[PULL 31/45] i386/sev: Set CPU state to protected once SNP guest payload

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PULL 31/45] i386/sev: Set CPU state to protected once SNP guest payload

From:	Paolo Bonzini
Subject:	[PULL 31/45] i386/sev: Set CPU state to protected once SNP guest payload is finalized
Date:	Tue, 4 Jun 2024 08:43:55 +0200

From: Michael Roth <michael.roth@amd.com>

Once KVM_SNP_LAUNCH_FINISH is called the vCPU state is copied into the
vCPU's VMSA page and measured/encrypted. Any attempt to read/write CPU
state afterward will only be acting on the initial data and so are
effectively no-ops.

Set the vCPU state to protected at this point so that QEMU don't
continue trying to re-sync vCPU data during guest runtime.

Signed-off-by: Michael Roth <michael.roth@amd.com>
Signed-off-by: Pankaj Gupta <pankaj.gupta@amd.com>
Message-ID: <20240530111643.1091816-18-pankaj.gupta@amd.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 target/i386/sev.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/target/i386/sev.c b/target/i386/sev.c
index ef2e592ca76..e84e4395a53 100644
--- a/target/i386/sev.c
+++ b/target/i386/sev.c
@@ -997,6 +997,7 @@ sev_snp_launch_finish(SevCommonState *sev_common)
         exit(1);
     }
 
+    kvm_mark_guest_state_protected();
     sev_set_guest_state(sev_common, SEV_STATE_RUNNING);
 
     /* add migration blocker */
-- 
2.45.1

[Prev in Thread]

Current Thread

[Next in Thread]

Re: [PULL 30/45] i386/sev: Add handling to encrypt/finalize guest launch data, (continued)
- [PULL 26/45] i386/sev: Don't return launch measurements for SEV-SNP guests, Paolo Bonzini, 2024/06/04
- [PULL 25/45] i386/cpu: Set SEV-SNP CPUID bit when SNP enabled, Paolo Bonzini, 2024/06/04
- [PULL 34/45] i386/sev: Add support for SNP CPUID validation, Paolo Bonzini, 2024/06/04
- [PULL 37/45] i386/sev: Invoke launch_updata_data() for SNP class, Paolo Bonzini, 2024/06/04
- [PULL 35/45] hw/i386/sev: Add support to encrypt BIOS when SEV-SNP is enabled, Paolo Bonzini, 2024/06/04
- [PULL 38/45] i386/kvm: Add KVM_EXIT_HYPERCALL handling for KVM_HC_MAP_GPA_RANGE, Paolo Bonzini, 2024/06/04
- [PULL 40/45] i386/sev: Extract build_kernel_loader_hashes, Paolo Bonzini, 2024/06/04
- [PULL 43/45] memory: Introduce memory_region_init_ram_guest_memfd(), Paolo Bonzini, 2024/06/04
- [PULL 45/45] hw/i386: Add support for loading BIOS using guest_memfd, Paolo Bonzini, 2024/06/04
- [PULL 31/45] i386/sev: Set CPU state to protected once SNP guest payload is finalized, Paolo Bonzini <=
- [PULL 29/45] i386/sev: Add the SNP launch start context, Paolo Bonzini, 2024/06/04
- [PULL 33/45] i386/sev: Add support for populating OVMF metadata pages, Paolo Bonzini, 2024/06/04
- [PULL 39/45] i386/sev: Enable KVM_HC_MAP_GPA_RANGE hcall for SNP guests, Paolo Bonzini, 2024/06/04
- [PULL 42/45] i386/sev: Allow measured direct kernel boot on SNP, Paolo Bonzini, 2024/06/04
- [PULL 28/45] i386/sev: Update query-sev QAPI format to handle SEV-SNP, Paolo Bonzini, 2024/06/04
- [PULL 36/45] i386/sev: Invoke launch_updata_data() for SEV class, Paolo Bonzini, 2024/06/04
  - Re: [PULL 36/45] i386/sev: Invoke launch_updata_data() for SEV class, Peter Maydell, 2024/06/07
- [PULL 44/45] hw/i386/sev: Use guest_memfd for legacy ROMs, Paolo Bonzini, 2024/06/04

Prev by Date: [PULL 45/45] hw/i386: Add support for loading BIOS using guest_memfd
Next by Date: [PULL 29/45] i386/sev: Add the SNP launch start context
Previous by thread: [PULL 45/45] hw/i386: Add support for loading BIOS using guest_memfd
Next by thread: [PULL 29/45] i386/sev: Add the SNP launch start context
Index(es):
- Date
- Thread