Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Step:FrontRunner
qemu.18973
0057-sev-i386-add-support-to-LAUNCH_MEAS.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0057-sev-i386-add-support-to-LAUNCH_MEAS.patch of Package qemu.18973
From: Brijesh Singh <brijesh.singh@amd.com> Date: Thu, 8 Mar 2018 06:48:51 -0600 Subject: sev/i386: add support to LAUNCH_MEASURE command During machine creation we encrypted the guest bios image, the LAUNCH_MEASURE command can be used to retrieve the measurement of the encrypted memory region. This measurement is a signature of the memory contents that can be sent to the guest owner as an attestation that the memory was encrypted correctly by the firmware. VM management tools like libvirt can query the measurement using query-sev-launch-measure QMP command. Cc: Paolo Bonzini <pbonzini@redhat.com> Cc: Richard Henderson <rth@twiddle.net> Cc: Eduardo Habkost <ehabkost@redhat.com> Signed-off-by: Brijesh Singh <brijesh.singh@amd.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> (cherry picked from commit c6c89c976dd654a943603396f1ea58b7a0eb3101) [BR: FATE#322124] Signed-off-by: Bruce Rogers <brogers@suse.com> --- target/i386/sev-stub.c | 5 ++++ target/i386/sev.c | 63 ++++++++++++++++++++++++++++++++++++++++ target/i386/sev_i386.h | 2 ++ target/i386/trace-events | 1 + 4 files changed, 71 insertions(+) diff --git a/target/i386/sev-stub.c b/target/i386/sev-stub.c index c86d8c1392379e6a134d88f612fe..2f61c32ec975cc0b553e5e00a4ca 100644 --- a/target/i386/sev-stub.c +++ b/target/i386/sev-stub.c @@ -39,3 +39,8 @@ uint32_t sev_get_reduced_phys_bits(void) { return 0; } + +char *sev_get_launch_measurement(void) +{ + return NULL; +} diff --git a/target/i386/sev.c b/target/i386/sev.c index 2d14879166efeb77701a797b02fa..0132beaf24b4610d044d583f2b1c 100644 --- a/target/i386/sev.c +++ b/target/i386/sev.c @@ -516,6 +516,68 @@ sev_launch_update_data(uint8_t *addr, uint64_t len) return ret; } +static void +sev_launch_get_measure(Notifier *notifier, void *unused) +{ + int ret, error; + guchar *data; + SEVState *s = sev_state; + struct kvm_sev_launch_measure *measurement; + + if (!sev_check_state(SEV_STATE_LAUNCH_UPDATE)) { + return; + } + + measurement = g_new0(struct kvm_sev_launch_measure, 1); + + /* query the measurement blob length */ + ret = sev_ioctl(sev_state->sev_fd, KVM_SEV_LAUNCH_MEASURE, + measurement, &error); + if (!measurement->len) { + error_report("%s: LAUNCH_MEASURE ret=%d fw_error=%d '%s'", + __func__, ret, error, fw_error_to_str(errno)); + goto free_measurement; + } + + data = g_new0(guchar, measurement->len); + measurement->uaddr = (unsigned long)data; + + /* get the measurement blob */ + ret = sev_ioctl(sev_state->sev_fd, KVM_SEV_LAUNCH_MEASURE, + measurement, &error); + if (ret) { + error_report("%s: LAUNCH_MEASURE ret=%d fw_error=%d '%s'", + __func__, ret, error, fw_error_to_str(errno)); + goto free_data; + } + + sev_set_guest_state(SEV_STATE_LAUNCH_SECRET); + + /* encode the measurement value and emit the event */ + s->measurement = g_base64_encode(data, measurement->len); + trace_kvm_sev_launch_measurement(s->measurement); + +free_data: + g_free(data); +free_measurement: + g_free(measurement); +} + +char * +sev_get_launch_measurement(void) +{ + if (sev_state && + sev_state->state >= SEV_STATE_LAUNCH_SECRET) { + return g_strdup(sev_state->measurement); + } + + return NULL; +} + +static Notifier sev_machine_done_notify = { + .notify = sev_launch_get_measure, +}; + void * sev_guest_init(const char *id) { @@ -593,6 +655,7 @@ sev_guest_init(const char *id) } ram_block_notifier_add(&sev_ram_notifier); + qemu_add_machine_init_done_notifier(&sev_machine_done_notify); return s; err: diff --git a/target/i386/sev_i386.h b/target/i386/sev_i386.h index eb82de5653bca177576d8c074474..e91ea8e15a60577ba43c571db4e0 100644 --- a/target/i386/sev_i386.h +++ b/target/i386/sev_i386.h @@ -37,6 +37,7 @@ extern uint64_t sev_get_me_mask(void); extern SevInfo *sev_get_info(void); extern uint32_t sev_get_cbit_position(void); extern uint32_t sev_get_reduced_phys_bits(void); +extern char *sev_get_launch_measurement(void); typedef struct QSevGuestInfo QSevGuestInfo; typedef struct QSevGuestInfoClass QSevGuestInfoClass; @@ -78,6 +79,7 @@ struct SEVState { uint32_t handle; int sev_fd; SevState state; + gchar *measurement; }; typedef struct SEVState SEVState; diff --git a/target/i386/trace-events b/target/i386/trace-events index 4aa87ef3eeb54483b8bd94daf5c2..ce6c71b375c2cd6b0ec9fdf6f2b4 100644 --- a/target/i386/trace-events +++ b/target/i386/trace-events @@ -13,3 +13,4 @@ kvm_memcrypt_unregister_region(void *addr, size_t len) "addr %p len 0x%zu" kvm_sev_change_state(const char *old, const char *new) "%s -> %s" kvm_sev_launch_start(int policy, void *session, void *pdh) "policy 0x%x session %p pdh %p" kvm_sev_launch_update_data(void *addr, uint64_t len) "addr %p len 0x%" PRIu64 +kvm_sev_launch_measurement(const char *value) "data %s"
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor