1. 24 3月, 2018 1 次提交
  2. 17 3月, 2018 5 次提交
  3. 02 3月, 2018 3 次提交
  4. 24 2月, 2018 3 次提交
    • B
      KVM: SVM: Fix SEV LAUNCH_SECRET command · 9c5e0afa
      Brijesh Singh 提交于
      The SEV LAUNCH_SECRET command fails with error code 'invalid param'
      because we missed filling the guest and header system physical address
      while issuing the command.
      
      Fixes: 9f5b5b95 (KVM: SVM: Add support for SEV LAUNCH_SECRET command)
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Cc: Radim Krčmář <rkrcmar@redhat.com>
      Cc: Borislav Petkov <bp@suse.de>
      Cc: Tom Lendacky <thomas.lendacky@amd.com>
      Cc: linux-kernel@vger.kernel.org
      Cc: Joerg Roedel <joro@8bytes.org>
      Signed-off-by: NBrijesh Singh <brijesh.singh@amd.com>
      Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
      9c5e0afa
    • B
      KVM: SVM: install RSM intercept · 7607b717
      Brijesh Singh 提交于
      RSM instruction is used by the SMM handler to return from SMM mode.
      Currently, rsm causes a #UD - which results in instruction fetch, decode,
      and emulate. By installing the RSM intercept we can avoid the instruction
      fetch since we know that #VMEXIT was due to rsm.
      
      The patch is required for the SEV guest, because in case of SEV guest
      memory is encrypted with guest-specific key and hypervisor will not
      able to fetch the instruction bytes from the guest memory.
      
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Cc: Radim Krčmář <rkrcmar@redhat.com>
      Cc: Joerg Roedel <joro@8bytes.org>
      Cc: Borislav Petkov <bp@suse.de>
      Cc: Tom Lendacky <thomas.lendacky@amd.com>
      Signed-off-by: NBrijesh Singh <brijesh.singh@amd.com>
      Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
      7607b717
    • B
      KVM: SVM: no need to call access_ok() in LAUNCH_MEASURE command · 3e233385
      Brijesh Singh 提交于
      Using the access_ok() to validate the input before issuing the SEV
      command does not buy us anything in this case. If userland is
      giving us a garbage pointer then copy_to_user() will catch it when we try
      to return the measurement.
      Suggested-by: NAl Viro <viro@ZenIV.linux.org.uk>
      Fixes: 0d0736f7 (KVM: SVM: Add support for KVM_SEV_LAUNCH_MEASURE ...)
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Cc: Radim Krčmář <rkrcmar@redhat.com>
      Cc: Borislav Petkov <bp@suse.de>
      Cc: Tom Lendacky <thomas.lendacky@amd.com>
      Cc: linux-kernel@vger.kernel.org
      Cc: Joerg Roedel <joro@8bytes.org>
      Signed-off-by: NBrijesh Singh <brijesh.singh@amd.com>
      Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
      3e233385
  5. 23 2月, 2018 2 次提交
  6. 04 2月, 2018 2 次提交
    • K
      KVM/SVM: Allow direct access to MSR_IA32_SPEC_CTRL · b2ac58f9
      KarimAllah Ahmed 提交于
      [ Based on a patch from Paolo Bonzini <pbonzini@redhat.com> ]
      
      ... basically doing exactly what we do for VMX:
      
      - Passthrough SPEC_CTRL to guests (if enabled in guest CPUID)
      - Save and restore SPEC_CTRL around VMExit and VMEntry only if the guest
        actually used it.
      Signed-off-by: NKarimAllah Ahmed <karahmed@amazon.de>
      Signed-off-by: NDavid Woodhouse <dwmw@amazon.co.uk>
      Signed-off-by: NThomas Gleixner <tglx@linutronix.de>
      Reviewed-by: NDarren Kenny <darren.kenny@oracle.com>
      Reviewed-by: NKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Cc: Andrea Arcangeli <aarcange@redhat.com>
      Cc: Andi Kleen <ak@linux.intel.com>
      Cc: Jun Nakajima <jun.nakajima@intel.com>
      Cc: kvm@vger.kernel.org
      Cc: Dave Hansen <dave.hansen@intel.com>
      Cc: Tim Chen <tim.c.chen@linux.intel.com>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Asit Mallick <asit.k.mallick@intel.com>
      Cc: Arjan Van De Ven <arjan.van.de.ven@intel.com>
      Cc: Greg KH <gregkh@linuxfoundation.org>
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Cc: Dan Williams <dan.j.williams@intel.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Ashok Raj <ashok.raj@intel.com>
      Link: https://lkml.kernel.org/r/1517669783-20732-1-git-send-email-karahmed@amazon.de
      b2ac58f9
    • A
      KVM/x86: Add IBPB support · 15d45071
      Ashok Raj 提交于
      The Indirect Branch Predictor Barrier (IBPB) is an indirect branch
      control mechanism. It keeps earlier branches from influencing
      later ones.
      
