rpm/qemu
SHA256
1
0
Fork 0
forked from pool/qemu
Code Pull Requests Activity

Accepting request 579209 from home:bfrogers:branches:Virtualization

Browse Source 
Update to 2.11.1, plus a few other fixes.

OBS-URL: https://build.opensuse.org/request/show/579209
OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=392
This commit is contained in:
Bruce Rogers 2018-02-22 22:01:24 +00:00 committed by Git OBS Bridge
parent f3c3b22dd7
commit 672f70aa3d
92 changed files with 1520 additions and 1180 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
0001-XXX-dont-dump-core-on-sigabort.patch
View File

@ -1,4 +1,4 @@
From caaf3654f521627c6c669667a34b022d7aaf6d98 Mon Sep 17 00:00:00 2001
From 1a51a6b423402ce1cf03188d5b47d47c07854349 Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Mon, 21 Nov 2011 23:50:36 +0100
Subject: [PATCH] XXX dont dump core on sigabort
@ -8,7 +8,7 @@ Subject: [PATCH] XXX dont dump core on sigabort
1 file changed, 6 insertions(+)
diff --git a/linux-user/signal.c b/linux-user/signal.c
index cf35473671..9fd0155498 100644
index b858f1b0f1..752e814bc4 100644
--- a/linux-user/signal.c
+++ b/linux-user/signal.c
@@ -560,6 +560,10 @@ static void QEMU_NORETURN dump_core_and_abort(int target_sig)

2
0002-qemu-binfmt-conf-Modify-default-pat.patch
View File

@ -1,4 +1,4 @@
From b34188124a7c7d2a59fcf25f69fde293dd46e639 Mon Sep 17 00:00:00 2001
From 4f39ca8b4bfa8077b05faf7cfe5e15f326e7b5c4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20F=C3=A4rber?= <afaerber@suse.de>
Date: Wed, 10 Aug 2016 19:00:24 +0200
Subject: [PATCH] qemu-binfmt-conf: Modify default path

2
0003-qemu-cvs-gettimeofday.patch
View File

@ -1,4 +1,4 @@
From dc56d2a61411efc8ba57905117e2adc126a8e5c7 Mon Sep 17 00:00:00 2001
From 1fcc7fdc072463a0954e7c0c934080058a8fb0d4 Mon Sep 17 00:00:00 2001
From: Ulrich Hecht <uli@suse.de>
Date: Tue, 14 Apr 2009 16:25:41 +0200
Subject: [PATCH] qemu-cvs-gettimeofday

2
0004-qemu-cvs-ioctl_debug.patch
View File

@ -1,4 +1,4 @@
From 28b90ae8573a1b760f80ba928157d6df563d6c8b Mon Sep 17 00:00:00 2001
From 22461f1aeea83aecb71dfeaf8b90ffb74216fa6a Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Tue, 14 Apr 2009 16:26:33 +0200
Subject: [PATCH] qemu-cvs-ioctl_debug

2
0005-qemu-cvs-ioctl_nodirection.patch
View File

@ -1,4 +1,4 @@
From ef7b5a6e1179b26e10461ffcc619e405f6e5adef Mon Sep 17 00:00:00 2001
From 66779c72be83467bd5053d40f6c189c5238fc97a Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Tue, 14 Apr 2009 16:27:36 +0200
Subject: [PATCH] qemu-cvs-ioctl_nodirection

2
0006-linux-user-add-binfmt-wrapper-for-a.patch
View File

@ -1,4 +1,4 @@
From b9c2beb358233531af35e2583fec914dc11545f8 Mon Sep 17 00:00:00 2001
From 66515950d58fda6057d0d17dbea2490d60f5bd0b Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Fri, 30 Sep 2011 19:40:36 +0200
Subject: [PATCH] linux-user: add binfmt wrapper for argv[0] handling

2
0007-PPC-KVM-Disable-mmu-notifier-check.patch
View File

@ -1,4 +1,4 @@
From 7b5988dd911b6af4745d34e0c8cfc1e95518d80a Mon Sep 17 00:00:00 2001
From 954d17d5ccae3340de3893872bc306542c2ad492 Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Fri, 6 Jan 2012 01:05:55 +0100
Subject: [PATCH] PPC: KVM: Disable mmu notifier check

2
0008-linux-user-fix-segfault-deadlock.patch
View File

@ -1,4 +1,4 @@
From d7114fd9a14209b60ba65f1990034dc8e9670d32 Mon Sep 17 00:00:00 2001
From e61d37b1ec17800a82e06a9231a4708f232da4ea Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Fri, 13 Jan 2012 17:05:41 +0100
Subject: [PATCH] linux-user: fix segfault deadlock

2
0009-linux-user-binfmt-support-host-bina.patch
View File

@ -1,4 +1,4 @@
From 61aab3ec914ad269f11f6c2a34f738b839b3e495 Mon Sep 17 00:00:00 2001
From 9ae09852f058ac34d118cdde08082cbd37f86c2b Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Thu, 2 Feb 2012 18:02:33 +0100
Subject: [PATCH] linux-user: binfmt: support host binaries

2
0010-linux-user-Fake-proc-cpuinfo.patch
View File

@ -1,4 +1,4 @@
From c323c1f97f0fe389da384e64a35c9307735a1cd5 Mon Sep 17 00:00:00 2001
From 09f0630a44d60be34c6fae2a875e57ac72e4d276 Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Mon, 23 Jul 2012 10:24:14 +0200
Subject: [PATCH] linux-user: Fake /proc/cpuinfo

2
0011-linux-user-XXX-disable-fiemap.patch
View File

@ -1,4 +1,4 @@
From 22681343ff83b0ab4664fd741145cb098398c366 Mon Sep 17 00:00:00 2001
From 5cd617b2b651852a98f5e3c4f3631fd461349410 Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Tue, 21 Aug 2012 14:20:40 +0200
Subject: [PATCH] linux-user: XXX disable fiemap

2
0012-linux-user-use-target_ulong.patch
View File

@ -1,4 +1,4 @@
From 48f19b6362b58c5fef53965b5b7a136f42fe78a9 Mon Sep 17 00:00:00 2001
From 9a7bc05f85db8f058793c5d5709b453ad0d0542b Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Tue, 9 Oct 2012 09:06:49 +0200
Subject: [PATCH] linux-user: use target_ulong

2
0013-Make-char-muxer-more-robust-wrt-sma.patch
View File

@ -1,4 +1,4 @@
From 0bfbec0356fcf27a378144048a5dbc5bc97b6d94 Mon Sep 17 00:00:00 2001
From 87982f31e45440ef105d24afffbfd3023ce80331 Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Thu, 1 Apr 2010 17:36:23 +0200
Subject: [PATCH] Make char muxer more robust wrt small FIFOs

2
0014-linux-user-lseek-explicitly-cast-no.patch
View File

@ -1,4 +1,4 @@
From 261a9b540c31dc0812158924bbae63e5ce50baf3 Mon Sep 17 00:00:00 2001
From 5e10b103a7060771d8314aa50f809a5097a7288c Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Thu, 13 Dec 2012 14:29:22 +0100
Subject: [PATCH] linux-user: lseek: explicitly cast non-set offsets to signed

2
0015-AIO-Reduce-number-of-threads-for-32.patch
View File

@ -1,4 +1,4 @@
From dd9661d5900c9eb71a17be2d8b31078dac418296 Mon Sep 17 00:00:00 2001
From 0fc340f81a8d6ef82e99d1767103a1e775400ed1 Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Wed, 14 Jan 2015 01:32:11 +0100
Subject: [PATCH] AIO: Reduce number of threads for 32bit hosts

2
0016-xen_disk-Add-suse-specific-flush-di.patch
View File

@ -1,4 +1,4 @@
From 6474f499d5e3b489aab3ef145d4b35c0ba298a45 Mon Sep 17 00:00:00 2001
From 45783db0ed8628cb9cdb4d3ebbf7471f2f88db9b Mon Sep 17 00:00:00 2001
From: Bruce Rogers <brogers@suse.com>
Date: Wed, 9 Mar 2016 15:18:11 -0700
Subject: [PATCH] xen_disk: Add suse specific flush disable handling and map to

2
0017-qemu-bridge-helper-reduce-security-.patch
View File

@ -1,4 +1,4 @@
From f60bc92930645ca449a5711300fac7ef22f37127 Mon Sep 17 00:00:00 2001
From 7d8219b4427779376c0d6405c169fb950ea1f43b Mon Sep 17 00:00:00 2001
From: Bruce Rogers <brogers@suse.com>
Date: Tue, 2 Aug 2016 11:36:02 -0600
Subject: [PATCH] qemu-bridge-helper: reduce security profile

2
0018-qemu-binfmt-conf-use-qemu-ARCH-binf.patch
View File

@ -1,4 +1,4 @@
From d688c4968074f983fde5be296487bb540e9a3396 Mon Sep 17 00:00:00 2001
From 467907dc59bb7b955d78f37a190958cbb4cc837d Mon Sep 17 00:00:00 2001
From: Andreas Schwab <schwab@suse.de>
Date: Fri, 12 Aug 2016 18:20:49 +0200
Subject: [PATCH] qemu-binfmt-conf: use qemu-ARCH-binfmt

2
0019-linux-user-properly-test-for-infini.patch
View File

@ -1,4 +1,4 @@
From 182bbee4da8555984ca47867e035e62a943d6ed8 Mon Sep 17 00:00:00 2001
From f885b1a3afadad00b6a28af2ce25ecebe4cc32cb Mon Sep 17 00:00:00 2001
From: Andreas Schwab <schwab@linux-m68k.org>
Date: Thu, 8 Sep 2016 11:21:05 +0200
Subject: [PATCH] linux-user: properly test for infinite timeout in poll (#8)

2
0020-roms-Makefile-pass-a-packaging-time.patch
View File

@ -1,4 +1,4 @@
From d9fe5283089876e70d7d5d37bc37c772d991fbee Mon Sep 17 00:00:00 2001
From 6d5775e5a6a2ef48703c545772c6f0a0ab9ed887 Mon Sep 17 00:00:00 2001
From: Bruce Rogers <brogers@suse.com>
Date: Sat, 19 Nov 2016 08:06:30 -0700
Subject: [PATCH] roms/Makefile: pass a packaging timestamp to subpackages with

2
0021-Raise-soft-address-space-limit-to-h.patch
View File

@ -1,4 +1,4 @@
From 7c7cdde1614864ef3304fd5f28a6e2a7b3de9ae4 Mon Sep 17 00:00:00 2001
From 34dc5aecd47ac65b43fda0d85c17ea33f333b9ce Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20F=C3=A4rber?= <afaerber@suse.de>
Date: Sun, 15 Jan 2012 19:53:49 +0100
Subject: [PATCH] Raise soft address space limit to hard limit

6
0022-increase-x86_64-physical-bits-to-42.patch
View File

@ -1,4 +1,4 @@
From e4e996c7352a5563dae701ee9880ed48a132f696 Mon Sep 17 00:00:00 2001
From 43638ed256283e67877d0c18f38f0b8b2a132116 Mon Sep 17 00:00:00 2001
From: Bruce Rogers <brogers@suse.com>
Date: Fri, 17 May 2013 16:49:58 -0600
Subject: [PATCH] increase x86_64 physical bits to 42
@ -19,10 +19,10 @@ Signed-off-by: Andreas Färber <afaerber@suse.de>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/target/i386/cpu.h b/target/i386/cpu.h
index b086b1528b..cbdd631e2e 100644
index f3d0ebb673..4e66a0404e 100644
--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
@@ -1501,7 +1501,7 @@ uint64_t cpu_get_tsc(CPUX86State *env);
@@ -1508,7 +1508,7 @@ uint64_t cpu_get_tsc(CPUX86State *env);
/* XXX: This value should match the one returned by CPUID
* and in exec.c */
# if defined(TARGET_X86_64)

2
0023-vga-Raise-VRAM-to-16-MiB-for-pc-0.1.patch
View File

@ -1,4 +1,4 @@
From ec1a9384505f5e372b3d5225fcada36ea35ac045 Mon Sep 17 00:00:00 2001
From 46f00361392e6b37f7784759fa0bafaba4f53ccc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20F=C3=A4rber?= <afaerber@suse.de>
Date: Wed, 12 Jun 2013 19:26:37 +0200
Subject: [PATCH] vga: Raise VRAM to 16 MiB for pc-0.15 and below

2
0024-i8254-Fix-migration-from-SLE11-SP2.patch
View File

@ -1,4 +1,4 @@
From 745af73eab8459b7b8d6889850943afba3aeb6fd Mon Sep 17 00:00:00 2001
From cb942fa994767ed596877a74d12c07469941e4a3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20F=C3=A4rber?= <afaerber@suse.de>
Date: Wed, 31 Jul 2013 17:05:29 +0200
Subject: [PATCH] i8254: Fix migration from SLE11 SP2

2
0025-acpi_piix4-Fix-migration-from-SLE11.patch
View File

@ -1,4 +1,4 @@
From cc5b2a3c40b43326c1f555e8f46f61bb10812cd3 Mon Sep 17 00:00:00 2001
From b95747d42aadcc6555a98eb2c5db15cae291b0b0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20F=C3=A4rber?= <afaerber@suse.de>
Date: Wed, 31 Jul 2013 17:32:35 +0200
Subject: [PATCH] acpi_piix4: Fix migration from SLE11 SP2

6
0026-Fix-tigervnc-long-press-issue.patch
View File

@ -1,4 +1,4 @@
From ea79d0cc0c448c2d04bba7cdcf686ea18aa3a0ae Mon Sep 17 00:00:00 2001
From 14812344beb127d20d9fc58d9283d78946b432e6 Mon Sep 17 00:00:00 2001
From: Chunyan Liu <cyliu@suse.com>
Date: Thu, 3 Mar 2016 16:48:17 +0800
Subject: [PATCH] Fix tigervnc long press issue
@ -24,10 +24,10 @@ Signed-off-by: Chunyan Liu <cyliu@suse.com>
1 file changed, 19 insertions(+)
diff --git a/ui/vnc.c b/ui/vnc.c
index 9f8d5a1b1f..5bf1130486 100644
index 06abe7360e..cb425f0aed 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -1662,6 +1662,25 @@ static void do_key_event(VncState *vs, int down, int keycode, int sym)
@@ -1802,6 +1802,25 @@ static void do_key_event(VncState *vs, int down, int keycode, int sym)
if (down)
vs->modifiers_state[keycode] ^= 1;
break;

2
0027-string-input-visitor-Fix-uint64-par.patch
View File

@ -1,4 +1,4 @@
From 594154fd98941c5740ce595a252834040f6ae655 Mon Sep 17 00:00:00 2001
From 467310d802cf7790129dbd2f0559da13c08c4718 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20F=C3=A4rber?= <afaerber@suse.de>
Date: Thu, 24 Sep 2015 19:21:11 +0200
Subject: [PATCH] string-input-visitor: Fix uint64 parsing

2
0028-test-string-input-visitor-Add-int-t.patch
View File

@ -1,4 +1,4 @@
From d98ad37e0fa5c3d254a016b5a2de2bc5a36ac603 Mon Sep 17 00:00:00 2001
From 33c5e0f025d380144fcd310fc67d69cf57e2100f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20F=C3=A4rber?= <afaerber@suse.de>
Date: Thu, 24 Sep 2015 19:23:50 +0200
Subject: [PATCH] test-string-input-visitor: Add int test case

2
0029-test-string-input-visitor-Add-uint6.patch
View File

@ -1,4 +1,4 @@
From 7b6711a0a89635a57773ed8dff4e8543b199b161 Mon Sep 17 00:00:00 2001
From 5f820fc473f23dc626d0314082072a8fccdb43f6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20F=C3=A4rber?= <afaerber@suse.de>
Date: Thu, 24 Sep 2015 19:24:23 +0200
Subject: [PATCH] test-string-input-visitor: Add uint64 test

2
0030-tests-Add-QOM-property-unit-tests.patch
View File

@ -1,4 +1,4 @@
From b7f197720e170281c479d2b892c45e598f428a27 Mon Sep 17 00:00:00 2001
From 466bf8436ac9720529c5a9baae4a901f4988da0b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20F=C3=A4rber?= <afaerber@suse.de>
Date: Sun, 6 Sep 2015 20:12:42 +0200
Subject: [PATCH] tests: Add QOM property unit tests

2
0031-tests-Add-scsi-disk-test.patch
View File

@ -1,4 +1,4 @@
From a3cb893add9ad07fd3c971aed8e38f11496f9b9c Mon Sep 17 00:00:00 2001
From e500d6e4a2f964c2718686731113336da7c013c6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20F=C3=A4rber?= <afaerber@suse.de>
Date: Fri, 25 Sep 2015 12:31:11 +0200
Subject: [PATCH] tests: Add scsi-disk test

2
0032-Switch-order-of-libraries-for-mpath.patch
View File

@ -1,4 +1,4 @@
From da5c27969ecbaf94d9615a2bff11447e479382a7 Mon Sep 17 00:00:00 2001
From df14b8456cc69b8948786a8008840418d5008fa5 Mon Sep 17 00:00:00 2001
From: Bruce Rogers <brogers@suse.com>
Date: Fri, 3 Nov 2017 11:12:40 -0600
Subject: [PATCH] Switch order of libraries for mpath support

160
0033-i386-kvm-MSR_IA32_SPEC_CTRL-and-MSR.patch
View File

@ -1,160 +0,0 @@
From 386bbf8992317f3106d45dbfdb4b577029e9091f Mon Sep 17 00:00:00 2001
From: Wei Wang <wei.w.wang@intel.com>
Date: Tue, 7 Nov 2017 16:39:49 +0800
Subject: [PATCH] i386/kvm: MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD
CPUID(EAX=0X7,ECX=0).EDX[26]/[27] indicates the support of
MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD. Expose the CPUID
to the guest. Also add the support of transferring the MSRs during live
migration.
Signed-off-by: Wei Wang <wei.w.wang@intel.com>
[BR: BSC#1068032 CVE-2017-5715]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
target/i386/cpu.c | 3 ++-
target/i386/cpu.h | 4 ++++
target/i386/kvm.c | 14 +++++++++++++-
target/i386/machine.c | 20 ++++++++++++++++++++
4 files changed, 39 insertions(+), 2 deletions(-)
diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index 045d66191f..4a403b1e7b 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -2880,13 +2880,14 @@ void cpu_x86_cpuid(CPUX86State *env, uint32_t index, uint32_t count,
case 7:
/* Structured Extended Feature Flags Enumeration Leaf */
if (count == 0) {
+ host_cpuid(index, 0, eax, ebx, ecx, edx);
*eax = 0; /* Maximum ECX value for sub-leaves */
*ebx = env->features[FEAT_7_0_EBX]; /* Feature flags */
*ecx = env->features[FEAT_7_0_ECX]; /* Feature flags */
if ((*ecx & CPUID_7_0_ECX_PKU) && env->cr[4] & CR4_PKE_MASK) {
*ecx |= CPUID_7_0_ECX_OSPKE;
}
- *edx = env->features[FEAT_7_0_EDX]; /* Feature flags */
+ *edx = env->features[FEAT_7_0_EDX] | *edx;
} else {
*eax = 0;
*ebx = 0;
diff --git a/target/i386/cpu.h b/target/i386/cpu.h
index cbdd631e2e..d9ecf7a368 100644
--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
@@ -335,6 +335,7 @@
#define MSR_IA32_APICBASE_BASE (0xfffffU<<12)
#define MSR_IA32_FEATURE_CONTROL 0x0000003a
#define MSR_TSC_ADJUST 0x0000003b
+#define MSR_IA32_SPEC_CTRL 0x00000048
#define MSR_IA32_TSCDEADLINE 0x6e0
#define FEATURE_CONTROL_LOCKED (1<<0)
@@ -641,6 +642,8 @@ typedef uint32_t FeatureWordArray[FEATURE_WORDS];
#define CPUID_7_0_EDX_AVX512_4VNNIW (1U << 2) /* AVX512 Neural Network Instructions */
#define CPUID_7_0_EDX_AVX512_4FMAPS (1U << 3) /* AVX512 Multiply Accumulation Single Precision */
+#define CPUID_7_0_EDX_SPEC_CTRL (1U << 26)
+#define CPUID_7_0_EDX_PRED_CMD (1U << 27)
#define CPUID_XSAVE_XSAVEOPT (1U << 0)
#define CPUID_XSAVE_XSAVEC (1U << 1)
@@ -1183,6 +1186,7 @@ typedef struct CPUX86State {
uint64_t xss;
+ uint64_t spec_ctrl;
TPRAccess tpr_access_type;
} CPUX86State;
diff --git a/target/i386/kvm.c b/target/i386/kvm.c
index b1e32e95d3..d0041e6285 100644
--- a/target/i386/kvm.c
+++ b/target/i386/kvm.c
@@ -76,6 +76,7 @@ static bool has_msr_star;
static bool has_msr_hsave_pa;
static bool has_msr_tsc_aux;
static bool has_msr_tsc_adjust;
+static bool has_msr_spec_ctrl;
static bool has_msr_tsc_deadline;
static bool has_msr_feature_control;
static bool has_msr_misc_enable;
@@ -1108,6 +1109,9 @@ static int kvm_get_supported_msrs(KVMState *s)
case MSR_TSC_ADJUST:
has_msr_tsc_adjust = true;
break;
+ case MSR_IA32_SPEC_CTRL:
+ has_msr_spec_ctrl = true;
+ break;
case MSR_IA32_TSCDEADLINE:
has_msr_tsc_deadline = true;
break;
@@ -1626,6 +1630,9 @@ static int kvm_put_msrs(X86CPU *cpu, int level)
if (has_msr_xss) {
kvm_msr_entry_add(cpu, MSR_IA32_XSS, env->xss);
}
+ if (has_msr_spec_ctrl) {
+ kvm_msr_entry_add(cpu, MSR_IA32_SPEC_CTRL, env->spec_ctrl);
+ }
#ifdef TARGET_X86_64
if (lm_capable_kernel) {
kvm_msr_entry_add(cpu, MSR_CSTAR, env->cstar);
@@ -1998,7 +2005,9 @@ static int kvm_get_msrs(X86CPU *cpu)
if (has_msr_xss) {
kvm_msr_entry_add(cpu, MSR_IA32_XSS, 0);
}
-
+ if (has_msr_spec_ctrl) {
+ kvm_msr_entry_add(cpu, MSR_IA32_SPEC_CTRL, 0);
+ }
if (!env->tsc_valid) {
kvm_msr_entry_add(cpu, MSR_IA32_TSC, 0);
@@ -2220,6 +2229,9 @@ static int kvm_get_msrs(X86CPU *cpu)
case MSR_IA32_XSS:
env->xss = msrs[i].data;
break;
+ case MSR_IA32_SPEC_CTRL:
+ env->spec_ctrl = msrs[i].data;
+ break;
default:
if (msrs[i].index >= MSR_MC0_CTL &&
msrs[i].index < MSR_MC0_CTL + (env->mcg_cap & 0xff) * 4) {
diff --git a/target/i386/machine.c b/target/i386/machine.c
index df5ec359eb..d561a65153 100644
--- a/target/i386/machine.c
+++ b/target/i386/machine.c
@@ -759,6 +759,25 @@ static const VMStateDescription vmstate_xss = {
}
};
+static bool spec_ctrl_needed(void *opaque)
+{
+ X86CPU *cpu = opaque;
+ CPUX86State *env = &cpu->env;
+
+ return env->spec_ctrl != 0;
+}
+
+static const VMStateDescription vmstate_spec_ctrl = {
+ .name = "cpu/spec_ctrl",
+ .version_id = 1,
+ .minimum_version_id = 1,
+ .needed = spec_ctrl_needed,
+ .fields = (VMStateField[]) {
+ VMSTATE_UINT64(env.spec_ctrl, X86CPU),
+ VMSTATE_END_OF_LIST()
+ }
+};
+
#ifdef TARGET_X86_64
static bool pkru_needed(void *opaque)
{
@@ -932,6 +951,7 @@ VMStateDescription vmstate_x86_cpu = {
&vmstate_msr_hyperv_stimer,
&vmstate_avx512,
&vmstate_xss,
+ &vmstate_spec_ctrl,
&vmstate_tsc_khz,
#ifdef TARGET_X86_64
&vmstate_pkru,

