xref: /openbmc/qemu/target/i386/sev.c (revision 7f6c3d1a)
1 /*
2  * QEMU SEV support
3  *
4  * Copyright Advanced Micro Devices 2016-2018
5  *
6  * Author:
7  *      Brijesh Singh <brijesh.singh@amd.com>
8  *
9  * This work is licensed under the terms of the GNU GPL, version 2 or later.
10  * See the COPYING file in the top-level directory.
11  *
12  */
13 
14 #include "qemu/osdep.h"
15 
16 #include <linux/kvm.h>
17 #include <linux/psp-sev.h>
18 
19 #include <sys/ioctl.h>
20 
21 #include "qapi/error.h"
22 #include "qom/object_interfaces.h"
23 #include "qemu/base64.h"
24 #include "qemu/module.h"
25 #include "sysemu/kvm.h"
26 #include "sev_i386.h"
27 #include "sysemu/sysemu.h"
28 #include "sysemu/runstate.h"
29 #include "trace.h"
30 #include "migration/blocker.h"
31 #include "qom/object.h"
32 
33 #define TYPE_SEV_GUEST "sev-guest"
34 OBJECT_DECLARE_SIMPLE_TYPE(SevGuestState, SEV_GUEST)
35 
36 
37 /**
38  * SevGuestState:
39  *
40  * The SevGuestState object is used for creating and managing a SEV
41  * guest.
42  *
43  * # $QEMU \
44  *         -object sev-guest,id=sev0 \
45  *         -machine ...,memory-encryption=sev0
46  */
47 struct SevGuestState {
48     Object parent_obj;
49 
50     /* configuration parameters */
51     char *sev_device;
52     uint32_t policy;
53     char *dh_cert_file;
54     char *session_file;
55     uint32_t cbitpos;
56     uint32_t reduced_phys_bits;
57 
58     /* runtime state */
59     uint32_t handle;
60     uint8_t api_major;
61     uint8_t api_minor;
62     uint8_t build_id;
63     uint64_t me_mask;
64     int sev_fd;
65     SevState state;
66     gchar *measurement;
67 };
68 
69 #define DEFAULT_GUEST_POLICY    0x1 /* disable debug */
70 #define DEFAULT_SEV_DEVICE      "/dev/sev"
71 
72 static SevGuestState *sev_guest;
73 static Error *sev_mig_blocker;
74 
75 static const char *const sev_fw_errlist[] = {
76     "",
77     "Platform state is invalid",
78     "Guest state is invalid",
79     "Platform configuration is invalid",
80     "Buffer too small",
81     "Platform is already owned",
82     "Certificate is invalid",
83     "Policy is not allowed",
84     "Guest is not active",
85     "Invalid address",
86     "Bad signature",
87     "Bad measurement",
88     "Asid is already owned",
89     "Invalid ASID",
90     "WBINVD is required",
91     "DF_FLUSH is required",
92     "Guest handle is invalid",
93     "Invalid command",
94     "Guest is active",
95     "Hardware error",
96     "Hardware unsafe",
97     "Feature not supported",
98     "Invalid parameter"
99 };
100 
101 #define SEV_FW_MAX_ERROR      ARRAY_SIZE(sev_fw_errlist)
102 
103 static int
104 sev_ioctl(int fd, int cmd, void *data, int *error)
105 {
106     int r;
107     struct kvm_sev_cmd input;
108 
109     memset(&input, 0x0, sizeof(input));
110 
111     input.id = cmd;
112     input.sev_fd = fd;
113     input.data = (__u64)(unsigned long)data;
114 
115     r = kvm_vm_ioctl(kvm_state, KVM_MEMORY_ENCRYPT_OP, &input);
116 
117     if (error) {
118         *error = input.error;
119     }
120 
121     return r;
122 }
123 
124 static int
125 sev_platform_ioctl(int fd, int cmd, void *data, int *error)
126 {
127     int r;
128     struct sev_issue_cmd arg;
129 
130     arg.cmd = cmd;
131     arg.data = (unsigned long)data;
132     r = ioctl(fd, SEV_ISSUE_CMD, &arg);
133     if (error) {
134         *error = arg.error;
135     }
136 
137     return r;
138 }
139 
140 static const char *
141 fw_error_to_str(int code)
142 {
143     if (code < 0 || code >= SEV_FW_MAX_ERROR) {
144         return "unknown error";
145     }
146 
147     return sev_fw_errlist[code];
148 }
149 
150 static bool
151 sev_check_state(const SevGuestState *sev, SevState state)
152 {
153     assert(sev);
154     return sev->state == state ? true : false;
155 }
156 
157 static void
158 sev_set_guest_state(SevGuestState *sev, SevState new_state)
159 {
160     assert(new_state < SEV_STATE__MAX);
161     assert(sev);
162 
163     trace_kvm_sev_change_state(SevState_str(sev->state),
164                                SevState_str(new_state));
165     sev->state = new_state;
166 }
167 
168 static void
169 sev_ram_block_added(RAMBlockNotifier *n, void *host, size_t size)
170 {
171     int r;
172     struct kvm_enc_region range;
173     ram_addr_t offset;
174     MemoryRegion *mr;
175 
176     /*
177      * The RAM device presents a memory region that should be treated
178      * as IO region and should not be pinned.
