Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753512AbdIEVj1 (ORCPT ); Tue, 5 Sep 2017 17:39:27 -0400 Received: from mail-bn3nam01on0088.outbound.protection.outlook.com ([104.47.33.88]:29888 "EHLO NAM01-BN3-obe.outbound.protection.outlook.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1752312AbdIEVjX (ORCPT ); Tue, 5 Sep 2017 17:39:23 -0400 Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=brijesh.singh@amd.com; Cc: brijesh.singh@amd.com, linux-kernel@vger.kernel.org, x86@kernel.org, kvm@vger.kernel.org, Thomas Gleixner , Joerg Roedel , "Michael S . Tsirkin" , Paolo Bonzini , =?UTF-8?B?UmFkaW0gS3LEjW3DocWZ?= , Tom Lendacky Subject: Re: [RFC Part2 PATCH v3 01/26] Documentation/virtual/kvm: Add AMD Secure Encrypted Virtualization (SEV) To: Borislav Petkov References: <20170724200303.12197-1-brijesh.singh@amd.com> <20170724200303.12197-2-brijesh.singh@amd.com> <20170905172130.24fgl6xsrfovsbsp@pd.tnic> From: Brijesh Singh Message-ID: Date: Tue, 5 Sep 2017 16:39:14 -0500 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1 MIME-Version: 1.0 In-Reply-To: <20170905172130.24fgl6xsrfovsbsp@pd.tnic> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit X-Originating-IP: [165.204.77.1] X-ClientProxiedBy: DM5PR2001CA0011.namprd20.prod.outlook.com (10.172.43.21) To BY2PR12MB0146.namprd12.prod.outlook.com (10.162.82.19) X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: 1f6bf80e-68d0-4404-3ea9-08d4f4a6916b X-MS-Office365-Filtering-HT: Tenant X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:(300000500095)(300135000095)(300000501095)(300135300095)(22001)(300000502095)(300135100095)(2017030254152)(48565401081)(300000503095)(300135400095)(2017052603199)(201703131423075)(201703031133081)(201702281549075)(300000504095)(300135200095)(300000505095)(300135600095)(300000506095)(300135500095);SRVR:BY2PR12MB0146; X-Microsoft-Exchange-Diagnostics: 1;BY2PR12MB0146;3:Wf3KEPSBYxUbkHJLvMLU1Y6ORFNeIw/ERUMfxYha06+YEtsbbmhK/XlH4uKVxqwl/MpAUolqpNLdewK1WwoFeTxvC9tRf3TAdGxv2za+//R7rwOWtNW/OCmAZK/e+C2D+wsmr6TLgsqpCABJ28TKvkErYdOcvYY2IRISR0KH6rBpmIActv7BGmNnMF2hPuS5NddNIZw5ssDhWkRlsAOWmcfDVaiKkD/f+eArhkXCQI9dUHotBisOUWlblltYtktq;25:4AYUJcjbyRRy1uSrm7mnnksHdXEsAyyQ1qhDq9r6ReCRVjXMBK+oycWC9zs7IEq9FX0LIZxBJ+snaceUw1cyhDElu2OPNPOtnxw5yWY0iEYPb0u/v9oMQRlKiXept9x01Sh96ji2VRQrPQfLFmGg1k819JBmrccnMQSmGOCDluhEKvlFkg50S9WErz8yS/6IrEJ4HNe57OMWXcTJKmpsqS3NZbCFt0VklFtRkSyApm2mFeXAKvhzq7sgauCqHH9dWyBy6/nr81/JRJ/3ujzonQvhIeI0ZZnzf/T/aN4/PzMrYXTa/GKAC8ATpxtJT2gOR/7+uHrHnu1WscQ7vOuuQw==;31:IVI/5AzHqGiSgHBbkFy8lZv/LzZK/2oFgZ4hrscZo3VsUTlMxxGiHhK3GsBU3PsX3vz2CkhU/vYdW7/DspdphCVBNbfGkJ/Yf/rD2fDl/ZUOjHsW6V949PcrSBQtG3z3IUuFhDAR7dYKbEFR9nKGy0I1ZG9+8Z22e1NM5NxerlJV83CorP6w3qCE97B9mcu0HYVIWm3IY1T5zJyteltENbOiMzyIH3Jh74Or5w0ws/I= X-MS-TrafficTypeDiagnostic: BY2PR12MB0146: X-Microsoft-Exchange-Diagnostics: 1;BY2PR12MB0146;20:/QBdmkvtlH74nIzpW71T0IXkIUivw4o4YXX3pBvvqPZ+rLtn068LhJXDUNZFRc9km7tKf1D6KPD2nJPAjJDJuG33O9Uomx3AsaubToyakxQCwcvMoegcMjJlTyH1bhLK9VxxknVZrz1Vi+UmUvmy5Hk/fXz5yM8+x2uyvLXr4nQtfeDAUIMWdZCW0chnZh1MdeXaktbUIiWLMTBvCyl5xSealTbwRdIMkqOQIU8Vm/ImwOIO+ku4tbo1jsupxNSQVLilQlZOgqCs8nH8r4e86gPbmjoMYt99V6AS4Jw3i3biDUQ1MQOXRmgXEhJgYzZUF9bOPZAmoxyQPnPuTHH/iHBHGlQfaLu/XW4CJLhvb/pEEn2bwPwZu+uzHZidfztQzt7Q4srb/wRC3Y4xSdyXmk+TPz2zJx0DdXu7uo5W/4+aVRtMn2HzOVogGJCBE3rIRBMWsTpkJBl6vVhGvE0M/1bS0/us9UK3N3R9QNUdQcKb63SM4FkvgXZdyd2BOHeT;4:TsPczmoQPC2Dm6awrowvqhEX1mTwwt60n47ft5mxO/IaNCMwK6gT2iCXtgIEWIiqoqQVcgiSSvJ+jiGy2axc27T53f0r7vjltyu5THKCuP8Ud6y1W4ZDLC/VKBhHwV7Y9Q9F56azv0laapq8QSamgpvVUG6XgUKRxaRdiVS0s+JHqDVUKpkYcOD6osBELmDZGXS3cdM9Cwf6h3kLEw116cQ4rshFfoge1QXyI6WGbuNELXX0xwTBRynyhEltGKVWLzzTDkXaYwuzbA/JhYJZiyUbh8f2D4ce3GWAs06O8eo= X-Exchange-Antispam-Report-Test: UriScan:(767451399110); X-Microsoft-Antispam-PRVS: X-Exchange-Antispam-Report-CFA-Test: BCL:0;PCL:0;RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6040450)(2401047)(5005006)(8121501046)(100000703101)(100105400095)(93006095)(93001095)(3002001)(10201501046)(6055026)(6041248)(20161123555025)(20161123564025)(20161123562025)(20161123558100)(20161123560025)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(6072148)(201708071742011)(100000704101)(100105200095)(100000705101)(100105500095);SRVR:BY2PR12MB0146;BCL:0;PCL:0;RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095);SRVR:BY2PR12MB0146; X-Forefront-PRVS: 0421BF7135 X-Forefront-Antispam-Report: SFV:NSPM;SFS:(10009020)(6049001)(6009001)(39860400002)(189002)(377454003)(199003)(24454002)(68736007)(31686004)(77096006)(6486002)(189998001)(65826007)(90366009)(966005)(5660300001)(229853002)(478600001)(305945005)(54906002)(8936002)(101416001)(345774005)(50986999)(64126003)(54356999)(7736002)(8676002)(83506001)(6306002)(53546010)(81156014)(81166006)(50466002)(76176999)(25786009)(6916009)(47776003)(36756003)(97736004)(105586002)(4326008)(2950100002)(230700001)(4001350100001)(110136004)(3846002)(2906002)(65956001)(66066001)(65806001)(42186005)(53936002)(106356001)(6116002)(6246003)(6666003)(86362001)(23676002)(33646002)(31696002);DIR:OUT;SFP:1101;SCL:1;SRVR:BY2PR12MB0146;H:[10.236.136.62];FPR:;SPF:None;PTR:InfoNoRecords;MX:1;A:1;LANG:en; X-Microsoft-Exchange-Diagnostics: =?utf-8?B?MTtCWTJQUjEyTUIwMTQ2OzIzOm9HajdhUytCN2VWTzVlY3RnK2JxbUNXUkhT?= =?utf-8?B?QmswK1FZVDkrcXdlMEpYWHRnRklkZkN6a3d5NURXdy9xR2hJa1ZSS3ZNMDFv?