55
0033-memfd-fix-configure-test.patch Normal file
View File

@ -0,0 +1,55 @@
From 7c2613d2ed9d35c8634248204acdffcf96e1e6b2 Mon Sep 17 00:00:00 2001
From: Paolo Bonzini <pbonzini@redhat.com>
Date: Tue, 28 Nov 2017 11:51:27 +0100
Subject: [PATCH] memfd: fix configure test
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Recent glibc added memfd_create in sys/mman.h. This conflicts with
the definition in util/memfd.c:
/builddir/build/BUILD/qemu-2.11.0-rc1/util/memfd.c:40:12: error: static declaration of memfd_create follows non-static declaration
Fix the configure test, and remove the sys/memfd.h inclusion since the
file actually does not exist---it is a typo in the memfd_create(2) man
page.
Cc: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 75e5b70e6b5dcc4f2219992d7cffa462aa406af0)
[BR: BOO#1081154]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
configure | 2 +-
util/memfd.c | 4 +---
2 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/configure b/configure
index 01e1d15fa4..71b8b473fc 100755
--- a/configure
+++ b/configure
@@ -3920,7 +3920,7 @@ fi
# check if memfd is supported
memfd=no
cat > $TMPC << EOF
-#include <sys/memfd.h>
+#include <sys/mman.h>
int main(void)
{
diff --git a/util/memfd.c b/util/memfd.c
index 4571d1aba8..412e94a405 100644
--- a/util/memfd.c
+++ b/util/memfd.c
@@ -31,9 +31,7 @@
#include "qemu/memfd.h"
-#ifdef CONFIG_MEMFD
-#include <sys/memfd.h>
-#elif defined CONFIG_LINUX
+#if defined CONFIG_LINUX && !defined CONFIG_MEMFD
#include <sys/syscall.h>
#include <asm/unistd.h>

2
0034-qapi-use-items-values-intead-of-ite.patch
View File

@ -1,4 +1,4 @@
From 3d847a60ddc9b6310b08c4264d1cbdbee4cfb0ef Mon Sep 17 00:00:00 2001
From b644653df5e25a922d5bb7d9fb9c86bfe9dda86c Mon Sep 17 00:00:00 2001
From: "Daniel P. Berrange" <berrange@redhat.com>
Date: Tue, 16 Jan 2018 13:42:05 +0000
Subject: [PATCH] qapi: use items()/values() intead of iteritems()/itervalues()

2
0035-qapi-Use-OrderedDict-from-standard-.patch
View File

@ -1,4 +1,4 @@
From f38441aecb1a927d05b3fc47c34852169eb9c8c6 Mon Sep 17 00:00:00 2001
From a1cd35be6c021ebea74d43da4ebb3b92b7064b72 Mon Sep 17 00:00:00 2001
From: "Daniel P. Berrange" <berrange@redhat.com>
Date: Tue, 16 Jan 2018 13:42:06 +0000
Subject: [PATCH] qapi: Use OrderedDict from standard library if available

2
0036-qapi-adapt-to-moved-location-of-Str.patch
View File

@ -1,4 +1,4 @@
From 16d6ac6a4239900f57ce871bd447c7371c3e07ca Mon Sep 17 00:00:00 2001
From 474475499831d76f92dcdde71ff2d0a29205f2ff Mon Sep 17 00:00:00 2001
From: "Daniel P. Berrange" <berrange@redhat.com>
Date: Tue, 16 Jan 2018 13:42:07 +0000
Subject: [PATCH] qapi: adapt to moved location of StringIO module in py3

2
0037-qapi-Adapt-to-moved-location-of-mak.patch
View File

@ -1,4 +1,4 @@
From d4df07ca6bc5fb2ff8faa2d74c854be921b1f5bf Mon Sep 17 00:00:00 2001
From 038a061ce8a984ae6de48ceb247033e7799a72fb Mon Sep 17 00:00:00 2001
From: "Daniel P. Berrange" <berrange@redhat.com>
Date: Tue, 16 Jan 2018 13:42:08 +0000
Subject: [PATCH] qapi: Adapt to moved location of 'maketrans' function in py3

2
0038-qapi-remove-q-arg-to-diff-when-comp.patch
View File

@ -1,4 +1,4 @@
From 0b18b7d8af17cb10779ca45efd40d791595d7cf5 Mon Sep 17 00:00:00 2001
From c3577e33fd92f1d5d3632620f0b74f38b3b23ed8 Mon Sep 17 00:00:00 2001
From: "Daniel P. Berrange" <berrange@redhat.com>
Date: Tue, 16 Jan 2018 13:42:09 +0000
Subject: [PATCH] qapi: remove '-q' arg to diff when comparing QAPI output

2
0039-qapi-ensure-stable-sort-ordering-wh.patch
View File

@ -1,4 +1,4 @@
From a16a7259aace92ff5cf815b31e1201310fc344a0 Mon Sep 17 00:00:00 2001
From 23ef1eee49f51e6fcae2c1676e9b71b0a9d1436b Mon Sep 17 00:00:00 2001
From: "Daniel P. Berrange" <berrange@redhat.com>
Date: Tue, 16 Jan 2018 13:42:10 +0000
Subject: [PATCH] qapi: ensure stable sort ordering when checking QAPI entities

2
0040-qapi-force-a-UTF-8-locale-for-runni.patch
View File

@ -1,4 +1,4 @@
From 125a29fae71588b8857f1a513bf03ec6ef52f713 Mon Sep 17 00:00:00 2001
From 178826a44b2d08e69dc7128cb3f47cea32912e37 Mon Sep 17 00:00:00 2001
From: "Daniel P. Berrange" <berrange@redhat.com>
Date: Tue, 16 Jan 2018 13:42:11 +0000
Subject: [PATCH] qapi: force a UTF-8 locale for running Python

2
0041-scripts-ensure-signrom-treats-data-.patch
View File

@ -1,4 +1,4 @@
From 680774bf1e3bfd349b503e375f01244a04ca975b Mon Sep 17 00:00:00 2001
From 93a3811284417987034a0c72387db589760fcaaa Mon Sep 17 00:00:00 2001
From: "Daniel P. Berrange" <berrange@redhat.com>
Date: Tue, 16 Jan 2018 13:42:12 +0000
Subject: [PATCH] scripts: ensure signrom treats data as bytes

4
0042-configure-allow-use-of-python-3.patch
View File

@ -1,4 +1,4 @@
From bb4e9dd3678fe461b85345736cb296641be01413 Mon Sep 17 00:00:00 2001
From 9ef8e6f7a53e7790187a810495e428a7556ead6e Mon Sep 17 00:00:00 2001
From: "Daniel P. Berrange" <berrange@redhat.com>
Date: Tue, 16 Jan 2018 13:42:13 +0000
Subject: [PATCH] configure: allow use of python 3
@ -15,7 +15,7 @@ Signed-off-by: Bruce Rogers <brogers@suse.com>
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/configure b/configure
index 01e1d15fa4..46e2853ee3 100755
index 71b8b473fc..62d66a6819 100755
--- a/configure
+++ b/configure
@@ -1573,9 +1573,8 @@ fi

2
0043-input-add-missing-JIS-keys-to-virti.patch
View File

@ -1,4 +1,4 @@
From 88c1526efb8132cc1ea6d4dcb8ef84daa08a1d9d Mon Sep 17 00:00:00 2001
From 47dfdc212f68d2ab3d06db162bff907c4922e67d Mon Sep 17 00:00:00 2001
From: Miika S <miika9764@gmail.com>
Date: Tue, 16 Jan 2018 13:42:14 +0000
Subject: [PATCH] input: add missing JIS keys to virtio input

2
0044-Make-installed-scripts-explicitly-p.patch
View File

@ -1,4 +1,4 @@
From 8bcfb45ee625f82a7324491c2640c5dfb60465a9 Mon Sep 17 00:00:00 2001
From 8635ebbf94af8dbcd20da8f52e8081f1be8c977c Mon Sep 17 00:00:00 2001
From: Bruce Rogers <brogers@suse.com>
Date: Thu, 25 Jan 2018 14:16:10 -0700
Subject: [PATCH] Make installed scripts explicitly python2

2
0045-pc-fail-memory-hot-plug-unplug-with.patch
View File

@ -1,4 +1,4 @@
From c97089489583ab5e1b748a5731915bc3727931b4 Mon Sep 17 00:00:00 2001
From 097f317248eb261968efb30755e3c91fd9311cea Mon Sep 17 00:00:00 2001
From: Haozhong Zhang <haozhong.zhang@intel.com>
Date: Fri, 22 Dec 2017 09:51:20 +0800
Subject: [PATCH] pc: fail memory hot-plug/unplug with -no-acpi and Q35 machine

8
0046-memattrs-add-debug-attribute.patch
View File

@ -1,6 +1,6 @@
From 8e76b032dc33ce4330da6ec73c10113cdc172b25 Mon Sep 17 00:00:00 2001
From 631811d80a534654f23009e86cf9b9b942d53a48 Mon Sep 17 00:00:00 2001
From: Brijesh Singh <brijesh.singh@amd.com>
Date: Tue, 6 Feb 2018 19:08:07 -0600
Date: Thu, 15 Feb 2018 09:03:19 -0600
Subject: [PATCH] memattrs: add debug attribute
Extend the MemTxAttrs to include 'debug' flag. The flag can be used as
@ -13,10 +13,10 @@ will need to use encryption APIs to access the guest memory.
Cc: Alistair Francis <alistair.francis@xilinx.com>
Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: Edgar E. Iglesias" <edgar.iglesias@xilinx.com>
Cc: "Edgar E. Iglesias" <edgar.iglesias@xilinx.com>
Cc: Richard Henderson <richard.henderson@linaro.org>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Edgar E. Iglesias" <edgar.iglesias@xilinx.com>
Reviewed-by: "Edgar E. Iglesias" <edgar.iglesias@xilinx.com>
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
[BR: FATE#322124]
Signed-off-by: Bruce Rogers <brogers@suse.com>

104
0047-exec-add-ram_debug_ops-support.patch
View File

@ -1,6 +1,6 @@
From faf4862946a9e236e8e4fb956adad2dc11577fe0 Mon Sep 17 00:00:00 2001
From a8955ac9aa33e2d3edb4ea948d74cf52fc9771a2 Mon Sep 17 00:00:00 2001
From: Brijesh Singh <brijesh.singh@amd.com>
Date: Tue, 6 Feb 2018 19:08:07 -0600
Date: Thu, 15 Feb 2018 09:03:19 -0600
Subject: [PATCH] exec: add ram_debug_ops support
Currently, the guest memory access for the debug purpose is performed
@ -30,12 +30,12 @@ Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
[BR: FATE#322124]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
exec.c | 66 ++++++++++++++++++++++++++++++++++++++-------------
include/exec/memory.h | 28 ++++++++++++++++++++++
2 files changed, 78 insertions(+), 16 deletions(-)
exec.c | 43 ++++++++++++++++++++++++++++++++-----------
include/exec/memory.h | 30 +++++++++++++++++++++++++++++-
2 files changed, 61 insertions(+), 12 deletions(-)
diff --git a/exec.c b/exec.c
index 1ca0f9e0ab..5da6a782e1 100644
index 1ca0f9e0ab..fe49807f58 100644
--- a/exec.c
+++ b/exec.c
@@ -2983,7 +2983,11 @@ static MemTxResult flatview_write_continue(FlatView *fv, hwaddr addr,
@ -64,47 +64,19 @@ index 1ca0f9e0ab..5da6a782e1 100644
}
if (release_lock) {
@@ -3151,11 +3159,13 @@ void cpu_physical_memory_rw(hwaddr addr, uint8_t *buf,
enum write_rom_type {
WRITE_DATA,
+ READ_DATA,
FLUSH_CACHE,
@@ -3155,7 +3163,8 @@ enum write_rom_type {
};
-static inline void cpu_physical_memory_write_rom_internal(AddressSpace *as,
static inline void cpu_physical_memory_write_rom_internal(AddressSpace *as,
- hwaddr addr, const uint8_t *buf, int len, enum write_rom_type type)
+static inline void cpu_physical_memory_rw_internal(AddressSpace *as,
+ hwaddr addr, uint8_t *buf, int len, MemTxAttrs attrs,
+ hwaddr addr, const uint8_t *buf, int len, MemTxAttrs attrs,
+ enum write_rom_type type)
{
hwaddr l;
uint8_t *ptr;
@@ -3170,12 +3180,33 @@ static inline void cpu_physical_memory_write_rom_internal(AddressSpace *as,
if (!(memory_region_is_ram(mr) ||
memory_region_is_romd(mr))) {
l = memory_access_size(mr, l, addr1);
+ /* Pass MMIO down to address address_space_rw */
+ switch (type) {
+ case READ_DATA:
+ case WRITE_DATA:
+ address_space_rw(as, addr1, attrs, buf, l,
+ type == WRITE_DATA);
+ break;
+ case FLUSH_CACHE:
+ break;
+ }
} else {
/* ROM/RAM case */
@@ -3175,7 +3184,11 @@ static inline void cpu_physical_memory_write_rom_internal(AddressSpace *as,
ptr = qemu_map_ram_ptr(mr->ram_block, addr1);
switch (type) {
+ case READ_DATA:
+ if (mr->ram_debug_ops) {
+ mr->ram_debug_ops->read(buf, ptr, l, attrs);
+ } else {
+ memcpy(buf, ptr, l);
+ }
+ break;
case WRITE_DATA:
- memcpy(ptr, buf, l);
+ if (mr->ram_debug_ops) {
@ -115,38 +87,30 @@ index 1ca0f9e0ab..5da6a782e1 100644
invalidate_and_set_dirty(mr, addr1, l);
break;
case FLUSH_CACHE:
@@ -3194,7 +3225,8 @@ static inline void cpu_physical_memory_write_rom_internal(AddressSpace *as,
@@ -3194,7 +3207,9 @@ static inline void cpu_physical_memory_write_rom_internal(AddressSpace *as,
void cpu_physical_memory_write_rom(AddressSpace *as, hwaddr addr,
const uint8_t *buf, int len)
{
- cpu_physical_memory_write_rom_internal(as, addr, buf, len, WRITE_DATA);
+ cpu_physical_memory_rw_internal(as, addr, (uint8_t *)buf, len,
+ MEMTXATTRS_UNSPECIFIED, WRITE_DATA);
+ cpu_physical_memory_write_rom_internal(as, addr, buf, len,
+ MEMTXATTRS_UNSPECIFIED,
+ WRITE_DATA);
}
void cpu_flush_icache_range(hwaddr start, int len)
@@ -3209,8 +3241,10 @@ void cpu_flush_icache_range(hwaddr start, int len)
@@ -3209,8 +3224,9 @@ void cpu_flush_icache_range(hwaddr start, int len)
return;
}
- cpu_physical_memory_write_rom_internal(&address_space_memory,
- start, NULL, len, FLUSH_CACHE);
+ cpu_physical_memory_rw_internal(&address_space_memory,
+ start, NULL, len,
+ MEMTXATTRS_UNSPECIFIED,
+ FLUSH_CACHE);
+ cpu_physical_memory_write_rom_internal(&address_space_memory, start, NULL,
+ len, MEMTXATTRS_UNSPECIFIED,
+ FLUSH_CACHE);
}
typedef struct {
@@ -3516,6 +3550,7 @@ int cpu_memory_rw_debug(CPUState *cpu, target_ulong addr,
int l;
hwaddr phys_addr;
target_ulong page;
+ int type = is_write ? WRITE_DATA : READ_DATA;
cpu_synchronize_state(cpu);
while (len > 0) {
@@ -3525,6 +3560,10 @@ int cpu_memory_rw_debug(CPUState *cpu, target_ulong addr,
@@ -3525,6 +3541,10 @@ int cpu_memory_rw_debug(CPUState *cpu, target_ulong addr,
page = addr & TARGET_PAGE_MASK;
phys_addr = cpu_get_phys_page_attrs_debug(cpu, page, &attrs);
asidx = cpu_asidx_from_attrs(cpu, attrs);
@ -157,26 +121,27 @@ index 1ca0f9e0ab..5da6a782e1 100644
/* if no physical page mapped, return an error */
if (phys_addr == -1)
return -1;
@@ -3532,14 +3571,9 @@ int cpu_memory_rw_debug(CPUState *cpu, target_ulong addr,
if (l > len)
@@ -3533,13 +3553,14 @@ int cpu_memory_rw_debug(CPUState *cpu, target_ulong addr,
l = len;
phys_addr += (addr & ~TARGET_PAGE_MASK);
- if (is_write) {
if (is_write) {
- cpu_physical_memory_write_rom(cpu->cpu_ases[asidx].as,
- phys_addr, buf, l);
- } else {
- address_space_rw(cpu->cpu_ases[asidx].as, phys_addr,
+ cpu_physical_memory_write_rom_internal(cpu->cpu_ases[asidx].as,
+ phys_addr, buf, l, attrs,
+ WRITE_DATA);
} else {
address_space_rw(cpu->cpu_ases[asidx].as, phys_addr,
- MEMTXATTRS_UNSPECIFIED,
- buf, l, 0);
- }
+ cpu_physical_memory_rw_internal(cpu->cpu_ases[asidx].as,
+ phys_addr, buf, l, attrs,
+ type);
+ attrs, buf, l, 0);
}
+
len -= l;
buf += l;
addr += l;
diff --git a/include/exec/memory.h b/include/exec/memory.h
index 5ed4042f87..557f75c7ae 100644
index 5ed4042f87..8d3b99cba8 100644
--- a/include/exec/memory.h
+++ b/include/exec/memory.h
@@ -215,6 +215,18 @@ typedef struct IOMMUMemoryRegionClass {
@ -228,3 +193,12 @@ index 5ed4042f87..557f75c7ae 100644
/**
* memory_region_init_reservation: Initialize a memory region that reserves
* I/O space.
@@ -1928,7 +1956,7 @@ MemTxResult flatview_read(FlatView *fv, hwaddr addr, MemTxAttrs attrs,
void *ptr;
MemoryRegion *mr;
- if (__builtin_constant_p(len)) {
+ if (__builtin_constant_p(len) && !attrs.debug) {
if (len) {
rcu_read_lock();
l = len;

23
0048-exec-add-debug-version-of-physical-.patch
View File

@ -1,6 +1,6 @@
From 8c55cf176a4b6d6411e8b1e6385ff6a78b0e55f2 Mon Sep 17 00:00:00 2001
From bb5805ddc9a5bfbf78d4ce81b6395452c783ca77 Mon Sep 17 00:00:00 2001
From: Brijesh Singh <brijesh.singh@amd.com>
Date: Tue, 6 Feb 2018 19:08:07 -0600
Date: Thu, 15 Feb 2018 09:03:20 -0600
Subject: [PATCH] exec: add debug version of physical memory read and write API
Adds the following new APIs
@ -18,15 +18,15 @@ Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
[BR: FATE#322124]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
exec.c | 41 +++++++++++++++++++++++++++++++++++++++++
exec.c | 40 ++++++++++++++++++++++++++++++++++++++++
include/exec/cpu-common.h | 15 +++++++++++++++
2 files changed, 56 insertions(+)
2 files changed, 55 insertions(+)
diff --git a/exec.c b/exec.c
index 5da6a782e1..561e4290dc 100644
index fe49807f58..2a297de819 100644
--- a/exec.c
+++ b/exec.c
@@ -3543,6 +3543,47 @@ void address_space_cache_destroy(MemoryRegionCache *cache)
@@ -3525,6 +3525,46 @@ void address_space_cache_destroy(MemoryRegionCache *cache)
#define RCU_READ_UNLOCK() rcu_read_unlock()
#include "memory_ldst.inc.c"
@ -39,9 +39,9 @@ index 5da6a782e1..561e4290dc 100644
+ /* set debug attrs to indicate memory access is from the debugger */
+ attrs.debug = 1;
+
+ cpu_physical_memory_rw_internal(cpu->cpu_ases[asidx].as,
+ addr, (void *) &val,
+ 4, attrs, READ_DATA);
+ address_space_rw(cpu->cpu_ases[asidx].as, addr, attrs,
+ (void *) &val, 4, 0);
+
+ return tswap32(val);
+}
+
@ -54,9 +54,8 @@ index 5da6a782e1..561e4290dc 100644
+ /* set debug attrs to indicate memory access is from the debugger */
+ attrs.debug = 1;
+
+ cpu_physical_memory_rw_internal(cpu->cpu_ases[asidx].as,
+ addr, (void *) &val,
+ 8, attrs, READ_DATA);
+ address_space_rw(cpu->cpu_ases[asidx].as, addr, attrs,
+ (void *) &val, 8, 0);
+ return val;
+}
+

16
0049-monitor-i386-use-debug-APIs-when-ac.patch
View File

@ -1,6 +1,6 @@
From 5a0c3e3ff1a772c572b810851e04e0deb2930367 Mon Sep 17 00:00:00 2001
From 6dd6cff79148e79a45da6277fd7f9b5de4f41d20 Mon Sep 17 00:00:00 2001
From: Brijesh Singh <brijesh.singh@amd.com>
Date: Tue, 6 Feb 2018 19:08:07 -0600
Date: Thu, 15 Feb 2018 09:03:20 -0600
Subject: [PATCH] monitor/i386: use debug APIs when accessing guest memory
Updates HMP commands to use the debug version of APIs when accessing the
@ -18,10 +18,10 @@ Signed-off-by: Bruce Rogers <brogers@suse.com>
---
cpus.c | 2 +-
disas.c | 2 +-
monitor.c | 8 ++++---
monitor.c | 6 +++---
target/i386/helper.c | 14 ++++++------
target/i386/monitor.c | 60 +++++++++++++++++++++++++++------------------------
5 files changed, 46 insertions(+), 40 deletions(-)
5 files changed, 44 insertions(+), 40 deletions(-)
diff --git a/cpus.c b/cpus.c
index 114c29b6a0..d1e7e28993 100644
@ -50,7 +50,7 @@ index d4ad1089ef..fcedbf2633 100644
}
diff --git a/monitor.c b/monitor.c
index e36fb5308d..3b456fc6c5 100644
index e36fb5308d..6b484e3e0d 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1359,7 +1359,7 @@ static void memory_dump(Monitor *mon, int count, int format, int wsize,
@ -62,16 +62,14 @@ index e36fb5308d..3b456fc6c5 100644
} else {
if (cpu_memory_rw_debug(cs, addr, buf, l, 0) < 0) {
monitor_printf(mon, " Cannot access memory\n");
@@ -1565,8 +1565,10 @@ static void hmp_sum(Monitor *mon, const QDict *qdict)
@@ -1565,8 +1565,8 @@ static void hmp_sum(Monitor *mon, const QDict *qdict)
sum = 0;
for(addr = start; addr < (start + size); addr++) {
- uint8_t val = address_space_ldub(&address_space_memory, addr,
- MEMTXATTRS_UNSPECIFIED, NULL);
+ uint8_t buf[0];
+ uint8_t val;
+ cpu_physical_memory_read_debug(addr, buf, 1);
+ val = ldub_p(buf);
+ cpu_physical_memory_read_debug(addr, &val, 1);
/* BSD sum algorithm ('sum' Unix command) */
sum = (sum >> 1) | (sum << 15);
sum += val;

