| Quellcodebibliothek Statistik Leitseite products/sources/formale Sprachen/C/Linux/arch/x86/kvm/svm/ (Open Source Betriebssystem Version 6.17.9©) Datei vom 24.10.2025 mit Größe 136 kB |
|
Quelle sev.c Sprache: C |
|||||||||||||||
|
// SPDX-License-Identifier: GPL-2.0-only /* * Kernel-based Virtual Machine driver for Linux * * AMD SVM-SEV support * * Copyright 2010 Red Hat, Inc. and/or its affiliates. */ #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt #include <linux/kvm_types.h> #include <linux/kvm_host.h> #include <linux/kernel.h> #include <linux/highmem.h> #include <linux/psp.h> #include <linux/psp-sev.h> #include <linux/pagemap.h> #include <linux/swap.h> #include <linux/misc_cgroup.h> #include <linux/processor.h> #include <linux/trace_events.h> #include <uapi/linux/sev-guest.h> #include <asm/pkru.h> #include <asm/trapnr.h> #include <asm/fpu/xcr.h> #include <asm/fpu/xstate.h> #include <asm/debugreg.h> #include <asm/msr.h> #include <asm/sev.h> #include "mmu.h" #include "x86.h" #include "svm.h" #include "svm_ops.h" #include "cpuid.h" #include "trace.h" #define GHCB_VERSION_MAX 2ULL #define GHCB_VERSION_DEFAULT 2ULL #define GHCB_VERSION_MIN 1ULL #define GHCB_HV_FT_SUPPORTED (GHCB_HV_FT_SNP | GHCB_HV_FT_SNP_AP_CREATION) /* enable/disable SEV support */ static bool sev_enabled = true; module_param_named(sev, sev_enabled, bool, 0444); /* enable/disable SEV-ES support */ static bool sev_es_enabled = true; module_param_named(sev_es, sev_es_enabled, bool, 0444); /* enable/disable SEV-SNP support */ static bool sev_snp_enabled = true; module_param_named(sev_snp, sev_snp_enabled, bool, 0444); /* enable/disable SEV-ES DebugSwap support */ static bool sev_es_debug_swap_enabled = true; module_param_named(debug_swap, sev_es_debug_swap_enabled, bool, 0444); static u64 sev_supported_vmsa_features; #define AP_RESET_HOLD_NONE 0 #define AP_RESET_HOLD_NAE_EVENT 1 #define AP_RESET_HOLD_MSR_PROTO 2 /* As defined by SEV-SNP Firmware ABI, under "Guest Policy". */ #define SNP_POLICY_MASK_API_MINOR GENMASK_ULL(7, 0) #define SNP_POLICY_MASK_API_MAJOR GENMASK_ULL(15, 8) #define SNP_POLICY_MASK_SMT BIT_ULL(16) #define SNP_POLICY_MASK_RSVD_MBO BIT_ULL(17) #define SNP_POLICY_MASK_DEBUG BIT_ULL(19) #define SNP_POLICY_MASK_SINGLE_SOCKET BIT_ULL(20) #define SNP_POLICY_MASK_VALID (SNP_POLICY_MASK_API_MINOR | \ SNP_POLICY_MASK_API_MAJOR | \ SNP_POLICY_MASK_SMT | \ SNP_POLICY_MASK_RSVD_MBO | \ SNP_POLICY_MASK_DEBUG | \ SNP_POLICY_MASK_SINGLE_SOCKET) #define INITIAL_VMSA_GPA 0xFFFFFFFFF000 static u8 sev_enc_bit; static DECLARE_RWSEM(sev_deactivate_lock); static DEFINE_MUTEX(sev_bitmap_lock); unsigned int max_sev_asid; static unsigned int min_sev_asid; static unsigned long sev_me_mask; static unsigned int nr_asids; static unsigned long *sev_asid_bitmap; static unsigned long *sev_reclaim_asid_bitmap; static int snp_decommission_context(struct kvm *kvm); struct enc_region { struct list_head list; unsigned long npages; struct page **pages; unsigned long uaddr; unsigned long size; }; /* Called with the sev_bitmap_lock held, or on shutdown */ static int sev_flush_asids(unsigned int min_asid, unsigned int max_asid) { int ret, error = 0; unsigned int asid; /* Check if there are any ASIDs to reclaim before performing a flush */ asid = find_next_bit(sev_reclaim_asid_bitmap, nr_asids, min_asid); if (asid > max_asid) return -EBUSY; /* * DEACTIVATE will clear the WBINVD indicator causing DF_FLUSH to fail, * so it must be guarded. */ down_write(&sev_deactivate_lock); /* SNP firmware requires use of WBINVD for ASID recycling. */ wbinvd_on_all_cpus(); if (sev_snp_enabled) ret = sev_do_cmd(SEV_CMD_SNP_DF_FLUSH, NULL, &error); else ret = sev_guest_df_flush(&error); up_write(&sev_deactivate_lock); if (ret) pr_err("SEV%s: DF_FLUSH failed, ret=%d, error=%#x\n", sev_snp_enabled ? "-SNP" : "", ret, error); return ret; } static inline bool is_mirroring_enc_context(struct kvm *kvm) { return !!to_kvm_sev_info(kvm)->enc_context_owner; } static bool sev_vcpu_has_debug_swap(struct vcpu_svm *svm) { struct kvm_vcpu *vcpu = &svm->vcpu; struct kvm_sev_info *sev = to_kvm_sev_info(vcpu->kvm); return sev->vmsa_features & SVM_SEV_FEAT_DEBUG_SWAP; } /* Must be called with the sev_bitmap_lock held */ static bool __sev_recycle_asids(unsigned int min_asid, unsigned int max_asid) { if (sev_flush_asids(min_asid, max_asid)) return false; /* The flush process will flush all reclaimable SEV and SEV-ES ASIDs */ bitmap_xor(sev_asid_bitmap, sev_asid_bitmap, sev_reclaim_asid_bitmap, nr_asids); bitmap_zero(sev_reclaim_asid_bitmap, nr_asids); return true; } static int sev_misc_cg_try_charge(struct kvm_sev_info *sev) { enum misc_res_type type = sev->es_active ? MISC_CG_RES_SEV_ES : MISC_CG_RES_SEV; return misc_cg_try_charge(type, sev->misc_cg, 1); } static void sev_misc_cg_uncharge(struct kvm_sev_info *sev) { enum misc_res_type type = sev->es_active ? MISC_CG_RES_SEV_ES : MISC_CG_RES_SEV; misc_cg_uncharge(type, sev->misc_cg, 1); } static int sev_asid_new(struct kvm_sev_info *sev) { /* * SEV-enabled guests must use asid from min_sev_asid to max_sev_asid. * SEV-ES-enabled guest can use from 1 to min_sev_asid - 1. * Note: min ASID can end up larger than the max if basic SEV support is * effectively disabled by disallowing use of ASIDs for SEV guests. */ unsigned int min_asid = sev->es_active ? 1 : min_sev_asid; unsigned int max_asid = sev->es_active ? min_sev_asid - 1 : max_sev_asid; unsigned int asid; bool retry = true; int ret; if (min_asid > max_asid) return -ENOTTY; WARN_ON(sev->misc_cg); sev->misc_cg = get_current_misc_cg(); ret = sev_misc_cg_try_charge(sev); if (ret) { put_misc_cg(sev->misc_cg); sev->misc_cg = NULL; return ret; } mutex_lock(&sev_bitmap_lock); again: asid = find_next_zero_bit(sev_asid_bitmap, max_asid + 1, min_asid); if (asid > max_asid) { if (retry && __sev_recycle_asids(min_asid, max_asid)) { retry = false; goto again; } mutex_unlock(&sev_bitmap_lock); ret = -EBUSY; goto e_uncharge; } __set_bit(asid, sev_asid_bitmap); mutex_unlock(&sev_bitmap_lock); sev->asid = asid; return 0; e_uncharge: sev_misc_cg_uncharge(sev); put_misc_cg(sev->misc_cg); sev->misc_cg = NULL; return ret; } static unsigned int sev_get_asid(struct kvm *kvm) { return to_kvm_sev_info(kvm)->asid; } static void sev_asid_free(struct kvm_sev_info *sev) { struct svm_cpu_data *sd; int cpu; mutex_lock(&sev_bitmap_lock); __set_bit(sev->asid, sev_reclaim_asid_bitmap); for_each_possible_cpu(cpu) { sd = per_cpu_ptr(&svm_data, cpu); sd->sev_vmcbs[sev->asid] = NULL; } mutex_unlock(&sev_bitmap_lock); sev_misc_cg_uncharge(sev); put_misc_cg(sev->misc_cg); sev->misc_cg = NULL; } static void sev_decommission(unsigned int handle) { struct sev_data_decommission decommission; if (!handle) return; decommission.handle = handle; sev_guest_decommission(&decommission, NULL); } /* * Transition a page to hypervisor-owned/shared state in the RMP table. This * should not fail under normal conditions, but leak the page should that * happen since it will no longer be usable by the host due to RMP protections. */ static int kvm_rmp_make_shared(struct kvm *kvm, u64 pfn, enum pg_level level) { if (KVM_BUG_ON(rmp_make_shared(pfn, level), kvm)) { snp_leak_pages(pfn, page_level_size(level) >> PAGE_SHIFT); return -EIO; } return 0; } /* * Certain page-states, such as Pre-Guest and Firmware pages (as documented * in Chapter 5 of the SEV-SNP Firmware ABI under "Page States") cannot be * directly transitioned back to normal/hypervisor-owned state via RMPUPDATE * unless they are reclaimed first. * * Until they are reclaimed and subsequently transitioned via RMPUPDATE, they * might not be usable by the host due to being set as immutable or still * being associated with a guest ASID. * * Bug the VM and leak the page if reclaim fails, or if the RMP entry can't be * converted back to shared, as the page is no longer usable due to RMP * protections, and it's infeasible for the guest to continue on. */ static int snp_page_reclaim(struct kvm *kvm, u64 pfn) { struct sev_data_snp_page_reclaim data = {0}; int fw_err, rc; data.paddr = __sme_set(pfn << PAGE_SHIFT); rc = sev_do_cmd(SEV_CMD_SNP_PAGE_RECLAIM, &data, &fw_err); if (KVM_BUG(rc, kvm, "Failed to reclaim PFN %llx, rc %d fw_err %d", pfn, rc, fw_err)) { snp_leak_pages(pfn, 1); return -EIO; } if (kvm_rmp_make_shared(kvm, pfn, PG_LEVEL_4K)) return -EIO; return rc; } static void sev_unbind_asid(struct kvm *kvm, unsigned int handle) { struct sev_data_deactivate deactivate; if (!handle) return; deactivate.handle = handle; /* Guard DEACTIVATE against WBINVD/DF_FLUSH used in ASID recycling */ down_read(&sev_deactivate_lock); sev_guest_deactivate(&deactivate, NULL); up_read(&sev_deactivate_lock); sev_decommission(handle); } /* * This sets up bounce buffers/firmware pages to handle SNP Guest Request * messages (e.g. attestation requests). See "SNP Guest Request" in the GHCB * 2.0 specification for more details. * * Technically, when an SNP Guest Request is issued, the guest will provide its * own request/response pages, which could in theory be passed along directly * to firmware rather than using bounce pages. However, these pages would need * special care: * * - Both pages are from shared guest memory, so they need to be protected * from migration/etc. occurring while firmware reads/writes to them. At a * minimum, this requires elevating the ref counts and potentially needing * an explicit pinning of the memory. This places additional restrictions * on what type of memory backends userspace can use for shared guest * memory since there is some reliance on using refcounted pages. * * - The response page needs to be switched to Firmware-owned[1] state * before the firmware can write to it, which can lead to potential * host RMP #PFs if the guest is misbehaved and hands the host a * guest page that KVM might write to for other reasons (e.g. virtio * buffers/etc.). * * Both of these issues can be avoided completely by using separately-allocated * bounce pages for both the request/response pages and passing those to * firmware instead. So that's what is being set up here. * * Guest requests rely on message sequence numbers to ensure requests are * issued to firmware in the order the guest issues them, so concurrent guest * requests generally shouldn't happen. But a misbehaved guest could issue * concurrent guest requests in theory, so a mutex is used to serialize * access to the bounce buffers. * * [1] See the "Page States" section of the SEV-SNP Firmware ABI for more * details on Firmware-owned pages, along with "RMP and VMPL Access Checks" * in the APM for details on the related RMP restrictions. */ static int snp_guest_req_init(struct kvm *kvm) { struct kvm_sev_info *sev = to_kvm_sev_info(kvm); struct page *req_page; req_page = alloc_page(GFP_KERNEL_ACCOUNT | __GFP_ZERO); if (!req_page) return -ENOMEM; sev->guest_resp_buf = snp_alloc_firmware_page(GFP_KERNEL_ACCOUNT | __GFP_ZERO); if (!sev->guest_resp_buf) { __free_page(req_page); return -EIO; } sev->guest_req_buf = page_address(req_page); mutex_init(&sev->guest_req_mutex); return 0; } static void snp_guest_req_cleanup(struct kvm *kvm) { struct kvm_sev_info *sev = to_kvm_sev_info(kvm); if (sev->guest_resp_buf) snp_free_firmware_page(sev->guest_resp_buf); if (sev->guest_req_buf) __free_page(virt_to_page(sev->guest_req_buf)); sev->guest_req_buf = NULL; sev->guest_resp_buf = NULL; } static int __sev_guest_init(struct kvm *kvm, struct kvm_sev_cmd *argp, struct kvm_sev_init *data, unsigned long vm_type) { struct kvm_sev_info *sev = to_kvm_sev_info(kvm); struct sev_platform_init_args init_args = {0}; bool es_active = vm_type != KVM_X86_SEV_VM; u64 valid_vmsa_features = es_active ? sev_supported_vmsa_features : 0; int ret; if (kvm->created_vcpus) return -EINVAL; if (data->flags) return -EINVAL; if (data->vmsa_features & ~valid_vmsa_features) return -EINVAL; if (data->ghcb_version > GHCB_VERSION_MAX || (!es_active && data->ghcb_version)) return -EINVAL; if (unlikely(sev->active)) return -EINVAL; sev->active = true; sev->es_active = es_active; sev->vmsa_features = data->vmsa_features; sev->ghcb_version = data->ghcb_version; /* * Currently KVM supports the full range of mandatory features defined * by version 2 of the GHCB protocol, so default to that for SEV-ES * guests created via KVM_SEV_INIT2. */ if (sev->es_active && !sev->ghcb_version) sev->ghcb_version = GHCB_VERSION_DEFAULT; if (vm_type == KVM_X86_SNP_VM) sev->vmsa_features |= SVM_SEV_FEAT_SNP_ACTIVE; ret = sev_asid_new(sev); if (ret) goto e_no_asid; init_args.probe = false; ret = sev_platform_init(&init_args); if (ret) goto e_free_asid; if (!zalloc_cpumask_var(&sev->have_run_cpus, GFP_KERNEL_ACCOUNT)) { ret = -ENOMEM; goto e_free_asid; } /* This needs to happen after SEV/SNP firmware initialization. */ if (vm_type == KVM_X86_SNP_VM) { ret = snp_guest_req_init(kvm); if (ret) goto e_free; } INIT_LIST_HEAD(&sev->regions_list); INIT_LIST_HEAD(&sev->mirror_vms); sev->need_init = false; kvm_set_apicv_inhibit(kvm, APICV_INHIBIT_REASON_SEV); return 0; e_free: free_cpumask_var(sev->have_run_cpus); e_free_asid: argp->error = init_args.error; sev_asid_free(sev); sev->asid = 0; e_no_asid: sev->vmsa_features = 0; sev->es_active = false; sev->active = false; return ret; } static int sev_guest_init(struct kvm *kvm, struct kvm_sev_cmd *argp) { struct kvm_sev_init data = { .vmsa_features = 0, .ghcb_version = 0, }; unsigned long vm_type; if (kvm->arch.vm_type != KVM_X86_DEFAULT_VM) return -EINVAL; vm_type = (argp->id == KVM_SEV_INIT ? KVM_X86_SEV_VM : KVM_X86_SEV_ES_VM); /* * KVM_SEV_ES_INIT has been deprecated by KVM_SEV_INIT2, so it will * continue to only ever support the minimal GHCB protocol version. */ if (vm_type == KVM_X86_SEV_ES_VM) data.ghcb_version = GHCB_VERSION_MIN; return __sev_guest_init(kvm, argp, &data, vm_type); } static int sev_guest_init2(struct kvm *kvm, struct kvm_sev_cmd *argp) { struct kvm_sev_init data; if (!to_kvm_sev_info(kvm)->need_init) return -EINVAL; if (kvm->arch.vm_type != KVM_X86_SEV_VM && kvm->arch.vm_type != KVM_X86_SEV_ES_VM && kvm->arch.vm_type != KVM_X86_SNP_VM) return -EINVAL; if (copy_from_user(&data, u64_to_user_ptr(argp->data), sizeof(data))) return -EFAULT; return __sev_guest_init(kvm, argp, &data, kvm->arch.vm_type); } static int sev_bind_asid(struct kvm *kvm, unsigned int handle, int *error) { unsigned int asid = sev_get_asid(kvm); struct sev_data_activate activate; int ret; /* activate ASID on the given handle */ activate.handle = handle; activate.asid = asid; ret = sev_guest_activate(&activate, error); return ret; } static int __sev_issue_cmd(int fd, int id, void *data, int *error) { CLASS(fd, f)(fd); if (fd_empty(f)) return -EBADF; return sev_issue_cmd_external_user(fd_file(f), id, data, error); } static int sev_issue_cmd(struct kvm *kvm, int id, void *data, int *error) { struct kvm_sev_info *sev = to_kvm_sev_info(kvm); return __sev_issue_cmd(sev->fd, id, data, error); } static int sev_launch_start(struct kvm *kvm, struct kvm_sev_cmd *argp) { struct kvm_sev_info *sev = to_kvm_sev_info(kvm); struct sev_data_launch_start start; struct kvm_sev_launch_start params; void *dh_blob, *session_blob; int *error = &argp->error; int ret; if (!sev_guest(kvm)) return -ENOTTY; if (copy_from_user(¶ms, u64_to_user_ptr(argp->data), sizeof(params))) return -EFAULT; sev->policy = params.policy; memset(&start, 0, sizeof(start)); dh_blob = NULL; if (params.dh_uaddr) { dh_blob = psp_copy_user_blob(params.dh_uaddr, params.dh_len); if (IS_ERR(dh_blob)) return PTR_ERR(dh_blob); start.dh_cert_address = __sme_set(__pa(dh_blob)); start.dh_cert_len = params.dh_len; } session_blob = NULL; if (params.session_uaddr) { session_blob = psp_copy_user_blob(params.session_uaddr, params.session_len); if (IS_ERR(session_blob)) { ret = PTR_ERR(session_blob); goto e_free_dh; } start.session_address = __sme_set(__pa(session_blob)); start.session_len = params.session_len; } start.handle = params.handle; start.policy = params.policy; /* create memory encryption context */ ret = __sev_issue_cmd(argp->sev_fd, SEV_CMD_LAUNCH_START, &start, error); if (ret) goto e_free_session; /* Bind ASID to this guest */ ret = sev_bind_asid(kvm, start.handle, error); if (ret) { sev_decommission(start.handle); goto e_free_session; } /* return handle to userspace */ params.handle = start.handle; if (copy_to_user(u64_to_user_ptr(argp->data), ¶ms, sizeof(params))) { sev_unbind_asid(kvm, start.handle); ret = -EFAULT; goto e_free_session; } sev->handle = start.handle; sev->fd = argp->sev_fd; e_free_session: kfree(session_blob); e_free_dh: kfree(dh_blob); return ret; } static struct page **sev_pin_memory(struct kvm *kvm, unsigned long uaddr, unsigned long ulen, unsigned long *n, unsigned int flags) { struct kvm_sev_info *sev = to_kvm_sev_info(kvm); unsigned long npages, size; int npinned; unsigned long locked, lock_limit; struct page **pages; unsigned long first, last; int ret; lockdep_assert_held(&kvm->lock); if (ulen == 0 || uaddr + ulen < uaddr) return ERR_PTR(-EINVAL); /* Calculate number of pages. */ first = (uaddr & PAGE_MASK) >> PAGE_SHIFT; last = ((uaddr + ulen - 1) & PAGE_MASK) >> PAGE_SHIFT; npages = (last - first + 1); locked = sev->pages_locked + npages; lock_limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT; if (locked > lock_limit && !capable(CAP_IPC_LOCK)) { pr_err("SEV: %lu locked pages exceed the lock limit of %lu.\n", locked, lock_limit return ERR_PTR(-ENOMEM); } if (WARN_ON_ONCE(npages > INT_MAX)) return ERR_PTR(-EINVAL); /* Avoid using vmalloc for smaller buffers. */ size = npages * sizeof(struct page *); if (size > PAGE_SIZE) pages = __vmalloc(size, GFP_KERNEL_ACCOUNT); else pages = kmalloc(size, GFP_KERNEL_ACCOUNT); if (!pages) return ERR_PTR(-ENOMEM); /* Pin the user virtual address. */ npinned = pin_user_pages_fast(uaddr, npages, flags, pages); if (npinned != npages) { pr_err("SEV: Failure locking %lu pages.\n", npages); ret = -ENOMEM; goto err; } *n = npages; sev->pages_locked = locked; return pages; err: if (npinned > 0) unpin_user_pages(pages, npinned); kvfree(pages); return ERR_PTR(ret); } static void sev_unpin_memory(struct kvm *kvm, struct page **pages, unsigned long npages) { unpin_user_pages(pages, npages); kvfree(pages); to_kvm_sev_info(kvm)->pages_locked -= npages; } static void sev_clflush_pages(struct page *pages[], unsigned long npages) { uint8_t *page_virtual; unsigned long i; if (this_cpu_has(X86_FEATURE_SME_COHERENT) || npages == 0 || pages == NULL) return; for (i = 0; i < npages; i++) { page_virtual = kmap_local_page(pages[i]); clflush_cache_range(page_virtual, PAGE_SIZE); kunmap_local(page_virtual); cond_resched(); } } static void sev_writeback_caches(struct kvm *kvm) { /* * Ensure that all dirty guest tagged cache entries are written back * before releasing the pages back to the system for use. CLFLUSH will * not do this without SME_COHERENT, and flushing many cache lines * individually is slower than blasting WBINVD for large VMs, so issue * WBNOINVD (or WBINVD if the "no invalidate" variant is unsupported) * on CPUs that have done VMRUN, i.e. may have dirtied data using the * VM's ASID. * * For simplicity, never remove CPUs from the bitmap. Ideally, KVM * would clear the mask when flushing caches, but doing so requires * serializing multiple calls and having responding CPUs (to the IPI) * mark themselves as still running if they are running (or about to * run) a vCPU for the VM. * * Note, the caller is responsible for ensuring correctness if the mask * can be modified, e.g. if a CPU could be doing VMRUN. */ wbnoinvd_on_cpus_mask(to_kvm_sev_info(kvm)->have_run_cpus); } static unsigned long get_num_contig_pages(unsigned long idx, struct page **inpages, unsigned long npages) { unsigned long paddr, next_paddr; unsigned long i = idx + 1, pages = 1; /* find the number of contiguous pages starting from idx */ paddr = __sme_page_pa(inpages[idx]); while (i < npages) { next_paddr = __sme_page_pa(inpages[i++]); if ((paddr + PAGE_SIZE) == next_paddr) { pages++; paddr = next_paddr; continue; } break; } return pages; } static int sev_launch_update_data(struct kvm *kvm, struct kvm_sev_cmd *argp) { unsigned long vaddr, vaddr_end, next_vaddr, npages, pages, size, i; struct kvm_sev_launch_update_data params; struct sev_data_launch_update_data data; struct page **inpages; int ret; if (!sev_guest(kvm)) return -ENOTTY; if (copy_from_user(¶ms, u64_to_user_ptr(argp->data), sizeof(params))) return -EFAULT; vaddr = params.uaddr; size = params.len; vaddr_end = vaddr + size; /* Lock the user memory. */ inpages = sev_pin_memory(kvm, vaddr, size, &npages, FOLL_WRITE); if (IS_ERR(inpages)) return PTR_ERR(inpages); /* * Flush (on non-coherent CPUs) before LAUNCH_UPDATE encrypts pages in * place; the cache may contain the data that was written unencrypted. */ sev_clflush_pages(inpages, npages); data.reserved = 0; data.handle = to_kvm_sev_info(kvm)->handle; for (i = 0; vaddr < vaddr_end; vaddr = next_vaddr, i += pages) { int offset, len; /* * If the user buffer is not page-aligned, calculate the offset * within the page. */ offset = vaddr & (PAGE_SIZE - 1); /* Calculate the number of pages that can be encrypted in one go. */ pages = get_num_contig_pages(i, inpages, npages); len = min_t(size_t, ((pages * PAGE_SIZE) - offset), size); data.len = len; data.address = __sme_page_pa(inpages[i]) + offset; ret = sev_issue_cmd(kvm, SEV_CMD_LAUNCH_UPDATE_DATA, &data, &argp->error); if (ret) goto e_unpin; size -= len; next_vaddr = vaddr + len; } e_unpin: /* content of memory is updated, mark pages dirty */ for (i = 0; i < npages; i++) { set_page_dirty_lock(inpages[i]); mark_page_accessed(inpages[i]); } /* unlock the user pages */ sev_unpin_memory(kvm, inpages, npages); return ret; } static int sev_es_sync_vmsa(struct vcpu_svm *svm) { struct kvm_vcpu *vcpu = &svm->vcpu; struct kvm_sev_info *sev = to_kvm_sev_info(vcpu->kvm); struct sev_es_save_area *save = svm->sev_es.vmsa; struct xregs_state *xsave; const u8 *s; u8 *d; int i; /* Check some debug related fields before encrypting the VMSA */ if (svm->vcpu.guest_debug || (svm->vmcb->save.dr7 & ~DR7_FIXED_1)) return -EINVAL; /* * SEV-ES will use a VMSA that is pointed to by the VMCB, not * the traditional VMSA that is part of the VMCB. Copy the * traditional VMSA as it has been built so far (in prep * for LAUNCH_UPDATE_VMSA) to be the initial SEV-ES state. */ memcpy(save, &svm->vmcb->save, sizeof(svm->vmcb->save)); /* Sync registgers */ save->rax = svm->vcpu.arch.regs[VCPU_REGS_RAX]; save->rbx = svm->vcpu.arch.regs[VCPU_REGS_RBX]; save->rcx = svm->vcpu.arch.regs[VCPU_REGS_RCX]; save->rdx = svm->vcpu.arch.regs[VCPU_REGS_RDX]; save->rsp = svm->vcpu.arch.regs[VCPU_REGS_RSP]; save->rbp = svm->vcpu.arch.regs[VCPU_REGS_RBP]; save->rsi = svm->vcpu.arch.regs[VCPU_REGS_RSI]; save->rdi = svm->vcpu.arch.regs[VCPU_REGS_RDI]; #ifdef CONFIG_X86_64 save->r8 = svm->vcpu.arch.regs[VCPU_REGS_R8]; save->r9 = svm->vcpu.arch.regs[VCPU_REGS_R9]; save->r10 = svm->vcpu.arch.regs[VCPU_REGS_R10]; save->r11 = svm->vcpu.arch.regs[VCPU_REGS_R11]; save->r12 = svm->vcpu.arch.regs[VCPU_REGS_R12]; save->r13 = svm->vcpu.arch.regs[VCPU_REGS_R13]; save->r14 = svm->vcpu.arch.regs[VCPU_REGS_R14]; save->r15 = svm->vcpu.arch.regs[VCPU_REGS_R15]; #endif save->rip = svm->vcpu.arch.regs[VCPU_REGS_RIP]; /* Sync some non-GPR registers before encrypting */ save->xcr0 = svm->vcpu.arch.xcr0; save->pkru = svm->vcpu.arch.pkru; save->xss = svm->vcpu.arch.ia32_xss; save->dr6 = svm->vcpu.arch.dr6; save->sev_features = sev->vmsa_features; /* * Skip FPU and AVX setup with KVM_SEV_ES_INIT to avoid * breaking older measurements. */ if (vcpu->kvm->arch.vm_type != KVM_X86_DEFAULT_VM) { xsave = &vcpu->arch.guest_fpu.fpstate->regs.xsave; save->x87_dp = xsave->i387.rdp; save->mxcsr = xsave->i387.mxcsr; save->x87_ftw = xsave->i387.twd; save->x87_fsw = xsave->i387.swd; save->x87_fcw = xsave->i387.cwd; save->x87_fop = xsave->i387.fop; save->x87_ds = 0; save->x87_cs = 0; save->x87_rip = xsave->i387.rip; for (i = 0; i < 8; i++) { /* * The format of the x87 save area is undocumented and * definitely not what you would expect. It consists of * an 8*8 bytes area with bytes 0-7, and an 8*2 bytes * area with bytes 8-9 of each register. */ d = save->fpreg_x87 + i * 8; s = ((u8 *)xsave->i387.st_space) + i * 16; memcpy(d, s, 8); save->fpreg_x87[64 + i * 2] = s[8]; save->fpreg_x87[64 + i * 2 + 1] = s[9]; } memcpy(save->fpreg_xmm, xsave->i387.xmm_space, 256); s = get_xsave_addr(xsave, XFEATURE_YMM); if (s) memcpy(save->fpreg_ymm, s, 256); else memset(save->fpreg_ymm, 0, 256); } pr_debug("Virtual Machine Save Area (VMSA):\n"); print_hex_dump_debug("", DUMP_PREFIX_NONE, 16, 1, save, sizeof(*save), false); return 0; } static int __sev_launch_update_vmsa(struct kvm *kvm, struct kvm_vcpu *vcpu, int *error) { struct sev_data_launch_update_vmsa vmsa; struct vcpu_svm *svm = to_svm(vcpu); int ret; if (vcpu->guest_debug) { pr_warn_once("KVM_SET_GUEST_DEBUG for SEV-ES guest is not supported"); return -EINVAL; } /* Perform some pre-encryption checks against the VMSA */ ret = sev_es_sync_vmsa(svm); if (ret) return ret; /* * The LAUNCH_UPDATE_VMSA command will perform in-place encryption of * the VMSA memory content (i.e it will write the same memory region * with the guest's key), so invalidate it first. */ clflush_cache_range(svm->sev_es.vmsa, PAGE_SIZE); vmsa.reserved = 0; vmsa.handle = to_kvm_sev_info(kvm)->handle; vmsa.address = __sme_pa(svm->sev_es.vmsa); vmsa.len = PAGE_SIZE; ret = sev_issue_cmd(kvm, SEV_CMD_LAUNCH_UPDATE_VMSA, &vmsa, error); if (ret) return ret; /* * SEV-ES guests maintain an encrypted version of their FPU * state which is restored and saved on VMRUN and VMEXIT. * Mark vcpu->arch.guest_fpu->fpstate as scratch so it won't * do xsave/xrstor on it. */ fpstate_set_confidential(&vcpu->arch.guest_fpu); vcpu->arch.guest_state_protected = true; /* * SEV-ES guest mandates LBR Virtualization to be _always_ ON. Enable it * only after setting guest_state_protected because KVM_SET_MSRS allows * dynamic toggling of LBRV (for performance reason) on write access to * MSR_IA32_DEBUGCTLMSR when guest_state_protected is not set. */ svm_enable_lbrv(vcpu); return 0; } static int sev_launch_update_vmsa(struct kvm *kvm, struct kvm_sev_cmd *argp) { struct kvm_vcpu *vcpu; unsigned long i; int ret; if (!sev_es_guest(kvm)) return -ENOTTY; kvm_for_each_vcpu(i, vcpu, kvm) { ret = mutex_lock_killable(&vcpu->mutex); if (ret) return ret; ret = __sev_launch_update_vmsa(kvm, vcpu, &argp->error); mutex_unlock(&vcpu->mutex); if (ret) return ret; } return 0; } static int sev_launch_measure(struct kvm *kvm, struct kvm_sev_cmd *argp) { void __user *measure = u64_to_user_ptr(argp->data); struct sev_data_launch_measure data; struct kvm_sev_launch_measure params; void __user *p = NULL; void *blob = NULL; int ret; if (!sev_guest(kvm)) return -ENOTTY; if (copy_from_user(¶ms, measure, sizeof(params))) return -EFAULT; memset(&data, 0, sizeof(data)); /* User wants to query the blob length */ if (!params.len) goto cmd; p = u64_to_user_ptr(params.uaddr); if (p) { if (params.len > SEV_FW_BLOB_MAX_SIZE) return -EINVAL; blob = kzalloc(params.len, GFP_KERNEL_ACCOUNT); if (!blob) return -ENOMEM; data.address = __psp_pa(blob); data.len = params.len; } cmd: data.handle = to_kvm_sev_info(kvm)->handle; ret = sev_issue_cmd(kvm, SEV_CMD_LAUNCH_MEASURE, &data, &argp->error); /* * If we query the session length, FW responded with expected data. */ if (!params.len) goto done; if (ret) goto e_free_blob; if (blob) { if (copy_to_user(p, blob, params.len)) ret = -EFAULT; } done: params.len = data.len; if (copy_to_user(measure, ¶ms, sizeof(params))) ret = -EFAULT; e_free_blob: kfree(blob); return ret; } static int sev_launch_finish(struct kvm *kvm, struct kvm_sev_cmd *argp) { struct sev_data_launch_finish data; if (!sev_guest(kvm)) return -ENOTTY; data.handle = to_kvm_sev_info(kvm)->handle; return sev_issue_cmd(kvm, SEV_CMD_LAUNCH_FINISH, &data, &argp->error); } static int sev_guest_status(struct kvm *kvm, struct kvm_sev_cmd *argp) { struct kvm_sev_guest_status params; struct sev_data_guest_status data; int ret; if (!sev_guest(kvm)) return -ENOTTY; memset(&data, 0, sizeof(data)); data.handle = to_kvm_sev_info(kvm)->handle; ret = sev_issue_cmd(kvm, SEV_CMD_GUEST_STATUS, &data, &argp->error); if (ret) return ret; params.policy = data.policy; params.state = data.state; params.handle = data.handle; if (copy_to_user(u64_to_user_ptr(argp->data), ¶ms, sizeof(params))) ret = -EFAULT; return ret; } static int __sev_issue_dbg_cmd(struct kvm *kvm, unsigned long src, unsigned long dst, int size, int *error, bool enc) { struct sev_data_dbg data; data.reserved = 0; data.handle = to_kvm_sev_info(kvm)->handle; data.dst_addr = dst; data.src_addr = src; data.len = size; return sev_issue_cmd(kvm, enc ? SEV_CMD_DBG_ENCRYPT : SEV_CMD_DBG_DECRYPT, &data, error); } static int __sev_dbg_decrypt(struct kvm *kvm, unsigned long src_paddr, unsigned long dst_paddr, int sz, int *err) { int offset; /* * Its safe to read more than we are asked, caller should ensure that * destination has enough space. */ offset = src_paddr & 15; src_paddr = round_down(src_paddr, 16); sz = round_up(sz + offset, 16); return __sev_issue_dbg_cmd(kvm, src_paddr, dst_paddr, sz, err, false); } static int __sev_dbg_decrypt_user(struct kvm *kvm, unsigned long paddr, void __user *dst_uaddr, unsigned long dst_paddr, int size, int *err) { struct page *tpage = NULL; int ret, offset; /* if inputs are not 16-byte then use intermediate buffer */ if (!IS_ALIGNED(dst_paddr, 16) || !IS_ALIGNED(paddr, 16) || !IS_ALIGNED(size, 16)) { tpage = (void *)alloc_page(GFP_KERNEL_ACCOUNT | __GFP_ZERO); if (!tpage) return -ENOMEM; dst_paddr = __sme_page_pa(tpage); } ret = __sev_dbg_decrypt(kvm, paddr, dst_paddr, size, err); if (ret) goto e_free; if (tpage) { offset = paddr & 15; if (copy_to_user(dst_uaddr, page_address(tpage) + offset, size)) ret = -EFAULT; } e_free: if (tpage) __free_page(tpage); return ret; } static int __sev_dbg_encrypt_user(struct kvm *kvm, unsigned long paddr, void __user *vaddr, unsigned long dst_paddr, void __user *dst_vaddr, int size, int *error) { struct page *src_tpage = NULL; struct page *dst_tpage = NULL; int ret, len = size; /* If source buffer is not aligned then use an intermediate buffer */ if (!IS_ALIGNED((unsigned long)vaddr, 16)) { src_tpage = alloc_page(GFP_KERNEL_ACCOUNT); if (!src_tpage) return -ENOMEM; if (copy_from_user(page_address(src_tpage), vaddr, size)) { __free_page(src_tpage); return -EFAULT; } paddr = __sme_page_pa(src_tpage); } /* * If destination buffer or length is not aligned then do read-modify-write: * - decrypt destination in an intermediate buffer * - copy the source buffer in an intermediate buffer * - use the intermediate buffer as source buffer */ if (!IS_ALIGNED((unsigned long)dst_vaddr, 16) || !IS_ALIGNED(size, 16)) { int dst_offset; dst_tpage = alloc_page(GFP_KERNEL_ACCOUNT); if (!dst_tpage) { ret = -ENOMEM; goto e_free; } ret = __sev_dbg_decrypt(kvm, dst_paddr, __sme_page_pa(dst_tpage), size, error); if (ret) goto e_free; /* * If source is kernel buffer then use memcpy() otherwise * copy_from_user(). */ dst_offset = dst_paddr & 15; if (src_tpage) memcpy(page_address(dst_tpage) + dst_offset, page_address(src_tpage), size); else { if (copy_from_user(page_address(dst_tpage) + dst_offset, vaddr, size)) { ret = -EFAULT; goto e_free; } } paddr = __sme_page_pa(dst_tpage); dst_paddr = round_down(dst_paddr, 16); len = round_up(size, 16); } ret = __sev_issue_dbg_cmd(kvm, paddr, dst_paddr, len, error, true); e_free: if (src_tpage) __free_page(src_tpage); if (dst_tpage) __free_page(dst_tpage); return ret; } static int sev_dbg_crypt(struct kvm *kvm, struct kvm_sev_cmd *argp, bool dec) { unsigned long vaddr, vaddr_end, next_vaddr; unsigned long dst_vaddr; struct page **src_p, **dst_p; struct kvm_sev_dbg debug; unsigned long n; unsigned int size; int ret; if (!sev_guest(kvm)) return -ENOTTY; if (copy_from_user(&debug, u64_to_user_ptr(argp->data), sizeof(debug))) return -EFAULT; if (!debug.len || debug.src_uaddr + debug.len < debug.src_uaddr) return -EINVAL; if (!debug.dst_uaddr) return -EINVAL; vaddr = debug.src_uaddr; size = debug.len; vaddr_end = vaddr + size; dst_vaddr = debug.dst_uaddr; for (; vaddr < vaddr_end; vaddr = next_vaddr) { int len, s_off, d_off; /* lock userspace source and destination page */ src_p = sev_pin_memory(kvm, vaddr & PAGE_MASK, PAGE_SIZE, &n, 0); if (IS_ERR(src_p)) return PTR_ERR(src_p); dst_p = sev_pin_memory(kvm, dst_vaddr & PAGE_MASK, PAGE_SIZE, &n, FOLL_WRITE); if (IS_ERR(dst_p)) { sev_unpin_memory(kvm, src_p, n); return PTR_ERR(dst_p); } /* * Flush (on non-coherent CPUs) before DBG_{DE,EN}CRYPT read or modify * the pages; flush the destination too so that future accesses do not * see stale data. */ sev_clflush_pages(src_p, 1); sev_clflush_pages(dst_p, 1); /* * Since user buffer may not be page aligned, calculate the * offset within the page. */ s_off = vaddr & ~PAGE_MASK; d_off = dst_vaddr & ~PAGE_MASK; len = min_t(size_t, (PAGE_SIZE - s_off), size); if (dec) ret = __sev_dbg_decrypt_user(kvm, __sme_page_pa(src_p[0]) + s_off, (void __user *)dst_vaddr, __sme_page_pa(dst_p[0]) + d_off, len, &argp->error); else ret = __sev_dbg_encrypt_user(kvm, __sme_page_pa(src_p[0]) + s_off, (void __user *)vaddr, __sme_page_pa(dst_p[0]) + d_off, (void __user *)dst_vaddr, len, &argp->error); sev_unpin_memory(kvm, src_p, n); sev_unpin_memory(kvm, dst_p, n); if (ret) goto err; next_vaddr = vaddr + len; dst_vaddr = dst_vaddr + len; size -= len; } err: return ret; } static int sev_launch_secret(struct kvm *kvm, struct kvm_sev_cmd *argp) { struct sev_data_launch_secret data; struct kvm_sev_launch_secret params; struct page **pages; void *blob, *hdr; unsigned long n, i; int ret, offset; if (!sev_guest(kvm)) return -ENOTTY; if (copy_from_user(¶ms, u64_to_user_ptr(argp->data), sizeof(params))) return -EFAULT; pages = sev_pin_memory(kvm, params.guest_uaddr, params.guest_len, &n, FOLL_WRITE); if (IS_ERR(pages)) return PTR_ERR(pages); /* * Flush (on non-coherent CPUs) before LAUNCH_SECRET encrypts pages in * place; the cache may contain the data that was written unencrypted. */ sev_clflush_pages(pages, n); /* * The secret must be copied into contiguous memory region, lets verify * that userspace memory pages are contiguous before we issue command. */ if (get_num_contig_pages(0, pages, n) != n) { ret = -EINVAL; goto e_unpin_memory; } memset(&data, 0, sizeof(data)); offset = params.guest_uaddr & (PAGE_SIZE - 1); data.guest_address = __sme_page_pa(pages[0]) + offset; data.guest_len = params.guest_len; blob = psp_copy_user_blob(params.trans_uaddr, params.trans_len); if (IS_ERR(blob)) { ret = PTR_ERR(blob); goto e_unpin_memory; } data.trans_address = __psp_pa(blob); data.trans_len = params.trans_len; hdr = psp_copy_user_blob(params.hdr_uaddr, params.hdr_len); if (IS_ERR(hdr)) { ret = PTR_ERR(hdr); goto e_free_blob; } data.hdr_address = __psp_pa(hdr); data.hdr_len = params.hdr_len; data.handle = to_kvm_sev_info(kvm)->handle; ret = sev_issue_cmd(kvm, SEV_CMD_LAUNCH_UPDATE_SECRET, &data, &argp->error); kfree(hdr); e_free_blob: kfree(blob); e_unpin_memory: /* content of memory is updated, mark pages dirty */ for (i = 0; i < n; i++) { set_page_dirty_lock(pages[i]); mark_page_accessed(pages[i]); } sev_unpin_memory(kvm, pages, n); return ret; } static int sev_get_attestation_report(struct kvm *kvm, struct kvm_sev_cmd *argp) { void __user *report = u64_to_user_ptr(argp->data); struct sev_data_attestation_report data; struct kvm_sev_attestation_report params; void __user *p; void *blob = NULL; int ret; if (!sev_guest(kvm)) return -ENOTTY; if (copy_from_user(¶ms, u64_to_user_ptr(argp->data), sizeof(params))) return -EFAULT; memset(&data, 0, sizeof(data)); /* User wants to query the blob length */ if (!params.len) goto cmd; p = u64_to_user_ptr(params.uaddr); if (p) { if (params.len > SEV_FW_BLOB_MAX_SIZE) return -EINVAL; blob = kzalloc(params.len, GFP_KERNEL_ACCOUNT); if (!blob) return -ENOMEM; data.address = __psp_pa(blob); data.len = params.len; memcpy(data.mnonce, params.mnonce, sizeof(params.mnonce)); } cmd: data.handle = to_kvm_sev_info(kvm)->handle; ret = sev_issue_cmd(kvm, SEV_CMD_ATTESTATION_REPORT, &data, &argp->error); /* * If we query the session length, FW responded with expected data. */ if (!params.len) goto done; if (ret) goto e_free_blob; if (blob) { if (copy_to_user(p, blob, params.len)) ret = -EFAULT; } done: params.len = data.len; if (copy_to_user(report, ¶ms, sizeof(params))) ret = -EFAULT; e_free_blob: kfree(blob); return ret; } /* Userspace wants to query session length. */ static int __sev_send_start_query_session_length(struct kvm *kvm, struct kvm_sev_cmd *argp, struct kvm_sev_send_start *params) { struct sev_data_send_start data; int ret; memset(&data, 0, sizeof(data)); data.handle = to_kvm_sev_info(kvm)->handle; ret = sev_issue_cmd(kvm, SEV_CMD_SEND_START, &data, &argp->error); params->session_len = data.session_len; if (copy_to_user(u64_to_user_ptr(argp->data), params, sizeof(struct kvm_sev_send_start))) ret = -EFAULT; return ret; } static int sev_send_start(struct kvm *kvm, struct kvm_sev_cmd *argp) { struct sev_data_send_start data; struct kvm_sev_send_start params; void *amd_certs, *session_data; void *pdh_cert, *plat_certs; int ret; if (!sev_guest(kvm)) return -ENOTTY; if (copy_from_user(¶ms, u64_to_user_ptr(argp->data), sizeof(struct kvm_sev_send_start))) return -EFAULT; /* if session_len is zero, userspace wants to query the session length */ if (!params.session_len) return __sev_send_start_query_session_length(kvm, argp, ¶ms); /* some sanity checks */ if (!params.pdh_cert_uaddr || !params.pdh_cert_len || !params.session_uaddr || params.session_len > SEV_FW_BLOB_MAX_SIZE) return -EINVAL; /* allocate the memory to hold the session data blob */ session_data = kzalloc(params.session_len, GFP_KERNEL_ACCOUNT); if (!session_data) return -ENOMEM; /* copy the certificate blobs from userspace */ pdh_cert = psp_copy_user_blob(params.pdh_cert_uaddr, params.pdh_cert_len); if (IS_ERR(pdh_cert)) { ret = PTR_ERR(pdh_cert); goto e_free_session; } plat_certs = psp_copy_user_blob(params.plat_certs_uaddr, params.plat_certs_len); if (IS_ERR(plat_certs)) { ret = PTR_ERR(plat_certs); goto e_free_pdh; } amd_certs = psp_copy_user_blob(params.amd_certs_uaddr, params.amd_certs_len); if (IS_ERR(amd_certs)) { ret = PTR_ERR(amd_certs); goto e_free_plat_cert; } /* populate the FW SEND_START field with system physical address */ memset(&data, 0, sizeof(data)); data.pdh_cert_address = __psp_pa(pdh_cert); data.pdh_cert_len = params.pdh_cert_len; data.plat_certs_address = __psp_pa(plat_certs); data.plat_certs_len = params.plat_certs_len; data.amd_certs_address = __psp_pa(amd_certs); data.amd_certs_len = params.amd_certs_len; data.session_address = __psp_pa(session_data); data.session_len = params.session_len; data.handle = to_kvm_sev_info(kvm)->handle; ret = sev_issue_cmd(kvm, SEV_CMD_SEND_START, &data, &argp->error); if (!ret && copy_to_user(u64_to_user_ptr(params.session_uaddr), session_data, params.session_len)) { ret = -EFAULT; goto e_free_amd_cert; } params.policy = data.policy; params.session_len = data.session_len; if (copy_to_user(u64_to_user_ptr(argp->data), ¶ms, sizeof(struct kvm_sev_send_start))) ret = -EFAULT; e_free_amd_cert: kfree(amd_certs); e_free_plat_cert: kfree(plat_certs); e_free_pdh: kfree(pdh_cert); e_free_session: kfree(session_data); return ret; } /* Userspace wants to query either header or trans length. */ static int __sev_send_update_data_query_lengths(struct kvm *kvm, struct kvm_sev_cmd *argp, struct kvm_sev_send_update_data *params) { struct sev_data_send_update_data data; int ret; memset(&data, 0, sizeof(data)); data.handle = to_kvm_sev_info(kvm)->handle; ret = sev_issue_cmd(kvm, SEV_CMD_SEND_UPDATE_DATA, &data, &argp->error); params->hdr_len = data.hdr_len; params->trans_len = data.trans_len; if (copy_to_user(u64_to_user_ptr(argp->data), params, sizeof(struct kvm_sev_send_update_data))) ret = -EFAULT; return ret; } static int sev_send_update_data(struct kvm *kvm, struct kvm_sev_cmd *argp) { struct sev_data_send_update_data data; struct kvm_sev_send_update_data params; void *hdr, *trans_data; struct page **guest_page; unsigned long n; int ret, offset; if (!sev_guest(kvm)) return -ENOTTY; if (copy_from_user(¶ms, u64_to_user_ptr(argp->data), sizeof(struct kvm_sev_send_update_data))) return -EFAULT; /* userspace wants to query either header or trans length */ if (!params.trans_len || !params.hdr_len) return __sev_send_update_data_query_lengths(kvm, argp, ¶ms); if (!params.trans_uaddr || !params.guest_uaddr || !params.guest_len || !params.hdr_uaddr) return -EINVAL; /* Check if we are crossing the page boundary */ offset = params.guest_uaddr & (PAGE_SIZE - 1); if (params.guest_len > PAGE_SIZE || (params.guest_len + offset) > PAGE_SIZE) return -EINVAL; /* Pin guest memory */ guest_page = sev_pin_memory(kvm, params.guest_uaddr & PAGE_MASK, PAGE_SIZE, &n, 0); if (IS_ERR(guest_page)) return PTR_ERR(guest_page); /* allocate memory for header and transport buffer */ ret = -ENOMEM; hdr = kzalloc(params.hdr_len, GFP_KERNEL); if (!hdr) goto e_unpin; trans_data = kzalloc(params.trans_len, GFP_KERNEL); if (!trans_data) goto e_free_hdr; memset(&data, 0, sizeof(data)); data.hdr_address = __psp_pa(hdr); data.hdr_len = params.hdr_len; data.trans_address = __psp_pa(trans_data); data.trans_len = params.trans_len; /* The SEND_UPDATE_DATA command requires C-bit to be always set. */ data.guest_address = (page_to_pfn(guest_page[0]) << PAGE_SHIFT) + offset; data.guest_address |= sev_me_mask; data.guest_len = params.guest_len; data.handle = to_kvm_sev_info(kvm)->handle; ret = sev_issue_cmd(kvm, SEV_CMD_SEND_UPDATE_DATA, &data, &argp->error); if (ret) goto e_free_trans_data; /* copy transport buffer to user space */ if (copy_to_user(u64_to_user_ptr(params.trans_uaddr), trans_data, params.trans_len)) { ret = -EFAULT; goto e_free_trans_data; } /* Copy packet header to userspace. */ if (copy_to_user(u64_to_user_ptr(params.hdr_uaddr), hdr, params.hdr_len)) ret = -EFAULT; e_free_trans_data: kfree(trans_data); e_free_hdr: kfree(hdr); e_unpin: sev_unpin_memory(kvm, guest_page, n); return ret; } static int sev_send_finish(struct kvm *kvm, struct kvm_sev_cmd *argp) { struct sev_data_send_finish data; if (!sev_guest(kvm)) return -ENOTTY; data.handle = to_kvm_sev_info(kvm)->handle; return sev_issue_cmd(kvm, SEV_CMD_SEND_FINISH, &data, &argp->error); } static int sev_send_cancel(struct kvm *kvm, struct kvm_sev_cmd *argp) { struct sev_data_send_cancel data; if (!sev_guest(kvm)) return -ENOTTY; data.handle = to_kvm_sev_info(kvm)->handle; return sev_issue_cmd(kvm, SEV_CMD_SEND_CANCEL, &data, &argp->error); } static int sev_receive_start(struct kvm *kvm, struct kvm_sev_cmd *argp) { struct kvm_sev_info *sev = to_kvm_sev_info(kvm); struct sev_data_receive_start start; struct kvm_sev_receive_start params; int *error = &argp->error; void *session_data; void *pdh_data; int ret; if (!sev_guest(kvm)) return -ENOTTY; /* Get parameter from the userspace */ if (copy_from_user(¶ms, u64_to_user_ptr(argp->data), sizeof(struct kvm_sev_receive_start))) return -EFAULT; /* some sanity checks */ if (!params.pdh_uaddr || !params.pdh_len || !params.session_uaddr || !params.session_len) return -EINVAL; pdh_data = psp_copy_user_blob(params.pdh_uaddr, params.pdh_len); if (IS_ERR(pdh_data)) return PTR_ERR(pdh_data); session_data = psp_copy_user_blob(params.session_uaddr, params.session_len); if (IS_ERR(session_data)) { ret = PTR_ERR(session_data); goto e_free_pdh; } memset(&start, 0, sizeof(start)); start.handle = params.handle; start.policy = params.policy; start.pdh_cert_address = __psp_pa(pdh_data); start.pdh_cert_len = params.pdh_len; start.session_address = __psp_pa(session_data); start.session_len = params.session_len; /* create memory encryption context */ ret = __sev_issue_cmd(argp->sev_fd, SEV_CMD_RECEIVE_START, &start, error); if (ret) goto e_free_session; /* Bind ASID to this guest */ ret = sev_bind_asid(kvm, start.handle, error); if (ret) { sev_decommission(start.handle); goto e_free_session; } params.handle = start.handle; if (copy_to_user(u64_to_user_ptr(argp->data), ¶ms, sizeof(struct kvm_sev_receive_start))) { ret = -EFAULT; sev_unbind_asid(kvm, start.handle); goto e_free_session; } sev->handle = start.handle; sev->fd = argp->sev_fd; e_free_session: kfree(session_data); e_free_pdh: kfree(pdh_data); return ret; } static int sev_receive_update_data(struct kvm *kvm, struct kvm_sev_cmd *argp) { struct kvm_sev_receive_update_data params; struct sev_data_receive_update_data data; void *hdr = NULL, *trans = NULL; struct page **guest_page; unsigned long n; int ret, offset; if (!sev_guest(kvm)) return -EINVAL; if (copy_from_user(¶ms, u64_to_user_ptr(argp->data), sizeof(struct kvm_sev_receive_update_data))) return -EFAULT; if (!params.hdr_uaddr || !params.hdr_len || !params.guest_uaddr || !params.guest_len || !params.trans_uaddr || !params.trans_len) return -EINVAL; /* Check if we are crossing the page boundary */ offset = params.guest_uaddr & (PAGE_SIZE - 1); if (params.guest_len > PAGE_SIZE || (params.guest_len + offset) > PAGE_SIZE) return -EINVAL; hdr = psp_copy_user_blob(params.hdr_uaddr, params.hdr_len); if (IS_ERR(hdr)) return PTR_ERR(hdr); trans = psp_copy_user_blob(params.trans_uaddr, params.trans_len); if (IS_ERR(trans)) { ret = PTR_ERR(trans); goto e_free_hdr; } memset(&data, 0, sizeof(data)); data.hdr_address = __psp_pa(hdr); data.hdr_len = params.hdr_len; data.trans_address = __psp_pa(trans); data.trans_len = params.trans_len; /* Pin guest memory */ guest_page = sev_pin_memory(kvm, params.guest_uaddr & PAGE_MASK, PAGE_SIZE, &n, FOLL_WRITE); if (IS_ERR(guest_page)) { ret = PTR_ERR(guest_page); goto e_free_trans; } /* * Flush (on non-coherent CPUs) before RECEIVE_UPDATE_DATA, the PSP * encrypts the written data with the guest's key, and the cache may * contain dirty, unencrypted data. */ sev_clflush_pages(guest_page, n); /* The RECEIVE_UPDATE_DATA command requires C-bit to be always set. */ data.guest_address = (page_to_pfn(guest_page[0]) << PAGE_SHIFT) + offset; data.guest_address |= sev_me_mask; data.guest_len = params.guest_len; data.handle = to_kvm_sev_info(kvm)->handle; ret = sev_issue_cmd(kvm, SEV_CMD_RECEIVE_UPDATE_DATA, &data, &argp->error); sev_unpin_memory(kvm, guest_page, n); e_free_trans: kfree(trans); e_free_hdr: kfree(hdr); return ret; } static int sev_receive_finish(struct kvm *kvm, struct kvm_sev_cmd *argp) { struct sev_data_receive_finish data; if (!sev_guest(kvm)) return -ENOTTY; data.handle = to_kvm_sev_info(kvm)->handle; return sev_issue_cmd(kvm, SEV_CMD_RECEIVE_FINISH, &data, &argp->error); } static bool is_cmd_allowed_from_mirror(u32 cmd_id) { /* * Allow mirrors VM to call KVM_SEV_LAUNCH_UPDATE_VMSA to enable SEV-ES * active mirror VMs. Also allow the debugging and status