= =?utf-8?B?R2Q5NWFHZVgyQnVjQ1ZEYWYxYVAwUnBPZjl3VlkrMXlDYzBLcnpMdisvemVQ?= =?utf-8?B?N0hPRTdGTGRvVnZFTUprUERyVDRCMFNxY1N1ZGJ2aGtYUGd5eWhIdFFiNnhS?= =?utf-8?B?M2hkclJxcGZ2dnhjc04rdkJubkZDUkFkdlk2NURKYTVSL3U0UEU4cEN4OWVW?= =?utf-8?B?dVNvNUtxWHF6VjU0Nmt6eVRkZmVYdXI5LzBlNDFSRlFrOUxVWUpFY0xQT1Jr?= =?utf-8?B?TTdJRTVhdGRUbnBtNWxoZUpUclhwdEUvdy8wTkt2cEtJcC9XcDFPeno0SlhY?= =?utf-8?B?UUszeWVVaFJ0QWd5aU5iTitwNjMwS0pGajhJdEdQM2NXZ0phQzJaUWNyV2tu?= =?utf-8?B?WWQ3MGRsT3ltWXBVRk0vQzVEUERnR1lieWRvbzJNYlJXM1J3YzlTdXdDS2Fq?= =?utf-8?B?cVU0dUVKb1Y1UXcrdDBZTlFXdkRPYkRYbFhQRm91cHNyeXI4N2k5Y05MTko0?= =?utf-8?B?RXo2WEpucTAyUUM4QTNzUmxrMndWc1RXV0k3aFlxRW1yZkFwZTFSS3RBZk9k?= =?utf-8?B?QzU2SitZTnlBWGxVZnhiQlRGNnNXQkJIZC9UNi8weFp5MXF0cmJobWlwdDBr?= =?utf-8?B?Y0sxWnBWZURndnNBdU80TDFyWnNIVFRzWDVtMWtnR0t5am9TanpXenR1N1ow?= =?utf-8?B?eUYzYldEK1lwUDhlc3I3aWQwR3VPdEQ5dGRSQ3FobGRWcnhPUTYyNFY3T1d1?= =?utf-8?B?VTVNRmFzYjliM0xPVnZQUUdDTWJBZmF1UW1seGV4Y3h4QWFXSy9jSDM3K29q?= =?utf-8?B?enRDWnM3WjFiUER5dlo1d2xFK084bmlSUllkYldMcllaeG4remErc3N3Nnpl?= =?utf-8?B?SUY4VFB5eVZQODh3NFJzeWFQeU5lZFQ1KzBzdkYwekFMUnZMaTFJT0xrczRr?= =?utf-8?B?anBRVnZBMjBxaDkwLzkxS0NJZllYMUN1dUtET1M2SHlVTWxZTkFkOVZuc0l2?= =?utf-8?B?NXk2czBTL1ZZa2s0VTJoMDUzRG03ZWRMeHVNa0JJeXlGMXNEc1BLbnNCdi8x?= =?utf-8?B?bnorTjYxQURnYVZxRDk5aktmSEVnUWI1ak01azZYdkVWbjdmOCt0TXI1a3h6?= =?utf-8?B?aUdISXoweHNrN0pVUkFIL0pOMzlsZGxDSlNYN0ltcTVGMnlBcTJ3WjZhSG5N?= =?utf-8?B?bVR0Ymd0cGJReXBQWDhiZ0FFRlZZbUJjQ052ZS94U0RNNG83UHRSNmh1Zisx?= =?utf-8?B?TTZQMzVrSkFQNlFldldtanZjUzRwWVdNR0NFWEV5VzdvMHEwYThWY29tNEY3?= =?utf-8?B?Vjc1WnRnbHhDeHZDRDcvVDdUaDErd1JRSnNZUE9RalRPVjNYSE9uRnNmcVlV?= =?utf-8?B?dVVpNzdjNGVRaUo1RVBxV0dlcGRZQ0RhOW9tK0lWaTVXdHVKbHlJb3k1QjNm?= =?utf-8?B?QlIxZXo0b0oyOXhCWmZKM0FFcFI0YlR6U2hpUUtSN0RFelg1NHQ1UmFFQ0lK?= =?utf-8?B?ZDlvRHd0aHY3SnpYRGRVa0xtWjBEb1lydmxvRFFwejBaK3BTVnRqWmV0V25t?= =?utf-8?B?UmxkRXA3MnQzWUFjcVp2NDYwVU9wUWhvWjdDNks3NmY4L1MwMGs3MCtCUkgv?= =?utf-8?B?ZnBVeitWdDVUc2hhWWtZQTAxNmVoR0pYRkY1dEVQUXBJQ2pwYThaYUFpOE56?= =?utf-8?B?MW1SM1MrdC93MDNCbDVjOUNTYmZxRnR3OG1XK1pXbkhVQ1BqQzJrdmQ2SGtm?= =?utf-8?B?WVpyaTB0ZjVGdHMvc2M2REo2ZkVZZFNVTEtFT2MxYWFhRndhTlNZeGdsWTNt?= =?utf-8?B?eFRiaVhFY3NtbFpSWjJFT1JOSWZKOGRqZkI4Mk85bHgrUiswUUlKMm81d0ZX?= =?utf-8?Q?yb1YAAFzw9GbgoWLX+tiHhid6Dj7EY=3D?