6
0051-machine-add-memory-encryption-prope.patch → 0050-machine-add-memory-encryption-prope.patch
View File

@ -1,6 +1,6 @@
From 80b31eed583af21eee2e2f152d2c24e6aa13b2b7 Mon Sep 17 00:00:00 2001
From 969964dd7f15ac507887f58fccbb2623110bd8f6 Mon Sep 17 00:00:00 2001
From: Brijesh Singh <brijesh.singh@amd.com>
Date: Tue, 6 Feb 2018 19:08:08 -0600
Date: Thu, 15 Feb 2018 09:03:20 -0600
Subject: [PATCH] machine: add -memory-encryption property
When CPU supports memory encryption feature, the property can be used to
@ -72,7 +72,7 @@ index 156b16f7a6..41fa577955 100644
ram_addr_t ram_size;
ram_addr_t maxram_size;
diff --git a/qemu-options.hx b/qemu-options.hx
index f11c4ac960..5385832707 100644
index 57f2c6a75f..617e5d5c20 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -104,6 +104,8 @@ code to send configuration section even if the machine-type sets the

137
0050-target-i386-add-memory-encryption-f.patch
View File

@ -1,137 +0,0 @@
From 7fee871608f1ab458151d03712fb0b89cf5c5668 Mon Sep 17 00:00:00 2001
From: Brijesh Singh <brijesh.singh@amd.com>
Date: Tue, 6 Feb 2018 19:08:07 -0600
Subject: [PATCH] target/i386: add memory encryption feature cpuid support
AMD EPYC processors support memory encryption feature. The feature
is reported through CPUID 8000_001F[EAX].
Fn8000_001F [EAX]:
Bit 0 Secure Memory Encryption (SME) supported
Bit 1 Secure Encrypted Virtualization (SEV) supported
Bit 2 Page flush MSR supported
Bit 3 Ecrypted State (SEV-ES) support
when memory encryption feature is reported, CPUID 8000_001F[EBX] should
provide additional information regarding the feature (such as which page
table bit is used to mark pages as encrypted etc). The information in EBX
and ECX may vary from one family to another hence we use the host cpuid
to populate the EBX information.
The details for memory encryption CPUID is available in AMD APM
(https://support.amd.com/TechDocs/24594.pdf) Section E.4.17
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Richard Henderson <rth@twiddle.net>
Cc: Eduardo Habkost <ehabkost@redhat.com>
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
[BR: FATE#322124]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
target/i386/cpu.c | 36 ++++++++++++++++++++++++++++++++++++
target/i386/cpu.h | 6 ++++++
2 files changed, 42 insertions(+)
diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index 4a403b1e7b..98cd293c4f 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -233,6 +233,7 @@ static void x86_cpu_vendor_words2str(char *dst, uint32_t vendor1,
#define TCG_EXT4_FEATURES 0
#define TCG_SVM_FEATURES 0
#define TCG_KVM_FEATURES 0
+#define TCG_MEM_ENCRYPT_FEATURES 0
#define TCG_7_0_EBX_FEATURES (CPUID_7_0_EBX_SMEP | CPUID_7_0_EBX_SMAP | \
CPUID_7_0_EBX_BMI1 | CPUID_7_0_EBX_BMI2 | CPUID_7_0_EBX_ADX | \
CPUID_7_0_EBX_PCOMMIT | CPUID_7_0_EBX_CLFLUSHOPT | \
@@ -528,6 +529,20 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
.cpuid_reg = R_EDX,
.tcg_features = ~0U,
},
+ [FEAT_MEM_ENCRYPT] = {
+ .feat_names = {
+ "sme", "sev", "page-flush-msr", "sev-es",
+ NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL,
+ },
+ .cpuid_eax = 0x8000001F, .cpuid_reg = R_EAX,
+ .tcg_features = TCG_MEM_ENCRYPT_FEATURES,
+ }
};
typedef struct X86RegisterInfo32 {
@@ -1562,6 +1577,9 @@ static X86CPUDefinition builtin_x86_defs[] = {
CPUID_XSAVE_XGETBV1,
.features[FEAT_6_EAX] =
CPUID_6_EAX_ARAT,
+ /* Missing: SEV_ES */
+ .features[FEAT_MEM_ENCRYPT] =
+ CPUID_8000_001F_EAX_SME | CPUID_8000_001F_EAX_SEV,
.xlevel = 0x8000000A,
.model_id = "AMD EPYC Processor",
},
@@ -3111,6 +3129,19 @@ void cpu_x86_cpuid(CPUX86State *env, uint32_t index, uint32_t count,
*edx = 0;
}
break;
+ case 0x8000001F:
+ if (env->features[FEAT_MEM_ENCRYPT] & CPUID_8000_001F_EAX_SEV) {
+ *eax = env->features[FEAT_MEM_ENCRYPT];
+ host_cpuid(0x8000001F, 0, NULL, ebx, NULL, NULL);
+ *ecx = 0;
+ *edx = 0;
+ } else {
+ *eax = 0;
+ *ebx = 0;
+ *ecx = 0;
+ *edx = 0;
+ }
+ break;
case 0xC0000000:
*eax = env->cpuid_xlevel2;
*ebx = 0;
@@ -3550,10 +3581,15 @@ static void x86_cpu_expand_features(X86CPU *cpu, Error **errp)
x86_cpu_adjust_feat_level(cpu, FEAT_C000_0001_EDX);
x86_cpu_adjust_feat_level(cpu, FEAT_SVM);
x86_cpu_adjust_feat_level(cpu, FEAT_XSAVE);
+ x86_cpu_adjust_feat_level(cpu, FEAT_MEM_ENCRYPT);
/* SVM requires CPUID[0x8000000A] */
if (env->features[FEAT_8000_0001_ECX] & CPUID_EXT3_SVM) {
x86_cpu_adjust_level(cpu, &env->cpuid_min_xlevel, 0x8000000A);
}
+ /* SEV requires CPUID[0x8000001F] */
+ if ((env->features[FEAT_MEM_ENCRYPT] & CPUID_8000_001F_EAX_SEV)) {
+ x86_cpu_adjust_level(cpu, &env->cpuid_min_xlevel, 0x8000001F);
+ }
}
/* Set cpuid_*level* based on cpuid_min_*level, if not explicitly set */
diff --git a/target/i386/cpu.h b/target/i386/cpu.h
index d9ecf7a368..224ac5413f 100644
--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
@@ -464,6 +464,7 @@ typedef enum FeatureWord {
FEAT_6_EAX, /* CPUID[6].EAX */
FEAT_XSAVE_COMP_LO, /* CPUID[EAX=0xd,ECX=0].EAX */
FEAT_XSAVE_COMP_HI, /* CPUID[EAX=0xd,ECX=0].EDX */
+ FEAT_MEM_ENCRYPT, /* CPUID[8000_001F].EAX */
FEATURE_WORDS,
} FeatureWord;
@@ -652,6 +653,11 @@ typedef uint32_t FeatureWordArray[FEATURE_WORDS];
#define CPUID_6_EAX_ARAT (1U << 2)
+#define CPUID_8000_001F_EAX_SME (1U << 0) /* SME */
+#define CPUID_8000_001F_EAX_SEV (1U << 1) /* SEV */
+#define CPUID_8000_001F_EAX_PAGE_FLUSH_MSR (1U << 2) /* Page flush MSR */
+#define CPUID_8000_001F_EAX_SEV_ES (1U << 3) /* SEV-ES */
+
/* CPUID[0x80000007].EDX flags: */
#define CPUID_APM_INVTSC (1U << 8)

8
0052-kvm-update-kvm.h-to-include-memory-.patch → 0051-kvm-update-kvm.h-to-include-memory-.patch
View File

@ -1,6 +1,6 @@
From fd981d8bae5ef3b9056845add32a0830356b3b7f Mon Sep 17 00:00:00 2001
From f62e734e8cbb2b31f23b9c0e8cb69ae1500a200b Mon Sep 17 00:00:00 2001
From: Brijesh Singh <brijesh.singh@amd.com>
Date: Tue, 6 Feb 2018 19:08:08 -0600
Date: Thu, 15 Feb 2018 09:03:20 -0600
Subject: [PATCH] kvm: update kvm.h to include memory encryption ioctls
Updates kmv.h to include memory encryption ioctls and SEV commands.
@ -16,10 +16,10 @@ Signed-off-by: Bruce Rogers <brogers@suse.com>
1 file changed, 90 insertions(+)
diff --git a/linux-headers/linux/kvm.h b/linux-headers/linux/kvm.h
index dd8a91801e..04b5801d03 100644
index d92c9b2f0e..aed2230995 100644
--- a/linux-headers/linux/kvm.h
+++ b/linux-headers/linux/kvm.h
@@ -1356,6 +1356,96 @@ struct kvm_s390_ucas_mapping {
@@ -1362,6 +1362,96 @@ struct kvm_s390_ucas_mapping {
/* Available with KVM_CAP_S390_CMMA_MIGRATION */
#define KVM_S390_GET_CMMA_BITS _IOWR(KVMIO, 0xb8, struct kvm_s390_cmma_log)
#define KVM_S390_SET_CMMA_BITS _IOW(KVMIO, 0xb9, struct kvm_s390_cmma_log)

4
0053-docs-add-AMD-Secure-Encrypted-Virtu.patch → 0052-docs-add-AMD-Secure-Encrypted-Virtu.patch
View File

@ -1,6 +1,6 @@
From e31dff17694578d6f14f94fce81f446827502318 Mon Sep 17 00:00:00 2001
From 23745abd0c79cea6c85622263a46a33c3a96fefb Mon Sep 17 00:00:00 2001
From: Brijesh Singh <brijesh.singh@amd.com>
Date: Tue, 6 Feb 2018 19:08:08 -0600
Date: Thu, 15 Feb 2018 09:03:20 -0600
Subject: [PATCH] docs: add AMD Secure Encrypted Virtualization (SEV)
Create a documentation entry to describe the AMD Secure Encrypted

368
0054-accel-add-Secure-Encrypted-Virtuliz.patch → 0053-target-i386-add-Secure-Encrypted-Vi.patch
View File

@ -1,7 +1,7 @@
From 725b55269e39ee0c64daf556b019d1eb70940b21 Mon Sep 17 00:00:00 2001
From 3ab22b287a2ea323cb0b4d6daf9fc2177b6dec1c Mon Sep 17 00:00:00 2001
From: Brijesh Singh <brijesh.singh@amd.com>
Date: Tue, 6 Feb 2018 19:08:08 -0600
Subject: [PATCH] accel: add Secure Encrypted Virtulization (SEV) object
Date: Thu, 15 Feb 2018 09:03:21 -0600
Subject: [PATCH] target/i386: add Secure Encrypted Virtulization (SEV) object
Add a new memory encryption object 'sev-guest'. The object will be used
to create enrypted VMs on AMD EPYC CPU. The object provides the properties
@ -15,32 +15,186 @@ e.g to launch SEV guest
-machine ....,memory-encryption=sev0
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Richard Henderson <rth@twiddle.net>
Cc: Eduardo Habkost <ehabkost@redhat.com>
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
[BR: FATE#322124]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
accel/kvm/Makefile.objs | 2 +-
accel/kvm/sev.c | 214 +++++++++++++++++++++++++++++++++++++++++
docs/amd-memory-encryption.txt | 17 ++++
include/sysemu/sev.h | 54 +++++++++++
docs/amd-memory-encryption.txt | 17 +++
include/sysemu/sev.h | 54 ++++++++++
qemu-options.hx | 36 +++++++
5 files changed, 322 insertions(+), 1 deletion(-)
create mode 100644 accel/kvm/sev.c
target/i386/Makefile.objs | 2 +-
target/i386/sev.c | 228 +++++++++++++++++++++++++++++++++++++++++
5 files changed, 336 insertions(+), 1 deletion(-)
create mode 100644 include/sysemu/sev.h
create mode 100644 target/i386/sev.c
diff --git a/accel/kvm/Makefile.objs b/accel/kvm/Makefile.objs
index 85351e7de7..666ceef3da 100644
--- a/accel/kvm/Makefile.objs
+++ b/accel/kvm/Makefile.objs
@@ -1 +1 @@
-obj-$(CONFIG_KVM) += kvm-all.o
+obj-$(CONFIG_KVM) += kvm-all.o sev.o
diff --git a/accel/kvm/sev.c b/accel/kvm/sev.c
diff --git a/docs/amd-memory-encryption.txt b/docs/amd-memory-encryption.txt
index 72a92b6c63..1527f603ea 100644
--- a/docs/amd-memory-encryption.txt
+++ b/docs/amd-memory-encryption.txt
@@ -35,10 +35,21 @@ in bad measurement). The guest policy is a 4-byte data structure containing
several flags that restricts what can be done on running SEV guest.
See KM Spec section 3 and 6.2 for more details.
+The guest policy can be provided via the 'policy' property (see below)
+
+# ${QEMU} \
+ sev-guest,id=sev0,policy=0x1...\
+
Guest owners provided DH certificate and session parameters will be used to
establish a cryptographic session with the guest owner to negotiate keys used
for the attestation.
+The DH certificate and session blob can be provided via 'dh-cert-file' and
+'session-file' property (see below
+
+# ${QEMU} \
+ sev-guest,id=sev0,dh-cert-file=<file1>,session-file=<file2>
+
LAUNCH_UPDATE_DATA encrypts the memory region using the cryptographic context
created via LAUNCH_START command. If required, this command can be called
multiple times to encrypt different memory regions. The command also calculates
@@ -59,6 +70,12 @@ context.
See SEV KM API Spec [1] 'Launching a guest' usage flow (Appendix A) for the
complete flow chart.
+To launch a SEV guest
+
+# ${QEMU} \
+ -machine ...,memory-encryption=sev0 \
+ -object sev-guest,id=sev0
+
Debugging
-----------
Since memory contents of SEV guest is encrypted hence hypervisor access to the
diff --git a/include/sysemu/sev.h b/include/sysemu/sev.h
new file mode 100644
index 0000000000..57e092a0bd
index 0000000000..a1936a7a79
--- /dev/null
+++ b/accel/kvm/sev.c
@@ -0,0 +1,214 @@
+++ b/include/sysemu/sev.h
@@ -0,0 +1,54 @@
+/*
+ * QEMU Secure Encrypted Virutualization (SEV) support
+ *
+ * Copyright: Advanced Micro Devices, 2016-2018
+ *
+ * Authors:
+ * Brijesh Singh <brijesh.singh@amd.com>
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ *
+ */
+
+#ifndef QEMU_SEV_H
+#define QEMU_SEV_H
+
+#include "qom/object.h"
+#include "qapi/error.h"
+#include "sysemu/kvm.h"
+#include "qemu/error-report.h"
+
+#define TYPE_QSEV_GUEST_INFO "sev-guest"
+#define QSEV_GUEST_INFO(obj) \
+ OBJECT_CHECK(QSevGuestInfo, (obj), TYPE_QSEV_GUEST_INFO)
+
+typedef struct QSevGuestInfo QSevGuestInfo;
+typedef struct QSevGuestInfoClass QSevGuestInfoClass;
+
+/**
+ * QSevGuestInfo:
+ *
+ * The QSevGuestInfo object is used for creating a SEV guest.
+ *
+ * # $QEMU \
+ * -object sev-guest,id=sev0 \
+ * -machine ...,memory-encryption=sev0
+ */
+struct QSevGuestInfo {
+ Object parent_obj;
+
+ char *sev_device;
+ uint32_t policy;
+ uint32_t handle;
+ char *dh_cert_file;
+ char *session_file;
+ uint32_t cbitpos;
+ uint32_t reduced_phys_bits;
+};
+
+struct QSevGuestInfoClass {
+ ObjectClass parent_class;
+};
+
+#endif
diff --git a/qemu-options.hx b/qemu-options.hx
index 617e5d5c20..ab8d089f29 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -4471,6 +4471,42 @@ contents of @code{iv.b64} to the second secret
data=$SECRET,iv=$(<iv.b64)
@end example
+@item -object sev-guest,id=@var{id},sev-device=@var{string}[cbitpos=@var{cbitpos},policy=@var{policy},handle=@var{handle},dh-cert-file=@var{file},session-file=@var{file}]
+
+Create a Secure Encrypted Virtualization (SEV) guest object, which can be used
+to provide the guest memory encryption support on AMD processors.
+
+The @option{sev-device} provides the device file to use for communicating with
+the SEV firmware running inside AMD Secure Processor. The default device is
+'/dev/sev'. If hardware supports memory encryption then /dev/sev devices are
+created by CCP driver.
+
+The @option{cbitpos} provide the C-bit location in guest page table entry to use.
+
+The @option{policy} provides the guest policy to be enforced by the SEV firmware
+and restrict what configuration and operational commands can be performed on this
+guest by the hypervisor. The policy should be provided by the guest owner and is
+bound to the guest and cannot be changed throughout the lifetime of the guest.
+The default is 0.
+
+If guest @option{policy} allows sharing the key with another SEV guest then
+@option{handle} can be use to provide handle of the guest from which to share
+the key.
+
+The @option{dh-cert-file} and @option{session-file} provides the guest owner's
+Public Diffie-Hillman key defined in SEV spec. The PDH and session parameters
+are used for establishing a cryptographic session with the guest owner to
+negotiate keys used for attestation. The file must be encoded in base64.
+
+e.g to launch a SEV guest
+@example
+ # $QEMU \
+ ......
+ -object sev-guest,id=sev0 \
+ -machine ...,memory-encryption=sev0
+ .....
+
+@end example
@end table
ETEXI
diff --git a/target/i386/Makefile.objs b/target/i386/Makefile.objs
index 6a26e9d9f0..682f029c45 100644
--- a/target/i386/Makefile.objs
+++ b/target/i386/Makefile.objs
@@ -4,7 +4,7 @@ obj-$(CONFIG_TCG) += bpt_helper.o cc_helper.o excp_helper.o fpu_helper.o
obj-$(CONFIG_TCG) += int_helper.o mem_helper.o misc_helper.o mpx_helper.o
obj-$(CONFIG_TCG) += seg_helper.o smm_helper.o svm_helper.o
obj-$(CONFIG_SOFTMMU) += machine.o arch_memory_mapping.o arch_dump.o monitor.o
-obj-$(CONFIG_KVM) += kvm.o hyperv.o
+obj-$(CONFIG_KVM) += kvm.o hyperv.o sev.o
obj-$(call lnot,$(CONFIG_KVM)) += kvm-stub.o
# HAX support
ifdef CONFIG_WIN32
diff --git a/target/i386/sev.c b/target/i386/sev.c
new file mode 100644
index 0000000000..f07c646577
--- /dev/null
+++ b/target/i386/sev.c
@@ -0,0 +1,228 @@
+/*
+ * QEMU SEV support
+ *
@ -175,6 +329,17 @@ index 0000000000..57e092a0bd
+}
+
+static void
+qsev_guest_set_reduced_phys_bits(Object *obj, Visitor *v, const char *name,
+ void *opaque, Error **errp)
+{
+ QSevGuestInfo *sev = QSEV_GUEST_INFO(obj);
+ uint32_t value;
+
+ visit_type_uint32(v, name, &value, errp);
+ sev->reduced_phys_bits = value;
+}
+
+static void
+qsev_guest_get_policy(Object *obj, Visitor *v, const char *name,
+ void *opaque, Error **errp)
+{
@ -207,14 +372,15 @@ index 0000000000..57e092a0bd
+ visit_type_uint32(v, name, &value, errp);
+}
+
+static uint32_t
+sev_get_host_cbitpos(void)
+static void
+qsev_guest_get_reduced_phys_bits(Object *obj, Visitor *v, const char *name,
+ void *opaque, Error **errp)
+{
+ uint32_t ebx;
+ uint32_t value;
+ QSevGuestInfo *sev = QSEV_GUEST_INFO(obj);
+
+ host_cpuid(0x8000001F, 0, NULL, &ebx, NULL, NULL);
+
+ return ebx & 0x3f;
+ value = sev->reduced_phys_bits;
+ visit_type_uint32(v, name, &value, errp);
+}
+
+static void
@ -224,13 +390,15 @@ index 0000000000..57e092a0bd
+
+ sev->sev_device = g_strdup(DEFAULT_SEV_DEVICE);
+ sev->policy = DEFAULT_GUEST_POLICY;
+ sev->cbitpos = sev_get_host_cbitpos();
+ object_property_add(obj, "policy", "uint32", qsev_guest_get_policy,
+ qsev_guest_set_policy, NULL, NULL, NULL);
+ object_property_add(obj, "handle", "uint32", qsev_guest_get_handle,
+ qsev_guest_set_handle, NULL, NULL, NULL);
+ object_property_add(obj, "cbitpos", "uint32", qsev_guest_get_cbitpos,
+ qsev_guest_set_cbitpos, NULL, NULL, NULL);
+ object_property_add(obj, "reduced-phys-bits", "uint32",
+ qsev_guest_get_reduced_phys_bits,
+ qsev_guest_set_reduced_phys_bits, NULL, NULL, NULL);
+}
+
+/* sev guest info */
@ -255,149 +423,3 @@ index 0000000000..57e092a0bd
+}
+
+type_init(sev_register_types);
diff --git a/docs/amd-memory-encryption.txt b/docs/amd-memory-encryption.txt
index 72a92b6c63..1527f603ea 100644
--- a/docs/amd-memory-encryption.txt
+++ b/docs/amd-memory-encryption.txt
@@ -35,10 +35,21 @@ in bad measurement). The guest policy is a 4-byte data structure containing
several flags that restricts what can be done on running SEV guest.
See KM Spec section 3 and 6.2 for more details.
+The guest policy can be provided via the 'policy' property (see below)
+
+# ${QEMU} \
+ sev-guest,id=sev0,policy=0x1...\
+
Guest owners provided DH certificate and session parameters will be used to
establish a cryptographic session with the guest owner to negotiate keys used
for the attestation.
+The DH certificate and session blob can be provided via 'dh-cert-file' and
+'session-file' property (see below
+
+# ${QEMU} \
+ sev-guest,id=sev0,dh-cert-file=<file1>,session-file=<file2>
+
LAUNCH_UPDATE_DATA encrypts the memory region using the cryptographic context
created via LAUNCH_START command. If required, this command can be called
multiple times to encrypt different memory regions. The command also calculates
@@ -59,6 +70,12 @@ context.
See SEV KM API Spec [1] 'Launching a guest' usage flow (Appendix A) for the
complete flow chart.
+To launch a SEV guest
+
+# ${QEMU} \
+ -machine ...,memory-encryption=sev0 \
+ -object sev-guest,id=sev0
+
Debugging
-----------
Since memory contents of SEV guest is encrypted hence hypervisor access to the
diff --git a/include/sysemu/sev.h b/include/sysemu/sev.h
new file mode 100644
index 0000000000..eed679653d
--- /dev/null
+++ b/include/sysemu/sev.h
@@ -0,0 +1,54 @@
+/*
+ * QEMU Secure Encrypted Virutualization (SEV) support
+ *
+ * Copyright: Advanced Micro Devices, 2016-2018
+ *
+ * Authors:
+ * Brijesh Singh <brijesh.singh@amd.com>
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ *
+ */
+
+#ifndef QEMU_SEV_H
+#define QEMU_SEV_H
+
+#include "qom/object.h"
+#include "qapi/error.h"
+#include "sysemu/kvm.h"
+#include "qemu/error-report.h"
+
+#define TYPE_QSEV_GUEST_INFO "sev-guest"
+#define QSEV_GUEST_INFO(obj) \
+ OBJECT_CHECK(QSevGuestInfo, (obj), TYPE_QSEV_GUEST_INFO)
+
+typedef struct QSevGuestInfo QSevGuestInfo;
+typedef struct QSevGuestInfoClass QSevGuestInfoClass;
+
+/**
+ * QSevGuestInfo:
+ *
+ * The QSevGuestInfo object is used for creating a SEV guest.
+ *
+ * # $QEMU \
+ * -object sev-guest,id=sev0 \
+ * -machine ...,memory-encryption=sev0
+ */
+struct QSevGuestInfo {
+ Object parent_obj;
+
+ char *sev_device;
+ uint32_t policy;
+ uint32_t handle;
+ char *dh_cert_file;
+ char *session_file;
+ uint32_t cbitpos;
+};
+
+struct QSevGuestInfoClass {
+ ObjectClass parent_class;
+};
+
+#endif
+
diff --git a/qemu-options.hx b/qemu-options.hx
index 5385832707..5acf180991 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -4470,6 +4470,42 @@ contents of @code{iv.b64} to the second secret
data=$SECRET,iv=$(<iv.b64)
@end example
+@item -object sev-guest,id=@var{id},sev-device=@var{string}[cbitpos=@var{cbitpos},policy=@var{policy},handle=@var{handle},dh-cert-file=@var{file},session-file=@var{file}]
+
+Create a Secure Encrypted Virtualization (SEV) guest object, which can be used
+to provide the guest memory encryption support on AMD processors.
+
+The @option{sev-device} provides the device file to use for communicating with
+the SEV firmware running inside AMD Secure Processor. The default device is
+'/dev/sev'. If hardware supports memory encryption then /dev/sev devices are
+created by CCP driver.
+
+The @option{cbitpos} provide the C-bit location in guest page table entry to use.
+
+The @option{policy} provides the guest policy to be enforced by the SEV firmware
+and restrict what configuration and operational commands can be performed on this
+guest by the hypervisor. The policy should be provided by the guest owner and is
+bound to the guest and cannot be changed throughout the lifetime of the guest.
+The default is 0.
+
+If guest @option{policy} allows sharing the key with another SEV guest then
+@option{handle} can be use to provide handle of the guest from which to share
+the key.
+
+The @option{dh-cert-file} and @option{session-file} provides the guest owner's
+Public Diffie-Hillman key defined in SEV spec. The PDH and session parameters
+are used for establishing a cryptographic session with the guest owner to
+negotiate keys used for attestation. The file must be encoded in base64.
+
+e.g to launch a SEV guest
+@example
+ # $QEMU \
+ ......
+ -object sev-guest,id=sev0 \
+ -machine ...,memory-encryption=sev0
+ .....
+
+@end example
@end table
ETEXI

