Received: by 2002:a05:7412:798b:b0:fc:a2b0:25d7 with SMTP id fb11csp875421rdb;
        Fri, 23 Feb 2024 02:57:52 -0800 (PST)
X-Forwarded-Encrypted: i=3; AJvYcCUEQvTjID7BRkyr8I0kVnY6F/XJ5pBY4R2RttnGWYfL1rqBJrPrnQUXMc7iyPLFdwIITkhc0rD+CxGcTloALqllRK9YJG4nAvCx+uXMCA==
X-Google-Smtp-Source: AGHT+IFAqPf5yegHuXNHTKaaS0OliIsG4iJ8xG7QlZ7FwDO0ognKFg4iehChm23NaohCUJGSvt6G
X-Received: by 2002:a05:6830:1e9b:b0:6e2:af09:af29 with SMTP id n27-20020a0568301e9b00b006e2af09af29mr1583911otr.10.1708685872253;
        Fri, 23 Feb 2024 02:57:52 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1708685872; cv=pass;
        d=google.com; s=arc-20160816;
        b=teLoRGrgU+m4KxbXlgn/bOHy0WFhUvGQa3JOseUWjDwzCjPiSz40OSOwa+stF7u5FP
         V+r2aHq87C/8IqUihJinvFa3OC/33f5iIfQmsfWRL2vfSY7pfDASdiDUDuNc2TRtnOD5
         3u478hUavJlvhJYkwWh5NN7uTxjv7ka83dVP9q4k+PlNkS0/k9TNwe8ARlZFKXu/hc67
         Y196B1cFNpuTknATXCN3NxhkbVyaZgLfnhxfkMhRmG+lDxuDqZMqZ6T3hmC9KY/xlDxA
         Dn4OmAAxN4xyPnjg2N2jYlSBn80Xjxdm9J03HbTTz2lnLXkZ0ewI3J1vMGNnbYbvqfgr
         j+yw==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:mime-version:list-unsubscribe
         :list-subscribe:list-id:precedence:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=oynZG24uRHfx+IPkhc4um2RyGrLEMnq7IRNosym5KAE=;
        fh=TLdZJsFzSA0fpm6Q4iUv+uB0sG0oU+h3Bp6HiSGyZm8=;
        b=XlXkeBQIZ+lIFPYwV7yzj25TcDAhGBNe8kMAFCSE2X7t2vNfgLiE10wos+pWzrPXF+
         ykikYaTXidMFANIytfa1nUvMUOIoMMof2sjA/mQjn/pxoVVudjP7Gj9Il0K6yHBOVgG+
         jrKtyg79YL0ssLNdQnKLn6HzgKmJRmosnV0h0Hvt5VxKDtXnWz5uMgox7boCjEtirGOQ
         J5+eUq8NqSRJ1Khwg+QJCIQfXoNWIoMwdHi5970ooMTkWbuB0WGRnAsYcmG+0n8I2mjx
         Guh5RFB2cklz3+dqCD7M8Gk5NsZCd1290qaAA2eS3AB4e9yJ4PtY2oCMNsOJGeQzMtRX
         kLKQ==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=O2YNUluN;
       arc=pass (i=1 spf=pass spfdomain=redhat.com dkim=pass dkdomain=redhat.com dmarc=pass fromdomain=redhat.com);
       spf=pass (google.com: domain of linux-kernel+bounces-78159-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-kernel+bounces-78159-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Return-Path: <linux-kernel+bounces-78159-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [147.75.48.161])
        by mx.google.com with ESMTPS id l29-20020a63701d000000b005dcbb8409ecsi11768300pgc.611.2024.02.23.02.57.51
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 23 Feb 2024 02:57:52 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-78159-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) client-ip=147.75.48.161;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=O2YNUluN;
       arc=pass (i=1 spf=pass spfdomain=redhat.com dkim=pass dkdomain=redhat.com dmarc=pass fromdomain=redhat.com);
