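/*
 * PEF (Protected Execution Facility) for POWER support
 *
 * Copyright Red Hat.
 *
 * This work is licensed under the terms of the GNU GPL, version 2 or later.
 * See the COPYING file in the top-level directory.
 *
 */

#include "qemu/osdep.h"

#include "qapi/error.h"
#include "qom/object_interfaces.h"
#include "sysemu/kvm.h"
#include "migration/blocker.h"
#include "exec/confidential-guest-support.h"

#define TYPE_PEF_GUEST "pef-guest"
OBJECT_DECLARE_SIMPLE_TYPE(PefGuest, PEF_GUEST)

typedef struct PefGuest PefGuest;
typedef struct PefGuestClass PefGuestClass;

/* Class structure: adds nothing to the confidential-guest-support class. */
struct PefGuestClass {
    ConfidentialGuestSupportClass parent_class;
};

/**
 * PefGuest:
 *
 * The PefGuest object is used for creating and managing a PEF
 * guest.
 *
 * # $QEMU \
 *         -object pef-guest,id=pef0 \
 *         -machine ...,confidential-guest-support=pef0
 */
struct PefGuest {
    ConfidentialGuestSupport parent_obj;
};

/*
 * Enable secure-guest (PEF) support in KVM for this VM.
 *
 * Checks that KVM advertises KVM_CAP_PPC_SECURE_GUEST, enables the
 * capability, registers a migration blocker and only then marks @cgs as
 * ready.
 *
 * Returns 0 on success, -1 with @errp set when the capability is missing
 * or cannot be enabled.  A failure to register the migration blocker is
 * passed to error_fatal, so it terminates QEMU instead of returning.
 *
 * Must only be called when KVM is in use; builds without CONFIG_KVM
 * treat reaching this function as a programming error.
 */
static int kvmppc_svm_init(ConfidentialGuestSupport *cgs, Error **errp)
{
#ifdef CONFIG_KVM
    /* Static so the blocker object stays valid after this call returns. */
    static Error *pef_mig_blocker;
    int ret;

    if (!kvm_check_extension(kvm_state, KVM_CAP_PPC_SECURE_GUEST)) {
        error_setg(errp,
                   "KVM implementation does not support Secure VMs (is an ultravisor running?)");
        return -1;
    }

    ret = kvm_vm_enable_cap(kvm_state, KVM_CAP_PPC_SECURE_GUEST, 0, 1);
    if (ret < 0) {
        /*
         * Keep the errno reported by KVM in the message, as
         * kvmppc_svm_off() does, so the cause of the refusal is not lost.
         */
        error_setg_errno(errp, -ret, "Error enabling PEF with KVM");
        return -1;
    }

    /* add migration blocker */
    error_setg(&pef_mig_blocker, "PEF: Migration is not implemented");
    /* NB: This can fail if --only-migratable is used */
    migrate_add_blocker(&pef_mig_blocker, &error_fatal);

    /*
     * Set last: the guest is only reported as ready once the capability
     * is enabled and migration has been blocked.
     */
    cgs->ready = true;

    return 0;
#else
    g_assert_not_reached();
#endif
}

/*
 * Ask KVM to turn secure-VM mode off for this VM (KVM_PPC_SVM_OFF).
 *
 * Don't set error if KVM_PPC_SVM_OFF ioctl is invoked on kernels
 * that don't support this ioctl: -ENOTTY is treated as success.
 *
 * Returns 0 on success or -ENOTTY; any other failure sets @errp and
 * returns the (non-zero) ioctl result so the caller can act on it.
 */
static int kvmppc_svm_off(Error **errp)
{
#ifdef CONFIG_KVM
    int rc = kvm_vm_ioctl(KVM_STATE(current_accel()), KVM_PPC_SVM_OFF);

    if (rc == 0 || rc == -ENOTTY) {
        return 0;
    }

    error_setg_errno(errp, -rc, "KVM_PPC_SVM_OFF ioctl failed");
    return rc;
#else
    g_assert_not_reached();
#endif
}

/*
 * kvm_init hook: set up PEF when @cgs is a pef-guest object.
 *
 * Returns 0 without doing anything for any other object type, -1 with
 * @errp set when KVM is not enabled, otherwise the result of
 * kvmppc_svm_init().
 */
static int pef_kvm_init(ConfidentialGuestSupport *cgs, Error **errp)
{
    if (!object_dynamic_cast(OBJECT(cgs), TYPE_PEF_GUEST)) {
        return 0;
    }

    if (!kvm_enabled()) {
        error_setg(errp, "PEF requires KVM");
        return -1;
    }

    return kvmppc_svm_init(cgs, errp);
}

/*
 * kvm_reset hook: switch secure-VM mode off when @cgs is a pef-guest
 * object.
 *
 * Returns 0 without doing anything for any other object type, otherwise
 * the result of kvmppc_svm_off().
 */
static int pef_kvm_reset(ConfidentialGuestSupport *cgs, Error **errp)
{
    if (!object_dynamic_cast(OBJECT(cgs), TYPE_PEF_GUEST)) {
        return 0;
    }

    /*
     * If we don't have KVM we should never have been able to
     * initialize PEF, so we should never get this far
     */
    assert(kvm_enabled());

    return kvmppc_svm_off(errp);
}

OBJECT_DEFINE_TYPE_WITH_INTERFACES(PefGuest,
                                   pef_guest,
                                   PEF_GUEST,
                                   CONFIDENTIAL_GUEST_SUPPORT,
                                   { TYPE_USER_CREATABLE },
                                   { NULL })

/* Install the PEF init and reset hooks on the confidential-guest class. */
static void pef_guest_class_init(ObjectClass *oc, void *data)
{
    ConfidentialGuestSupportClass *klass = CONFIDENTIAL_GUEST_SUPPORT_CLASS(oc);

    klass->kvm_init = pef_kvm_init;
    klass->kvm_reset = pef_kvm_reset;
}

/* No per-instance state to set up; referenced by the type definition. */
static void pef_guest_init(Object *obj)
{
}

/* No per-instance state to release; referenced by the type definition. */
static void pef_guest_finalize(Object *obj)
{
}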