55
0058-qmp-add-query-sev-command.patch → 0054-qmp-add-query-sev-command.patch
View File

@ -1,6 +1,6 @@
From 839e76e0c43407cff82395ee6d4e3eb94fd07fa3 Mon Sep 17 00:00:00 2001
From 25703182278f403f2d8ff608aadabb5c4f0f3398 Mon Sep 17 00:00:00 2001
From: Brijesh Singh <brijesh.singh@amd.com>
Date: Tue, 6 Feb 2018 19:08:09 -0600
Date: Thu, 15 Feb 2018 09:03:21 -0600
Subject: [PATCH] qmp: add query-sev command
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@ -9,6 +9,7 @@ Content-Transfer-Encoding: 8bit
The QMP query command can used to retrieve the SEV information when
memory encryption is enabled on AMD platform.
Cc: Eric Blake <eblake@redhat.com>
Cc: "Daniel P. Berrangé" <berrange@redhat.com>
Cc: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Cc: Markus Armbruster <armbru@redhat.com>
@ -16,31 +17,41 @@ Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
[BR: FATE#322124]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
qapi-schema.json | 47 +++++++++++++++++++++++++++++++++++++++++++++++
qmp.c | 16 ++++++++++++++++
qapi-schema.json | 57 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
qmp.c | 6 ++++++
2 files changed, 63 insertions(+)
diff --git a/qapi-schema.json b/qapi-schema.json
index 18457954a8..40c2de3026 100644
index 18457954a8..91a8a74f81 100644
--- a/qapi-schema.json
+++ b/qapi-schema.json
@@ -3200,3 +3200,50 @@
@@ -3200,3 +3200,60 @@
# Since: 2.11
##
{ 'command': 'watchdog-set-action', 'data' : {'action': 'WatchdogAction'} }
+
+##
+# @SevState:
+#
+# An enumeration of SEV state information used during @query-sev.
+#
+# Since: 2.12
+##
+{ 'enum': 'SevState',
+ 'data': ['uninit', 'lupdate', 'lsecret', 'running', 'supdate', 'rupdate' ] }
+
+##
+# @SevInfo:
+#
+# Information about SEV support
+# Information about Secure Encrypted Virtualization (SEV) support
+#
+# @enabled: true if SEV is active
+#
+# @api_major: SEV API major version
+# @api-major: SEV API major version
+#
+# @api_minor: SEV API minor version
+# @api-minor: SEV API minor version
+#
+# @build_id: SEV FW build id
+# @build-id: SEV FW build id
+#
+# @policy: SEV policy value
+#
@ -50,11 +61,11 @@ index 18457954a8..40c2de3026 100644
+##
+{ 'struct': 'SevInfo',
+ 'data': { 'enabled': 'bool',
+ 'api_major': 'uint8',
+ 'api_minor' : 'uint8',
+ 'build_id' : 'uint8',
+ 'api-major': 'uint8',
+ 'api-minor' : 'uint8',
+ 'build-id' : 'uint8',
+ 'policy' : 'uint32',
+ 'state' : 'str'
+ 'state' : 'SevState'
+ }
+}
+
@ -76,7 +87,7 @@ index 18457954a8..40c2de3026 100644
+##
+{ 'command': 'query-sev', 'returns': 'SevInfo' }
diff --git a/qmp.c b/qmp.c
index e8c303116a..4cd01ea666 100644
index e8c303116a..75b5a349b0 100644
--- a/qmp.c
+++ b/qmp.c
@@ -37,6 +37,7 @@
@ -87,22 +98,12 @@ index e8c303116a..4cd01ea666 100644
NameInfo *qmp_query_name(Error **errp)
{
@@ -722,3 +723,18 @@ MemoryInfo *qmp_query_memory_size_summary(Error **errp)
@@ -722,3 +723,8 @@ MemoryInfo *qmp_query_memory_size_summary(Error **errp)
return mem_info;
}
+
+SevInfo *qmp_query_sev(Error **errp)
+{
+ SevInfo *info = g_malloc0(sizeof(*info));
+
+ info->enabled = sev_enabled();
+ if (info->enabled) {
+ sev_get_fw_version(&info->api_major,
+ &info->api_minor, &info->build_id);
+ sev_get_policy(&info->policy);
+ sev_get_current_state(&info->state);
+ }
+
+ return info;
+ return NULL;
+}

304
0055-sev-add-command-to-initialize-the-m.patch → 0055-sev-i386-add-command-to-initialize-.patch
View File

@ -1,7 +1,8 @@
From 8ed2f96e975993d82495273bca7be2e6a8eb81ed Mon Sep 17 00:00:00 2001
From dcba83a5b2ba19c6b143734ac392e678e8e710c2 Mon Sep 17 00:00:00 2001
From: Brijesh Singh <brijesh.singh@amd.com>
Date: Tue, 6 Feb 2018 19:08:08 -0600
Subject: [PATCH] sev: add command to initialize the memory encryption context
Date: Thu, 15 Feb 2018 09:03:21 -0600
Subject: [PATCH] sev/i386: add command to initialize the memory encryption
context
When memory encryption is enabled, KVM_SEV_INIT command is used to
initialize the platform. The command loads the SEV related persistent
@ -10,16 +11,20 @@ This command should be first issued before invoking any other guest
commands provided by the SEV firmware.
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Richard Henderson <rth@twiddle.net>
Cc: Eduardo Habkost <ehabkost@redhat.com>
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
[BR: FATE#322124]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
accel/kvm/kvm-all.c | 15 +++++
accel/kvm/sev.c | 161 +++++++++++++++++++++++++++++++++++++++++++++++++
accel/kvm/trace-events | 2 +
accel/stubs/kvm-stub.c | 28 +++++++++
include/sysemu/sev.h | 16 +++++
5 files changed, 222 insertions(+)
accel/kvm/kvm-all.c | 15 ++++
include/sysemu/sev.h | 19 +++++
stubs/Makefile.objs | 1 +
stubs/sev.c | 54 ++++++++++++++
target/i386/sev.c | 191 +++++++++++++++++++++++++++++++++++++++++++++++
target/i386/trace-events | 3 +
6 files changed, 283 insertions(+)
create mode 100644 stubs/sev.c
diff --git a/accel/kvm/kvm-all.c b/accel/kvm/kvm-all.c
index f290f487a5..6e5f3fd650 100644
@ -61,11 +66,124 @@ index f290f487a5..6e5f3fd650 100644
ret = kvm_arch_init(ms, s);
if (ret < 0) {
goto err;
diff --git a/accel/kvm/sev.c b/accel/kvm/sev.c
index 57e092a0bd..d5fd975792 100644
--- a/accel/kvm/sev.c
+++ b/accel/kvm/sev.c
@@ -18,10 +18,74 @@
diff --git a/include/sysemu/sev.h b/include/sysemu/sev.h
index a1936a7a79..5c8c549b68 100644
--- a/include/sysemu/sev.h
+++ b/include/sysemu/sev.h
@@ -14,15 +14,26 @@
#ifndef QEMU_SEV_H
#define QEMU_SEV_H
+#include <linux/kvm.h>
+
#include "qom/object.h"
#include "qapi/error.h"
#include "sysemu/kvm.h"
#include "qemu/error-report.h"
+#include "qapi-types.h"
#define TYPE_QSEV_GUEST_INFO "sev-guest"
#define QSEV_GUEST_INFO(obj) \
OBJECT_CHECK(QSevGuestInfo, (obj), TYPE_QSEV_GUEST_INFO)
+extern bool sev_enabled(void);
+extern uint64_t sev_get_me_mask(void);
+extern SevState sev_get_current_state(void);
+extern void sev_get_fw_version(uint8_t *major, uint8_t *minor, uint8_t *build);
+extern void sev_get_policy(uint32_t *policy);
+extern uint32_t sev_get_cbit_position(void);
+extern uint32_t sev_get_reduced_phys_bits(void);
+
typedef struct QSevGuestInfo QSevGuestInfo;
typedef struct QSevGuestInfoClass QSevGuestInfoClass;
@@ -51,4 +62,12 @@ struct QSevGuestInfoClass {
ObjectClass parent_class;
};
+struct SEVState {
+ QSevGuestInfo *sev_info;
+};
+
+typedef struct SEVState SEVState;
+
+void *sev_guest_init(const char *id);
+
#endif
diff --git a/stubs/Makefile.objs b/stubs/Makefile.objs
index 8cfe34328a..b3bbbe62c0 100644
--- a/stubs/Makefile.objs
+++ b/stubs/Makefile.objs
@@ -42,3 +42,4 @@ stub-obj-y += vmgenid.o
stub-obj-y += xen-common.o
stub-obj-y += xen-hvm.o
stub-obj-y += pci-host-piix.o
+stub-obj-y += sev.o
diff --git a/stubs/sev.c b/stubs/sev.c
new file mode 100644
index 0000000000..24c7b0c3e0
--- /dev/null
+++ b/stubs/sev.c
@@ -0,0 +1,54 @@
+/*
+ * QEMU SEV stub
+ *
+ * Copyright Advanced Micro Devices 2018
+ *
+ * Authors:
+ * Brijesh Singh <brijesh.singh@amd.com>
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ *
+ */
+
+#include "qemu/osdep.h"
+#include "qemu-common.h"
+#include "sysemu/sev.h"
+
+SevState sev_get_current_state(void)
+{
+ return SEV_STATE_UNINIT;
+}
+
+bool sev_enabled(void)
+{
+ return false;
+}
+
+void *sev_guest_init(const char *id)
+{
+ return NULL;
+}
+
+uint64_t sev_get_me_mask(void)
+{
+ return ~0UL;
+}
+
+uint32_t sev_get_cbit_position(void)
+{
+ return 0;
+}
+
+uint32_t sev_get_reduced_phys_bits(void)
+{
+ return 0;
+}
+
+void sev_get_fw_version(uint8_t *major, uint8_t *minor, uint8_t *build)
+{
+}
+
+void sev_get_policy(uint32_t *policy)
+{
+}
diff --git a/target/i386/sev.c b/target/i386/sev.c
index f07c646577..f9a8748d19 100644
--- a/target/i386/sev.c
+++ b/target/i386/sev.c
@@ -18,10 +18,76 @@
#include "sysemu/kvm.h"
#include "sysemu/sev.h"
#include "sysemu/sysemu.h"
@ -77,8 +195,8 @@ index 57e092a0bd..d5fd975792 100644
+static uint64_t me_mask;
+static bool sev_active;
+static int sev_fd;
+
+#define SEV_FW_MAX_ERROR 0x17
+static uint32_t x86_cbitpos;
+static uint32_t x86_reduced_phys_bits;
+
+static const char *const sev_fw_errlist[] = {
+ "",
@ -106,6 +224,8 @@ index 57e092a0bd..d5fd975792 100644
+ "Invalid parameter"
+};
+
+#define SEV_FW_MAX_ERROR ARRAY_SIZE(sev_fw_errlist)
+
+static int
+sev_ioctl(int cmd, void *data, int *error)
+{
@ -140,7 +260,7 @@ index 57e092a0bd..d5fd975792 100644
static void
qsev_guest_finalize(Object *obj)
{
@@ -205,6 +269,103 @@ static const TypeInfo qsev_guest_info = {
@@ -219,6 +285,131 @@ static const TypeInfo qsev_guest_info = {
}
};
@ -170,9 +290,22 @@ index 57e092a0bd..d5fd975792 100644
+ return ~me_mask;
+}
+
+void
+sev_get_current_state(char **state)
+uint32_t
+sev_get_cbit_position(void)
+{
+ return x86_cbitpos;
+}
+
+uint32_t
+sev_get_reduced_phys_bits(void)
+{
+ return x86_reduced_phys_bits;
+}
+
+SevState
+sev_get_current_state(void)
+{
+ return SEV_STATE_UNINIT;
+}
+
+bool
@ -197,7 +330,9 @@ index 57e092a0bd..d5fd975792 100644
+ SEVState *s;
+ char *devname;
+ int ret, fw_error;
+ uint32_t ebx;
+ uint32_t host_cbitpos, cbitpos;
+ uint32_t host_reduced_phys_bits, reduced_phys_bits;
+
+ s = g_new0(SEVState, 1);
+ s->sev_info = lookup_sev_guest_info(id);
@ -207,15 +342,25 @@ index 57e092a0bd..d5fd975792 100644
+ goto err;
+ }
+
+ host_cbitpos = sev_get_host_cbitpos();
+ host_cpuid(0x8000001F, 0, NULL, &ebx, NULL, NULL);
+ host_cbitpos = ebx & 0x3f;
+ host_reduced_phys_bits = (ebx >> 6) & 0x3f;
+
+ cbitpos = object_property_get_int(OBJECT(s->sev_info), "cbitpos", NULL);
+ if (host_cbitpos != cbitpos) {
+ error_report("%s: cbitpos check failed, host '%d' request '%d'",
+ error_report("%s: cbitpos check failed, host '%d' requested '%d'",
+ __func__, host_cbitpos, cbitpos);
+ goto err;
+ }
+
+ me_mask = (1UL << cbitpos);
+ reduced_phys_bits = object_property_get_int(OBJECT(s->sev_info),
+ "reduced-phys-bits", NULL);
+ if (host_reduced_phys_bits != reduced_phys_bits) {
+ error_report("%s: reduced_phys_bits check failed,"
+ "host '%d' requested '%d'", __func__,
+ host_reduced_phys_bits, reduced_phys_bits);
+ goto err;
+ }
+
+ devname = object_property_get_str(OBJECT(s->sev_info), "sev-device", NULL);
+ sev_fd = open(devname, O_RDWR);
@ -234,6 +379,9 @@ index 57e092a0bd..d5fd975792 100644
+ goto err;
+ }
+
+ me_mask = (1UL << cbitpos);
+ x86_reduced_phys_bits = reduced_phys_bits;
+ x86_cbitpos = cbitpos;
+ sev_active = true;
+ return s;
+err:
@ -244,106 +392,14 @@ index 57e092a0bd..d5fd975792 100644
static void
sev_register_types(void)
{
diff --git a/accel/kvm/trace-events b/accel/kvm/trace-events
index f89ba5578d..ea487e5a59 100644
--- a/accel/kvm/trace-events
+++ b/accel/kvm/trace-events
@@ -13,3 +13,5 @@ kvm_irqchip_add_msi_route(char *name, int vector, int virq) "dev %s vector %d vi
kvm_irqchip_update_msi_route(int virq) "Updating MSI route virq=%d"
kvm_irqchip_release_virq(int virq) "virq %d"
+# sev.c
diff --git a/target/i386/trace-events b/target/i386/trace-events
index 3153fd4454..797b716751 100644
--- a/target/i386/trace-events
+++ b/target/i386/trace-events
@@ -5,3 +5,6 @@ kvm_x86_fixup_msi_error(uint32_t gsi) "VT-d failed to remap interrupt for GSI %"
kvm_x86_add_msi_route(int virq) "Adding route entry for virq %d"
kvm_x86_remove_msi_route(int virq) "Removing route entry for virq %d"
kvm_x86_update_msi_routes(int num) "Updated %d MSI routes"
+
+# target/i386/sev.c
+kvm_sev_init(void) ""
diff --git a/accel/stubs/kvm-stub.c b/accel/stubs/kvm-stub.c
index c964af3e1c..bb78a1f1b9 100644
--- a/accel/stubs/kvm-stub.c
+++ b/accel/stubs/kvm-stub.c
@@ -14,6 +14,7 @@
#include "qemu-common.h"
#include "cpu.h"
#include "sysemu/kvm.h"
+#include "sysemu/sev.h"
#ifndef CONFIG_USER_ONLY
#include "hw/pci/msi.h"
@@ -33,6 +34,11 @@ bool kvm_readonly_mem_allowed;
bool kvm_ioeventfd_any_length_allowed;
bool kvm_msi_use_devid;
+bool sev_allowed;
+uint8_t sev_fw_major;
+uint8_t sev_fw_minor;
+uint8_t sev_fw_build;
+
int kvm_destroy_vcpu(CPUState *cpu)
{
return -ENOSYS;
@@ -105,6 +111,28 @@ int kvm_on_sigbus(int code, void *addr)
return 1;
}
+void sev_get_current_state(char **state)
+{
+}
+
+bool sev_enabled(void)
+{
+ return false;
+}
+
+uint64_t sev_get_me_mask(void)
+{
+ return ~0UL;
+}
+
+void sev_get_fw_version(uint8_t *major, uint8_t *minor, uint8_t *build)
+{
+}
+
+void sev_get_policy(uint32_t *policy)
+{
+}
+
#ifndef CONFIG_USER_ONLY
int kvm_irqchip_add_msi_route(KVMState *s, int vector, PCIDevice *dev)
{
diff --git a/include/sysemu/sev.h b/include/sysemu/sev.h
index eed679653d..121e7e4aa4 100644
--- a/include/sysemu/sev.h
+++ b/include/sysemu/sev.h
@@ -14,6 +14,8 @@
#ifndef QEMU_SEV_H
#define QEMU_SEV_H
+#include <linux/kvm.h>
+
#include "qom/object.h"
#include "qapi/error.h"
#include "sysemu/kvm.h"
@@ -23,6 +25,12 @@
#define QSEV_GUEST_INFO(obj) \
OBJECT_CHECK(QSevGuestInfo, (obj), TYPE_QSEV_GUEST_INFO)
+extern bool sev_enabled(void);
+extern uint64_t sev_get_me_mask(void);
+extern void sev_get_current_state(char **state);
+extern void sev_get_fw_version(uint8_t *major, uint8_t *minor, uint8_t *build);
+extern void sev_get_policy(uint32_t *policy);
+
typedef struct QSevGuestInfo QSevGuestInfo;
typedef struct QSevGuestInfoClass QSevGuestInfoClass;
@@ -50,5 +58,13 @@ struct QSevGuestInfoClass {
ObjectClass parent_class;
};
+struct SEVState {
+ QSevGuestInfo *sev_info;
+};
+
+typedef struct SEVState SEVState;
+
+void *sev_guest_init(const char *id);
+
#endif

43
0056-qmp-populate-SevInfo-fields-with-SE.patch Normal file
View File

@ -0,0 +1,43 @@
From 0b770bea4deaa363b1eff696402057d55d9721b6 Mon Sep 17 00:00:00 2001
From: Brijesh Singh <brijesh.singh@amd.com>
Date: Thu, 15 Feb 2018 09:03:21 -0600
Subject: [PATCH] qmp: populate SevInfo fields with SEV guest information
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
query-sev command is used to get the SEV guest information, fill the
SevInfo fields with SEV guest information.
Cc: Eric Blake <eblake@redhat.com>
Cc: "Daniel P. Berrangé" <berrange@redhat.com>
Cc: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Cc: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
[BR: FATE#322124]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
qmp.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/qmp.c b/qmp.c
index 75b5a349b0..3c2d573384 100644
--- a/qmp.c
+++ b/qmp.c
@@ -726,5 +726,15 @@ MemoryInfo *qmp_query_memory_size_summary(Error **errp)
SevInfo *qmp_query_sev(Error **errp)
{
- return NULL;
+ SevInfo *info = g_malloc0(sizeof(*info));
+
+ info->enabled = sev_enabled();
+ if (info->enabled) {
+ sev_get_fw_version(&info->api_major,
+ &info->api_minor, &info->build_id);
+ sev_get_policy(&info->policy);
+ info->state = sev_get_current_state();
+ }
+
+ return info;
}

40
0056-sev-register-the-guest-memory-range.patch → 0057-sev-i386-register-the-guest-memory-.patch
View File