commands. */ if (cmd_id == KVM_SEV_LAUNCH_UPDATE_VMSA || cmd_id == KVM_SEV_GUEST_STATUS || cmd_id == KVM_SEV_DBG_DECRYPT || cmd_id == KVM_SEV_DBG_ENCRYPT) return true; return false; } static int sev_lock_two_vms(struct kvm *dst_kvm, struct kvm *src_kvm) { struct kvm_sev_info *dst_sev = to_kvm_sev_info(dst_kvm); struct kvm_sev_info *src_sev = to_kvm_sev_info(src_kvm); int r = -EBUSY; if (dst_kvm == src_kvm) return -EINVAL; /* * Bail if these VMs are already involved in a migration to avoid * deadlock between two VMs trying to migrate to/from each other. */ if (atomic_cmpxchg_acquire(&dst_sev->migration_in_progress, 0, 1)) return -EBUSY; if (atomic_cmpxchg_acquire(&src_sev->migration_in_progress, 0, 1)) goto release_dst; r = -EINTR; if (mutex_lock_killable(&dst_kvm->lock)) goto release_src; if (mutex_lock_killable_nested(&src_kvm->lock, SINGLE_DEPTH_NESTING)) goto unlock_dst; return 0; unlock_dst: mutex_unlock(&dst_kvm->lock); release_src: atomic_set_release(&src_sev->migration_in_progress, 0); release_dst: atomic_set_release(&dst_sev->migration_in_progress, 0); return r; } static void sev_unlock_two_vms(struct kvm *dst_kvm, struct kvm *src_kvm) { struct kvm_sev_info *dst_sev = to_kvm_sev_info(dst_kvm); struct kvm_sev_info *src_sev = to_kvm_sev_info(src_kvm); mutex_unlock(&dst_kvm->lock); mutex_unlock(&src_kvm->lock); atomic_set_release(&dst_sev->migration_in_progress, 0); atomic_set_release(&src_sev->migration_in_progress, 0); } static void sev_migrate_from(struct kvm *dst_kvm, struct kvm *src_kvm) { struct kvm_sev_info *dst = to_kvm_sev_info(dst_kvm); struct kvm_sev_info *src = to_kvm_sev_info(src_kvm); struct kvm_vcpu *dst_vcpu, *src_vcpu; struct vcpu_svm *dst_svm, *src_svm; struct kvm_sev_info *mirror; unsigned long i; dst->active = true; dst->asid = src->asid; dst->handle = src->handle; dst->pages_locked = src->pages_locked; dst->enc_context_owner = src->enc_context_owner; dst->es_active = src->es_active; dst->vmsa_features = src->vmsa_features; src->asid = 0; src->active = false; src->handle = 0; src->pages_locked = 0; src->enc_context_owner = NULL; src->es_active = false; list_cut_before(&dst->regions_list, &src->regions_list, &src->regions_list); /* * If this VM has mirrors, "transfer" each mirror's refcount of the * source to the destination (this KVM). The caller holds a reference * to the source, so there's no danger of use-after-free. */ list_cut_before(&dst->mirror_vms, &src->mirror_vms, &src->mirror_vms); list_for_each_entry(mirror, &dst->mirror_vms, mirror_entry) { kvm_get_kvm(dst_kvm); kvm_put_kvm(src_kvm); mirror->enc_context_owner = dst_kvm; } /* * If this VM is a mirror, remove the old mirror from the owners list * and add the new mirror to the list. */ if (is_mirroring_enc_context(dst_kvm)) { struct kvm_sev_info *owner_sev_info = to_kvm_sev_info(dst->enc_context_owner); list_del(&src->mirror_entry); list_add_tail(&dst->mirror_entry, &owner_sev_info->mirror_vms); } kvm_for_each_vcpu(i, dst_vcpu, dst_kvm) { dst_svm = to_svm(dst_vcpu); sev_init_vmcb(dst_svm); if (!dst->es_active) continue; /* * Note, the source is not required to have the same number of * vCPUs as the destination when migrating a vanilla SEV VM. */ src_vcpu = kvm_get_vcpu(src_kvm, i); src_svm = to_svm(src_vcpu); /* * Transfer VMSA and GHCB state to the destination. Nullify and * clear source fields as appropriate, the state now belongs to * the destination. */ memcpy(&dst_svm->sev_es, &src_svm->sev_es, sizeof(src_svm->sev_es)); dst_svm->vmcb->control.ghcb_gpa = src_svm->vmcb->control.ghcb_gpa; dst_svm->vmcb->control.vmsa_pa = src_svm->vmcb->control.vmsa_pa; dst_vcpu->arch.guest_state_protected = true; memset(&src_svm->sev_es, 0, sizeof(src_svm->sev_es)); src_svm->vmcb->control.ghcb_gpa = INVALID_PAGE; src_svm->vmcb->control.vmsa_pa = INVALID_PAGE; src_vcpu->arch.guest_state_protected = false; } } static int sev_check_source_vcpus(struct kvm *dst, struct kvm *src) { struct kvm_vcpu *src_vcpu; unsigned long i; if (src->created_vcpus != atomic_read(&src->online_vcpus) || dst->created_vcpus != atomic_read(&dst->online_vcpus)) return -EBUSY; if (!sev_es_guest(src)) return 0; if (atomic_read(&src->online_vcpus) != atomic_read(&dst->online_vcpus)) return -EINVAL; kvm_for_each_vcpu(i, src_vcpu, src) { if (!src_vcpu->arch.guest_state_protected) return -EINVAL; } return 0; } int sev_vm_move_enc_context_from(struct kvm *kvm, unsigned int source_fd) { struct kvm_sev_info *dst_sev = to_kvm_sev_info(kvm); struct kvm_sev_info *src_sev, *cg_cleanup_sev; CLASS(fd, f)(source_fd); struct kvm *source_kvm; bool charged = false; int ret; if (fd_empty(f)) return -EBADF; if (!file_is_kvm(fd_file(f))) return -EBADF; source_kvm = fd_file(f)->private_data; ret = sev_lock_two_vms(kvm, source_kvm); if (ret) return ret; if (kvm->arch.vm_type != source_kvm->arch.vm_type || sev_guest(kvm) || !sev_guest(source_kvm)) { ret = -EINVAL; goto out_unlock; } src_sev = to_kvm_sev_info(source_kvm); dst_sev->misc_cg = get_current_misc_cg(); cg_cleanup_sev = dst_sev; if (dst_sev->misc_cg != src_sev->misc_cg) { ret = sev_misc_cg_try_charge(dst_sev); if (ret) goto out_dst_cgroup; charged = true; } ret = kvm_lock_all_vcpus(kvm); if (ret) goto out_dst_cgroup; ret = kvm_lock_all_vcpus(source_kvm); if (ret) goto out_dst_vcpu; ret = sev_check_source_vcpus(kvm, source_kvm); if (ret) goto out_source_vcpu; /* * Allocate a new have_run_cpus for the destination, i.e. don't copy * the set of CPUs from the source. If a CPU was used to run a vCPU in * the source VM but is never used for the destination VM, then the CPU * can only have cached memory that was accessible to the source VM. */ if (!zalloc_cpumask_var(&dst_sev->have_run_cpus, GFP_KERNEL_ACCOUNT)) { ret = -ENOMEM; goto out_source_vcpu; } sev_migrate_from(kvm, source_kvm); kvm_vm_dead(source_kvm); cg_cleanup_sev = src_sev; ret = 0; out_source_vcpu: kvm_unlock_all_vcpus(source_kvm); out_dst_vcpu: kvm_unlock_all_vcpus(kvm); out_dst_cgroup: /* Operates on the source on success, on the destination on failure. */ if (charged) sev_misc_cg_uncharge(cg_cleanup_sev); put_misc_cg(cg_cleanup_sev->misc_cg); cg_cleanup_sev->misc_cg = NULL; out_unlock: sev_unlock_two_vms(kvm, source_kvm); return ret; } int sev_dev_get_attr(u32 group, u64 attr, u64 *val) { if (group != KVM_X86_GRP_SEV) return -ENXIO; switch (attr) { case KVM_X86_SEV_VMSA_FEATURES: *val = sev_supported_vmsa_features; return 0; default: return -ENXIO; } } /* * The guest context contains all the information, keys and metadata * associated with the guest that the firmware tracks to implement SEV * and SNP features. The firmware stores the guest context in hypervisor * provide page via the SNP_GCTX_CREATE command. */ static void *snp_context_create(struct kvm *kvm, struct kvm_sev_cmd *argp) { struct sev_data_snp_addr data = {}; void *context; int rc; /* Allocate memory for context page */ context = snp_alloc_firmware_page(GFP_KERNEL_ACCOUNT); if (!context) return NULL; data.address = __psp_pa(context); rc = __sev_issue_cmd(argp->sev_fd, SEV_CMD_SNP_GCTX_CREATE, &data, &argp->error); if (rc) { pr_warn("Failed to create SEV-SNP context, rc %d fw_error %d", rc, argp->error); snp_free_firmware_page(context); return NULL; } return context; } static int snp_bind_asid(struct kvm *kvm, int *error) { struct kvm_sev_info *sev = to_kvm_sev_info(kvm); struct sev_data_snp_activate data = {0}; data.gctx_paddr = __psp_pa(sev->snp_context); data.asid = sev_get_asid(kvm); return sev_issue_cmd(kvm, SEV_CMD_SNP_ACTIVATE, &data, error); } static int snp_launch_start(struct kvm *kvm, struct kvm_sev_cmd *argp) { struct kvm_sev_info *sev = to_kvm_sev_info(kvm); struct sev_data_snp_launch_start start = {0}; struct kvm_sev_snp_launch_start params; int rc; if (!sev_snp_guest(kvm)) return -ENOTTY; if (copy_from_user(¶ms, u64_to_user_ptr(argp->data), sizeof(params))) return -EFAULT; /* Don't allow userspace to allocate memory for more than 1 SNP context. */ if (sev->snp_context) return -EINVAL; if (params.flags) return -EINVAL; if (params.policy & ~SNP_POLICY_MASK_VALID) return -EINVAL; /* Check for policy bits that must be set */ if (!