[PATCH v2 15/22] target/arm/kvm-rme: Add measurement algorithm property
From: |
Jean-Philippe Brucker |
Subject: |
[PATCH v2 15/22] target/arm/kvm-rme: Add measurement algorithm property |
Date: |
Fri, 19 Apr 2024 16:57:03 +0100 |
This option selects which measurement algorithm to use for attestation.
Supported values are SHA256 and SHA512. The default is SHA512, a somewhat
arbitrary choice: SHA512 is generally faster on 64-bit architectures. On a
few arm64 CPUs I tested, SHA256 is much faster, but that's most likely because they only
support acceleration via FEAT_SHA256 (Armv8.0) and not FEAT_SHA512
(Armv8.2). Future CPUs supporting RME are likely to also support
FEAT_SHA512.
Cc: Eric Blake <eblake@redhat.com>
Cc: Markus Armbruster <armbru@redhat.com>
Cc: Daniel P. Berrangé <berrange@redhat.com>
Cc: Eduardo Habkost <eduardo@habkost.net>
Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
---
v1->v2: use enum, pick default
---
qapi/qom.json | 18 +++++++++++++++++-
target/arm/kvm-rme.c | 39 ++++++++++++++++++++++++++++++++++++++-
2 files changed, 55 insertions(+), 2 deletions(-)
diff --git a/qapi/qom.json b/qapi/qom.json
index 91654aa267..84dce666b2 100644
--- a/qapi/qom.json
+++ b/qapi/qom.json
@@ -931,18 +931,34 @@
'data': { '*cpu-affinity': ['uint16'],
'*node-affinity': ['uint16'] } }
+##
+# @RmeGuestMeasurementAlgo:
+#
+# @sha256: Use the SHA256 algorithm
+# @sha512: Use the SHA512 algorithm
+#
+# Algorithm to use for realm measurements
+#
+# Since: FIXME
+##
+{ 'enum': 'RmeGuestMeasurementAlgo',
+ 'data': ['sha256', 'sha512'] }
+
##
# @RmeGuestProperties:
#
# Properties for rme-guest objects.
#
+# @measurement-algo: Realm measurement algorithm (default: sha512)
+#
# @personalization-value: Realm personalization value, as a 64-byte hex string
# (default: 0)
#
# Since: FIXME
##
{ 'struct': 'RmeGuestProperties',
- 'data': { '*personalization-value': 'str' } }
+ 'data': { '*personalization-value': 'str',
+ '*measurement-algo': 'RmeGuestMeasurementAlgo' } }
##
# @ObjectType:
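Review bot: The new RmeGuestMeasurementAlgo doc comment still carries the `# Since: FIXME` placeholder, which has to become the target release before merge (the same placeholder on RmeGuestProperties is pre-existing context, not introduced here). The overview line `# Algorithm to use for realm measurements` sits after the `@sha256`/`@sha512` value descriptions, whereas the QAPI doc convention, and the enclosing RmeGuestProperties comment, put the overview directly under the symbol line before the member or value descriptions, so I would move it up. Since the commit message says this selects the measurement algorithm used for attestation, the property description could say so, e.g. `# @measurement-algo: Hash algorithm used for the realm measurements reported in attestation (default: sha512)`, so users understand the option is verifier-visible and not a pure performance knob.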
diff --git a/target/arm/kvm-rme.c b/target/arm/kvm-rme.c
index cb5c3f7a22..8f39e54aaa 100644
--- a/target/arm/kvm-rme.c
+++ b/target/arm/kvm-rme.c
@@ -23,13 +23,14 @@ OBJECT_DECLARE_SIMPLE_TYPE(RmeGuest, RME_GUEST)
#define RME_PAGE_SIZE qemu_real_host_page_size()
-#define RME_MAX_CFG 1
+#define RME_MAX_CFG 2
struct RmeGuest {
ConfidentialGuestSupport parent_obj;
Notifier rom_load_notifier;
GSList *ram_regions;
uint8_t *personalization_value;
+ RmeGuestMeasurementAlgo measurement_algo;
};
typedef struct {
@@ -73,6 +74,19 @@ static int rme_configure_one(RmeGuest *guest, uint32_t cfg,
Error **errp)
memcpy(args.rpv, guest->personalization_value,
KVM_CAP_ARM_RME_RPV_SIZE);
cfg_str = "personalization value";
break;
+ case KVM_CAP_ARM_RME_CFG_HASH_ALGO:
+ switch (guest->measurement_algo) {
+ case RME_GUEST_MEASUREMENT_ALGO_SHA256:
+ args.hash_algo = KVM_CAP_ARM_RME_MEASUREMENT_ALGO_SHA256;
+ break;
+ case RME_GUEST_MEASUREMENT_ALGO_SHA512:
+ args.hash_algo = KVM_CAP_ARM_RME_MEASUREMENT_ALGO_SHA512;
+ break;
+ default:
+ g_assert_not_reached();
+ }
+ cfg_str = "hash algorithm";
+ break;
default:
g_assert_not_reached();
}
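Review bot: The error label `cfg_str = "hash algorithm"` names neither the property the user actually sets (`measurement-algo`) nor the value that was rejected, so if the host RMM or KVM refuses the requested algorithm the failure gives no hint which option to change; I would use `cfg_str = "measurement-algo"` or include the enum name via `RmeGuestMeasurementAlgo_str(guest->measurement_algo)` if the reporting path formats it. The inner `default: g_assert_not_reached();` is fine since the QOM enum setter only admits values from the lookup table, but a one-line comment saying so would save the next reader from looking for the validation. rme_configure_one's body starts before this hunk, so I cannot see how cfg_str is reported.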
@@ -338,12 +352,34 @@ static void rme_set_rpv(Object *obj, const char *value,
Error **errp)
}
}
+static int rme_get_measurement_algo(Object *obj, Error **errp)
+{
+ RmeGuest *guest = RME_GUEST(obj);
+
+ return guest->measurement_algo;
+}
+
+static void rme_set_measurement_algo(Object *obj, int algo, Error **errp)
+{
+ RmeGuest *guest = RME_GUEST(obj);
+
+ guest->measurement_algo = algo;
+}
+
static void rme_guest_class_init(ObjectClass *oc, void *data)
{
object_class_property_add_str(oc, "personalization-value", rme_get_rpv,
rme_set_rpv);
object_class_property_set_description(oc, "personalization-value",
"Realm personalization value (512-bit hexadecimal number)");
+
+ object_class_property_add_enum(oc, "measurement-algo",
+ "RmeGuestMeasurementAlgo",
+ &RmeGuestMeasurementAlgo_lookup,
+ rme_get_measurement_algo,
+ rme_set_measurement_algo);
+ object_class_property_set_description(oc, "measurement-algo",
+ "Realm measurement algorithm ('sha256', 'sha512')");
}
static void rme_guest_instance_init(Object *obj)
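Review bot: The description string hardcodes `('sha256', 'sha512')`, duplicating RmeGuestMeasurementAlgo_lookup that is passed two lines above, so adding a value to the QAPI enum leaves the help text stale; I would shorten it to `"Realm measurement algorithm"` and let the lookup table supply the valid values in the setter's error message. rme_set_measurement_algo also stores the value unconditionally without considering whether the realm has already been configured through KVM_CAP_ARM_RME_CFG_HASH_ALGO; if the property remains writable after that point (I can't tell from this hunk), the stored value and the algorithm the realm actually uses would diverge, so either a guard or a comment stating that the property is only honoured before realm creation would help. The `errp` parameters of the getter and setter are unused, which is expected for this QOM signature but worth a `/* errp unused: enum values are validated by the property code */` so it does not look like a missed error path.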
@@ -353,6 +389,7 @@ static void rme_guest_instance_init(Object *obj)
exit(1);
}
rme_guest = RME_GUEST(obj);
+ rme_guest->measurement_algo = RME_GUEST_MEASUREMENT_ALGO_SHA512;
}
static const TypeInfo rme_guest_info = {
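Review bot: The SHA512 default is assigned without a comment, and its rationale (generally faster on 64-bit, FEAT_SHA512 expected on RME-capable CPUs) lives only in the commit message, so a reader of the file cannot tell whether the choice is deliberate or incidental; I would add `/* Default to SHA512: generally faster on 64-bit, see the qom.json doc */` above the assignment. The same default is spelled out as `(default: sha512)` in the QAPI schema, so a comment here also reminds whoever changes one place to update the other. rme_guest_instance_init starts before this hunk.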
--
2.44.0