179      */
180     mr = memory_region_from_host(host, &offset);
181     if (mr && memory_region_is_ram_device(mr)) {
182         return;
183     }
184 
185     range.addr = (__u64)(unsigned long)host;
186     range.size = size;
187 
188     trace_kvm_memcrypt_register_region(host, size);
189     r = kvm_vm_ioctl(kvm_state, KVM_MEMORY_ENCRYPT_REG_REGION, &range);
190     if (r) {
191         error_report("%s: failed to register region (%p+%#zx) error '%s'",
192                      __func__, host, size, strerror(errno));
193         exit(1);
194     }
195 }
196 
197 static void
198 sev_ram_block_removed(RAMBlockNotifier *n, void *host, size_t size)
199 {
200     int r;
201     struct kvm_enc_region range;
202     ram_addr_t offset;
203     MemoryRegion *mr;
204 
205     /*
206      * The RAM device presents a memory region that should be treated
207      * as IO region and should not have been pinned.
208      */
209     mr = memory_region_from_host(host, &offset);
210     if (mr && memory_region_is_ram_device(mr)) {
211         return;
212     }
213 
214     range.addr = (__u64)(unsigned long)host;
215     range.size = size;
216 
217     trace_kvm_memcrypt_unregister_region(host, size);
218     r = kvm_vm_ioctl(kvm_state, KVM_MEMORY_ENCRYPT_UNREG_REGION, &range);
219     if (r) {
220         error_report("%s: failed to unregister region (%p+%#zx)",
221                      __func__, host, size);
222     }
223 }
224 
225 static struct RAMBlockNotifier sev_ram_notifier = {
226     .ram_block_added = sev_ram_block_added,
227     .ram_block_removed = sev_ram_block_removed,
228 };
229 
230 static void
231 sev_guest_finalize(Object *obj)
232 {
233 }
234 
235 static char *
236 sev_guest_get_session_file(Object *obj, Error **errp)
237 {
238     SevGuestState *s = SEV_GUEST(obj);
239 
240     return s->session_file ? g_strdup(s->session_file) : NULL;
241 }
242 
243 static void
244 sev_guest_set_session_file(Object *obj, const char *value, Error **errp)
245 {
246     SevGuestState *s = SEV_GUEST(obj);
247 
248     s->session_file = g_strdup(value);
249 }
250 
251 static char *
252 sev_guest_get_dh_cert_file(Object *obj, Error **errp)
253 {
254     SevGuestState *s = SEV_GUEST(obj);
255 
256     return g_strdup(s->dh_cert_file);
257 }
258 
259 static void
260 sev_guest_set_dh_cert_file(Object *obj, const char *value, Error **errp)
261 {
262     SevGuestState *s = SEV_GUEST(obj);
263 
264     s->dh_cert_file = g_strdup(value);
265 }
266 
267 static char *
268 sev_guest_get_sev_device(Object *obj, Error **errp)
269 {
270     SevGuestState *sev = SEV_GUEST(obj);
271 
272     return g_strdup(sev->sev_device);
273 }
274 
275 static void
276 sev_guest_set_sev_device(Object *obj, const char *value, Error **errp)
277 {
278     SevGuestState *sev = SEV_GUEST(obj);
279 
280     sev->sev_device = g_strdup(value);
281 }
282 
283 static void
284 sev_guest_class_init(ObjectClass *oc, void *data)
285 {
286     object_class_property_add_str(oc, "sev-device",
287                                   sev_guest_get_sev_device,
288                                   sev_guest_set_sev_device);
289     object_class_property_set_description(oc, "sev-device",
290             "SEV device to use");
291     object_class_property_add_str(oc, "dh-cert-file",
292                                   sev_guest_get_dh_cert_file,
293                                   sev_guest_set_dh_cert_file);
294     object_class_property_set_description(oc, "dh-cert-file",
295             "guest owners DH certificate (encoded with base64)");
296     object_class_property_add_str(oc, "session-file",
297                                   sev_guest_get_session_file,
298                                   sev_guest_set_session_file);