(params.policy & SNP_POLICY_MASK_RSVD_MBO)) return -EINVAL; sev->policy = params.policy; sev->snp_context = snp_context_create(kvm, argp); if (!sev->snp_context) return -ENOTTY; start.gctx_paddr = __psp_pa(sev->snp_context); start.policy = params.policy; memcpy(start.gosvw, params.gosvw, sizeof(params.gosvw)); rc = __sev_issue_cmd(argp->sev_fd, SEV_CMD_SNP_LAUNCH_START, &start, &argp->error); if (rc) { pr_debug("%s: SEV_CMD_SNP_LAUNCH_START firmware command failed, rc %d\n", __func__, rc); goto e_free_context; } sev->fd = argp->sev_fd; rc = snp_bind_asid(kvm, &argp->error); if (rc) { pr_debug("%s: Failed to bind ASID to SEV-SNP context, rc %d\n", __func__, rc); goto e_free_context; } return 0; e_free_context: snp_decommission_context(kvm); return rc; } struct sev_gmem_populate_args { __u8 type; int sev_fd; int fw_error; }; static int sev_gmem_post_populate(struct kvm *kvm, gfn_t gfn_start, kvm_pfn_t pfn, void __user *src, int order, void *opaque) { struct sev_gmem_populate_args *sev_populate_args = opaque; struct kvm_sev_info *sev = to_kvm_sev_info(kvm); int n_private = 0, ret, i; int npages = (1 << order); gfn_t gfn; if (WARN_ON_ONCE(sev_populate_args->type != KVM_SEV_SNP_PAGE_TYPE_ZERO && !src)) return -EINVAL; for (gfn = gfn_start, i = 0; gfn < gfn_start + npages; gfn++, i++) { struct sev_data_snp_launch_update fw_args = {0}; bool assigned = false; int level; ret = snp_lookup_rmpentry((u64)pfn + i, &assigned, &level); if (ret || assigned) { pr_debug("%s: Failed to ensure GFN 0x%llx RMP entry is initial shared state, ret __func__, gfn, ret, assigned); ret = ret ? -EINVAL : -EEXIST; goto err; } if (src) { void *vaddr = kmap_local_pfn(pfn + i); if (copy_from_user(vaddr, src + i * PAGE_SIZE, PAGE_SIZE)) { ret = -EFAULT; goto err; } kunmap_local(vaddr); } ret = rmp_make_private(pfn + i, gfn << PAGE_SHIFT, PG_LEVEL_4K, sev_get_asid(kvm), true); if (ret) goto err; n_private++; fw_args.gctx_paddr = __psp_pa(sev->snp_context); fw_args.address = __sme_set(pfn_to_hpa(pfn + i)); fw_args.page_size = PG_LEVEL_TO_RMP(PG_LEVEL_4K); fw_args.page_type = sev_populate_args->type; ret = __sev_issue_cmd(sev_populate_args->sev_fd, SEV_CMD_SNP_LAUNCH_UPDATE, &fw_args, &sev_populate_args->fw_error); if (ret) goto fw_err; } return 0; fw_err: /* * If the firmware command failed handle the reclaim and cleanup of that * PFN specially vs. prior pages which can be cleaned up below without * needing to reclaim in advance. * * Additionally, when invalid CPUID function entries are detected, * firmware writes the expected values into the page and leaves it * unencrypted so it can be used for debugging and error-reporting. * * Copy this page back into the source buffer so userspace can use this * information to provide information on which CPUID leaves/fields * failed CPUID validation. */ if (!snp_page_reclaim(kvm, pfn + i) && sev_populate_args->type == KVM_SEV_SNP_PAGE_TYPE_CPUID && sev_populate_args->fw_error == SEV_RET_INVALID_PARAM) { void *vaddr = kmap_local_pfn(pfn + i); if (copy_to_user(src + i * PAGE_SIZE, vaddr, PAGE_SIZE)) pr_debug("Failed to write CPUID page back to userspace\n"); kunmap_local(vaddr); } /* pfn + i is hypervisor-owned now, so skip below cleanup for it. */ n_private--; err: pr_debug("%s: exiting with error ret %d (fw_error %d), restoring %d gmem PFNs to __func__, ret, sev_populate_args->fw_error, n_private); for (i = 0; i < n_private; i++) kvm_rmp_make_shared(kvm, pfn + i, PG_LEVEL_4K); return ret; } static int snp_launch_update(struct kvm *kvm, struct kvm_sev_cmd *argp) { struct kvm_sev_info *sev = to_kvm_sev_info(kvm); struct sev_gmem_populate_args sev_populate_args = {0}; struct kvm_sev_snp_launch_update params; struct kvm_memory_slot *memslot; long npages, count; void __user *src; int ret = 0; if (!sev_snp_guest(kvm) || !sev->snp_context) return -EINVAL; if (copy_from_user(¶ms, u64_to_user_ptr(argp->data), sizeof(params))) return -EFAULT; pr_debug("%s: GFN start 0x%llx length 0x%llx type %d flags %d\n", __func__, params.gfn_start, params.len, params.type, params.flags); if (!PAGE_ALIGNED(params.len) || params.flags || (params.type != KVM_SEV_SNP_PAGE_TYPE_NORMAL && params.type != KVM_SEV_SNP_PAGE_TYPE_ZERO && params.type != KVM_SEV_SNP_PAGE_TYPE_UNMEASURED && params.type != KVM_SEV_SNP_PAGE_TYPE_SECRETS && params.type != KVM_SEV_SNP_PAGE_TYPE_CPUID)) return -EINVAL; npages = params.len / PAGE_SIZE; /* * For each GFN that's being prepared as part of the initial guest * state, the following pre-conditions are verified: * * 1) The backing memslot is a valid private memslot. * 2) The GFN has been set to private via KVM_SET_MEMORY_ATTRIBUTES * beforehand. * 3) The PFN of the guest_memfd has not already been set to private * in the RMP table. * * The KVM MMU relies on kvm->mmu_invalidate_seq to retry nested page * faults if there's a race between a fault and an attribute update via * KVM_SET_MEMORY_ATTRIBUTES, and a similar approach could be utilized * here. However, kvm->slots_lock guards against both this as well as * concurrent memslot updates occurring while these checks are being * performed, so use that here to make it easier to reason about the * initial expected state and better guard against unexpected * situations. */ mutex_lock(&kvm->slots_lock); memslot = gfn_to_memslot(kvm, params.gfn_start); if (!kvm_slot_can_be_private(memslot)) { ret = -EINVAL; goto out; } sev_populate_args.sev_fd = argp->sev_fd; sev_populate_args.type = params.type; src = params.type == KVM_SEV_SNP_PAGE_TYPE_ZERO ? NULL : u64_to_user_ptr(params.uaddr); count = kvm_gmem_populate(kvm, params.gfn_start, src, npages, sev_gmem_post_populate, &sev_populate_args); if (count < 0) { argp->error = sev_populate_args.fw_error; pr_debug("%s: kvm_gmem_populate failed, ret %ld (fw_error %d)\n", __func__, count, argp->error); ret = -EIO; } else { params.gfn_start += count; params.len -= count * PAGE_SIZE; if (params.type != KVM_SEV_SNP_PAGE_TYPE_ZERO) params.uaddr += count * PAGE_SIZE; ret = 0; if (copy_to_user(u64_to_user_ptr(argp->data), ¶ms, sizeof(params))) ret = -EFAULT; } out: mutex_unlock(&kvm->slots_lock); return ret; } static int snp_launch_update_vmsa(struct kvm *kvm, struct kvm_sev_cmd *argp) { struct kvm_sev_info *sev = to_kvm_sev_info(kvm); struct sev_data_snp_launch_update data = {}; struct kvm_vcpu *vcpu; unsigned long i; int ret; data.gctx_paddr = __psp_pa(sev->snp_context); data.page_type = SNP_PAGE_TYPE_VMSA; kvm_for_each_vcpu(i, vcpu, kvm) { struct vcpu_svm *svm = to_svm(vcpu); u64 pfn = __pa(svm->sev_es.vmsa) >> PAGE_SHIFT; ret = sev_es_sync_vmsa(svm); if (ret) return ret; /* Transition the VMSA page to a firmware state. */ ret = rmp_make_private(pfn, INITIAL_VMSA_GPA, PG_LEVEL_4K, sev->asid, true); if (ret) return ret; /* Issue the SNP command to encrypt the VMSA */ data.address = __sme_pa(svm->sev_es.vmsa); ret = __sev_issue_cmd(argp->sev_fd, SEV_CMD_SNP_LAUNCH_UPDATE, &data, &argp->error); if (ret) { snp_page_reclaim(kvm, pfn); return ret; } svm->vcpu.arch.guest_state_protected = true; /* * SEV-ES (and thus SNP) guest mandates LBR Virtualization to * be _always_ ON. Enable it only after setting * guest_state_protected because KVM_SET_MSRS allows dynamic * toggling of LBRV (for performance reason) on write access to * MSR_IA32_DEBUGCTLMSR when guest_state_protected is not set. */ svm_enable_lbrv(vcpu); --> -------------------- --> maximum size reached --> --------------------
¤ Dauer der Verarbeitung: 0.11 Sekunden (vorverarbeitet) ¤*© Formatika GbR, Deutschland |
|
||||||||||||||
2026-04-06