= X-Microsoft-Exchange-Diagnostics: 1;BY2PR12MB0146;6:EvY55r/L6HULT0EZFHpqZI8FcoZW9SADIjuxbQ/s9LPKdkhr8gkoO8dEQ76AzgJZTMwOFqCdJTPB5gS91OJT+3iRoI631GoPNJy7ZJbdm4IPA636ug/SgxxLaqf6pQQM4MMZfYbbMkDk90EdaGLcZk/EcxbEVMuWCohsMQ0ljI+JJ4lKyhnVAqiMTOuvT7CUfRbjbaqB1jXWMy7L38OCYT06wbg3ohXcuYFiGKXYYrsjeYDHdSXwgmUupl7PywXg6WfKjXhDt13NYTKK7Bm5p5phNFF6l+1Mnt6NJh9NDlwDtDTPGjEi2YqdKvaJSvpKNzZHVeeCmfTNTpfKtjt5lw==;5:GP9O1SunhZxauFEaD6jeoSwYTjjY1s7pmMyyvoOvroAbKZMI4HUf81xgVdQ5VjB8SDgq4/DW4pYQSVPBGSV0otFcOuzYDmdEH9UrPoo4cudwb+8iD0lU1uY2VzekqAlh3Jjec9y2Y4fbmOE77u4Jqw==;24:z7koK5lXDIGsJX8mKi+d/f+pjN4IQyu44I4DX+ocua4XXkIesP0LeYURArXo2rGvP1HP5jiBlFrRemIxzllJ1/StohmGOhK6+YvDjsr/OgQ=;7:6P6v1Y6mRHmzoVK4k0KLMRAd7XM/GjUmonKBCZOQOzDE+ITM1TaSz2xNleefdhO6K19CigxIqhyFJtIY7aEDIETdwgYSN3kEI3g1vWUAz27324BloOfoIZ5ynjWNnWRWx2424PRczzySj6yGAmr9qktvbdUeSpODzQrCiKs1wiPqoQb0gg+JxmL6ZPhr1R3pDff5QJj0fVlv7G///gd3bkf0GW++X90MCa4xfAoN1+U= SpamDiagnosticOutput: 1:99 SpamDiagnosticMetadata: NSPM X-Microsoft-Exchange-Diagnostics: 1;BY2PR12MB0146;20:Ey4pFqSyaA8vPzb3KxO5YnFViHP8/ed2ujTtWi6Z41hu2E3bfacOwqhwZZxDL++enbpY9g+JKqFZGi/nL6P40NZrdFloiyOTuRYlUEO66nVQAe/bzevlzhP14HNKTMsP4tvR0oupro5J224E3Ew3vupdgftB7o1PPDoVNpS5sSHvTiWOtA04Bbxf1Z2MoJ0bbpl+qQs5gty820WkHU8B1ilRvAA1iosFQvzpj0KIXaieb4Po/VH3Ir4XmD5riNy7 X-OriginatorOrg: amd.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 05 Sep 2017 21:39:19.3805 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 3dd8961f-e488-4e60-8e11-a82d994e183d X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR12MB0146 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 4163 Lines: 142 Hi Boris, Thanks for detail review, I have incorporate the spell check in my work flow and will be fixing all those spell check errors innext rev. On 09/05/2017 12:21 PM, Borislav Petkov wrote: [...] >> +3. KVM_SEV_LAUNCH_MEASURE >> + >> +Parameters (in): struct kvm_sev_launch_measure >> +Returns: 0 on success, -negative on error >> + >> +LAUNCH_MEASURE returns the measurement of the memory region encrypted with >> +LAUNCH_UPDATE_DATA. The measurement is keyed with the TIK so that the guest >> +owner can use the measurement to verify the guest was properly launched without >> +tempering. > > So this could use a bit more text as it is such an important aspect of > the whole verification of the guest. > >> + >> +struct kvm_sev_launch_measure { >> + /* where to copy the measurement blob */ >> + __u64 address; >> + >> + /* length of memory region containing measurement */ >> + __u32 length; >> +}; >> + >> +If measurement length is too small, the required length is returned in the >> +length field. >> + >> +On success, the measurement is copied to the address. > > And how is success signalled to the caller? > The measurement verification is performed outside the KVM/Qemu. From driver point of view, all we have to do is issues LAUNCH_MEASURE command when userspace asks for the measurement. I can see that command name is confusing - I am thinking of renaming it to "KVM_SEV_GET_LAUNCH_MEASUREMENT" The