299     object_class_property_set_description(oc, "session-file",
300             "guest owners session parameters (encoded with base64)");
301 }
302 
303 static void
304 sev_guest_instance_init(Object *obj)
305 {
306     SevGuestState *sev = SEV_GUEST(obj);
307 
308     sev->sev_device = g_strdup(DEFAULT_SEV_DEVICE);
309     sev->policy = DEFAULT_GUEST_POLICY;
310     object_property_add_uint32_ptr(obj, "policy", &sev->policy,
311                                    OBJ_PROP_FLAG_READWRITE);
312     object_property_add_uint32_ptr(obj, "handle", &sev->handle,
313                                    OBJ_PROP_FLAG_READWRITE);
314     object_property_add_uint32_ptr(obj, "cbitpos", &sev->cbitpos,
315                                    OBJ_PROP_FLAG_READWRITE);
316     object_property_add_uint32_ptr(obj, "reduced-phys-bits",
317                                    &sev->reduced_phys_bits,
318                                    OBJ_PROP_FLAG_READWRITE);
319 }
320 
321 /* sev guest info */
322 static const TypeInfo sev_guest_info = {
323     .parent = TYPE_OBJECT,
324     .name = TYPE_SEV_GUEST,
325     .instance_size = sizeof(SevGuestState),
326     .instance_finalize = sev_guest_finalize,
327     .class_init = sev_guest_class_init,
328     .instance_init = sev_guest_instance_init,
329     .interfaces = (InterfaceInfo[]) {
330         { TYPE_USER_CREATABLE },
331         { }
332     }
333 };
334 
335 static SevGuestState *
336 lookup_sev_guest_info(const char *id)
337 {
338     Object *obj;
339     SevGuestState *info;
340 
341     obj = object_resolve_path_component(object_get_objects_root(), id);
342     if (!obj) {
343         return NULL;
344     }
345 
346     info = (SevGuestState *)
347             object_dynamic_cast(obj, TYPE_SEV_GUEST);
348     if (!info) {
349         return NULL;
350     }
351 
352     return info;
353 }
354 
355 bool
356 sev_enabled(void)
357 {
358     return !!sev_guest;
359 }
360 
361 uint64_t
362 sev_get_me_mask(void)
363 {
364     return sev_guest ? sev_guest->me_mask : ~0;
365 }
366 
367 uint32_t
368 sev_get_cbit_position(void)
369 {
370     return sev_guest ? sev_guest->cbitpos : 0;
371 }
372 
373 uint32_t
374 sev_get_reduced_phys_bits(void)
375 {
376     return sev_guest ? sev_guest->reduced_phys_bits : 0;
377 }
378 
379 SevInfo *
380 sev_get_info(void)
381 {
382     SevInfo *info;
383 
384     info = g_new0(SevInfo, 1);
385     info->enabled = sev_enabled();
386 
387     if (info->enabled) {
388         info->api_major = sev_guest->api_major;
389         info->api_minor = sev_guest->api_minor;
390         info->build_id = sev_guest->build_id;
391         info->policy = sev_guest->policy;
392         info->state = sev_guest->state;
393         info->handle = sev_guest->handle;
394     }
395 
396     return info;
397 }
398 
399 static int
400 sev_get_pdh_info(int fd, guchar **pdh, size_t *pdh_len, guchar **cert_chain,
401                  size_t *cert_chain_len, Error **errp)
402 {
403     guchar *pdh_data = NULL;
404     guchar *cert_chain_data = NULL;
405     struct sev_user_data_pdh_cert_export export = {};
406     int err, r;
407 
408     /* query the certificate length */
409     r = sev_platform_ioctl(fd, SEV_PDH_CERT_EXPORT, &export, &err);
410     if (r < 0) {
411         if (err != SEV_RET_INVALID_LEN) {
412             error_setg(errp, "failed to export PDH cert ret=%d fw_err=%d (%s)",
413                        r, err, fw_error_to_str(err));
414             return 1;
415         }
416     }
417 
418     pdh_data = g_new(guchar, export.pdh_cert_len);
419     cert_chain_data = g_new(guchar, export.cert_chain_len);
420     export.pdh_cert_address = (unsigned long)pdh_data;
421     export.cert_chain_address = (unsigned long)cert_chain_data;
