1 /*
2  * QEMU Confidential Guest support
3  *   This interface describes the common pieces between various
4  *   schemes for protecting guest memory or other state against a
5  *   compromised hypervisor.  This includes memory encryption (AMD's
6  *   SEV and Intel's MKTME) or special protection modes (PEF on POWER,
7  *   or PV on s390x).
8  *
9  * Copyright Red Hat.
10  *
11  * Authors:
12  *  David Gibson <david@gibson.dropbear.id.au>
13  *
14  * This work is licensed under the terms of the GNU GPL, version 2 or
15  * later.  See the COPYING file in the top-level directory.
16  *
17  */
18 #ifndef QEMU_CONFIDENTIAL_GUEST_SUPPORT_H
19 #define QEMU_CONFIDENTIAL_GUEST_SUPPORT_H
20 
21 #ifndef CONFIG_USER_ONLY
22 
23 #include "qom/object.h"
24 
25 #define TYPE_CONFIDENTIAL_GUEST_SUPPORT "confidential-guest-support"
26 OBJECT_DECLARE_TYPE(ConfidentialGuestSupport,
27                     ConfidentialGuestSupportClass,
28                     CONFIDENTIAL_GUEST_SUPPORT)
29 
30 
31 struct ConfidentialGuestSupport {
32     Object parent;
33 
34     /*
35      * True if the machine should use guest_memfd for RAM.
36      */
37     bool require_guest_memfd;
38 
39     /*
40      * ready: flag set by CGS initialization code once it's ready to
41      *        start executing instructions in a potentially-secure
42      *        guest
43      *
44      * The definition here is a bit fuzzy, because this is essentially
45      * part of a self-sanity-check, rather than a strict mechanism.
46      *
47      * It's not feasible to have a single point in the common machine
48      * init path to configure confidential guest support, because
49      * different mechanisms have different interdependencies requiring
50      * initialization in different places, often in arch or machine
51      * type specific code.  It's also usually not possible to check
52      * for invalid configurations until that initialization code.
53      * That means it would be very easy to have a bug allowing CGS
54      * init to be bypassed entirely in certain configurations.
55      *
56      * Silently ignoring a requested security feature would be bad, so
57      * to avoid that we check late in init that this 'ready' flag is
58      * set if CGS was requested.  If the CGS init hasn't happened, and
59      * so 'ready' is not set, we'll abort.
60      */
61     bool ready;
62 };
63 
64 typedef struct ConfidentialGuestSupportClass {
65     ObjectClass parent;
66 
67     int (*kvm_init)(ConfidentialGuestSupport *cgs, Error **errp);
68     int (*kvm_reset)(ConfidentialGuestSupport *cgs, Error **errp);
69 } ConfidentialGuestSupportClass;
70 
confidential_guest_kvm_init(ConfidentialGuestSupport * cgs,Error ** errp)71 static inline int confidential_guest_kvm_init(ConfidentialGuestSupport *cgs,
72                                               Error **errp)
73 {
74     ConfidentialGuestSupportClass *klass;
75 
76     klass = CONFIDENTIAL_GUEST_SUPPORT_GET_CLASS(cgs);
77     if (klass->kvm_init) {
78         return klass->kvm_init(cgs, errp);
79     }
80 
81     return 0;
82 }
83 
confidential_guest_kvm_reset(ConfidentialGuestSupport * cgs,Error ** errp)84 static inline int confidential_guest_kvm_reset(ConfidentialGuestSupport *cgs,
85                                                Error **errp)
86 {
87     ConfidentialGuestSupportClass *klass;
88 
89     klass = CONFIDENTIAL_GUEST_SUPPORT_GET_CLASS(cgs);
90     if (klass->kvm_reset) {
91         return klass->kvm_reset(cgs, errp);
92     }
93 
94     return 0;
95 }
96 
97 #endif /* !CONFIG_USER_ONLY */
98 
99 #endif /* QEMU_CONFIDENTIAL_GUEST_SUPPORT_H */
100