@ -1,7 +1,7 @@
From 127890da09ac0ebb4945f52b0e23e582d93fc698 Mon Sep 17 00:00:00 2001
From c6101a4c186abcc2d3b78972a534cbe1907bea57 Mon Sep 17 00:00:00 2001
From: Brijesh Singh <brijesh.singh@amd.com>
Date: Tue, 6 Feb 2018 19:08:09 -0600
Subject: [PATCH] sev: register the guest memory range which may contain
Date: Thu, 15 Feb 2018 09:03:21 -0600
Subject: [PATCH] sev/i386: register the guest memory range which may contain
encrypted data
When SEV is enabled, the hardware encryption engine uses a tweak such
@ -15,19 +15,21 @@ encrypted data. KVM driver will internally handle the relocating physical
backing pages of registered memory regions.
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Richard Henderson <rth@twiddle.net>
Cc: Eduardo Habkost <ehabkost@redhat.com>
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
[BR: FATE#322124]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
accel/kvm/sev.c | 41 +++++++++++++++++++++++++++++++++++++++++
accel/kvm/trace-events | 2 ++
target/i386/sev.c | 41 +++++++++++++++++++++++++++++++++++++++++
target/i386/trace-events | 2 ++
2 files changed, 43 insertions(+)
diff --git a/accel/kvm/sev.c b/accel/kvm/sev.c
index d5fd975792..2c4bbba3c3 100644
--- a/accel/kvm/sev.c
+++ b/accel/kvm/sev.c
@@ -86,6 +86,45 @@ fw_error_to_str(int code)
diff --git a/target/i386/sev.c b/target/i386/sev.c
index f9a8748d19..de5c8d4675 100644
--- a/target/i386/sev.c
+++ b/target/i386/sev.c
@@ -88,6 +88,45 @@ fw_error_to_str(int code)
return sev_fw_errlist[code];
}
@ -73,22 +75,22 @@ index d5fd975792..2c4bbba3c3 100644
static void
qsev_guest_finalize(Object *obj)
{
@@ -360,6 +399,8 @@ sev_guest_init(const char *id)
}
@@ -404,6 +443,8 @@ sev_guest_init(const char *id)
x86_reduced_phys_bits = reduced_phys_bits;
x86_cbitpos = cbitpos;
sev_active = true;
+ ram_block_notifier_add(&sev_ram_notifier);
+
return s;
err:
g_free(s);
diff --git a/accel/kvm/trace-events b/accel/kvm/trace-events
index ea487e5a59..364c84bd7a 100644
--- a/accel/kvm/trace-events
+++ b/accel/kvm/trace-events
@@ -15,3 +15,5 @@ kvm_irqchip_release_virq(int virq) "virq %d"
diff --git a/target/i386/trace-events b/target/i386/trace-events
index 797b716751..ffa3d22504 100644
--- a/target/i386/trace-events
+++ b/target/i386/trace-events
@@ -8,3 +8,5 @@ kvm_x86_update_msi_routes(int num) "Updated %d MSI routes"
# sev.c
# target/i386/sev.c
kvm_sev_init(void) ""
+kvm_memcrypt_register_region(void *addr, size_t len) "addr %p len 0x%lu"
+kvm_memcrypt_unregister_region(void *addr, size_t len) "addr %p len 0x%lu"

10
0057-kvm-introduce-memory-encryption-API.patch → 0058-kvm-introduce-memory-encryption-API.patch
View File

@ -1,6 +1,6 @@
From f2a1359c865cf33fc5960e1b9e6912827075f567 Mon Sep 17 00:00:00 2001
From da8eb76eb09a056b7107bc27f790c715fba088d7 Mon Sep 17 00:00:00 2001
From: Brijesh Singh <brijesh.singh@amd.com>
Date: Tue, 6 Feb 2018 19:08:09 -0600
Date: Thu, 15 Feb 2018 09:03:22 -0600
Subject: [PATCH] kvm: introduce memory encryption APIs
Inorder to integerate the Secure Encryption Virtualization (SEV) support
@ -67,11 +67,11 @@ index 6e5f3fd650..f1fb826f06 100644
{
KVMState *s = kvm_state;
diff --git a/accel/stubs/kvm-stub.c b/accel/stubs/kvm-stub.c
index bb78a1f1b9..e7d579e3e5 100644
index c964af3e1c..5739712a67 100644
--- a/accel/stubs/kvm-stub.c
+++ b/accel/stubs/kvm-stub.c
@@ -133,6 +133,20 @@ void sev_get_policy(uint32_t *policy)
{
@@ -105,6 +105,20 @@ int kvm_on_sigbus(int code, void *addr)
return 1;
}
+bool kvm_memcrypt_enabled(void)

9
0059-hmp-add-info-sev-command.patch
View File

@ -1,6 +1,6 @@
From d363eb37dad9acacbcd688f8275c16334ca69fbe Mon Sep 17 00:00:00 2001
From ae854a2255006d807366a2b2529311b1dcaaed17 Mon Sep 17 00:00:00 2001
From: Brijesh Singh <brijesh.singh@amd.com>
Date: Tue, 6 Feb 2018 19:08:09 -0600
Date: Thu, 15 Feb 2018 09:03:22 -0600
Subject: [PATCH] hmp: add 'info sev' command
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@ -9,6 +9,7 @@ Content-Transfer-Encoding: 8bit
The command can be used to show the SEV information when memory
encryption is enabled on AMD platform.
Cc: Eric Blake <eblake@redhat.com>
Cc: "Daniel P. Berrangé" <berrange@redhat.com>
Cc: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Cc: Markus Armbruster <armbru@redhat.com>
@ -47,7 +48,7 @@ index 54c3e5eac6..83491f84f6 100644
STEXI
diff --git a/hmp.c b/hmp.c
index 35a7041824..7214a904dd 100644
index 35a7041824..f3898347b8 100644
--- a/hmp.c
+++ b/hmp.c
@@ -2918,3 +2918,22 @@ void hmp_info_memory_size_summary(Monitor *mon, const QDict *qdict)
@ -64,7 +65,7 @@ index 35a7041824..7214a904dd 100644
+ monitor_printf(mon, "%s\n", info->enabled ? "enabled" : "disabled");
+
+ if (info->enabled) {
+ monitor_printf(mon, "state: %s\n", info->state);
+ monitor_printf(mon, "state: %s\n", SevState_str(info->state));
+ monitor_printf(mon, "policy: 0x%x\n", info->policy);
+ monitor_printf(mon, "build id: %u\n", info->build_id);
+ monitor_printf(mon, "api version: %u.%u\n",

102
0060-sev-add-command-to-create-launch-me.patch → 0060-sev-i386-add-command-to-create-laun.patch
View File

@ -1,71 +1,64 @@
From 5abfa90f247fb546167b2f3a8d201f10707cca30 Mon Sep 17 00:00:00 2001
From 0c5346f2b8f38e938f277c9df91068cbcad12ad2 Mon Sep 17 00:00:00 2001
From: Brijesh Singh <brijesh.singh@amd.com>
Date: Tue, 6 Feb 2018 19:08:09 -0600
Subject: [PATCH] sev: add command to create launch memory encryption context
Date: Thu, 15 Feb 2018 09:03:22 -0600
Subject: [PATCH] sev/i386: add command to create launch memory encryption
context
The KVM_SEV_LAUNCH_START command creates a new VM encryption key (VEK).
The encryption key created with the command will be used for encrypting
the bootstrap images (such as guest bios).
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: kvm@vger.kernel.org
Cc: Richard Henderson <rth@twiddle.net>
Cc: Eduardo Habkost <ehabkost@redhat.com>
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
[BR: FATE#322124]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
accel/kvm/sev.c | 99 ++++++++++++++++++++++++++++++++++++++++++++++++++
accel/kvm/trace-events | 2 +
include/sysemu/sev.h | 10 +++++
3 files changed, 111 insertions(+)
target/i386/sev.c | 91 +++++++++++++++++++++++++++++++++++++++++++++++-
target/i386/trace-events | 2 ++
2 files changed, 92 insertions(+), 1 deletion(-)
diff --git a/accel/kvm/sev.c b/accel/kvm/sev.c
index 2c4bbba3c3..2ecc6a1d1a 100644
--- a/accel/kvm/sev.c
+++ b/accel/kvm/sev.c
@@ -29,6 +29,17 @@ static int sev_fd;
diff --git a/target/i386/sev.c b/target/i386/sev.c
index de5c8d4675..6f767084fd 100644
--- a/target/i386/sev.c
+++ b/target/i386/sev.c
@@ -29,6 +29,8 @@ static int sev_fd;
static uint32_t x86_cbitpos;
static uint32_t x86_reduced_phys_bits;
#define SEV_FW_MAX_ERROR 0x17
+static SevGuestState current_sev_guest_state = SEV_STATE_UNINIT;
+
+static const char *const sev_state_str[] = {
+ "uninit",
+ "lupdate",
+ "secret",
+ "running",
+ "supdate",
+ "rupdate",
+};
+static SevState current_sev_guest_state = SEV_STATE_UNINIT;
+
static const char *const sev_fw_errlist[] = {
"",
"Platform state is invalid",
@@ -86,6 +97,16 @@ fw_error_to_str(int code)
@@ -88,6 +90,16 @@ fw_error_to_str(int code)
return sev_fw_errlist[code];
}
+static void
+sev_set_guest_state(SevGuestState new_state)
+sev_set_guest_state(SevState new_state)
+{
+ assert(new_state < SEV_STATE_MAX);
+ assert(new_state < SEV_STATE__MAX);
+
+ trace_kvm_sev_change_state(sev_state_str[current_sev_guest_state],
+ sev_state_str[new_state]);
+ trace_kvm_sev_change_state(SevState_str(current_sev_guest_state),
+ SevState_str(new_state));
+ current_sev_guest_state = new_state;
+}
+
static void
sev_ram_block_added(RAMBlockNotifier *n, void *host, size_t size)
{
@@ -337,6 +358,7 @@ sev_get_me_mask(void)
void
sev_get_current_state(char **state)
@@ -365,7 +377,7 @@ sev_get_reduced_phys_bits(void)
SevState
sev_get_current_state(void)
{
+ *state = g_strdup(sev_state_str[current_sev_guest_state]);
- return SEV_STATE_UNINIT;
+ return current_sev_guest_state;
}
bool
@@ -355,6 +377,76 @@ sev_get_policy(uint32_t *policy)
@@ -384,6 +396,76 @@ sev_get_policy(uint32_t *policy)
{
}
@ -142,7 +135,7 @@ index 2c4bbba3c3..2ecc6a1d1a 100644
void *
sev_guest_init(const char *id)
{
@@ -398,6 +490,13 @@ sev_guest_init(const char *id)
@@ -439,6 +521,13 @@ sev_guest_init(const char *id)
goto err;
}
@ -153,37 +146,16 @@ index 2c4bbba3c3..2ecc6a1d1a 100644
+ }
+
+
sev_active = true;
ram_block_notifier_add(&sev_ram_notifier);
diff --git a/accel/kvm/trace-events b/accel/kvm/trace-events
index 364c84bd7a..5d993ca08e 100644
--- a/accel/kvm/trace-events
+++ b/accel/kvm/trace-events
@@ -17,3 +17,5 @@ kvm_irqchip_release_virq(int virq) "virq %d"
me_mask = (1UL << cbitpos);
x86_reduced_phys_bits = reduced_phys_bits;
x86_cbitpos = cbitpos;
diff --git a/target/i386/trace-events b/target/i386/trace-events
index ffa3d22504..9402251e99 100644
--- a/target/i386/trace-events
+++ b/target/i386/trace-events
@@ -10,3 +10,5 @@ kvm_x86_update_msi_routes(int num) "Updated %d MSI routes"
kvm_sev_init(void) ""
kvm_memcrypt_register_region(void *addr, size_t len) "addr %p len 0x%lu"
kvm_memcrypt_unregister_region(void *addr, size_t len) "addr %p len 0x%lu"
+kvm_sev_change_state(const char *old, const char *new) "%s -> %s"
+kvm_sev_launch_start(int policy, void *session, void *pdh) "policy 0x%x session %p pdh %p"
diff --git a/include/sysemu/sev.h b/include/sysemu/sev.h
index 121e7e4aa4..08014a9c94 100644
--- a/include/sysemu/sev.h
+++ b/include/sysemu/sev.h
@@ -58,6 +58,16 @@ struct QSevGuestInfoClass {
ObjectClass parent_class;
};
+typedef enum {
+ SEV_STATE_UNINIT = 0,
+ SEV_STATE_LUPDATE,
+ SEV_STATE_SECRET,
+ SEV_STATE_RUNNING,
+ SEV_STATE_SUPDATE,
+ SEV_STATE_RUPDATE,
+ SEV_STATE_MAX
+} SevGuestState;
+
struct SEVState {
QSevGuestInfo *sev_info;
};

87
0061-sev-add-command-to-encrypt-guest-me.patch → 0061-sev-i386-add-command-to-encrypt-gue.patch
View File

@ -1,20 +1,24 @@
From bcbe925e0f93234b0f0f6ecf4e5b8d400a46a691 Mon Sep 17 00:00:00 2001
From b7326c19d0504bb913c80075648a71c9830cda10 Mon Sep 17 00:00:00 2001
From: Brijesh Singh <brijesh.singh@amd.com>
Date: Tue, 6 Feb 2018 19:08:10 -0600
Subject: [PATCH] sev: add command to encrypt guest memory region
Date: Thu, 15 Feb 2018 09:03:22 -0600
Subject: [PATCH] sev/i386: add command to encrypt guest memory region
The KVM_SEV_LAUNCH_UPDATE_DATA command is used to encrypt a guest memory
region using the VM Encryption Key created using LAUNCH_START.
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Richard Henderson <rth@twiddle.net>
Cc: Eduardo Habkost <ehabkost@redhat.com>
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
[BR: FATE#322124]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
accel/kvm/kvm-all.c | 2 ++
accel/kvm/sev.c | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
accel/kvm/trace-events | 1 +
include/sysemu/sev.h | 1 +
4 files changed, 53 insertions(+)
accel/kvm/kvm-all.c | 2 ++
include/sysemu/sev.h | 1 +
stubs/sev.c | 5 +++++
target/i386/sev.c | 49 ++++++++++++++++++++++++++++++++++++++++++++++++
target/i386/trace-events | 1 +
5 files changed, 58 insertions(+)
diff --git a/accel/kvm/kvm-all.c b/accel/kvm/kvm-all.c
index f1fb826f06..37f7c442dc 100644
@ -29,24 +33,51 @@ index f1fb826f06..37f7c442dc 100644
}
ret = kvm_arch_init(ms, s);
diff --git a/accel/kvm/sev.c b/accel/kvm/sev.c
index 2ecc6a1d1a..4414bda255 100644
--- a/accel/kvm/sev.c
+++ b/accel/kvm/sev.c
@@ -97,6 +97,12 @@ fw_error_to_str(int code)
diff --git a/include/sysemu/sev.h b/include/sysemu/sev.h
index 5c8c549b68..c16102b05e 100644
--- a/include/sysemu/sev.h
+++ b/include/sysemu/sev.h
@@ -69,5 +69,6 @@ struct SEVState {
typedef struct SEVState SEVState;
void *sev_guest_init(const char *id);
+int sev_encrypt_data(void *handle, uint8_t *ptr, uint64_t len);
#endif
diff --git a/stubs/sev.c b/stubs/sev.c
index 24c7b0c3e0..74182bb545 100644
--- a/stubs/sev.c
+++ b/stubs/sev.c
@@ -15,6 +15,11 @@
#include "qemu-common.h"
#include "sysemu/sev.h"
+int sev_encrypt_data(void *handle, uint8_t *ptr, uint64_t len)
+{
+ return 1;
+}
+
SevState sev_get_current_state(void)
{
return SEV_STATE_UNINIT;
diff --git a/target/i386/sev.c b/target/i386/sev.c
index 6f767084fd..04a64b5bc6 100644
--- a/target/i386/sev.c
+++ b/target/i386/sev.c
@@ -90,6 +90,12 @@ fw_error_to_str(int code)
return sev_fw_errlist[code];
}
+static bool
+sev_check_state(SevGuestState state)
+sev_check_state(SevState state)
+{
+ return current_sev_guest_state == state ? true : false;
+}
+
static void
sev_set_guest_state(SevGuestState new_state)
sev_set_guest_state(SevState new_state)
{
@@ -447,6 +453,36 @@ sev_launch_start(SEVState *s)
@@ -466,6 +472,36 @@ sev_launch_start(SEVState *s)
return 0;
}
@ -83,7 +114,7 @@ index 2ecc6a1d1a..4414bda255 100644
void *
sev_guest_init(const char *id)
{
@@ -506,6 +542,19 @@ err:
@@ -540,6 +576,19 @@ err:
return NULL;
}
@ -103,24 +134,12 @@ index 2ecc6a1d1a..4414bda255 100644
static void
sev_register_types(void)
{
diff --git a/accel/kvm/trace-events b/accel/kvm/trace-events
index 5d993ca08e..bd92f868b7 100644
--- a/accel/kvm/trace-events
+++ b/accel/kvm/trace-events
@@ -19,3 +19,4 @@ kvm_memcrypt_register_region(void *addr, size_t len) "addr %p len 0x%lu"
diff --git a/target/i386/trace-events b/target/i386/trace-events
index 9402251e99..c0cd8e9321 100644
--- a/target/i386/trace-events
+++ b/target/i386/trace-events
@@ -12,3 +12,4 @@ kvm_memcrypt_register_region(void *addr, size_t len) "addr %p len 0x%lu"
kvm_memcrypt_unregister_region(void *addr, size_t len) "addr %p len 0x%lu"
kvm_sev_change_state(const char *old, const char *new) "%s -> %s"
kvm_sev_launch_start(int policy, void *session, void *pdh) "policy 0x%x session %p pdh %p"
+kvm_sev_launch_update_data(void *addr, uint64_t len) "addr %p len 0x%" PRIu64
diff --git a/include/sysemu/sev.h b/include/sysemu/sev.h
index 08014a9c94..f7af1a00c5 100644
--- a/include/sysemu/sev.h
+++ b/include/sysemu/sev.h
@@ -75,6 +75,7 @@ struct SEVState {
typedef struct SEVState SEVState;
void *sev_guest_init(const char *id);
+int sev_encrypt_data(void *handle, uint8_t *ptr, uint64_t len);
#endif

4
0062-target-i386-encrypt-bios-rom.patch
View File

@ -1,6 +1,6 @@
From 6301b846ebcf3ff2afb0cefbb480447383dc2814 Mon Sep 17 00:00:00 2001
From e6990d56a3b6d4702cec1c3d35c037e906eb39c0 Mon Sep 17 00:00:00 2001
From: Brijesh Singh <brijesh.singh@amd.com>
Date: Tue, 6 Feb 2018 19:08:10 -0600
Date: Thu, 15 Feb 2018 09:03:22 -0600
Subject: [PATCH] target/i386: encrypt bios rom
SEV requires that guest bios must be encrypted before booting the guest.

127
0063-sev-add-support-to-LAUNCH_MEASURE-c.patch → 0063-sev-i386-add-support-to-LAUNCH_MEAS.patch
View File

@ -1,7 +1,7 @@
From 8593c38925a2c54bceb27e16f1ad9f02789afbf4 Mon Sep 17 00:00:00 2001
From 0bc4fd78361c340ad4ee0c77bfde2d487fb580f5 Mon Sep 17 00:00:00 2001
From: Brijesh Singh <brijesh.singh@amd.com>
Date: Tue, 6 Feb 2018 19:08:10 -0600
Subject: [PATCH] sev: add support to LAUNCH_MEASURE command
Date: Thu, 15 Feb 2018 09:03:23 -0600
Subject: [PATCH] sev/i386: add support to LAUNCH_MEASURE command
During machine creation we encrypted the guest bios image, the
LAUNCH_MEASURE command can be used to retrieve the measurement of
@ -9,24 +9,58 @@ the encrypted memory region. This measurement is a signature of
the memory contents that can be sent to the guest owner as an
attestation that the memory was encrypted correctly by the firmware.
VM management tools like libvirt can query the measurement using
query-launch-measure QMP command.
query-sev-launch-measure QMP command.
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: kvm@vger.kernel.org
Cc: Richard Henderson <rth@twiddle.net>
Cc: Eduardo Habkost <ehabkost@redhat.com>
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
[BR: FATE#322124]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
accel/kvm/sev.c | 67 ++++++++++++++++++++++++++++++++++++++++++++++++++
accel/kvm/trace-events | 1 +
accel/stubs/kvm-stub.c | 5 ++++
include/sysemu/sev.h | 2 ++
4 files changed, 75 insertions(+)
include/sysemu/sev.h | 2 ++
stubs/sev.c | 5 ++++
target/i386/sev.c | 68 ++++++++++++++++++++++++++++++++++++++++++++++++
target/i386/trace-events | 1 +
4 files changed, 76 insertions(+)
diff --git a/accel/kvm/sev.c b/accel/kvm/sev.c
index 4414bda255..8d99c6cda4 100644
--- a/accel/kvm/sev.c
+++ b/accel/kvm/sev.c
diff --git a/include/sysemu/sev.h b/include/sysemu/sev.h
index c16102b05e..ad4a1f1338 100644
--- a/include/sysemu/sev.h
+++ b/include/sysemu/sev.h
@@ -33,6 +33,7 @@ extern void sev_get_fw_version(uint8_t *major, uint8_t *minor, uint8_t *build);
extern void sev_get_policy(uint32_t *policy);
extern uint32_t sev_get_cbit_position(void);
extern uint32_t sev_get_reduced_phys_bits(void);
+extern char *sev_get_launch_measurement(void);
typedef struct QSevGuestInfo QSevGuestInfo;
typedef struct QSevGuestInfoClass QSevGuestInfoClass;
@@ -64,6 +65,7 @@ struct QSevGuestInfoClass {
struct SEVState {
QSevGuestInfo *sev_info;
+ gchar *measurement;
};
typedef struct SEVState SEVState;
diff --git a/stubs/sev.c b/stubs/sev.c
index 74182bb545..5420ada7fd 100644
--- a/stubs/sev.c
+++ b/stubs/sev.c
@@ -57,3 +57,8 @@ void sev_get_fw_version(uint8_t *major, uint8_t *minor, uint8_t *build)
void sev_get_policy(uint32_t *policy)
{
}
+
+char *sev_get_launch_measurement(void)
+{
+ return NULL;
+}
diff --git a/target/i386/sev.c b/target/i386/sev.c
index 04a64b5bc6..401b2a33d7 100644
--- a/target/i386/sev.c
+++ b/target/i386/sev.c
@@ -19,6 +19,7 @@
#include "sysemu/sev.h"
#include "sysemu/sysemu.h"
@ -35,15 +69,15 @@ index 4414bda255..8d99c6cda4 100644
#define DEFAULT_GUEST_POLICY 0x1 /* disable debug */
#define DEFAULT_SEV_DEVICE "/dev/sev"
@@ -26,6 +27,7 @@
static uint64_t me_mask;
static bool sev_active;
@@ -28,6 +29,7 @@ static bool sev_active;
static int sev_fd;
static uint32_t x86_cbitpos;
static uint32_t x86_reduced_phys_bits;
+static SEVState *sev_state;
#define SEV_FW_MAX_ERROR 0x17
static SevState current_sev_guest_state = SEV_STATE_UNINIT;
@@ -483,6 +485,68 @@ err:
@@ -502,6 +504,69 @@ err:
return ret;
}
@ -87,7 +121,7 @@ index 4414bda255..8d99c6cda4 100644
+ goto free_data;
+ }
+
+ sev_set_guest_state(SEV_STATE_SECRET);
+ sev_set_guest_state(SEV_STATE_LSECRET);
+
+ /* encode the measurement value and emit the event */
+ s->measurement = g_base64_encode(data, measurement->len);
@ -102,7 +136,8 @@ index 4414bda255..8d99c6cda4 100644
+char *
+sev_get_launch_measurement(void)
+{
+ return g_strdup(sev_state->measurement);
+ return current_sev_guest_state >= SEV_STATE_LSECRET ?
+ g_strdup(sev_state->measurement) : NULL;
+}
+
+static Notifier sev_machine_done_notify = {
@ -112,8 +147,8 @@ index 4414bda255..8d99c6cda4 100644
void *
sev_guest_init(const char *id)
{
@@ -535,6 +599,9 @@ sev_guest_init(const char *id)
@@ -569,6 +634,9 @@ sev_guest_init(const char *id)
x86_cbitpos = cbitpos;
sev_active = true;
ram_block_notifier_add(&sev_ram_notifier);
+ qemu_add_machine_init_done_notifier(&sev_machine_done_notify);
@ -122,48 +157,12 @@ index 4414bda255..8d99c6cda4 100644
return s;
err:
diff --git a/accel/kvm/trace-events b/accel/kvm/trace-events
index bd92f868b7..19742bf9dd 100644
--- a/accel/kvm/trace-events
+++ b/accel/kvm/trace-events
@@ -20,3 +20,4 @@ kvm_memcrypt_unregister_region(void *addr, size_t len) "addr %p len 0x%lu"
diff --git a/target/i386/trace-events b/target/i386/trace-events
index c0cd8e9321..f7a1a1e6b8 100644
--- a/target/i386/trace-events
+++ b/target/i386/trace-events
@@ -13,3 +13,4 @@ kvm_memcrypt_unregister_region(void *addr, size_t len) "addr %p len 0x%lu"
kvm_sev_change_state(const char *old, const char *new) "%s -> %s"
kvm_sev_launch_start(int policy, void *session, void *pdh) "policy 0x%x session %p pdh %p"
kvm_sev_launch_update_data(void *addr, uint64_t len) "addr %p len 0x%" PRIu64
+kvm_sev_launch_measurement(const char *value) "data %s"
diff --git a/accel/stubs/kvm-stub.c b/accel/stubs/kvm-stub.c
index e7d579e3e5..d0f1aa6d6f 100644
--- a/accel/stubs/kvm-stub.c
+++ b/accel/stubs/kvm-stub.c
@@ -133,6 +133,11 @@ void sev_get_policy(uint32_t *policy)
{
}
+char *sev_get_launch_measurement(void)
+{
+ return NULL;
+}
+
bool kvm_memcrypt_enabled(void)
{
return false;
diff --git a/include/sysemu/sev.h b/include/sysemu/sev.h
index f7af1a00c5..c173ad33f8 100644
--- a/include/sysemu/sev.h
+++ b/include/sysemu/sev.h
@@ -30,6 +30,7 @@ extern uint64_t sev_get_me_mask(void);
extern void sev_get_current_state(char **state);
extern void sev_get_fw_version(uint8_t *major, uint8_t *minor, uint8_t *build);
extern void sev_get_policy(uint32_t *policy);
+extern char *sev_get_launch_measurement(void);
typedef struct QSevGuestInfo QSevGuestInfo;
typedef struct QSevGuestInfoClass QSevGuestInfoClass;
@@ -70,6 +71,7 @@ typedef enum {
struct SEVState {
QSevGuestInfo *sev_info;
+ gchar *measurement;
};
typedef struct SEVState SEVState;