422 
423     r = sev_platform_ioctl(fd, SEV_PDH_CERT_EXPORT, &export, &err);
424     if (r < 0) {
425         error_setg(errp, "failed to export PDH cert ret=%d fw_err=%d (%s)",
426                    r, err, fw_error_to_str(err));
427         goto e_free;
428     }
429 
430     *pdh = pdh_data;
431     *pdh_len = export.pdh_cert_len;
432     *cert_chain = cert_chain_data;
433     *cert_chain_len = export.cert_chain_len;
434     return 0;
435 
436 e_free:
437     g_free(pdh_data);
438     g_free(cert_chain_data);
439     return 1;
440 }
441 
442 SevCapability *
443 sev_get_capabilities(Error **errp)
444 {
445     SevCapability *cap = NULL;
446     guchar *pdh_data = NULL;
447     guchar *cert_chain_data = NULL;
448     size_t pdh_len = 0, cert_chain_len = 0;
449     uint32_t ebx;
450     int fd;
451 
452     if (!kvm_enabled()) {
453         error_setg(errp, "KVM not enabled");
454         return NULL;
455     }
456     if (kvm_vm_ioctl(kvm_state, KVM_MEMORY_ENCRYPT_OP, NULL) < 0) {
457         error_setg(errp, "SEV is not enabled in KVM");
458         return NULL;
459     }
460 
461     fd = open(DEFAULT_SEV_DEVICE, O_RDWR);
462     if (fd < 0) {
463         error_setg_errno(errp, errno, "Failed to open %s",
464                          DEFAULT_SEV_DEVICE);
465         return NULL;
466     }
467 
468     if (sev_get_pdh_info(fd, &pdh_data, &pdh_len,
469                          &cert_chain_data, &cert_chain_len, errp)) {
470         goto out;
471     }
472 
473     cap = g_new0(SevCapability, 1);
474     cap->pdh = g_base64_encode(pdh_data, pdh_len);
475     cap->cert_chain = g_base64_encode(cert_chain_data, cert_chain_len);
476 
477     host_cpuid(0x8000001F, 0, NULL, &ebx, NULL, NULL);
478     cap->cbitpos = ebx & 0x3f;
479 
480     /*
481      * When SEV feature is enabled, we loose one bit in guest physical
482      * addressing.
483      */
484     cap->reduced_phys_bits = 1;
485 
486 out:
487     g_free(pdh_data);
488     g_free(cert_chain_data);
489     close(fd);
490     return cap;
491 }
492 
493 static int
494 sev_read_file_base64(const char *filename, guchar **data, gsize *len)
495 {
496     gsize sz;
497     gchar *base64;
498     GError *error = NULL;
499 
500     if (!g_file_get_contents(filename, &base64, &sz, &error)) {
501         error_report("failed to read '%s' (%s)", filename, error->message);
502         g_error_free(error);
503         return -1;
504     }
505 
506     *data = g_base64_decode(base64, len);
507     return 0;
508 }
509 
510 static int
511 sev_launch_start(SevGuestState *sev)
512 {
513     gsize sz;
514     int ret = 1;
515     int fw_error, rc;
516     struct kvm_sev_launch_start *start;
517     guchar *session = NULL, *dh_cert = NULL;
518 
519     start = g_new0(struct kvm_sev_launch_start, 1);
520 
521     start->handle = sev->handle;
522     start->policy = sev->policy;
523     if (sev->session_file) {
524         if (sev_read_file_base64(sev->session_file, &session, &sz) < 0) {
525             goto out;
526         }
527         start->session_uaddr = (unsigned long)session;
528         start->session_len = sz;
529     }
530 
531     if (sev->dh_cert_file) {
532         if (sev_read_file_base64(sev->dh_cert_file, &dh_cert, &sz) < 0) {
533             goto out;
534         }
535         start->dh_uaddr = (unsigned long)dh_cert;
536         start->dh_len = sz;
537     }
538 
539     trace_kvm_sev_launch_start(start->policy, session, dh_cert);
540     rc = sev_ioctl(sev->sev_fd, KVM_SEV_LAUNCH_START, start, &fw_error);
541     if (rc < 0) {
542         error_report("%s: LAUNCH_START ret=%d fw_error=%d '%s'",
543                 __func__, ret, fw_error, fw_error_to_str(fw_error));
544         goto out;
545     }
546 