      Unlike IBRS and STIBP, IBPB does not define a new mode of operation.
      It's a command that ensures predicted branch targets aren't used after
      the barrier. Although IBRS and IBPB are enumerated by the same CPUID
      enumeration, IBPB is very different.
      
      IBPB helps mitigate against three potential attacks:
      
      * Mitigate guests from being attacked by other guests.
        - This is addressed by issing IBPB when we do a guest switch.
      
      * Mitigate attacks from guest/ring3->host/ring3.
        These would require a IBPB during context switch in host, or after
        VMEXIT. The host process has two ways to mitigate
        - Either it can be compiled with retpoline
        - If its going through context switch, and has set !dumpable then
          there is a IBPB in that path.
          (Tim's patch: https://patchwork.kernel.org/patch/10192871)
        - The case where after a VMEXIT you return back to Qemu might make
          Qemu attackable from guest when Qemu isn't compiled with retpoline.
        There are issues reported when doing IBPB on every VMEXIT that resulted
        in some tsc calibration woes in guest.
      
      * Mitigate guest/ring0->host/ring0 attacks.
        When host kernel is using retpoline it is safe against these attacks.
        If host kernel isn't using retpoline we might need to do a IBPB flush on
        every VMEXIT.
      
      Even when using retpoline for indirect calls, in certain conditions 'ret'
      can use the BTB on Skylake-era CPUs. There are other mitigations
      available like RSB stuffing/clearing.
      
      * IBPB is issued only for SVM during svm_free_vcpu().
        VMX has a vmclear and SVM doesn't.  Follow discussion here:
        https://lkml.org/lkml/2018/1/15/146
      
      Please refer to the following spec for more details on the enumeration
      and control.
      
      Refer here to get documentation about mitigations.
      
      https://software.intel.com/en-us/side-channel-security-support
      
      [peterz: rebase and changelog rewrite]
      [karahmed: - rebase
                 - vmx: expose PRED_CMD if guest has it in CPUID
                 - svm: only pass through IBPB if guest has it in CPUID
                 - vmx: support !cpu_has_vmx_msr_bitmap()]
                 - vmx: support nested]
      [dwmw2: Expose CPUID bit too (AMD IBPB only for now as we lack IBRS)
              PRED_CMD is a write-only MSR]
      Signed-off-by: NAshok Raj <ashok.raj@intel.com>
      Signed-off-by: NPeter Zijlstra (Intel) <peterz@infradead.org>
      Signed-off-by: NDavid Woodhouse <dwmw@amazon.co.uk>
      Signed-off-by: NKarimAllah Ahmed <karahmed@amazon.de>
      Signed-off-by: NThomas Gleixner <tglx@linutronix.de>
      Reviewed-by: NKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Cc: Andrea Arcangeli <aarcange@redhat.com>
      Cc: Andi Kleen <ak@linux.intel.com>
      Cc: kvm@vger.kernel.org
      Cc: Asit Mallick <asit.k.mallick@intel.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Dave Hansen <dave.hansen@intel.com>
      Cc: Arjan Van De Ven <arjan.van.de.ven@intel.com>
      Cc: Greg KH <gregkh@linuxfoundation.org>
      Cc: Jun Nakajima <jun.nakajima@intel.com>
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Cc: Dan Williams <dan.j.williams@intel.com>
      Cc: Tim Chen <tim.c.chen@linux.intel.com>
      Link: http://lkml.kernel.org/r/1515720739-43819-6-git-send-email-ashok.raj@intel.com
      Link: https://lkml.kernel.org/r/1517522386-18410-3-git-send-email-karahmed@amazon.de
      15d45071
  7. 16 1月, 2018 2 次提交
  8. 12 1月, 2018 1 次提交
  9. 11 1月, 2018 1 次提交
  10. 05 1月, 2018 1 次提交
  11. 14 12月, 2017 1 次提交
    • P
      KVM: x86: add support for emulating UMIP · 66336cab
      Paolo Bonzini 提交于
      The User-Mode Instruction Prevention feature present in recent Intel
      processor prevents a group of instructions (sgdt, sidt, sldt, smsw, and
      str) from being executed with CPL > 0. Otherwise, a general protection
      fault is issued.
      