35
0064-sev-Finalize-the-SEV-guest-launch-f.patch → 0064-sev-i386-finalize-the-SEV-guest-lau.patch
View File

@ -1,26 +1,27 @@
From 5f926f58bd02e7c42d7840a653cc33d83c90a5af Mon Sep 17 00:00:00 2001
From 15ba1a246b2e68d9dbb6d8db3e065f26b33062cc Mon Sep 17 00:00:00 2001
From: Brijesh Singh <brijesh.singh@amd.com>
Date: Tue, 6 Feb 2018 19:08:10 -0600
Subject: [PATCH] sev: Finalize the SEV guest launch flow
Date: Thu, 15 Feb 2018 09:03:23 -0600
Subject: [PATCH] sev/i386: finalize the SEV guest launch flow
SEV launch flow requires us to issue LAUNCH_FINISH command before guest
is ready to run.
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: kvm@vger.kernel.org
Cc: Richard Henderson <rth@twiddle.net>
Cc: Eduardo Habkost <ehabkost@redhat.com>
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
[BR: FATE#322124]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
accel/kvm/sev.c | 29 +++++++++++++++++++++++++++++
accel/kvm/trace-events | 1 +
target/i386/sev.c | 29 +++++++++++++++++++++++++++++
target/i386/trace-events | 1 +
2 files changed, 30 insertions(+)
diff --git a/accel/kvm/sev.c b/accel/kvm/sev.c
index 8d99c6cda4..e422f43caa 100644
--- a/accel/kvm/sev.c
+++ b/accel/kvm/sev.c
@@ -547,6 +547,34 @@ static Notifier sev_machine_done_notify = {
diff --git a/target/i386/sev.c b/target/i386/sev.c
index 401b2a33d7..305ef65191 100644
--- a/target/i386/sev.c
+++ b/target/i386/sev.c
@@ -567,6 +567,34 @@ static Notifier sev_machine_done_notify = {
.notify = sev_launch_get_measure,
};
@ -55,7 +56,7 @@ index 8d99c6cda4..e422f43caa 100644
void *
sev_guest_init(const char *id)
{
@@ -600,6 +628,7 @@ sev_guest_init(const char *id)
@@ -635,6 +663,7 @@ sev_guest_init(const char *id)
sev_active = true;
ram_block_notifier_add(&sev_ram_notifier);
qemu_add_machine_init_done_notifier(&sev_machine_done_notify);
@ -63,11 +64,11 @@ index 8d99c6cda4..e422f43caa 100644
sev_state = s;
diff --git a/accel/kvm/trace-events b/accel/kvm/trace-events
index 19742bf9dd..e810d75ea1 100644
--- a/accel/kvm/trace-events
+++ b/accel/kvm/trace-events
@@ -21,3 +21,4 @@ kvm_sev_change_state(const char *old, const char *new) "%s -> %s"
diff --git a/target/i386/trace-events b/target/i386/trace-events
index f7a1a1e6b8..b1fbde6e40 100644
--- a/target/i386/trace-events
+++ b/target/i386/trace-events
@@ -14,3 +14,4 @@ kvm_sev_change_state(const char *old, const char *new) "%s -> %s"
kvm_sev_launch_start(int policy, void *session, void *pdh) "policy 0x%x session %p pdh %p"
kvm_sev_launch_update_data(void *addr, uint64_t len) "addr %p len 0x%" PRIu64
kvm_sev_launch_measurement(const char *value) "data %s"

6
0065-hw-i386-set-ram_debug_ops-when-memo.patch
View File

@ -1,7 +1,7 @@
From 730e2bc55583c1ae7ba0aff4b26975f51c2442cd Mon Sep 17 00:00:00 2001
From 6d17c0a5da11a757f26db7763823fcb53a79d445 Mon Sep 17 00:00:00 2001
From: Brijesh Singh <brijesh.singh@amd.com>
Date: Tue, 6 Feb 2018 19:08:10 -0600
Subject: [PATCH] hw: i386: set ram_debug_ops when memory encryption is enabled
Date: Thu, 15 Feb 2018 09:03:23 -0600
Subject: [PATCH] hw/i386: set ram_debug_ops when memory encryption is enabled
When memory encryption is enabled, the guest RAM and boot flash ROM will
contain the encrypted data. By setting the debug ops allow us to invoke

88
0066-sev-add-debug-encrypt-and-decrypt-c.patch → 0066-sev-i386-add-debug-encrypt-and-decr.patch
View File

@ -1,23 +1,25 @@
From ed8f2531e1b008cedfaca01980641c2432693fb3 Mon Sep 17 00:00:00 2001
From 42f8013adf0a5f8ca17212ee54a8009471d6c8f3 Mon Sep 17 00:00:00 2001
From: Brijesh Singh <brijesh.singh@amd.com>
Date: Tue, 6 Feb 2018 19:08:11 -0600
Subject: [PATCH] sev: add debug encrypt and decrypt commands
Date: Thu, 15 Feb 2018 09:03:23 -0600
Subject: [PATCH] sev/i386: add debug encrypt and decrypt commands
KVM_SEV_DBG_DECRYPT and KVM_SEV_DBG_ENCRYPT commands are used for
decrypting and encrypting guest memory region. The command works only if
the guest policy allows the debugging.
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: kvm@vger.kernel.org
Cc: Richard Henderson <rth@twiddle.net>
Cc: Eduardo Habkost <ehabkost@redhat.com>
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
[BR: FATE#322124]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
accel/kvm/kvm-all.c | 1 +
accel/kvm/sev.c | 72 ++++++++++++++++++++++++++++++++++++++++++++++++++
accel/kvm/trace-events | 1 +
include/sysemu/sev.h | 1 +
4 files changed, 75 insertions(+)
accel/kvm/kvm-all.c | 1 +
include/sysemu/sev.h | 1 +
stubs/sev.c | 4 +++
target/i386/sev.c | 72 ++++++++++++++++++++++++++++++++++++++++++++++++
target/i386/trace-events | 1 +
5 files changed, 79 insertions(+)
diff --git a/accel/kvm/kvm-all.c b/accel/kvm/kvm-all.c
index 37f7c442dc..7d3b7b4107 100644
@ -31,11 +33,37 @@ index 37f7c442dc..7d3b7b4107 100644
}
ret = kvm_arch_init(ms, s);
diff --git a/accel/kvm/sev.c b/accel/kvm/sev.c
index e422f43caa..7b57575e2f 100644
--- a/accel/kvm/sev.c
+++ b/accel/kvm/sev.c
@@ -23,11 +23,13 @@
diff --git a/include/sysemu/sev.h b/include/sysemu/sev.h
index ad4a1f1338..ac70c7a00b 100644
--- a/include/sysemu/sev.h
+++ b/include/sysemu/sev.h
@@ -72,5 +72,6 @@ typedef struct SEVState SEVState;
void *sev_guest_init(const char *id);
int sev_encrypt_data(void *handle, uint8_t *ptr, uint64_t len);
+void sev_set_debug_ops(void *handle, MemoryRegion *mr);
#endif
diff --git a/stubs/sev.c b/stubs/sev.c
index 5420ada7fd..8ea167031e 100644
--- a/stubs/sev.c
+++ b/stubs/sev.c
@@ -15,6 +15,10 @@
#include "qemu-common.h"
#include "sysemu/sev.h"
+void sev_set_debug_ops(void *handle, MemoryRegion *mr)
+{
+}
+
int sev_encrypt_data(void *handle, uint8_t *ptr, uint64_t len)
{
return 1;
diff --git a/target/i386/sev.c b/target/i386/sev.c
index 305ef65191..1fbc3beb16 100644
--- a/target/i386/sev.c
+++ b/target/i386/sev.c
@@ -23,6 +23,7 @@
#define DEFAULT_GUEST_POLICY 0x1 /* disable debug */
#define DEFAULT_SEV_DEVICE "/dev/sev"
@ -43,13 +71,15 @@ index e422f43caa..7b57575e2f 100644
static uint64_t me_mask;
static bool sev_active;
static int sev_fd;
@@ -30,6 +31,7 @@ static int sev_fd;
static uint32_t x86_cbitpos;
static uint32_t x86_reduced_phys_bits;
static SEVState *sev_state;
+static MemoryRegionRAMReadWriteOps sev_ops;
#define SEV_FW_MAX_ERROR 0x17
static SevState current_sev_guest_state = SEV_STATE_UNINIT;
@@ -575,6 +577,51 @@ sev_vm_state_change(void *opaque, int running, RunState state)
@@ -595,6 +597,51 @@ sev_vm_state_change(void *opaque, int running, RunState state)
}
}
@ -101,7 +131,7 @@ index e422f43caa..7b57575e2f 100644
void *
sev_guest_init(const char *id)
{
@@ -651,6 +698,31 @@ sev_encrypt_data(void *handle, uint8_t *ptr, uint64_t len)
@@ -686,6 +733,31 @@ sev_encrypt_data(void *handle, uint8_t *ptr, uint64_t len)
return 0;
}
@ -133,24 +163,12 @@ index e422f43caa..7b57575e2f 100644
static void
sev_register_types(void)
{
diff --git a/accel/kvm/trace-events b/accel/kvm/trace-events
index e810d75ea1..de6a12c51e 100644
--- a/accel/kvm/trace-events
+++ b/accel/kvm/trace-events
@@ -22,3 +22,4 @@ kvm_sev_launch_start(int policy, void *session, void *pdh) "policy 0x%x session
diff --git a/target/i386/trace-events b/target/i386/trace-events
index b1fbde6e40..00aa6e98d8 100644
--- a/target/i386/trace-events
+++ b/target/i386/trace-events
@@ -15,3 +15,4 @@ kvm_sev_launch_start(int policy, void *session, void *pdh) "policy 0x%x session
kvm_sev_launch_update_data(void *addr, uint64_t len) "addr %p len 0x%" PRIu64
kvm_sev_launch_measurement(const char *value) "data %s"
kvm_sev_launch_finish(void) ""
+kvm_sev_debug(const char *op, const uint8_t *src, uint8_t *dst, int len) "(%s) src %p dst %p len %d"
diff --git a/include/sysemu/sev.h b/include/sysemu/sev.h
index c173ad33f8..186ebca0f9 100644
--- a/include/sysemu/sev.h
+++ b/include/sysemu/sev.h
@@ -78,6 +78,7 @@ typedef struct SEVState SEVState;
void *sev_guest_init(const char *id);
int sev_encrypt_data(void *handle, uint8_t *ptr, uint64_t len);
+void sev_set_debug_ops(void *handle, MemoryRegion *mr);
#endif

4
0067-target-i386-clear-C-bit-when-walkin.patch
View File

@ -1,6 +1,6 @@
From 5be49d786b9d9a39cd2bae56032a6f92a59de93a Mon Sep 17 00:00:00 2001
From a8962df0b33d17e6af91ec6c3d0f2bf0e866c84e Mon Sep 17 00:00:00 2001
From: Brijesh Singh <brijesh.singh@amd.com>
Date: Tue, 6 Feb 2018 19:08:11 -0600
Date: Thu, 15 Feb 2018 09:03:23 -0600
Subject: [PATCH] target/i386: clear C-bit when walking SEV guest page table
In SEV-enabled guest the pte entry will have C-bit set, we need to

7
0068-include-add-psp-sev.h-header-file.patch
View File

@ -1,13 +1,14 @@
From 94e76aa9e24ad99ae746fa717ab4c721160128c1 Mon Sep 17 00:00:00 2001
From 8ff5e32ef7eb6d2a9a34dbdf78003a6e1cb9fa42 Mon Sep 17 00:00:00 2001
From: Brijesh Singh <brijesh.singh@amd.com>
Date: Tue, 6 Feb 2018 19:08:11 -0600
Date: Thu, 15 Feb 2018 09:03:23 -0600
Subject: [PATCH] include: add psp-sev.h header file
The header file provide the ioctl command and structure to communicate
with /dev/sev device.
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: kvm@vger.kernel.org
Cc: Richard Henderson <rth@twiddle.net>
Cc: Eduardo Habkost <ehabkost@redhat.com>
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
[BR: FATE#322124]
Signed-off-by: Bruce Rogers <brogers@suse.com>

23
0069-sev-add-support-to-query-PLATFORM_S.patch → 0069-sev-i386-add-support-to-query-PLATF.patch
View File

@ -1,23 +1,24 @@
From 8798ba8f4a4ba43cf7a34960ed70b32cbe69a4f6 Mon Sep 17 00:00:00 2001
From fea1c51414bedfc61e5ee31b15e58d638acee4fe Mon Sep 17 00:00:00 2001
From: Brijesh Singh <brijesh.singh@amd.com>
Date: Tue, 6 Feb 2018 19:08:11 -0600
Subject: [PATCH] sev: add support to query PLATFORM_STATUS command
Date: Thu, 15 Feb 2018 09:03:24 -0600
Subject: [PATCH] sev/i386: add support to query PLATFORM_STATUS command
The command is used to query the SEV API version and build id.
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: kvm@vger.kernel.org
Cc: Richard Henderson <rth@twiddle.net>
Cc: Eduardo Habkost <ehabkost@redhat.com>
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
[BR: FATE#322124]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
accel/kvm/sev.c | 33 +++++++++++++++++++++++++++++++++
target/i386/sev.c | 33 +++++++++++++++++++++++++++++++++
1 file changed, 33 insertions(+)
diff --git a/accel/kvm/sev.c b/accel/kvm/sev.c
index 7b57575e2f..186834364e 100644
--- a/accel/kvm/sev.c
+++ b/accel/kvm/sev.c
diff --git a/target/i386/sev.c b/target/i386/sev.c
index 1fbc3beb16..e3236f5bb7 100644
--- a/target/i386/sev.c
+++ b/target/i386/sev.c
@@ -21,6 +21,9 @@
#include "trace.h"
#include "qapi-event.h"
@ -28,7 +29,7 @@ index 7b57575e2f..186834364e 100644
#define DEFAULT_GUEST_POLICY 0x1 /* disable debug */
#define DEFAULT_SEV_DEVICE "/dev/sev"
#define GUEST_POLICY_DBG_BIT 0x1
@@ -91,6 +94,22 @@ sev_ioctl(int cmd, void *data, int *error)
@@ -84,6 +87,22 @@ sev_ioctl(int cmd, void *data, int *error)
return r;
}
@ -51,7 +52,7 @@ index 7b57575e2f..186834364e 100644
static const char *
fw_error_to_str(int code)
{
@@ -380,6 +399,20 @@ sev_enabled(void)
@@ -399,6 +418,20 @@ sev_enabled(void)
void
sev_get_fw_version(uint8_t *major, uint8_t *minor, uint8_t *build)
{

27
0070-sev-add-support-to-KVM_SEV_GUEST_ST.patch → 0070-sev-i386-add-support-to-KVM_SEV_GUE.patch
View File

@ -1,31 +1,36 @@
From 0139a4366095226b25d4f3f819fc0b0c260ce46b Mon Sep 17 00:00:00 2001
From b4998b726af3a1da2dc346cac8796ca8fd6b88cd Mon Sep 17 00:00:00 2001
From: Brijesh Singh <brijesh.singh@amd.com>
Date: Tue, 6 Feb 2018 19:08:11 -0600
Subject: [PATCH] sev: add support to KVM_SEV_GUEST_STATUS
Date: Thu, 15 Feb 2018 09:03:24 -0600
Subject: [PATCH] sev/i386: add support to KVM_SEV_GUEST_STATUS
The command is used to query the current SEV guest status. We use this
command to query the guest policy for QMP query-sev command.
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: kvm@vger.kernel.org
Cc: Richard Henderson <rth@twiddle.net>
Cc: Eduardo Habkost <ehabkost@redhat.com>
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
[BR: FATE#322124]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
accel/kvm/sev.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
target/i386/sev.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/accel/kvm/sev.c b/accel/kvm/sev.c
index 186834364e..b149f4ae64 100644
--- a/accel/kvm/sev.c
+++ b/accel/kvm/sev.c
@@ -418,6 +418,18 @@ sev_get_fw_version(uint8_t *major, uint8_t *minor, uint8_t *build)
diff --git a/target/i386/sev.c b/target/i386/sev.c
index e3236f5bb7..559881084d 100644
--- a/target/i386/sev.c
+++ b/target/i386/sev.c
@@ -437,6 +437,22 @@ sev_get_fw_version(uint8_t *major, uint8_t *minor, uint8_t *build)
void
sev_get_policy(uint32_t *policy)
{
+ struct kvm_sev_guest_status status = {};
+ int r, err;
+
+ if (current_sev_guest_state == SEV_STATE_UNINIT) {
+ return;
+ }
+
+ r = sev_ioctl(KVM_SEV_GUEST_STATUS, &status, &err);
+ if (r) {
+ error_report("%s: failed to get platform status ret=%d "

34
0071-qmp-add-query-sev-launch-measure-co.patch
View File

@ -1,6 +1,6 @@
From 49a869039c960dbc02e6bbee9d0f0d0ce39003d5 Mon Sep 17 00:00:00 2001
From 53ad8885ec786df6820288255a312e802839ecc4 Mon Sep 17 00:00:00 2001
From: Brijesh Singh <brijesh.singh@amd.com>
Date: Tue, 6 Feb 2018 19:08:11 -0600
Date: Thu, 15 Feb 2018 09:03:24 -0600
Subject: [PATCH] qmp: add query-sev-launch-measure command
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@ -17,15 +17,15 @@ Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
[BR: FATE#322124]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
qapi-schema.json | 30 ++++++++++++++++++++++++++++++
qmp.c | 14 ++++++++++++++
2 files changed, 44 insertions(+)
qapi-schema.json | 29 +++++++++++++++++++++++++++++
qmp.c | 17 +++++++++++++++++
2 files changed, 46 insertions(+)
diff --git a/qapi-schema.json b/qapi-schema.json
index 40c2de3026..8ab8e74956 100644
index 91a8a74f81..215681fbd7 100644
--- a/qapi-schema.json
+++ b/qapi-schema.json
@@ -3247,3 +3247,33 @@
@@ -3257,3 +3257,32 @@
#
##
{ 'command': 'query-sev', 'returns': 'SevInfo' }
@ -39,7 +39,6 @@ index 40c2de3026..8ab8e74956 100644
+#
+# Since: 2.12
+#
+# Notes: If measurement is not available then a null measurement is returned.
+##
+{ 'struct': 'SevLaunchMeasureInfo', 'data': {'data': 'str'} }
+
@ -60,24 +59,27 @@ index 40c2de3026..8ab8e74956 100644
+##
+{ 'command': 'query-sev-launch-measure', 'returns': 'SevLaunchMeasureInfo' }
diff --git a/qmp.c b/qmp.c
index 4cd01ea666..d9ec4bf18e 100644
index 3c2d573384..445c668428 100644
--- a/qmp.c
+++ b/qmp.c
@@ -738,3 +738,17 @@ SevInfo *qmp_query_sev(Error **errp)
@@ -738,3 +738,20 @@ SevInfo *qmp_query_sev(Error **errp)
return info;
}
+
+SevLaunchMeasureInfo *qmp_query_sev_launch_measure(Error **errp)
+{
+ SevLaunchMeasureInfo *info = NULL;
+ char *data;
+ SevLaunchMeasureInfo *info;
+
+ if (sev_enabled()) {
+ info = g_malloc0(sizeof(*info));
+ info->data = sev_get_launch_measurement();
+ } else {
+ error_setg(errp, "SEV is not enabled");
+ data = sev_get_launch_measurement();
+ if (!data) {
+ error_setg(errp, "Measurement is not available");
+ return NULL;
+ }
+
+ info = g_malloc0(sizeof(*info));
+ info->data = data;
+
+ return info;
+}

