the user
> >
tly set an error condition if a non-zero value is
returned.
Signed-off-by: Roy Hopkins
Acked-by: Michael S. Tsirkin
---
target/i386/sev.c | 68 +++
1 file changed, 33 insertions(+), 35 deletions(-)
diff --git a/target/i386/sev.c b/target/i386/sev.c
index
IGVM support has been implemented for Confidential Guests that support
AMD SEV and AMD SEV-ES. Add some documentation that gives some
background on the IGVM format and how to use it to configure a
confidential guest.
Signed-off-by: Roy Hopkins
Reviewed-by: Daniel P. Berrangé
Reviewed-by
confidential platform, such as AMD SEV to set the
policy. This will allow configuration of the policy from a
multi-platform resource such as an IGVM file without the IGVM processor
requiring specific implementation details for each platform.
Signed-off-by: Roy Hopkins
Reviewed-by: Daniel P. Berrangé
such as SEV.
This commit implements the required functions for SEV-ES and adds
support for processing IGVM files for configuring the guest.
Signed-off-by: Roy Hopkins
Acked-by: Michael S. Tsirkin
---
target/i386/sev.c | 254 --
target/i386/sev.h
lable here:
https://github.com/roy-hopkins/qemu/tree/igvm_master_v5
[3] `buildigvm` tool v0.2.0
https://github.com/roy-hopkins/buildigvm/releases/tag/v0.2.0
Roy Hopkins (16):
meson: Add optional dependency on IGVM library
backends/confidential-guest-support: Add functions to support IGVM
back
s and the
signatures are valid.
Signed-off-by: Roy Hopkins
Acked-by: Michael S. Tsirkin
---
target/i386/sev.c | 83 +++
target/i386/sev.h | 12 +++
2 files changed, 95 insertions(+)
diff --git a/target/i386/sev.c b/target/i386/sev.c
index 6db76
-by: Roy Hopkins
Acked-by: Michael S. Tsirkin
---
backends/confidential-guest-support.c | 31 +++
include/exec/confidential-guest-support.h | 65 +++
2 files changed, 96 insertions(+)
diff --git a/backends/confidential-guest-support.c
b/backends/confidential
have been configured when using
IGVM, exiting with an error message if this is not the case.
Signed-off-by: Roy Hopkins
Reviewed-by: Daniel P. Berrangé
Reviewed-by: Michael S. Tsirkin
---
hw/i386/pc_sysfw.c | 31 ---
1 file changed, 28 insertions(+), 3 deletions
On Wed, 2024-07-24 at 17:29 +0100, Daniel P. Berrangé wrote:
> On Wed, Jul 03, 2024 at 12:05:38PM +0100, Roy Hopkins wrote:
> > Here is v4 of the set of patches to add support for IGVM files to QEMU. This
> > is
> > based on commit 1a2d52c7fc of qemu.
> >
> >
> Here is v6 of the set of patches to add support for IGVM files to QEMU. This
> is
> based on commit a5dd9ee060 of qemu.
>
> This version addresses all of the review comments from v5 [1].
Hi all. I'm just drawing attention to this series again. It has been through a
number of review cycles and a
On Tue, 2024-10-22 at 11:05 +0200, Stefano Garzarella wrote:
> On Mon, Oct 21, 2024 at 03:44:26PM +0100, Roy Hopkins wrote:
> > > Here is v6 of the set of patches to add support for IGVM files to QEMU.
> > > This
> > > is
> > > based on commit a5dd9e
system is used to encrypt
memory, apply the initial CPU state and perform other confidential guest
operations.
The loader is configured via a new IgvmCfg QOM object which allows the
user to provide a path to the IGVM file to process.
Signed-off-by: Roy Hopkins
Acked-by: Michael S. Tsirkin
, which
attempts to locate and link against the IGVM library via pkgconfig and
sets CONFIG_IGVM if found.
The library is added to the system_ss target in backends/meson.build
where the IGVM parsing will be performed by the ConfidentialGuestSupport
object.
Signed-off-by: Roy Hopkins
Acked-by
Create an enum entry within FirmwareDevice for 'igvm' to describe that
an IGVM file can be used to map firmware into memory as an alternative
to pre-existing firmware devices.
Signed-off-by: Roy Hopkins
Acked-by: Michael S. Tsirkin
Reviewed-by: Stefano Garzarella
---
do
such as SEV.
This commit implements the required functions for SEV-ES and adds
support for processing IGVM files for configuring the guest.
Signed-off-by: Roy Hopkins
Acked-by: Michael S. Tsirkin
Acked-by: Stefano Garzarella
---
target/i386/sev.c | 254
does cause the IGVM file to be processed twice. Firstly to extract
the sev_features then secondly to actually configure the guest. However,
the first pass is largely ignored meaning the overhead is minimal.
Signed-off-by: Roy Hopkins
Acked-by: Michael S. Tsirkin
Acked-by: Stefano Garzarella
ng of policy and SEV-SNP ID_BLOCK from IGVM file.
16: Add pre-processing of IGVM file to support synchronization of 'SEV_FEATURES'
from IGVM VMSA to KVM.
[1] Link to v5:
https://lore.kernel.org/all/cover.1723560001.git.roy.hopk...@suse.com/
[2] v6 patches also available here:
https://github.
1 - 100 of 143 matches
Mail list logo