       spf=pass (google.com: domain of linux-kernel+bounces-78159-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-kernel+bounces-78159-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by sy.mirrors.kernel.org (Postfix) with ESMTPS id 0A02CB23A32
	for <linux.lists.archive@gmail.com>; Fri, 23 Feb 2024 10:42:35 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id E8E636166C;
	Fri, 23 Feb 2024 10:40:21 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="O2YNUluN"
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 005907A712
	for <linux-kernel@vger.kernel.org>; Fri, 23 Feb 2024 10:40:17 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.129.124
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1708684820; cv=none; b=XyZLxGZ86Ukd7GVs86GvsUuHhlg3LNcCmrZODT0Wy58vynrUMPItFjn2JUxD0xuH7HvDEXRGu39fbfSRPWILUA4ov1+CP15u8nStg2hk2nSJAYdx7dx2oXrAc3hwluyGSPdLTaSSS8Z/oVcdBFR0pTNANLlB9+Fp/MXoTSQuDmY=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1708684820; c=relaxed/simple;
	bh=Xfk36w848FnfrA1lN/seVSB+qKcPGYoneE2jqWKAdxM=;
	h=From:To:Cc:Subject:Date:Message-Id:MIME-Version:Content-Type; b=un29JgDfwO+sq56imYcQnMNMam9hGfjEX2SJFlO90QUw2aExcuHA573VzaLCEdMbrwpO5F68bewxMBV/EU3wOQO86s3l7C5Nkw5N9hmuQQeO2iJNba3wb+xJQrJFweEkTiYptd2D6WG4BE6aCtx6pbGMTxhFaghycGu8R7itqaE=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=O2YNUluN; arc=none smtp.client-ip=170.10.129.124
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=redhat.com
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1708684816;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=oynZG24uRHfx+IPkhc4um2RyGrLEMnq7IRNosym5KAE=;
	b=O2YNUluNgRVRDQ7uIgcsoZ78XHWhRFmXYv0dWn3YsRvIS69HvDS81Dtwt9I7v8apYSGrkd
	oKi6w36fkR55kacM3yuxCWUJL2ffnKxdKIp4D5V1rka53+WuVnM9iLTv0jVc4SD/oFK4eI
	DkT9PHTJzaWt6khTAivk05tdafsbXMY=
Received: from mimecast-mx02.redhat.com (mx-ext.redhat.com [66.187.233.73])
 by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-493-6AQzrZmlM5i5BhH_NQO1hw-1; Fri,
 23 Feb 2024 05:40:10 -0500
X-MC-Unique: 6AQzrZmlM5i5BhH_NQO1hw-1
Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 6CD853C0ED47;
	Fri, 23 Feb 2024 10:40:10 +0000 (UTC)
Received: from virtlab701.virt.lab.eng.bos.redhat.com (virtlab701.virt.lab.eng.bos.redhat.com [10.19.152.228])
	by smtp.corp.redhat.com (Postfix) with ESMTP id 3A050112132A;
	Fri, 23 Feb 2024 10:40:10 +0000 (UTC)
From: Paolo Bonzini <pbonzini@redhat.com>
To: linux-kernel@vger.kernel.org,
	kvm@vger.kernel.org
Cc: seanjc@google.com,
	michael.roth@amd.com,
	aik@amd.com
Subject: [PATCH v2 00/11] KVM: SEV: allow customizing VMSA features
Date: Fri, 23 Feb 2024 05:39:58 -0500
Message-Id: <20240223104009.632194-1-pbonzini@redhat.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 8bit
X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.3