45
0072-sev-Fix-build-for-non-x86-hosts.patch
View File

@ -1,45 +0,0 @@
From 5c1a357744cfd2917705907bc3d50efd1184b7d9 Mon Sep 17 00:00:00 2001
From: Bruce Rogers <brogers@suse.com>
Date: Wed, 7 Feb 2018 14:01:55 -0700
Subject: [PATCH] sev: Fix build for non-x86 hosts
I imagine the upstream code will still change in a way to not
require this work around, but for now this works.
Also bypass the test for query-sev-launch-measure qmp command test,
since it causes the qemu-testsuite package to fail to build.
[BR: FATE#322124]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
accel/kvm/sev.c | 4 ++++
tests/qmp-test.c | 1 +
2 files changed, 5 insertions(+)
diff --git a/accel/kvm/sev.c b/accel/kvm/sev.c
index b149f4ae64..0e48d1f249 100644
--- a/accel/kvm/sev.c
+++ b/accel/kvm/sev.c
@@ -322,7 +322,11 @@ sev_get_host_cbitpos(void)
{
uint32_t ebx;
+#ifdef TARGET_X86_64
host_cpuid(0x8000001F, 0, NULL, &ebx, NULL, NULL);
+#else
+ ebx = 0;
+#endif
return ebx & 0x3f;
}
diff --git a/tests/qmp-test.c b/tests/qmp-test.c
index c5a5c10b41..2b2d9b2a4a 100644
--- a/tests/qmp-test.c
+++ b/tests/qmp-test.c
@@ -200,6 +200,7 @@ static bool query_is_blacklisted(const char *cmd)
"query-gic-capabilities", /* arm */
/* Success depends on target-specific build configuration: */
"query-pci", /* CONFIG_PCI */
+ "query-sev-launch-measure", /* not fully cooked yet */
NULL
};
int i;

36
0072-tests-qmp-test-blacklist-query-sev-.patch Normal file
View File

@ -0,0 +1,36 @@
From 00751496fa11ed34f0849cb969d794ac1a0b1391 Mon Sep 17 00:00:00 2001
From: Brijesh Singh <brijesh.singh@amd.com>
Date: Thu, 15 Feb 2018 09:03:24 -0600
Subject: [PATCH] tests/qmp-test: blacklist query-sev-launch-measure command
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The query-sev-launch-measure command returns a measurement of encrypted
memory when SEV is enabled otherwise it returns an error. Blacklist the
command in qmp-test to fix the 'make check' failure.
Cc: "Daniel P. Berrangé" <berrange@redhat.com>
Cc: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Cc: Markus Armbruster <armbru@redhat.com>
Reviewed-by: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
[BR: FATE#322124]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
tests/qmp-test.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/tests/qmp-test.c b/tests/qmp-test.c
index c5a5c10b41..06fe0b6f7a 100644
--- a/tests/qmp-test.c
+++ b/tests/qmp-test.c
@@ -200,6 +200,8 @@ static bool query_is_blacklisted(const char *cmd)
"query-gic-capabilities", /* arm */
/* Success depends on target-specific build configuration: */
"query-pci", /* CONFIG_PCI */
+ /* Success depends on launching SEV guest */
+ "query-sev-launch-measure",
NULL
};
int i;

60
0073-sev-i386-add-migration-blocker.patch Normal file
View File

@ -0,0 +1,60 @@
From 2957d1d9d2494b2a8582f778e342fb7430fc1406 Mon Sep 17 00:00:00 2001
From: Brijesh Singh <brijesh.singh@amd.com>
Date: Thu, 15 Feb 2018 09:03:24 -0600
Subject: [PATCH] sev/i386: add migration blocker
SEV guest migration is not implemented yet.
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
[BR: FATE#322124]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
target/i386/sev.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/target/i386/sev.c b/target/i386/sev.c
index 559881084d..a4f5a87e9b 100644
--- a/target/i386/sev.c
+++ b/target/i386/sev.c
@@ -20,6 +20,7 @@
#include "sysemu/sysemu.h"
#include "trace.h"
#include "qapi-event.h"
+#include "migration/blocker.h"
#include <sys/ioctl.h>
#include <linux/psp-sev.h>
@@ -35,6 +36,7 @@ static uint32_t x86_cbitpos;
static uint32_t x86_reduced_phys_bits;
static SEVState *sev_state;
static MemoryRegionRAMReadWriteOps sev_ops;
+static Error *sev_mig_blocker;
static SevState current_sev_guest_state = SEV_STATE_UNINIT;
@@ -622,6 +624,7 @@ static void
sev_launch_finish(SEVState *s)
{
int ret, error;
+ Error *local_err = NULL;
trace_kvm_sev_launch_finish();
ret = sev_ioctl(KVM_SEV_LAUNCH_FINISH, 0, &error);
@@ -632,6 +635,16 @@ sev_launch_finish(SEVState *s)
}
sev_set_guest_state(SEV_STATE_RUNNING);
+
+ /* add migration blocker */
+ error_setg(&sev_mig_blocker,
+ "SEV: Migration is not implemented");
+ ret = migrate_add_blocker(sev_mig_blocker, &local_err);
+ if (local_err) {
+ error_report_err(local_err);
+ error_free(sev_mig_blocker);
+ exit(1);
+ }
}
static void

60
0074-cpu-i386-populate-CPUID-0x8000_001F.patch Normal file
View File

@ -0,0 +1,60 @@
From 28839121aa98b7e126a7770200041203acd077bb Mon Sep 17 00:00:00 2001
From: Brijesh Singh <brijesh.singh@amd.com>
Date: Thu, 15 Feb 2018 09:03:25 -0600
Subject: [PATCH] cpu/i386: populate CPUID 0x8000_001F when SEV is active
When SEV is enabled, CPUID 0x8000_001F should provide additional
information regarding the feature (such as which page table bit is used
to mark the pages as encrypted etc).
The details for memory encryption CPUID is available in AMD APM
(https://support.amd.com/TechDocs/24594.pdf) Section E.4.17
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Richard Henderson <rth@twiddle.net>
Cc: Eduardo Habkost <ehabkost@redhat.com>
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
[BR: FATE#322124]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
target/i386/cpu.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index 70c8ae82d5..a7e27f3bbf 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -23,6 +23,7 @@
#include "exec/exec-all.h"
#include "sysemu/kvm.h"
#include "sysemu/cpus.h"
+#include "sysemu/sev.h"
#include "kvm_i386.h"
#include "qemu/error-report.h"
@@ -3578,6 +3579,13 @@ void cpu_x86_cpuid(CPUX86State *env, uint32_t index, uint32_t count,
*ecx = 0;
*edx = 0;
break;
+ case 0x8000001F:
+ *eax = sev_enabled() ? 0x2 : 0;
+ *ebx = sev_get_cbit_position();
+ *ebx |= sev_get_reduced_phys_bits() << 6;
+ *ecx = 0;
+ *edx = 0;
+ break;
default:
/* reserved values: zero */
*eax = 0;
@@ -4000,6 +4008,11 @@ static void x86_cpu_expand_features(X86CPU *cpu, Error **errp)
if (env->features[FEAT_8000_0001_ECX] & CPUID_EXT3_SVM) {
x86_cpu_adjust_level(cpu, &env->cpuid_min_xlevel, 0x8000000A);
}
+
+ /* SEV requires CPUID[0x8000001F] */
+ if (sev_enabled()) {
+ x86_cpu_adjust_level(cpu, &env->cpuid_min_xlevel, 0x8000001F);
+ }
}
/* Set cpuid_*level* based on cpuid_min_*level, if not explicitly set */

75
0075-migration-warn-about-inconsistent-s.patch Normal file
View File

@ -0,0 +1,75 @@
From 2b3e17db667199d2df374f2537f0ef60c86add2f Mon Sep 17 00:00:00 2001
From: Bruce Rogers <brogers@suse.com>
Date: Wed, 21 Feb 2018 14:00:52 -0700
Subject: [PATCH] migration: warn about inconsistent spec_ctrl state
As an attempt to help the user do the right thing, warn if we
detect spec_ctrl data in the migration stream, but where the
cpu defined doesn't have the feature. This would indicate the
migration is from the quick and dirty qemu produced in January
2018 to handle Spectre v2. That qemu version exposed the IBRS
cpu feature to all vcpu types, which helped in the short term
but wasn't a well designed approach.
Warn the user that the now migrated guest needs to be restarted
as soon as possible, using the spec_ctrl cpu feature flag or a
*-IBRS vcpu model specified as appropriate.
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
cpus.c | 12 ++++++++++++
include/qemu/thread.h | 1 +
migration/migration.c | 8 ++++++++
3 files changed, 21 insertions(+)
diff --git a/cpus.c b/cpus.c
index d1e7e28993..238570badc 100644
--- a/cpus.c
+++ b/cpus.c
@@ -2039,6 +2039,18 @@ exit:
fclose(f);
}
+bool spec_ctrl_is_inconsistent(void)
+{
+#if defined(TARGET_I386)
+ X86CPU *x86_cpu = X86_CPU(current_cpu);
+ CPUX86State *env = &x86_cpu->env;
+ if (!(env->features[FEAT_7_0_EDX] & CPUID_7_0_EDX_SPEC_CTRL) &&
+ env->spec_ctrl)
+ return true;
+#endif
+ return false;
+}
+
void qmp_inject_nmi(Error **errp)
{
nmi_monitor_handle(monitor_get_cpu_index(), errp);
diff --git a/include/qemu/thread.h b/include/qemu/thread.h
index 9910f49b3a..c5803bfacc 100644
--- a/include/qemu/thread.h
+++ b/include/qemu/thread.h
@@ -210,4 +210,5 @@ void qemu_lockcnt_inc_and_unlock(QemuLockCnt *lockcnt);
*/
unsigned qemu_lockcnt_count(QemuLockCnt *lockcnt);
+bool spec_ctrl_is_inconsistent(void);
#endif
diff --git a/migration/migration.c b/migration/migration.c
index d780601f0c..d39c43c6b7 100644
--- a/migration/migration.c
+++ b/migration/migration.c
@@ -2121,6 +2121,14 @@ static void migration_completion(MigrationState *s, int current_active_state,
migrate_set_state(&s->state, current_active_state,
MIGRATION_STATUS_COMPLETED);
}
+ if (spec_ctrl_is_inconsistent()) {
+ fprintf(stderr, "WARNING! Migration from qemu with rudimentary "
+ "Spectre v2 support to newer qemu\ndetected! To "
+ "maintain proper protection, restart the guest as "
+ "soon as possible\nusing the spec_ctrl cpu feature "
+ "flag or a *-IBRS vcpu model specified\nas appropriate."
+ "\n");
+ }
return;

37
0076-i386-Compensate-for-KVM-SPEC_CTRL-f.patch Normal file
View File

@ -0,0 +1,37 @@
From d3e377d2c0d2ab163482f3eaccdfc4c7e291ac7e Mon Sep 17 00:00:00 2001
From: Bruce Rogers <brogers@suse.com>
Date: Thu, 22 Feb 2018 04:48:07 -0700
Subject: [PATCH] i386: Compensate for KVM SPEC_CTRL feature availability bug
As we move away from the quick and dirty qemu solution for
Spectre v2, it was found that KVM wasn't reporting the SPEC_CTRL
feature when it in fact was present due to microcode update.
This patch compensates for that bug by checking for the feature
in QEMU code (like the quick and dirty solution did), instead of
simply relying on KVM for that information.
[BR: BSC#1082276]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
target/i386/cpu.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index a7e27f3bbf..5c34175f3f 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -2824,6 +2824,14 @@ static uint32_t x86_cpu_get_supported_feature_word(FeatureWord w,
r = kvm_arch_get_supported_cpuid(kvm_state, wi->cpuid_eax,
wi->cpuid_ecx,
wi->cpuid_reg);
+ // BUG!!! We need to compensate for a KVM bug where it doesn't
+ // correctly report support for IBRS (bsc#1082276)
+ if (w == FEAT_7_0_EDX) {
+ uint32_t edx;
+ host_cpuid(7, 0, NULL, NULL, NULL, &edx);
+#define CPUID_7_0_EDX_PRED_CMD (1U << 27)
+ r |= edx & (CPUID_7_0_EDX_SPEC_CTRL | CPUID_7_0_EDX_PRED_CMD);
+ }
} else if (tcg_enabled()) {
r = wi->tcg_features;
} else {

3
qemu-2.11.0.tar.xz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:c9d34a79024eae080ce3853aa9afe503824520eefb440190383003081ce7f437
size 28984736

BIN
qemu-2.11.0.tar.xz.sig
View File

Binary file not shown.

3
qemu-2.11.1.tar.xz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:8a5145d1f8bd2eadc6776f3e13c68cd28d01349e30639bdbcb26ac588d668686
size 28992188

BIN
qemu-2.11.1.tar.xz.sig Normal file
View File

Binary file not shown.

48
qemu-linux-user.changes
View File

@ -1,3 +1,51 @@
-------------------------------------------------------------------
Thu Feb 22 12:01:25 UTC 2018 - brogers@suse.com
- Update to v2.11.1, a stable, (mostly) bug-fix-only release
* Patches dropped:
0033-i386-kvm-MSR_IA32_SPEC_CTRL-and-MSR.patch
0050-target-i386-add-memory-encryption-f.patch
0054-accel-add-Secure-Encrypted-Virtuliz.patch
0055-sev-add-command-to-initialize-the-m.patch
0072-sev-Fix-build-for-non-x86-hosts.patch
* Patches added:
0033-memfd-fix-configure-test.patch
0053-target-i386-add-Secure-Encrypted-Vi.patch
0056-qmp-populate-SevInfo-fields-with-SE.patch
0072-tests-qmp-test-blacklist-query-sev-.patch
0073-sev-i386-add-migration-blocker.patch
0074-cpu-i386-populate-CPUID-0x8000_001F.patch
0075-migration-warn-about-inconsistent-s.patch
0076-i386-Compensate-for-KVM-SPEC_CTRL-f.patch
* Patches renamed (plus some minor code changes):
0051-machine-add-memory-encryption-prope.patch
-> 0050-machine-add-memory-encryption-prope.patch
0052-kvm-update-kvm.h-to-include-memory-.patch
-> 0051-kvm-update-kvm.h-to-include-memory-.patch
0053-docs-add-AMD-Secure-Encrypted-Virtu.patch
-> 0052-docs-add-AMD-Secure-Encrypted-Virtu.patch
0056-sev-register-the-guest-memory-range.patch
-> 0057-sev-i386-register-the-guest-memory-.patch
0057-kvm-introduce-memory-encryption-API.patch
-> 0058-kvm-introduce-memory-encryption-API.patch
0058-qmp-add-query-sev-command.patch
-> 0054-qmp-add-query-sev-command.patch
0060-sev-add-command-to-create-launch-me.patch
-> 0060-sev-i386-add-command-to-create-laun.patch
0061-sev-add-command-to-encrypt-guest-me.patch
-> 0061-sev-i386-add-command-to-encrypt-gue.patch
0063-sev-add-support-to-LAUNCH_MEASURE-c.patch
-> 0063-sev-i386-add-support-to-LAUNCH_MEAS.patch
0064-sev-Finalize-the-SEV-guest-launch-f.patch
-> 0064-sev-i386-finalize-the-SEV-guest-lau.patch
0066-sev-add-debug-encrypt-and-decrypt-c.patch
-> 0066-sev-i386-add-debug-encrypt-and-decr.patch
0069-sev-add-support-to-query-PLATFORM_S.patch
-> 0069-sev-i386-add-support-to-query-PLATF.patch
0070-sev-add-support-to-KVM_SEV_GUEST_ST.patch
-> 0070-sev-i386-add-support-to-KVM_SEV_GUE.patch
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.11
-------------------------------------------------------------------
Thu Feb 8 18:30:53 UTC 2018 - brogers@suse.com

50
qemu-linux-user.spec
View File

@ -21,9 +21,9 @@ Url: http://www.qemu.org/
Summary: CPU emulator for user space
License: BSD-3-Clause AND GPL-2.0 AND GPL-2.0+ AND LGPL-2.1+ AND MIT
Group: System/Emulators/PC
Version: 2.11.0
Version: 2.11.1
Release: 0
Source: qemu-2.11.0.tar.xz
Source: qemu-2.11.1.tar.xz
# Upstream First -- http://wiki.qemu-project.org/Contribute/SubmitAPatch
# This patch queue is auto-generated from https://github.com/openSUSE/qemu
Patch0001: 0001-XXX-dont-dump-core-on-sigabort.patch
@ -58,7 +58,7 @@ Patch0029: 0029-test-string-input-visitor-Add-uint6.patch
Patch0030: 0030-tests-Add-QOM-property-unit-tests.patch
Patch0031: 0031-tests-Add-scsi-disk-test.patch
Patch0032: 0032-Switch-order-of-libraries-for-mpath.patch
Patch0033: 0033-i386-kvm-MSR_IA32_SPEC_CTRL-and-MSR.patch
Patch0033: 0033-memfd-fix-configure-test.patch
Patch0034: 0034-qapi-use-items-values-intead-of-ite.patch
Patch0035: 0035-qapi-Use-OrderedDict-from-standard-.patch
Patch0036: 0036-qapi-adapt-to-moved-location-of-Str.patch
@ -75,29 +75,33 @@ Patch0046: 0046-memattrs-add-debug-attribute.patch
Patch0047: 0047-exec-add-ram_debug_ops-support.patch
Patch0048: 0048-exec-add-debug-version-of-physical-.patch
Patch0049: 0049-monitor-i386-use-debug-APIs-when-ac.patch
Patch0050: 0050-target-i386-add-memory-encryption-f.patch
Patch0051: 0051-machine-add-memory-encryption-prope.patch
Patch0052: 0052-kvm-update-kvm.h-to-include-memory-.patch
Patch0053: 0053-docs-add-AMD-Secure-Encrypted-Virtu.patch
Patch0054: 0054-accel-add-Secure-Encrypted-Virtuliz.patch
Patch0055: 0055-sev-add-command-to-initialize-the-m.patch
Patch0056: 0056-sev-register-the-guest-memory-range.patch
Patch0057: 0057-kvm-introduce-memory-encryption-API.patch
Patch0058: 0058-qmp-add-query-sev-command.patch
Patch0050: 0050-machine-add-memory-encryption-prope.patch
Patch0051: 0051-kvm-update-kvm.h-to-include-memory-.patch
Patch0052: 0052-docs-add-AMD-Secure-Encrypted-Virtu.patch
Patch0053: 0053-target-i386-add-Secure-Encrypted-Vi.patch
Patch0054: 0054-qmp-add-query-sev-command.patch
Patch0055: 0055-sev-i386-add-command-to-initialize-.patch
Patch0056: 0056-qmp-populate-SevInfo-fields-with-SE.patch
Patch0057: 0057-sev-i386-register-the-guest-memory-.patch
Patch0058: 0058-kvm-introduce-memory-encryption-API.patch
Patch0059: 0059-hmp-add-info-sev-command.patch
Patch0060: 0060-sev-add-command-to-create-launch-me.patch
Patch0061: 0061-sev-add-command-to-encrypt-guest-me.patch
Patch0060: 0060-sev-i386-add-command-to-create-laun.patch
Patch0061: 0061-sev-i386-add-command-to-encrypt-gue.patch
Patch0062: 0062-target-i386-encrypt-bios-rom.patch
Patch0063: 0063-sev-add-support-to-LAUNCH_MEASURE-c.patch
Patch0064: 0064-sev-Finalize-the-SEV-guest-launch-f.patch
Patch0063: 0063-sev-i386-add-support-to-LAUNCH_MEAS.patch
Patch0064: 0064-sev-i386-finalize-the-SEV-guest-lau.patch
Patch0065: 0065-hw-i386-set-ram_debug_ops-when-memo.patch
Patch0066: 0066-sev-add-debug-encrypt-and-decrypt-c.patch
Patch0066: 0066-sev-i386-add-debug-encrypt-and-decr.patch
Patch0067: 0067-target-i386-clear-C-bit-when-walkin.patch
Patch0068: 0068-include-add-psp-sev.h-header-file.patch
Patch0069: 0069-sev-add-support-to-query-PLATFORM_S.patch
Patch0070: 0070-sev-add-support-to-KVM_SEV_GUEST_ST.patch
Patch0069: 0069-sev-i386-add-support-to-query-PLATF.patch
Patch0070: 0070-sev-i386-add-support-to-KVM_SEV_GUE.patch
Patch0071: 0071-qmp-add-query-sev-launch-measure-co.patch
Patch0072: 0072-sev-Fix-build-for-non-x86-hosts.patch
Patch0072: 0072-tests-qmp-test-blacklist-query-sev-.patch
Patch0073: 0073-sev-i386-add-migration-blocker.patch
Patch0074: 0074-cpu-i386-populate-CPUID-0x8000_001F.patch
Patch0075: 0075-migration-warn-about-inconsistent-s.patch
Patch0076: 0076-i386-Compensate-for-KVM-SPEC_CTRL-f.patch
# Please do not add QEMU patches manually here.
# Run update_git.sh to regenerate this queue.
Source400: update_git.sh
@ -126,7 +130,7 @@ architecture. The syscall interface is intercepted and execution below the
syscall layer occurs on the native hardware and operating system.
%prep
%setup -q -n qemu-2.11.0
%setup -q -n qemu-2.11.1
%patch0001 -p1
%patch0002 -p1
%patch0003 -p1
@ -199,6 +203,10 @@ syscall layer occurs on the native hardware and operating system.
%patch0070 -p1
%patch0071 -p1
%patch0072 -p1
%patch0073 -p1
%patch0074 -p1
%patch0075 -p1
%patch0076 -p1
%build
./configure \

4
qemu-linux-user.spec.in
View File

@ -23,7 +23,7 @@ License: BSD-3-Clause AND GPL-2.0 AND GPL-2.0+ AND LGPL-2.1+ AND MIT
Group: System/Emulators/PC
QEMU_VERSION
Release: 0
Source: qemu-2.11.0.tar.xz
Source: qemu-2.11.1.tar.xz
# Upstream First -- http://wiki.qemu-project.org/Contribute/SubmitAPatch
# This patch queue is auto-generated from https://github.com/openSUSE/qemu
PATCH_FILES
@ -55,7 +55,7 @@ architecture. The syscall interface is intercepted and execution below the
syscall layer occurs on the native hardware and operating system.
%prep
%setup -q -n qemu-2.11.0
%setup -q -n qemu-2.11.1
PATCH_EXEC
%build

82
qemu-testsuite.changes
View File

@ -1,3 +1,85 @@
-------------------------------------------------------------------
Thu Feb 22 12:01:21 UTC 2018 - brogers@suse.com
- Update to v2.11.1, a stable, (mostly) bug-fix-only release
In addition to bug fixes, of necessity fixes are needed to
address the Spectre v2 vulnerability by passing along to the
guest new hardware features introduced by host microcode updates.
A January 2018 release of qemu initially addressed this issue
by exposing the feature for all x86 vcpu types, which was the
quick and dirty approach, but not the proper solution. We remove
that initial patch and now rely on the upstream solution. This
update instead defines spec_ctrl and ibpb cpu feature flags as
well as new cpu models which are clones of existing models with
either -IBRS or -IBPB added to the end of the model name. These
new vcpu models explicitly include the new feature(s), whereas
the feature flags can be added to the cpu parameter as with other
features. In short, for continued Spectre v2 protection, ensure
that either the appropriate cpu feature flag is added to the QEMU
command-line, or one of the new cpu models is used. Although
migration from older versions is supported, the new cpu features
won't be properly exposed to the guest until it is restarted with
the cpu features explicitly added. A reboot is insufficient.
A warning patch is added which attempts to detect a migration
from a qemu version which had the quick and dirty fix (it only
detects certain cases, but hopefully is helpful.)
s390x guest vulnerability to Spectre v2 is also addressed in this
update by including support for bpb and ppa/stfle.81 features.
(CVE-2017-5715 bsc#1068032)
For additional information on Spectre v2 as it relates to QEMU,
see: https://www.qemu.org/2018/02/14/qemu-2-11-1-and-spectre-update/
- Unfortunately, it was found that our current KVM isn't correctly
indicating support for the spec-ctrl feature, so I've added a patch
to still detect that support within QEMU. This is of course a
temporary kludge until KVM gets fixed. (bsc#1082276)
- The SEV support patches are updated to the v9 series.
- Fix incompatibility with recent glibc (boo#1081154)
- Add Supplements tags for the guest agent package in an attempt to
auto-install for QEMU and Xen SUSE Linux guests (fate#323570)
* Patches dropped (subsumed by stable update, or reworked in v9):
0033-i386-kvm-MSR_IA32_SPEC_CTRL-and-MSR.patch
0050-target-i386-add-memory-encryption-f.patch
0054-accel-add-Secure-Encrypted-Virtuliz.patch
0055-sev-add-command-to-initialize-the-m.patch
0072-sev-Fix-build-for-non-x86-hosts.patch
* Patches added:
0033-memfd-fix-configure-test.patch
0053-target-i386-add-Secure-Encrypted-Vi.patch
0056-qmp-populate-SevInfo-fields-with-SE.patch
0072-tests-qmp-test-blacklist-query-sev-.patch
0073-sev-i386-add-migration-blocker.patch
0074-cpu-i386-populate-CPUID-0x8000_001F.patch
0075-migration-warn-about-inconsistent-s.patch
0076-i386-Compensate-for-KVM-SPEC_CTRL-f.patch
* Patches renamed (plus some minor code changes):
0051-machine-add-memory-encryption-prope.patch
-> 0050-machine-add-memory-encryption-prope.patch
0052-kvm-update-kvm.h-to-include-memory-.patch
-> 0051-kvm-update-kvm.h-to-include-memory-.patch
0053-docs-add-AMD-Secure-Encrypted-Virtu.patch
-> 0052-docs-add-AMD-Secure-Encrypted-Virtu.patch
0056-sev-register-the-guest-memory-range.patch
-> 0057-sev-i386-register-the-guest-memory-.patch
0057-kvm-introduce-memory-encryption-API.patch
-> 0058-kvm-introduce-memory-encryption-API.patch
0058-qmp-add-query-sev-command.patch
-> 0054-qmp-add-query-sev-command.patch
0060-sev-add-command-to-create-launch-me.patch
-> 0060-sev-i386-add-command-to-create-laun.patch
0061-sev-add-command-to-encrypt-guest-me.patch
-> 0061-sev-i386-add-command-to-encrypt-gue.patch
0063-sev-add-support-to-LAUNCH_MEASURE-c.patch
-> 0063-sev-i386-add-support-to-LAUNCH_MEAS.patch
0064-sev-Finalize-the-SEV-guest-launch-f.patch
-> 0064-sev-i386-finalize-the-SEV-guest-lau.patch
0066-sev-add-debug-encrypt-and-decrypt-c.patch
-> 0066-sev-i386-add-debug-encrypt-and-decr.patch
0069-sev-add-support-to-query-PLATFORM_S.patch
-> 0069-sev-i386-add-support-to-query-PLATF.patch
0070-sev-add-support-to-KVM_SEV_GUEST_ST.patch
-> 0070-sev-i386-add-support-to-KVM_SEV_GUE.patch
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.11
-------------------------------------------------------------------
Thu Feb 8 18:29:30 UTC 2018 - brogers@suse.com

55
qemu-testsuite.spec
View File

@ -109,10 +109,10 @@ Url: http://www.qemu.org/
Summary: Machine emulator and virtualizer
License: BSD-3-Clause AND GPL-2.0 AND GPL-2.0+ AND LGPL-2.1+ AND MIT
Group: System/Emulators/PC
Version: 2.11.0
Version: 2.11.1
Release: 0
Source: http://wiki.qemu.org/download/qemu-2.11.0.tar.xz
Source99: http://wiki.qemu.org/download/qemu-2.11.0.tar.xz.sig
Source: http://wiki.qemu.org/download/qemu-2.11.1.tar.xz
Source99: http://wiki.qemu.org/download/qemu-2.11.1.tar.xz.sig
Source1: 80-kvm.rules
Source2: qemu-ifup
Source3: kvm_stat
@ -162,7 +162,7 @@ Patch0029: 0029-test-string-input-visitor-Add-uint6.patch
Patch0030: 0030-tests-Add-QOM-property-unit-tests.patch
Patch0031: 0031-tests-Add-scsi-disk-test.patch
Patch0032: 0032-Switch-order-of-libraries-for-mpath.patch
Patch0033: 0033-i386-kvm-MSR_IA32_SPEC_CTRL-and-MSR.patch
Patch0033: 0033-memfd-fix-configure-test.patch
Patch0034: 0034-qapi-use-items-values-intead-of-ite.patch
Patch0035: 0035-qapi-Use-OrderedDict-from-standard-.patch
Patch0036: 0036-qapi-adapt-to-moved-location-of-Str.patch
@ -179,29 +179,33 @@ Patch0046: 0046-memattrs-add-debug-attribute.patch
Patch0047: 0047-exec-add-ram_debug_ops-support.patch
Patch0048: 0048-exec-add-debug-version-of-physical-.patch
Patch0049: 0049-monitor-i386-use-debug-APIs-when-ac.patch
Patch0050: 0050-target-i386-add-memory-encryption-f.patch
Patch0051: 0051-machine-add-memory-encryption-prope.patch
Patch0052: 0052-kvm-update-kvm.h-to-include-memory-.patch
Patch0053: 0053-docs-add-AMD-Secure-Encrypted-Virtu.patch
Patch0054: 0054-accel-add-Secure-Encrypted-Virtuliz.patch
Patch0055: 0055-sev-add-command-to-initialize-the-m.patch
Patch0056: 0056-sev-register-the-guest-memory-range.patch
Patch0057: 0057-kvm-introduce-memory-encryption-API.patch
Patch0058: 0058-qmp-add-query-sev-command.patch
Patch0050: 0050-machine-add-memory-encryption-prope.patch
Patch0051: 0051-kvm-update-kvm.h-to-include-memory-.patch
Patch0052: 0052-docs-add-AMD-Secure-Encrypted-Virtu.patch
Patch0053: 0053-target-i386-add-Secure-Encrypted-Vi.patch
Patch0054: 0054-qmp-add-query-sev-command.patch
Patch0055: 0055-sev-i386-add-command-to-initialize-.patch
Patch0056: 0056-qmp-populate-SevInfo-fields-with-SE.patch
Patch0057: 0057-sev-i386-register-the-guest-memory-.patch
Patch0058: 0058-kvm-introduce-memory-encryption-API.patch
Patch0059: 0059-hmp-add-info-sev-command.patch
Patch0060: 0060-sev-add-command-to-create-launch-me.patch
Patch0061: 0061-sev-add-command-to-encrypt-guest-me.patch
Patch0060: 0060-sev-i386-add-command-to-create-laun.patch
Patch0061: 0061-sev-i386-add-command-to-encrypt-gue.patch
Patch0062: 0062-target-i386-encrypt-bios-rom.patch
Patch0063: 0063-sev-add-support-to-LAUNCH_MEASURE-c.patch
Patch0064: 0064-sev-Finalize-the-SEV-guest-launch-f.patch
Patch0063: 0063-sev-i386-add-support-to-LAUNCH_MEAS.patch
Patch0064: 0064-sev-i386-finalize-the-SEV-guest-lau.patch
Patch0065: 0065-hw-i386-set-ram_debug_ops-when-memo.patch
Patch0066: 0066-sev-add-debug-encrypt-and-decrypt-c.patch
Patch0066: 0066-sev-i386-add-debug-encrypt-and-decr.patch
Patch0067: 0067-target-i386-clear-C-bit-when-walkin.patch
Patch0068: 0068-include-add-psp-sev.h-header-file.patch
Patch0069: 0069-sev-add-support-to-query-PLATFORM_S.patch
Patch0070: 0070-sev-add-support-to-KVM_SEV_GUEST_ST.patch
Patch0069: 0069-sev-i386-add-support-to-query-PLATF.patch
Patch0070: 0070-sev-i386-add-support-to-KVM_SEV_GUE.patch
Patch0071: 0071-qmp-add-query-sev-launch-measure-co.patch
Patch0072: 0072-sev-Fix-build-for-non-x86-hosts.patch
Patch0072: 0072-tests-qmp-test-blacklist-query-sev-.patch
Patch0073: 0073-sev-i386-add-migration-blocker.patch
Patch0074: 0074-cpu-i386-populate-CPUID-0x8000_001F.patch
Patch0075: 0075-migration-warn-about-inconsistent-s.patch
Patch0076: 0076-i386-Compensate-for-KVM-SPEC_CTRL-f.patch
# Please do not add QEMU patches manually here.
# Run update_git.sh to regenerate this queue.
@ -722,6 +726,9 @@ Group: System/Emulators/PC
Provides: qemu:%_bindir/qemu-ga
Requires(pre): shadow
Requires(post): udev
Supplements: modalias(acpi*:QEMU0002:*)
Supplements: modalias(pci:v0000FFFDd00000101sv*sd*bc*sc*i*)
Supplements: modalias(pci:v00005853d00000001sv*sd*bc*sc*i*)
%{?systemd_requires}
%description guest-agent
@ -797,7 +804,7 @@ This package provides a service file for starting and stopping KSM.
%endif # !qemu-testsuite
%prep
%setup -q -n qemu-2.11.0
%setup -q -n qemu-2.11.1
%patch0001 -p1
%patch0002 -p1
%patch0003 -p1
@ -870,6 +877,10 @@ This package provides a service file for starting and stopping KSM.
%patch0070 -p1
%patch0071 -p1
%patch0072 -p1
%patch0073 -p1
%patch0074 -p1
%patch0075 -p1
%patch0076 -p1
%if 0%{?suse_version} > 1320
%patch1000 -p1

82
qemu.changes
View File

@ -1,3 +1,85 @@
-------------------------------------------------------------------
Thu Feb 22 12:01:21 UTC 2018 - brogers@suse.com
- Update to v2.11.1, a stable, (mostly) bug-fix-only release
In addition to bug fixes, of necessity fixes are needed to
address the Spectre v2 vulnerability by passing along to the
guest new hardware features introduced by host microcode updates.
A January 2018 release of qemu initially addressed this issue
by exposing the feature for all x86 vcpu types, which was the
quick and dirty approach, but not the proper solution. We remove
that initial patch and now rely on the upstream solution. This
update instead defines spec_ctrl and ibpb cpu feature flags as
well as new cpu models which are clones of existing models with
either -IBRS or -IBPB added to the end of the model name. These
new vcpu models explicitly include the new feature(s), whereas
the feature flags can be added to the cpu parameter as with other
features. In short, for continued Spectre v2 protection, ensure
that either the appropriate cpu feature flag is added to the QEMU
command-line, or one of the new cpu models is used. Although
migration from older versions is supported, the new cpu features
won't be properly exposed to the guest until it is restarted with
the cpu features explicitly added. A reboot is insufficient.
A warning patch is added which attempts to detect a migration
from a qemu version which had the quick and dirty fix (it only
detects certain cases, but hopefully is helpful.)
s390x guest vulnerability to Spectre v2 is also addressed in this
update by including support for bpb and ppa/stfle.81 features.
(CVE-2017-5715 bsc#1068032)
For additional information on Spectre v2 as it relates to QEMU,
see: https://www.qemu.org/2018/02/14/qemu-2-11-1-and-spectre-update/
- Unfortunately, it was found that our current KVM isn't correctly
indicating support for the spec-ctrl feature, so I've added a patch
to still detect that support within QEMU. This is of course a
temporary kludge until KVM gets fixed. (bsc#1082276)
- The SEV support patches are updated to the v9 series.
- Fix incompatibility with recent glibc (boo#1081154)
- Add Supplements tags for the guest agent package in an attempt to
auto-install for QEMU and Xen SUSE Linux guests (fate#323570)
* Patches dropped (subsumed by stable update, or reworked in v9):
0033-i386-kvm-MSR_IA32_SPEC_CTRL-and-MSR.patch
0050-target-i386-add-memory-encryption-f.patch
0054-accel-add-Secure-Encrypted-Virtuliz.patch
0055-sev-add-command-to-initialize-the-m.patch
0072-sev-Fix-build-for-non-x86-hosts.patch
* Patches added:
0033-memfd-fix-configure-test.patch
0053-target-i386-add-Secure-Encrypted-Vi.patch
0056-qmp-populate-SevInfo-fields-with-SE.patch
0072-tests-qmp-test-blacklist-query-sev-.patch
0073-sev-i386-add-migration-blocker.patch
0074-cpu-i386-populate-CPUID-0x8000_001F.patch
0075-migration-warn-about-inconsistent-s.patch
0076-i386-Compensate-for-KVM-SPEC_CTRL-f.patch
* Patches renamed (plus some minor code changes):
0051-machine-add-memory-encryption-prope.patch
-> 0050-machine-add-memory-encryption-prope.patch
0052-kvm-update-kvm.h-to-include-memory-.patch
-> 0051-kvm-update-kvm.h-to-include-memory-.patch
0053-docs-add-AMD-Secure-Encrypted-Virtu.patch
-> 0052-docs-add-AMD-Secure-Encrypted-Virtu.patch
0056-sev-register-the-guest-memory-range.patch
-> 0057-sev-i386-register-the-guest-memory-.patch
0057-kvm-introduce-memory-encryption-API.patch
-> 0058-kvm-introduce-memory-encryption-API.patch
0058-qmp-add-query-sev-command.patch
-> 0054-qmp-add-query-sev-command.patch
0060-sev-add-command-to-create-launch-me.patch
-> 0060-sev-i386-add-command-to-create-laun.patch
0061-sev-add-command-to-encrypt-guest-me.patch
-> 0061-sev-i386-add-command-to-encrypt-gue.patch
0063-sev-add-support-to-LAUNCH_MEASURE-c.patch
-> 0063-sev-i386-add-support-to-LAUNCH_MEAS.patch
0064-sev-Finalize-the-SEV-guest-launch-f.patch
-> 0064-sev-i386-finalize-the-SEV-guest-lau.patch
0066-sev-add-debug-encrypt-and-decrypt-c.patch
-> 0066-sev-i386-add-debug-encrypt-and-decr.patch
0069-sev-add-support-to-query-PLATFORM_S.patch
-> 0069-sev-i386-add-support-to-query-PLATF.patch
0070-sev-add-support-to-KVM_SEV_GUEST_ST.patch
-> 0070-sev-i386-add-support-to-KVM_SEV_GUE.patch
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.11
-------------------------------------------------------------------
Thu Feb 8 18:29:30 UTC 2018 - brogers@suse.com

55
qemu.spec
View File

@ -109,10 +109,10 @@ Url: http://www.qemu.org/
Summary: Machine emulator and virtualizer
License: BSD-3-Clause AND GPL-2.0 AND GPL-2.0+ AND LGPL-2.1+ AND MIT
Group: System/Emulators/PC
Version: 2.11.0
Version: 2.11.1
Release: 0
Source: http://wiki.qemu.org/download/qemu-2.11.0.tar.xz
Source99: http://wiki.qemu.org/download/qemu-2.11.0.tar.xz.sig
Source: http://wiki.qemu.org/download/qemu-2.11.1.tar.xz
Source99: http://wiki.qemu.org/download/qemu-2.11.1.tar.xz.sig
Source1: 80-kvm.rules
Source2: qemu-ifup
Source3: kvm_stat
@ -162,7 +162,7 @@ Patch0029: 0029-test-string-input-visitor-Add-uint6.patch
Patch0030: 0030-tests-Add-QOM-property-unit-tests.patch
Patch0031: 0031-tests-Add-scsi-disk-test.patch
Patch0032: 0032-Switch-order-of-libraries-for-mpath.patch
Patch0033: 0033-i386-kvm-MSR_IA32_SPEC_CTRL-and-MSR.patch
Patch0033: 0033-memfd-fix-configure-test.patch
Patch0034: 0034-qapi-use-items-values-intead-of-ite.patch
Patch0035: 0035-qapi-Use-OrderedDict-from-standard-.patch
Patch0036: 0036-qapi-adapt-to-moved-location-of-Str.patch
@ -179,29 +179,33 @@ Patch0046: 0046-memattrs-add-debug-attribute.patch
Patch0047: 0047-exec-add-ram_debug_ops-support.patch
Patch0048: 0048-exec-add-debug-version-of-physical-.patch
Patch0049: 0049-monitor-i386-use-debug-APIs-when-ac.patch
Patch0050: 0050-target-i386-add-memory-encryption-f.patch
Patch0051: 0051-machine-add-memory-encryption-prope.patch
Patch0052: 0052-kvm-update-kvm.h-to-include-memory-.patch
Patch0053: 0053-docs-add-AMD-Secure-Encrypted-Virtu.patch
Patch0054: 0054-accel-add-Secure-Encrypted-Virtuliz.patch
Patch0055: 0055-sev-add-command-to-initialize-the-m.patch
Patch0056: 0056-sev-register-the-guest-memory-range.patch
Patch0057: 0057-kvm-introduce-memory-encryption-API.patch
Patch0058: 0058-qmp-add-query-sev-command.patch
Patch0050: 0050-machine-add-memory-encryption-prope.patch
Patch0051: 0051-kvm-update-kvm.h-to-include-memory-.patch
Patch0052: 0052-docs-add-AMD-Secure-Encrypted-Virtu.patch
Patch0053: 0053-target-i386-add-Secure-Encrypted-Vi.patch
Patch0054: 0054-qmp-add-query-sev-command.patch
Patch0055: 0055-sev-i386-add-command-to-initialize-.patch
Patch0056: 0056-qmp-populate-SevInfo-fields-with-SE.patch
Patch0057: 0057-sev-i386-register-the-guest-memory-.patch
Patch0058: 0058-kvm-introduce-memory-encryption-API.patch
Patch0059: 0059-hmp-add-info-sev-command.patch
Patch0060: 0060-sev-add-command-to-create-launch-me.patch
Patch0061: 0061-sev-add-command-to-encrypt-guest-me.patch
Patch0060: 0060-sev-i386-add-command-to-create-laun.patch
Patch0061: 0061-sev-i386-add-command-to-encrypt-gue.patch
Patch0062: 0062-target-i386-encrypt-bios-rom.patch
Patch0063: 0063-sev-add-support-to-LAUNCH_MEASURE-c.patch
Patch0064: 0064-sev-Finalize-the-SEV-guest-launch-f.patch
Patch0063: 0063-sev-i386-add-support-to-LAUNCH_MEAS.patch
Patch0064: 0064-sev-i386-finalize-the-SEV-guest-lau.patch
Patch0065: 0065-hw-i386-set-ram_debug_ops-when-memo.patch
Patch0066: 0066-sev-add-debug-encrypt-and-decrypt-c.patch
Patch0066: 0066-sev-i386-add-debug-encrypt-and-decr.patch
Patch0067: 0067-target-i386-clear-C-bit-when-walkin.patch
Patch0068: 0068-include-add-psp-sev.h-header-file.patch
Patch0069: 0069-sev-add-support-to-query-PLATFORM_S.patch
Patch0070: 0070-sev-add-support-to-KVM_SEV_GUEST_ST.patch
Patch0069: 0069-sev-i386-add-support-to-query-PLATF.patch
Patch0070: 0070-sev-i386-add-support-to-KVM_SEV_GUE.patch
Patch0071: 0071-qmp-add-query-sev-launch-measure-co.patch
Patch0072: 0072-sev-Fix-build-for-non-x86-hosts.patch
Patch0072: 0072-tests-qmp-test-blacklist-query-sev-.patch
Patch0073: 0073-sev-i386-add-migration-blocker.patch
Patch0074: 0074-cpu-i386-populate-CPUID-0x8000_001F.patch
Patch0075: 0075-migration-warn-about-inconsistent-s.patch
Patch0076: 0076-i386-Compensate-for-KVM-SPEC_CTRL-f.patch
# Please do not add QEMU patches manually here.
# Run update_git.sh to regenerate this queue.
@ -722,6 +726,9 @@ Group: System/Emulators/PC
Provides: qemu:%_bindir/qemu-ga
Requires(pre): shadow
Requires(post): udev
Supplements: modalias(acpi*:QEMU0002:*)
Supplements: modalias(pci:v0000FFFDd00000101sv*sd*bc*sc*i*)
Supplements: modalias(pci:v00005853d00000001sv*sd*bc*sc*i*)
%{?systemd_requires}
%description guest-agent
@ -797,7 +804,7 @@ This package provides a service file for starting and stopping KSM.
%endif # !qemu-testsuite
%prep
%setup -q -n qemu-2.11.0
%setup -q -n qemu-2.11.1
%patch0001 -p1
%patch0002 -p1
%patch0003 -p1
@ -870,6 +877,10 @@ This package provides a service file for starting and stopping KSM.
%patch0070 -p1
%patch0071 -p1
%patch0072 -p1
%patch0073 -p1
%patch0074 -p1
%patch0075 -p1
%patch0076 -p1
%if 0%{?suse_version} > 1320
%patch1000 -p1

9
qemu.spec.in
View File

@ -111,8 +111,8 @@ License: BSD-3-Clause AND GPL-2.0 AND GPL-2.0+ AND LGPL-2.1+ AND MIT
Group: System/Emulators/PC
QEMU_VERSION
Release: 0
Source: http://wiki.qemu.org/download/qemu-2.11.0.tar.xz
Source99: http://wiki.qemu.org/download/qemu-2.11.0.tar.xz.sig
Source: http://wiki.qemu.org/download/qemu-2.11.1.tar.xz
Source99: http://wiki.qemu.org/download/qemu-2.11.1.tar.xz.sig
Source1: 80-kvm.rules
Source2: qemu-ifup
Source3: kvm_stat
@ -652,6 +652,9 @@ Group: System/Emulators/PC
Provides: qemu:%_bindir/qemu-ga
Requires(pre): shadow
Requires(post): udev
Supplements: modalias(acpi*:QEMU0002:*)
Supplements: modalias(pci:v0000FFFDd00000101sv*sd*bc*sc*i*)
Supplements: modalias(pci:v00005853d00000001sv*sd*bc*sc*i*)
%{?systemd_requires}
%description guest-agent
@ -727,7 +730,7 @@ This package provides a service file for starting and stopping KSM.
%endif # !qemu-testsuite
%prep
%setup -q -n qemu-2.11.0
%setup -q -n qemu-2.11.1
PATCH_EXEC
%if 0%{?suse_version} > 1320

2
update_git.sh
View File

@ -14,7 +14,7 @@ set -e
GIT_TREE=git://github.com/openSUSE/qemu.git
GIT_LOCAL_TREE=~/git/qemu-opensuse
GIT_BRANCH=opensuse-2.11
GIT_UPSTREAM_TAG=v2.11.0
GIT_UPSTREAM_TAG=v2.11.1
GIT_DIR=/dev/shm/qemu-factory-git-dir
CMP_DIR=/dev/shm/qemu-factory-cmp-dir