SEV-ES Remote attestation#2
Draft
Th0rOnDoR wants to merge 54 commits into xcp-ng:xen-fastabi-seves from
Signed-off-by: Teddy Astie <teddy.astie@vates.tech>
Signed-off-by: Teddy Astie <teddy.astie@vates.tech>
Signed-off-by: Teddy Astie <teddy.astie@vates.tech>
SYSCFG_MEM_ENCRYPT is the AMD SME MSR used to enable SME and AMD SEV.

Signed-off-by: Andrei Semenov <andrei.semenov@vates.tech>
struct svm_domain was in vmcb.h, which is meant for VMCB-specific operations and values; move it to svm.h where it belongs.

Signed-off-by: Teddy Astie <teddy.astie@vates.tech>
---
v2:
- remove unneeded vmcb.h include
Introduce vpid_sync_vcpu_context to do a single-context invalidation on the VPID attached to the vCPU, as an alternative to per-GVA and all-context invalidations.

Signed-off-by: Teddy Astie <teddy.astie@vates.tech>
From: Vaishali Thakkar <vaishali.thakkar@vates.tech>

Currently ASID generation and management is done per-pCPU. This scheme is incompatible with SEV technologies, as SEV VMs need to have a fixed ASID associated with all vCPUs of the VM throughout its lifetime.

This commit introduces a Xen-wide allocator which initializes the ASIDs at the start of Xen and allows fixed ASIDs throughout the lifecycle of all domains. Having a fixed ASID for non-SEV domains also presents us with the opportunity to further make use of AMD instructions like TLBSYNC and INVLPGB for broadcasting the TLB invalidations.

Introduce vcpu->needs_tlb_flush attribute to schedule a guest TLB flush for the next VMRUN/VMENTER. This will later be done using either the TLB_CONTROL field (AMD) or INVEPT (Intel). This flush method is used in place of the current ASID swapping logic.

TODO:
- Intel: Don't assign the VPID at each VMENTER, though we need to rethink how we manage VMCS with nested virtualization / altp2m for changing this behavior.
- AMD: Consider hot-plug of CPU with ERRATA_170. (is it possible?)
- Consider cases where we don't have enough ASIDs (e.g. Xen as nested guest)
- Nested virtualization ASID management

Signed-off-by: Teddy Astie <teddy.astie@vates.tech>
Signed-off-by: Vaishali Thakkar <vaishali.thakkar@vates.tech>
---
Changes since v4:
- track vCPU migrations and flush TLB after them
- add missing TLB flushes in guest_flush_tlb_flags

Changes since v3:
- Simplified ASID bitmap management. It is only called once per domain, so it doesn't need to have complicated logic.
- Drop hvm_asid_data structure which doesn't serve a purpose anymore.
- Introduce and use vcpu->needs_tlb_flush to indicate that a guest TLB flush is needed before waking the vCPU. It is used to set the TLB_CONTROL (AMD) field properly or make an appropriate invept (Intel).
- Only assign ASID once (see TODO for Intel side)
- Check the ERRATA_170 for each CPU present.

Changes since v2:
- Moved hvm_asid_domain_create to hvm_domain_initialise
- Added __ro_after_init for bitmaps
- Make hvm_asid_init unsigned int __init
- Remove functions hvm_asid_flush_domain_asid and hvm_asid_flush_vcpu
- Mark ASID 0 permanently
- Remove the irrelevant tracking of generation
- Add hvm_domain_asid_destroy to avoid layering violation
- Remove unnecessary fixups touching the same code
- Add a logic to move ASIDs from reclaim_bitmap->asid_bitmap
- Misc styling fixes
- remove unnecessary trailing spaces/printks

Changes since v1:
- Introduce hvm_asid_bitmap as discussed at Xen-summit
- Introduce hvm_reclaim_bitmap for reusing ASIDs
- Assign the ASID to the domain at the domain creation via hvm_asid_domain_create
- Corrected the use of CPUID in the svm_asid_init function
- Adjusted the code in nested virtualization related files to use new scheme. As discussed at the Xen-summit, this is not tested.
- Addressed Jan's comments about using uniform style for accessing domains via v->domain
- Allow to flush at the vCPU level in HAP code
- Documented the sketch of implementation for the new scheme
- Remove min_asid as for this patch, we are not demonstrating its use case
- Arrange includes in multiple files as per Jan's feedback
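The commit message above describes the scheme (a Xen-wide pool, ASID 0 permanently reserved, one fixed ASID per domain, freed ASIDs parked in a reclaim bitmap until a TLB flush moves them back to the free pool) without showing the mechanics. The following is an added, self-contained illustration of that design, written for this page; it is not the patch's own code, and the names (`asid_init`, `asid_domain_create`, `asid_domain_destroy`, `asid_reclaim`), the 16-entry ASID space, and the flush counter that stands in for a TLBSYNC/INVLPGB broadcast are all assumptions chosen to keep the example small:

```c
/* Added example: a two-bitmap ASID allocator in the spirit of the scheme
 * described in the commit message. Constants and names are illustrative. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NR_ASIDS   16                       /* tiny pool so exhaustion is easy to reach */
#define ASID_WORDS ((NR_ASIDS + 63) / 64)

/* asid_bitmap: bit set = ASID is reserved, in use, or awaiting reclaim.
 * reclaim_bitmap: bit set = ASID was freed but stale TLB entries may remain. */
static uint64_t asid_bitmap[ASID_WORDS];
static uint64_t reclaim_bitmap[ASID_WORDS];
static unsigned int tlb_flushes;            /* counts broadcast flushes (stand-in for TLBSYNC/INVLPGB) */

static bool bit_test(const uint64_t *bm, unsigned int b) { return (bm[b / 64] >> (b % 64)) & 1; }
static void bit_set(uint64_t *bm, unsigned int b)        { bm[b / 64] |= UINT64_C(1) << (b % 64); }

/* Boot-time setup: everything free except ASID 0, which stays permanently marked. */
void asid_init(void)
{
    memset(asid_bitmap, 0, sizeof(asid_bitmap));
    memset(reclaim_bitmap, 0, sizeof(reclaim_bitmap));
    tlb_flushes = 0;
    bit_set(asid_bitmap, 0);
}

/* One broadcast TLB flush, then move every reclaimed ASID back to the free pool. */
static void asid_reclaim(void)
{
    tlb_flushes++;                          /* real code would broadcast an invalidation here */
    for (unsigned int i = 0; i < ASID_WORDS; i++) {
        asid_bitmap[i] &= ~reclaim_bitmap[i];
        reclaim_bitmap[i] = 0;
    }
}

static bool reclaim_pending(void)
{
    for (unsigned int i = 0; i < ASID_WORDS; i++)
        if (reclaim_bitmap[i])
            return true;
    return false;
}

/* Assign a fixed ASID at domain creation. Returns 0 (the reserved ASID) on exhaustion. */
unsigned int asid_domain_create(void)
{
    for (int pass = 0; pass < 2; pass++) {
        for (unsigned int a = 1; a < NR_ASIDS; a++) {
            if (!bit_test(asid_bitmap, a)) {
                bit_set(asid_bitmap, a);
                return a;
            }
        }
        /* Pool exhausted: recycle only if something is actually waiting, then retry once.
         * Reclaiming is deferred this far so a flush is paid only when an ASID is needed. */
        if (!reclaim_pending())
            break;
        asid_reclaim();
    }
    return 0;
}

/* Domain teardown: the ASID stays set in asid_bitmap (so it cannot be handed out again)
 * and is additionally marked in reclaim_bitmap until the next flush clears it. */
void asid_domain_destroy(unsigned int asid)
{
    if (asid == 0 || asid >= NR_ASIDS || !bit_test(asid_bitmap, asid))
        return;
    bit_set(reclaim_bitmap, asid);
}

bool asid_in_use(unsigned int asid)        { return asid < NR_ASIDS && bit_test(asid_bitmap, asid); }
unsigned int asid_tlb_flush_count(void)    { return tlb_flushes; }

int main(void)
{
    asid_init();
    unsigned int first = asid_domain_create();          /* 1 */
    for (unsigned int i = 2; i < NR_ASIDS; i++)
        asid_domain_create();                           /* 2..15: pool now exhausted */
    unsigned int none = asid_domain_create();           /* 0: nothing to reclaim yet */
    asid_domain_destroy(3);
    unsigned int reused = asid_domain_create();         /* 3, after exactly one flush */
    printf("first=%u exhausted=%u reused=%u flushes=%u\n",
           first, none, reused, asid_tlb_flush_count());
    return 0;
}
```

The point the example makes is the ordering constraint: an ASID leaves asid_bitmap only after a flush, so a freed ASID can never be reassigned while another CPU might still hold TLB entries tagged with it.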
Signed-off-by: Teddy Astie <teddy.astie@vates.tech>
From: Andrei Semenov <andrei.semenov@vates.tech>

Introduce a basic PSP driver with focus on SEV commands.

Signed-off-by: Andrei Semenov <andrei.semenov@vates.tech>
Signed-off-by: Teddy Astie <teddy.astie@vates.tech>
Introduce a subsystem that is used for future confidential computing platforms. This subsystem manages and provides hooks for domain management and exposes various information for the toolstack (COCO platform, supported features, ...).

Add a domain creation flag to build a confidential computing guest.

Signed-off-by: Teddy Astie <teddy.astie@vates.tech>
From: Vaishali Thakkar <vaishali.thakkar@vates.tech>

Signed-off-by: Vaishali Thakkar <vaishali.thakkar@vates.tech>
Signed-off-by: Teddy Astie <teddy.astie@vates.tech>

Fix wrong size initrd
Those bits are used to enable SEV-related features in VMCB.

Signed-off-by: Andrei Semenov <andrei.semenov@vates.tech>
Signed-off-by: Teddy Astie <teddy.astie@vates.tech>
Signed-off-by: Teddy Astie <teddy.astie@vates.tech>
---
v2
- backport cpuid fixups
From: Andrei Semenov <andrei.semenov@vates.tech>

AMD-SEV is AMD's implementation of confidential computing. (TODO: say more regarding this)

Signed-off-by: Andrei Semenov <andrei.semenov@vates.tech>
Signed-off-by: Teddy Astie <teddy.astie@vates.tech>
From: Andrei Semenov <andrei.semenov@vates.tech>

Some code paths are not emulable under SEV or need special handling.

Signed-off-by: Andrei Semenov <andrei.semenov@vates.tech>
Signed-off-by: Teddy Astie <teddy.astie@vates.tech>
Signed-off-by: Teddy Astie <teddy.astie@vates.tech>
Signed-off-by: Thomas Courrege <thomas.courrege@vates.tech>
Signed-off-by: Thomas Courrege <thomas.courrege@vates.tech>
Signed-off-by: Thomas Courrege <thomas.courrege@vates.tech>
Signed-off-by: Thomas Courrege <thomas.courrege@vates.tech>
Signed-off-by: Thomas Courrege <thomas.courrege@vates.tech>
Signed-off-by: Thomas Courrege <thomas.courrege@vates.tech>
Add the following xen coco hypercalls:

- XEN_COCO_domain_attestation_report - get an attestation report for a domain
- XEN_COCO_platform_get_certificates - get the psp certificate
- XEN_COCO_platform_regenerate_certificate - generate the platform certificate
- XEN_COCO_platform_get_certificate_signing_request - get a certificate to sign
- XEN_COCO_platform_import_certificate - import the signed certificate to the platform
- XEN_COCO_platform_update - provide the platform with a new firmware
- XEN_COCO_domain_finish_initial_mem - make the launch_measure
- XEN_COCO_domain_update_secrets - provide secrets to a domain
- XEN_COCO_domain_set_secrets_area - set the secret dedicated area

Add a xl coco command and the following subcommands:

- xl coco attestation - get an attestation for a domain
- xl coco platform - get the platform information and certificates
- xl coco csr - get the certificate to sign (certificate signing request)
- xl coco import - import the newly signed certificate
- xl coco regen - regenerate the platform certificate
- xl coco update - update the firmware
- xl coco secrets - set a guest secret