[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [RFC v2 00/18] Refactor configuration of guest memory protection
From: |
Cornelia Huck |
Subject: |
Re: [RFC v2 00/18] Refactor configuration of guest memory protection |
Date: |
Fri, 5 Jun 2020 12:55:05 +0200 |
On Thu, 21 May 2020 13:42:46 +1000
David Gibson <david@gibson.dropbear.id.au> wrote:
> A number of hardware platforms are implementing mechanisms whereby the
> hypervisor does not have unfettered access to guest memory, in order
> to mitigate the security impact of a compromised hypervisor.
>
> AMD's SEV implements this with in-cpu memory encryption, and Intel has
> its own memory encryption mechanism. POWER has an upcoming mechanism
> to accomplish this in a different way, using a new memory protection
> level plus a small trusted ultravisor. s390 also has a protected
> execution environment.
>
> The current code (committed or draft) for these features has each
> platform's version configured entirely differently. That doesn't seem
> ideal for users, or particularly for management layers.
>
> AMD SEV introduces a notionally generic machine option
> "machine-encryption", but it doesn't actually cover any cases other
> than SEV.
>
> This series is a proposal to at least partially unify configuration
> for these mechanisms, by renaming and generalizing AMD's
> "memory-encryption" property. It is replaced by a
> "guest-memory-protection" property pointing to a platform specific
> object which configures and manages the specific details.
>
> For now this series covers just AMD SEV and POWER PEF. I'm hoping it
> can be extended to cover the Intel and s390 mechanisms as well,
> though.
For s390, there's the 'unpack' cpu facility bit, which is indicated iff
the kernel indicates availability of the feature (depending on hardware
support). If that cpu facility is available, a guest can choose to
transition into protected mode. The current state (protected mode or
not) is tracked in the s390 ccw machine.
If I understand the series here correctly (I only did a quick
read-through), the user has to instruct QEMU to make protection
available, via a new machine property that links to an object?
>
> Note: I'm using the term "guest memory protection" throughout to refer
> to mechanisms like this. I don't particular like the term, it's both
> long and not really precise. If someone can think of a succinct way
> of saying "a means of protecting guest memory from a possibly
> compromised hypervisor", I'd be grateful for the suggestion.
>
> Changes since v1:
> * Rebased
> * Fixed some errors pointed out by Dave Gilbert
>
> David Gibson (18):
> target/i386: sev: Remove unused QSevGuestInfoClass
> target/i386: sev: Move local structure definitions into .c file
> target/i386: sev: Rename QSevGuestInfo
> target/i386: sev: Embed SEVState in SevGuestState
> target/i386: sev: Partial cleanup to sev_state global
> target/i386: sev: Remove redundant cbitpos and reduced_phys_bits
> fields
> target/i386: sev: Remove redundant policy field
> target/i386: sev: Remove redundant handle field
> target/i386: sev: Unify SEVState and SevGuestState
> guest memory protection: Add guest memory protection interface
> guest memory protection: Handle memory encrption via interface
> guest memory protection: Perform KVM init via interface
> guest memory protection: Move side effect out of
> machine_set_memory_encryption()
> guest memory protection: Rework the "memory-encryption" property
> guest memory protection: Decouple kvm_memcrypt_*() helpers from KVM
> guest memory protection: Add Error ** to
> GuestMemoryProtection::kvm_init
> spapr: Added PEF based guest memory protection
> guest memory protection: Alter virtio default properties for protected
> guests
>
> accel/kvm/kvm-all.c | 40 +--
> accel/kvm/sev-stub.c | 5 -
> accel/stubs/kvm-stub.c | 10 -
> backends/Makefile.objs | 2 +
> backends/guest-memory-protection.c | 29 ++
> hw/core/machine.c | 61 ++++-
> hw/i386/pc_sysfw.c | 6 +-
> include/exec/guest-memory-protection.h | 77 ++++++
> include/hw/boards.h | 4 +-
> include/sysemu/kvm.h | 17 --
> include/sysemu/sev.h | 6 +-
> target/i386/sev.c | 351 +++++++++++++------------
> target/i386/sev_i386.h | 49 ----
> target/ppc/Makefile.objs | 2 +-
> target/ppc/pef.c | 81 ++++++
> 15 files changed, 441 insertions(+), 299 deletions(-)
> create mode 100644 backends/guest-memory-protection.c
> create mode 100644 include/exec/guest-memory-protection.h
> create mode 100644 target/ppc/pef.c
>
- Re: [RFC v2 00/18] Refactor configuration of guest memory protection, (continued)
- Re: [RFC v2 00/18] Refactor configuration of guest memory protection, Paolo Bonzini, 2020/06/04
- Re: [RFC v2 00/18] Refactor configuration of guest memory protection, Thiago Jung Bauermann, 2020/06/04
- Re: [RFC v2 00/18] Refactor configuration of guest memory protection, Paolo Bonzini, 2020/06/04
- Re: [RFC v2 00/18] Refactor configuration of guest memory protection, Thiago Jung Bauermann, 2020/06/05
- Re: [RFC v2 00/18] Refactor configuration of guest memory protection, David Gibson, 2020/06/06
- Re: [RFC v2 00/18] Refactor configuration of guest memory protection, Thiago Jung Bauermann, 2020/06/08
Re: [RFC v2 00/18] Refactor configuration of guest memory protection, David Gibson, 2020/06/04
Re: [RFC v2 00/18] Refactor configuration of guest memory protection, David Gibson, 2020/06/04
Re: [RFC v2 00/18] Refactor configuration of guest memory protection,
Cornelia Huck <=