complete flow is listed in Appendix A of SEV firmware spec [1]. I will update the doc to give SEV spec section references for the details. Not sure if we need to document the complete measurement flow in the driver doc. [...] >> + >> +4. KVM_SEV_LAUNCH_FINISH >> + >> +Returns: 0 on success, -negative on error >> + >> +LAUNCH_FINISH command finalize the SEV guest launch process. > > "The KVM_SEV_LAUNCH_FINISH command..." > >> + >> +5. KVM_SEV_GUEST_STATUS >> + >> +Parameters (out): struct kvm_sev_guest_status > > This is an "out" command, so it should be called > KVM_SEV_GET_GUEST_STATUS. Or is it too late for that? I was trying map with SEV firmware spec command names but I see your point and will call it "KVM_SEV_GET_GUEST_STATUS". >> + >> +enum { >> + /* guest state is not known */ >> + SEV_STATE_INVALID = 0; > > not known or invalid? Again, was trying to follow the spec naming convention but I can go with UNKNOWN .. > > Btw, side-comments will make this much more readable: > > enum { > SEV_STATE_INVALID = 0, > SEV_STATE_LAUNCHING, > SEV_STATE_SECRET, /* guest is being launched and ready to accept the ciphertext data */ > SEV_STATE_RUNNING, /* guest is fully launched and running */ > SEV_STATE_RECEIVING, /* guest is being migrated in from another SEV machine */ > SEV_STATE_SENDING, /* guest is getting migrated out to another SEV machine */ > }; > I was trying to keep everything to 80 column limit but if that is not an issue for documentation then I like your recommendation. [...] >> +8. KVM_SEV_SEND_START >> + >> +Parameters (in): struct kvm_sev_send_start >> +Returns: 0 on success, -negative on error >> + >> +SEND_START command is used to export a SEV guest from one platform to another. > > Export or migrate? > >> +It can be used for saving a guest to disk to be resumed later, or it can be >> +used to migrate a guest across the network to a receiving platform. > > And how do I specify which of those actions needs to happen? > The command does not require explicit parameter to differentiate between live migration vs snapshot. All it needs is a destination platform PDH key. If its live migration case then VM management stack will probably communicate with remote platform and get its PDH keys before calling us. The KVM driver simply acts upon the request from the userspace. SEV firmware spec Appendix A [1] provides complete flow diagram which need to be implemented in userspace. The driver simply act upon when it asked to create SEND_START context. [1] http://support.amd.com/TechDocs/55766_SEV-KM%20API_Specification.pdf > > Phew, that took long. > Thank you for detail review.