1 /*
2  * QEMU Confidential Guest support
3  *   This interface describes the common pieces between various
4  *   schemes for protecting guest memory or other state against a
5  *   compromised hypervisor.  This includes memory encryption (AMD's
6  *   SEV and Intel's MKTME) or special protection modes (PEF on POWER,
7  *   or PV on s390x).
8  *
9  * Copyright Red Hat.
10  *
11  * Authors:
12  *  David Gibson <david@gibson.dropbear.id.au>
13  *
14  * This work is licensed under the terms of the GNU GPL, version 2 or
15  * later.  See the COPYING file in the top-level directory.
16  *
17  */
18 #ifndef QEMU_CONFIDENTIAL_GUEST_SUPPORT_H
19 #define QEMU_CONFIDENTIAL_GUEST_SUPPORT_H
20 
21 #ifndef CONFIG_USER_ONLY
22 
23 #include "qom/object.h"
24 
25 #define TYPE_CONFIDENTIAL_GUEST_SUPPORT "confidential-guest-support"
26 OBJECT_DECLARE_TYPE(ConfidentialGuestSupport,
27                     ConfidentialGuestSupportClass,
28                     CONFIDENTIAL_GUEST_SUPPORT)
29 
30 
31 struct ConfidentialGuestSupport {
32     Object parent;
33 
34     /*
35      * ready: flag set by CGS initialization code once it's ready to
36      *        start executing instructions in a potentially-secure
37      *        guest
38      *
39      * The definition here is a bit fuzzy, because this is essentially
40      * part of a self-sanity-check, rather than a strict mechanism.
41      *
42      * It's not feasible to have a single point in the common machine
43      * init path to configure confidential guest support, because
44      * different mechanisms have different interdependencies requiring
45      * initialization in different places, often in arch or machine
46      * type specific code.  It's also usually not possible to check
47      * for invalid configurations until that initialization code.
48      * That means it would be very easy to have a bug allowing CGS
49      * init to be bypassed entirely in certain configurations.
50      *
51      * Silently ignoring a requested security feature would be bad, so
52      * to avoid that we check late in init that this 'ready' flag is
53      * set if CGS was requested.  If the CGS init hasn't happened, and
54      * so 'ready' is not set, we'll abort.
55      */
56     bool ready;
57 };
58 
59 typedef struct ConfidentialGuestSupportClass {
60     ObjectClass parent;
61 
62     int (*kvm_init)(ConfidentialGuestSupport *cgs, Error **errp);
63     int (*kvm_reset)(ConfidentialGuestSupport *cgs, Error **errp);
64 } ConfidentialGuestSupportClass;
65 
66 static inline int confidential_guest_kvm_init(ConfidentialGuestSupport *cgs,
67                                               Error **errp)
68 {
69     ConfidentialGuestSupportClass *klass;
70 
71     klass = CONFIDENTIAL_GUEST_SUPPORT_GET_CLASS(cgs);
72     if (klass->kvm_init) {
73         return klass->kvm_init(cgs, errp);
74     }
75 
76     return 0;
77 }
78 
79 static inline int confidential_guest_kvm_reset(ConfidentialGuestSupport *cgs,
80                                                Error **errp)
81 {
82     ConfidentialGuestSupportClass *klass;
83 
84     klass = CONFIDENTIAL_GUEST_SUPPORT_GET_CLASS(cgs);
85     if (klass->kvm_reset) {
86         return klass->kvm_reset(cgs, errp);
87     }
88 
89     return 0;
90 }
91 
92 #endif /* !CONFIG_USER_ONLY */
93 
94 #endif /* QEMU_CONFIDENTIAL_GUEST_SUPPORT_H */
95