      UMIP instructions in general are also able to trigger vmexits, so we can
      actually emulate UMIP on older processors.  This commit sets up the
      infrastructure so that kvm-intel.ko and kvm-amd.ko can set the UMIP
      feature bit for CPUID even if the feature is not actually available
      in hardware.
      Reviewed-by: NWanpeng Li <wanpeng.li@hotmail.com>
      Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
      66336cab
  12. 05 12月, 2017 18 次提交
    • B
      KVM: X86: Restart the guest when insn_len is zero and SEV is enabled · 00b10fe1
      Brijesh Singh 提交于
      On AMD platforms, under certain conditions insn_len may be zero on #NPF.
      This can happen if a guest gets a page-fault on data access but the HW
      table walker is not able to read the instruction page (e.g instruction
      page is not present in memory).
      
      Typically, when insn_len is zero, x86_emulate_instruction() walks the
      guest page table and fetches the instruction bytes from guest memory.
      When SEV is enabled, the guest memory is encrypted with guest-specific
      key hence hypervisor will not able to fetch the instruction bytes.
      In those cases we simply restart the guest.
      
      I have encountered this issue when running kernbench inside the guest.
      
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Cc: "Radim Krčmář" <rkrcmar@redhat.com>
      Cc: Joerg Roedel <joro@8bytes.org>
      Cc: Borislav Petkov <bp@suse.de>
      Cc: Tom Lendacky <thomas.lendacky@amd.com>
      Cc: x86@kernel.org
      Cc: kvm@vger.kernel.org
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: NBrijesh Singh <brijesh.singh@amd.com>
      00b10fe1
    • B
      KVM: SVM: Do not install #UD intercept when SEV is enabled · 35c6f649
      Brijesh Singh 提交于
      On #UD, x86_emulate_instruction() fetches the data from guest memory and
      decodes the instruction bytes to assist further. When SEV is enabled, the
      instruction bytes will be encrypted using the guest-specific key and the
      hypervisor will no longer able to fetch the instruction bytes to assist
      UD handling. By not installing intercept we let the guest receive and
      handle #UD.
      
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Cc: "Radim Krčmář" <rkrcmar@redhat.com>
      Cc: Joerg Roedel <joro@8bytes.org>
      Cc: Borislav Petkov <bp@suse.de>
      Cc: Tom Lendacky <thomas.lendacky@amd.com>
      Cc: x86@kernel.org
      Cc: kvm@vger.kernel.org
      Cc: linux-kernel@vger.kernel.org
      Reviewed-by: NBorislav Petkov <bp@suse.de>
      Signed-off-by: NBrijesh Singh <brijesh.singh@amd.com>
      35c6f649
    • B
      KVM: SVM: Clear C-bit from the page fault address · 0ede79e1
      Brijesh Singh 提交于
      When SEV is active, on #VMEXIT the  page fault address will contain the
      C-bit. We must clear the C-bit before handling the fault.
      
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Cc: "Radim Krčmář" <rkrcmar@redhat.com>
      Cc: Joerg Roedel <joro@8bytes.org>
      Cc: Borislav Petkov <bp@suse.de>
      Cc: Tom Lendacky <thomas.lendacky@amd.com>
      Cc: x86@kernel.org
      Cc: kvm@vger.kernel.org
      Cc: linux-kernel@vger.kernel.org
      Reviewed-by: NBorislav Petkov <bp@suse.de>
      Signed-off-by: NBrijesh Singh <brijesh.singh@amd.com>
      0ede79e1
    • B
      KVM: SVM: Pin guest memory when SEV is active · 1e80fdc0
      Brijesh Singh 提交于
      The SEV memory encryption engine uses a tweak such that two identical
      plaintext pages at different location will have different ciphertext.
      So swapping or moving ciphertext of two pages will not result in
      plaintext being swapped. Relocating (or migrating) physical backing
      pages for a SEV guest will require some additional steps. The current SEV
      key management spec does not provide commands to swap or migrate (move)
      ciphertext pages. For now, we pin the guest memory registered through
      KVM_MEMORY_ENCRYPT_REG_REGION ioctl.
      
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Cc: "Radim Krčmář" <rkrcmar@redhat.com>
      Cc: Joerg Roedel <joro@8bytes.org>
      Cc: Borislav Petkov <bp@suse.de>
      Cc: Tom Lendacky <thomas.lendacky@amd.com>
      Cc: x86@kernel.org
      Cc: kvm@vger.kernel.org
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: NBrijesh Singh <brijesh.singh@amd.com>
      1e80fdc0
    • B
      KVM: SVM: Add support for SEV LAUNCH_SECRET command · 9f5b5b95
      Brijesh Singh 提交于
      The command is used for injecting a secret into the guest memory region.
      
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Cc: "Radim Krčmář" <rkrcmar@redhat.com>
      Cc: Joerg Roedel <joro@8bytes.org>
      Cc: Borislav Petkov <bp@suse.de>
      Cc: Tom Lendacky <thomas.lendacky@amd.com>
      Cc: x86@kernel.org
      Cc: kvm@vger.kernel.org
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: NBrijesh Singh <brijesh.singh@amd.com>
      Reviewed-by: NBorislav Petkov <bp@suse.de>
      9f5b5b95
    • B
      KVM: SVM: Add support for SEV DEBUG_ENCRYPT command · 7d1594f5
      Brijesh Singh 提交于
      The command copies a plaintext into guest memory and encrypts it using
      the VM encryption key. The command will be used for debug purposes
      (e.g setting breakpoints through gdbserver)
      
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Cc: "Radim Krčmář" <rkrcmar@redhat.com>
      Cc: Joerg Roedel <joro@8bytes.org>
      Cc: Borislav Petkov <bp@suse.de>
      Cc: Tom Lendacky <thomas.lendacky@amd.com>
      Cc: x86@kernel.org
      Cc: kvm@vger.kernel.org
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: NBrijesh Singh <brijesh.singh@amd.com>
      7d1594f5
    • B
      KVM: SVM: Add support for SEV DEBUG_DECRYPT command · 24f41fb2
      Brijesh Singh 提交于
      The command is used for decrypting a guest memory region for debug
      purposes.
      
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Cc: "Radim Krčmář" <rkrcmar@redhat.com>
      Cc: Joerg Roedel <joro@8bytes.org>
      Cc: Borislav Petkov <bp@suse.de>
      Cc: Tom Lendacky <thomas.lendacky@amd.com>
      Cc: x86@kernel.org
      Cc: kvm@vger.kernel.org
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: NBrijesh Singh <brijesh.singh@amd.com>
      Reviewed-by: NBorislav Petkov <bp@suse.de>
      24f41fb2
    • B
      KVM: SVM: Add support for SEV GUEST_STATUS command · 255d9e75
      Brijesh Singh 提交于
      The command is used for querying the SEV guest information.
      
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Cc: "Radim Krčmář" <rkrcmar@redhat.com>
      Cc: Joerg Roedel <joro@8bytes.org>
      Cc: Borislav Petkov <bp@suse.de>
      Cc: Tom Lendacky <thomas.lendacky@amd.com>
      Cc: x86@kernel.org
      Cc: kvm@vger.kernel.org
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: NBrijesh Singh <brijesh.singh@amd.com>
      Reviewed-by: NBorislav Petkov <bp@suse.de>
      255d9e75
    • B
      KVM: SVM: Add support for SEV LAUNCH_FINISH command · 5bdb0e2f
      Brijesh Singh 提交于
      The command is used for finializing the SEV guest launch process.
      