547     sev_set_guest_state(sev, SEV_STATE_LAUNCH_UPDATE);
548     sev->handle = start->handle;
549     ret = 0;
550 
551 out:
552     g_free(start);
553     g_free(session);
554     g_free(dh_cert);
555     return ret;
556 }
557 
558 static int
559 sev_launch_update_data(SevGuestState *sev, uint8_t *addr, uint64_t len)
560 {
561     int ret, fw_error;
562     struct kvm_sev_launch_update_data update;
563 
564     if (!addr || !len) {
565         return 1;
566     }
567 
568     update.uaddr = (__u64)(unsigned long)addr;
569     update.len = len;
570     trace_kvm_sev_launch_update_data(addr, len);
571     ret = sev_ioctl(sev->sev_fd, KVM_SEV_LAUNCH_UPDATE_DATA,
572                     &update, &fw_error);
573     if (ret) {
574         error_report("%s: LAUNCH_UPDATE ret=%d fw_error=%d '%s'",
575                 __func__, ret, fw_error, fw_error_to_str(fw_error));
576     }
577 
578     return ret;
579 }
580 
581 static void
582 sev_launch_get_measure(Notifier *notifier, void *unused)
583 {
584     SevGuestState *sev = sev_guest;
585     int ret, error;
586     guchar *data;
587     struct kvm_sev_launch_measure *measurement;
588 
589     if (!sev_check_state(sev, SEV_STATE_LAUNCH_UPDATE)) {
590         return;
591     }
592 
593     measurement = g_new0(struct kvm_sev_launch_measure, 1);
594 
595     /* query the measurement blob length */
596     ret = sev_ioctl(sev->sev_fd, KVM_SEV_LAUNCH_MEASURE,
597                     measurement, &error);
598     if (!measurement->len) {
599         error_report("%s: LAUNCH_MEASURE ret=%d fw_error=%d '%s'",
600                      __func__, ret, error, fw_error_to_str(errno));
601         goto free_measurement;
602     }
603 
604     data = g_new0(guchar, measurement->len);
605     measurement->uaddr = (unsigned long)data;
606 
607     /* get the measurement blob */
608     ret = sev_ioctl(sev->sev_fd, KVM_SEV_LAUNCH_MEASURE,
609                     measurement, &error);
610     if (ret) {
611         error_report("%s: LAUNCH_MEASURE ret=%d fw_error=%d '%s'",
612                      __func__, ret, error, fw_error_to_str(errno));
613         goto free_data;
614     }
615 
616     sev_set_guest_state(sev, SEV_STATE_LAUNCH_SECRET);
617 
618     /* encode the measurement value and emit the event */
619     sev->measurement = g_base64_encode(data, measurement->len);
620     trace_kvm_sev_launch_measurement(sev->measurement);
621 
622 free_data:
623     g_free(data);
624 free_measurement:
625     g_free(measurement);
626 }
627 
628 char *
629 sev_get_launch_measurement(void)
630 {
631     if (sev_guest &&
632         sev_guest->state >= SEV_STATE_LAUNCH_SECRET) {
633         return g_strdup(sev_guest->measurement);
634     }
635 
636     return NULL;
637 }
638 
639 static Notifier sev_machine_done_notify = {
640     .notify = sev_launch_get_measure,
641 };
642 
643 static void
644 sev_launch_finish(SevGuestState *sev)
645 {
646     int ret, error;
647     Error *local_err = NULL;
648 
649     trace_kvm_sev_launch_finish();
650     ret = sev_ioctl(sev->sev_fd, KVM_SEV_LAUNCH_FINISH, 0, &error);
651     if (ret) {
652         error_report("%s: LAUNCH_FINISH ret=%d fw_error=%d '%s'",
653                      __func__, ret, error, fw_error_to_str(error));
654         exit(1);
655     }
656 
657     sev_set_guest_state(sev, SEV_STATE_RUNNING);
658 
659     /* add migration blocker */
660     error_setg(&sev_mig_blocker,
661                "SEV: Migration is not implemented");
662     ret = migrate_add_blocker(sev_mig_blocker, &local_err);
663     if (local_err) {
664         error_report_err(local_err);
665         error_free(sev_mig_blocker);
666         exit(1);
667     }
668 }
669 
670 static void
671 sev_vm_state_change(void *opaque, int running, RunState state)
672 {
673     SevGuestState *sev = opaque;
674 
675     if (running) {
676         if (!sev_check_state(sev, SEV_STATE_RUNNING)) {
677             sev_launch_finish(sev);
678         }
679     }
680 }
681 
682 void *
683 sev_guest_init(const char *id)
684 {
685     SevGuestState *sev;
686     char *devname;
687     int ret, fw_error;
688     uint32_t ebx;
689     uint32_t host_cbitpos;
690     struct sev_user_data_status status = {};
691 
692     ret = ram_block_discard_disable(true);
693     if (ret) {
694         error_report("%s: cannot disable RAM discard", __func__);
695         return NULL;
696     }
697 
698     sev = lookup_sev_guest_info(id);
699     if (!sev) {
700         error_report("%s: '%s' is not a valid '%s' object",
701                      __func__, id, TYPE_SEV_GUEST);
702         goto err;
703     }
704 
705     sev_guest = sev;
706     sev->state = SEV_STATE_UNINIT;
707 
708     host_cpuid(0x8000001F, 0, NULL, &ebx, NULL, NULL);
709     host_cbitpos = ebx & 0x3f;
710 
711     if (host_cbitpos != sev->cbitpos) {
712         error_report("%s: cbitpos check failed, host '%d' requested '%d'",
713                      __func__, host_cbitpos, sev->cbitpos);
714         goto err;
715     }
716 
717     if (sev->reduced_phys_bits < 1) {
718         error_report("%s: reduced_phys_bits check failed, it should be >=1,"
719                      " requested '%d'", __func__, sev->reduced_phys_bits);
720         goto err;
721     }
722 
723     sev->me_mask = ~(1UL << sev->cbitpos);
724 
725     devname = object_property_get_str(OBJECT(sev), "sev-device", NULL);
726     sev->sev_fd = open(devname, O_RDWR);
727     if (sev->sev_fd < 0) {
728         error_report("%s: Failed to open %s '%s'", __func__,
729                      devname, strerror(errno));
730     }
731     g_free(devname);
732     if (sev->sev_fd < 0) {
733         goto err;
734     }
735 
736     ret = sev_platform_ioctl(sev->sev_fd, SEV_PLATFORM_STATUS, &status,
737                              &fw_error);
738     if (ret) {
739         error_report("%s: failed to get platform status ret=%d "
740                      "fw_error='%d: %s'", __func__, ret, fw_error,
741                      fw_error_to_str(fw_error));
742         goto err;
743     }
744     sev->build_id = status.build;
745     sev->api_major = status.api_major;
746     sev->api_minor = status.api_minor;
747 
748     trace_kvm_sev_init();
749     ret = sev_ioctl(sev->sev_fd, KVM_SEV_INIT, NULL, &fw_error);
750     if (ret) {
751         error_report("%s: failed to initialize ret=%d fw_error=%d '%s'",
752                      __func__, ret, fw_error, fw_error_to_str(fw_error));
753         goto err;
754     }
755 
756     ret = sev_launch_start(sev);
757     if (ret) {
758         error_report("%s: failed to create encryption context", __func__);
759         goto err;
760     }
761 
762     ram_block_notifier_add(&sev_ram_notifier);
763     qemu_add_machine_init_done_notifier(&sev_machine_done_notify);
764     qemu_add_vm_change_state_handler(sev_vm_state_change, sev);
765 
766     return sev;
767 err:
768     sev_guest = NULL;
769     ram_block_discard_disable(false);
770     return NULL;
771 }
772 
773 int
774 sev_encrypt_data(void *handle, uint8_t *ptr, uint64_t len)
775 {
776     SevGuestState *sev = handle;
777 
778     assert(sev);
779 
780     /* if SEV is in update state then encrypt the data else do nothing */
781     if (sev_check_state(sev, SEV_STATE_LAUNCH_UPDATE)) {
782         return sev_launch_update_data(sev, ptr, len);
783     }
784 
785     return 0;
786 }
787 
788 static void
789 sev_register_types(void)
790 {
791     type_register_static(&sev_guest_info);
792 }
793 
794 type_init(sev_register_types);
795