The idea that no parameter would ever be necessary when enabling SEV or
SEV-ES for a VM was decidedly optimistic.  The first source of variability
that was encountered is the desired set of VMSA features, as that affects
the measurement of the VM's initial state and cannot be changed
arbitrarily by the hypervisor.

This series adds all the APIs that are needed to customize the features,
with room for future enhancements:

- a new /dev/kvm device attribute to retrieve the set of supported
  features (right now, only debug swap)

- a new sub-operation for KVM_MEM_ENCRYPT_OP that can take a struct,
  replacing the existing KVM_SEV_INIT and KVM_SEV_ES_INIT

It then puts the new op to work by including the VMSA features as a field
of the The existing KVM_SEV_INIT and KVM_SEV_ES_INIT use the full set of
supported VMSA features for backwards compatibility; but I am considering
also making them use zero as the feature mask, and will gladly adjust the
patches if so requested.

In order to avoid creating *two* new KVM_MEM_ENCRYPT_OPs, I decided that
I could as well make SEV and SEV-ES use VM types.  And then, why not make
a SEV-ES VM, when created with the new VM type instead of KVM_SEV_ES_INIT,
reject KVM_GET_REGS/KVM_SET_REGS and friends on the vCPU file descriptor
once the VMSA has been encrypted...  Which is how the API should have
always behaved.

The series is defined as follows:

- patches 1 and 2 are unrelated fixes and improvements for the SEV API

- patches 3 to 5 introduce the new device attribute to retrieve supported
  VMSA features

- patch 6 (new in v2) disables DEBUG_SWAP by default

- patches 7 and 8 introduce new infrastructure for VM types, partly lifted
  out of the TDX patches

- patches 9 and 10 introduce respectively the new VM types for SEV and
  SEV-ES, and KVM_SEV_INIT2 as a new sub-operation for KVM_MEM_ENCRYPT_OP.

- patch 11 tests the new ioctl.

The idea is that SEV SNP will only ever support KVM_SEV_INIT2.  I have
patches in progress for QEMU to support this new API.

Thanks,

Paolo

v1->v2:
- fix compilation with SEV disabled (patch 4)
- new patch "KVM: SEV: disable DEBUG_SWAP by default" (patch 6)
- move definition of __KVM_X86_*_TYPE outside uapi headers (patch 7)
- do not export __kvm_is_vm_type_supported (patch 8)
- fixes to documentation (patch 10)
- reject all features for SEV (patch 10)
- do not enable any features for legacy KVM_SEV_INIT/KVM_SEV_ES_INIT (patch 10)


Paolo Bonzini (11):
  KVM: SEV: fix compat ABI for KVM_MEMORY_ENCRYPT_OP
  KVM: introduce new vendor op for KVM_GET_DEVICE_ATTR
  Documentation: kvm/sev: separate description of firmware
  KVM: SEV: publish supported VMSA features
  KVM: SEV: store VMSA features in kvm_sev_info
  KVM: SEV: disable DEBUG_SWAP by default
  KVM: x86: define standard behavior for bits 0/1 of VM type
  KVM: x86: Add is_vm_type_supported callback
  KVM: SEV: define VM types for SEV and SEV-ES
  KVM: SEV: introduce KVM_SEV_INIT2 operation
  selftests: kvm: add tests for KVM_SEV_INIT2

 Documentation/virt/kvm/api.rst                |   2 +
 .../virt/kvm/x86/amd-memory-encryption.rst    |  81 +++++++--
 arch/x86/include/asm/kvm-x86-ops.h            |   2 +
 arch/x86/include/asm/kvm_host.h               |  11 +-
 arch/x86/include/uapi/asm/kvm.h               |  35 ++++
 arch/x86/kvm/svm/sev.c                        | 110 +++++++++++-
 arch/x86/kvm/svm/svm.c                        |  14 +-
 arch/x86/kvm/svm/svm.h                        |   6 +-
 arch/x86/kvm/x86.c                            | 157 ++++++++++++++----
 tools/testing/selftests/kvm/Makefile          |   1 +
 .../selftests/kvm/include/kvm_util_base.h     |   6 +-
 .../selftests/kvm/set_memory_region_test.c    |   8 +-
 .../selftests/kvm/x86_64/sev_init2_tests.c    | 146 ++++++++++++++++
 13 files changed, 510 insertions(+), 69 deletions(-)
 create mode 100644 tools/testing/selftests/kvm/x86_64/sev_init2_tests.c

-- 
2.39.1