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Cc: "Radim Krčmář" <rkrcmar@redhat.com>
      Cc: Joerg Roedel <joro@8bytes.org>
      Cc: Borislav Petkov <bp@suse.de>
      Cc: Tom Lendacky <thomas.lendacky@amd.com>
      Cc: x86@kernel.org
      Cc: kvm@vger.kernel.org
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: NBrijesh Singh <brijesh.singh@amd.com>
      Reviewed-by: NBorislav Petkov <bp@suse.de>
      5bdb0e2f
    • B
      KVM: SVM: Add support for KVM_SEV_LAUNCH_MEASURE command · 0d0736f7
      Brijesh Singh 提交于
      The command is used to retrieve the measurement of contents encrypted
      through the KVM_SEV_LAUNCH_UPDATE_DATA command.
      
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Cc: "Radim Krčmář" <rkrcmar@redhat.com>
      Cc: Joerg Roedel <joro@8bytes.org>
      Cc: Borislav Petkov <bp@suse.de>
      Cc: Tom Lendacky <thomas.lendacky@amd.com>
      Cc: x86@kernel.org
      Cc: kvm@vger.kernel.org
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: NBrijesh Singh <brijesh.singh@amd.com>
      Reviewed-by: NBorislav Petkov <bp@suse.de>
      0d0736f7
    • B
      KVM: SVM: Add support for KVM_SEV_LAUNCH_UPDATE_DATA command · 89c50580
      Brijesh Singh 提交于
      The command is used for encrypting the guest memory region using the VM
      encryption key (VEK) created during KVM_SEV_LAUNCH_START.
      
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Cc: "Radim Krčmář" <rkrcmar@redhat.com>
      Cc: Joerg Roedel <joro@8bytes.org>
      Cc: Borislav Petkov <bp@suse.de>
      Cc: Tom Lendacky <thomas.lendacky@amd.com>
      Cc: x86@kernel.org
      Cc: kvm@vger.kernel.org
      Cc: linux-kernel@vger.kernel.org
      Improvements-by: NBorislav Petkov <bp@suse.de>
      Signed-off-by: NBrijesh Singh <brijesh.singh@amd.com>
      Reviewed-by: NBorislav Petkov <bp@suse.de>
      89c50580
    • B
      KVM: SVM: Add support for KVM_SEV_LAUNCH_START command · 59414c98
      Brijesh Singh 提交于
      The KVM_SEV_LAUNCH_START command is used to create a memory encryption
      context within the SEV firmware. In order to do so, the guest owner
      should provide the guest's policy, its public Diffie-Hellman (PDH) key
      and session information. The command implements the LAUNCH_START flow
      defined in SEV spec Section 6.2.
      
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Cc: "Radim Krčmář" <rkrcmar@redhat.com>
      Cc: Joerg Roedel <joro@8bytes.org>
      Cc: Borislav Petkov <bp@suse.de>
      Cc: Tom Lendacky <thomas.lendacky@amd.com>
      Cc: x86@kernel.org
      Cc: kvm@vger.kernel.org
      Cc: linux-kernel@vger.kernel.org
      Improvements-by: NBorislav Petkov <bp@suse.de>
      Signed-off-by: NBrijesh Singh <brijesh.singh@amd.com>
      Reviewed-by: NBorislav Petkov <bp@suse.de>
      59414c98
    • B
      KVM: SVM: VMRUN should use associated ASID when SEV is enabled · 70cd94e6
      Brijesh Singh 提交于
      SEV hardware uses ASIDs to associate a memory encryption key with a
      guest VM. During guest creation, a SEV VM uses the SEV_CMD_ACTIVATE
      command to bind a particular ASID to the guest. Lets make sure that the
      VMCB is programmed with the bound ASID before a VMRUN.
      
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Cc: "Radim Krčmář" <rkrcmar@redhat.com>
      Cc: Joerg Roedel <joro@8bytes.org>
      Cc: Borislav Petkov <bp@suse.de>
      Cc: Tom Lendacky <thomas.lendacky@amd.com>
      Cc: x86@kernel.org
      Cc: kvm@vger.kernel.org
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: NBrijesh Singh <brijesh.singh@amd.com>
      Reviewed-by: NBorislav Petkov <bp@suse.de>
      70cd94e6
    • B
      KVM: SVM: Add KVM_SEV_INIT command · 1654efcb
      Brijesh Singh 提交于
      The command initializes the SEV platform context and allocates a new ASID
      for this guest from the SEV ASID pool. The firmware must be initialized
      before we issue any guest launch commands to create a new memory encryption
      context.
      
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Cc: "Radim Krčmář" <rkrcmar@redhat.com>
      Cc: Joerg Roedel <joro@8bytes.org>
      Cc: Borislav Petkov <bp@suse.de>
      Cc: Tom Lendacky <thomas.lendacky@amd.com>
      Cc: x86@kernel.org
      Cc: kvm@vger.kernel.org
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: NBrijesh Singh <brijesh.singh@amd.com>
      Reviewed-by: NBorislav Petkov <bp@suse.de>
      1654efcb
    • B
      KVM: SVM: Add sev module_param · e9df0942
      Brijesh Singh 提交于
      The module parameter can be used to control the SEV feature support.
      
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Cc: "Radim Krčmář" <rkrcmar@redhat.com>
      Cc: Joerg Roedel <joro@8bytes.org>
      Cc: Borislav Petkov <bp@suse.de>
      Cc: Tom Lendacky <thomas.lendacky@amd.com>
      Cc: x86@kernel.org
      Cc: kvm@vger.kernel.org
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: NBrijesh Singh <brijesh.singh@amd.com>
      Reviewed-by: NBorislav Petkov <bp@suse.de>
      e9df0942
    • B
      KVM: SVM: Reserve ASID range for SEV guest · ed3cd233
      Brijesh Singh 提交于
      A SEV-enabled guest must use ASIDs from the defined subset, while non-SEV
      guests can use the remaining ASID range. The range of allowed SEV guest
      ASIDs is [1 - CPUID_8000_001F[ECX][31:0]].
      
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Cc: "Radim Krčmář" <rkrcmar@redhat.com>
      Cc: Joerg Roedel <joro@8bytes.org>
      Cc: Borislav Petkov <bp@suse.de>
      Cc: Tom Lendacky <thomas.lendacky@amd.com>
      Cc: x86@kernel.org
      Cc: kvm@vger.kernel.org
      Cc: linux-kernel@vger.kernel.org
      Improvements-by: NBorislav Petkov <bp@suse.de>
      Signed-off-by: NBrijesh Singh <brijesh.singh@amd.com>
      Reviewed-by: NBorislav Petkov <bp@suse.de>
      ed3cd233
    • B
      KVM: X86: Extend CPUID range to include new leaf · 8765d753
      Brijesh Singh 提交于
      This CPUID leaf provides the memory encryption support information on
      AMD Platform. Its complete description is available in APM volume 2,
      Section 15.34
      
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Cc: "Radim Krčmář" <rkrcmar@redhat.com>
      Cc: Joerg Roedel <joro@8bytes.org>
      Cc: Borislav Petkov <bp@suse.de>
      Cc: Tom Lendacky <thomas.lendacky@amd.com>
      Cc: x86@kernel.org
      Cc: kvm@vger.kernel.org
      Cc: linux-kernel@vger.kernel.org
      Reviewed-by: NBorislav Petkov <bp@suse.de>
      Signed-off-by: NBrijesh Singh <brijesh.singh@amd.com>
      8765d753
    • B
      KVM: SVM: Prepare to reserve asid for SEV guest · 4faefff3
      Brijesh Singh 提交于
      Currently, ASID allocation start at 1. Add a svm_vcpu_data.min_asid
      which allows supplying a dynamic start ASID.
      
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Cc: "Radim Krčmář" <rkrcmar@redhat.com>
      Cc: Joerg Roedel <joro@8bytes.org>
      Cc: Borislav Petkov <bp@suse.de>
      Cc: Tom Lendacky <thomas.lendacky@amd.com>
      Cc: x86@kernel.org
      Cc: kvm@vger.kernel.org
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: NBrijesh Singh <brijesh.singh@amd.com>
      Reviewed-by: NPaolo Bonzini <pbonzini@redhat.com>
      Reviewed-by: NBorislav Petkov <bp@suse.de>
      4faefff3