1 /* 2 * QEMU SEV support 3 * 4 * Copyright Advanced Micro Devices 2016-2018 5 * 6 * Author: 7 * Brijesh Singh <brijesh.singh@amd.com> 8 * 9 * This work is licensed under the terms of the GNU GPL, version 2 or later. 10 * See the COPYING file in the top-level directory. 11 * 12 */ 13 14 #include "qemu/osdep.h" 15 16 #include <linux/kvm.h> 17 #include <linux/psp-sev.h> 18 19 #include <sys/ioctl.h> 20 21 #include "qapi/error.h" 22 #include "qom/object_interfaces.h" 23 #include "qemu/base64.h" 24 #include "qemu/module.h" 25 #include "qemu/uuid.h" 26 #include "crypto/hash.h" 27 #include "sysemu/kvm.h" 28 #include "sev.h" 29 #include "sysemu/sysemu.h" 30 #include "sysemu/runstate.h" 31 #include "trace.h" 32 #include "migration/blocker.h" 33 #include "qom/object.h" 34 #include "monitor/monitor.h" 35 #include "monitor/hmp-target.h" 36 #include "qapi/qapi-commands-misc-target.h" 37 #include "qapi/qmp/qerror.h" 38 #include "exec/confidential-guest-support.h" 39 #include "hw/i386/pc.h" 40 41 #define TYPE_SEV_GUEST "sev-guest" 42 OBJECT_DECLARE_SIMPLE_TYPE(SevGuestState, SEV_GUEST) 43 44 45 /** 46 * SevGuestState: 47 * 48 * The SevGuestState object is used for creating and managing a SEV 49 * guest. 50 * 51 * # $QEMU \ 52 * -object sev-guest,id=sev0 \ 53 * -machine ...,memory-encryption=sev0 54 */ 55 struct SevGuestState { 56 ConfidentialGuestSupport parent_obj; 57 58 /* configuration parameters */ 59 char *sev_device; 60 uint32_t policy; 61 char *dh_cert_file; 62 char *session_file; 63 uint32_t cbitpos; 64 uint32_t reduced_phys_bits; 65 66 /* runtime state */ 67 uint32_t handle; 68 uint8_t api_major; 69 uint8_t api_minor; 70 uint8_t build_id; 71 int sev_fd; 72 SevState state; 73 gchar *measurement; 74 75 uint32_t reset_cs; 76 uint32_t reset_ip; 77 bool reset_data_valid; 78 }; 79 80 #define DEFAULT_GUEST_POLICY 0x1 /* disable debug */ 81 #define DEFAULT_SEV_DEVICE "/dev/sev" 82 83 #define SEV_INFO_BLOCK_GUID "00f771de-1a7e-4fcb-890e-68c77e2fb44e" 84 typedef struct __attribute__((__packed__)) SevInfoBlock { 85 /* SEV-ES Reset Vector Address */ 86 uint32_t reset_addr; 87 } SevInfoBlock; 88 89 #define SEV_HASH_TABLE_RV_GUID "7255371f-3a3b-4b04-927b-1da6efa8d454" 90 typedef struct QEMU_PACKED SevHashTableDescriptor { 91 /* SEV hash table area guest address */ 92 uint32_t base; 93 /* SEV hash table area size (in bytes) */ 94 uint32_t size; 95 } SevHashTableDescriptor; 96 97 /* hard code sha256 digest size */ 98 #define HASH_SIZE 32 99 100 typedef struct QEMU_PACKED SevHashTableEntry { 101 QemuUUID guid; 102 uint16_t len; 103 uint8_t hash[HASH_SIZE]; 104 } SevHashTableEntry; 105 106 typedef struct QEMU_PACKED SevHashTable { 107 QemuUUID guid; 108 uint16_t len; 109 SevHashTableEntry cmdline; 110 SevHashTableEntry initrd; 111 SevHashTableEntry kernel; 112 uint8_t padding[]; 113 } SevHashTable; 114 115 static SevGuestState *sev_guest; 116 static Error *sev_mig_blocker; 117 118 static const char *const sev_fw_errlist[] = { 119 [SEV_RET_SUCCESS] = "", 120 [SEV_RET_INVALID_PLATFORM_STATE] = "Platform state is invalid", 121 [SEV_RET_INVALID_GUEST_STATE] = "Guest state is invalid", 122 [SEV_RET_INAVLID_CONFIG] = "Platform configuration is invalid", 123 [SEV_RET_INVALID_LEN] = "Buffer too small", 124 [SEV_RET_ALREADY_OWNED] = "Platform is already owned", 125 [SEV_RET_INVALID_CERTIFICATE] = "Certificate is invalid", 126 [SEV_RET_POLICY_FAILURE] = "Policy is not allowed", 127 [SEV_RET_INACTIVE] = "Guest is not active", 128 [SEV_RET_INVALID_ADDRESS] = "Invalid address", 129 [SEV_RET_BAD_SIGNATURE] = "Bad signature", 130 [SEV_RET_BAD_MEASUREMENT] = "Bad measurement", 131 [SEV_RET_ASID_OWNED] = "ASID is already owned", 132 [SEV_RET_INVALID_ASID] = "Invalid ASID", 133 [SEV_RET_WBINVD_REQUIRED] = "WBINVD is required", 134 [SEV_RET_DFFLUSH_REQUIRED] = "DF_FLUSH is required", 135 [SEV_RET_INVALID_GUEST] = "Guest handle is invalid", 136 [SEV_RET_INVALID_COMMAND] = "Invalid command", 137 [SEV_RET_ACTIVE] = "Guest is active", 138 [SEV_RET_HWSEV_RET_PLATFORM] = "Hardware error", 139 [SEV_RET_HWSEV_RET_UNSAFE] = "Hardware unsafe", 140 [SEV_RET_UNSUPPORTED] = "Feature not supported", 141 [SEV_RET_INVALID_PARAM] = "Invalid parameter", 142 [SEV_RET_RESOURCE_LIMIT] = "Required firmware resource depleted", 143 [SEV_RET_SECURE_DATA_INVALID] = "Part-specific integrity check failure", 144 }; 145 146 #define SEV_FW_MAX_ERROR ARRAY_SIZE(sev_fw_errlist) 147 148 static int 149 sev_ioctl(int fd, int cmd, void *data, int *error) 150 { 151 int r; 152 struct kvm_sev_cmd input; 153 154 memset(&input, 0x0, sizeof(input)); 155 156 input.id = cmd; 157 input.sev_fd = fd; 158 input.data = (__u64)(unsigned long)data; 159 160 r = kvm_vm_ioctl(kvm_state, KVM_MEMORY_ENCRYPT_OP, &input); 161 162 if (error) { 163 *error = input.error; 164 } 165 166 return r; 167 } 168 169 static int 170 sev_platform_ioctl(int fd, int cmd, void *data, int *error) 171 { 172 int r; 173 struct sev_issue_cmd arg; 174 175 arg.cmd = cmd; 176 arg.data = (unsigned long)data; 177 r = ioctl(fd, SEV_ISSUE_CMD, &arg); 178 if (error) { 179 *error = arg.error; 180 } 181 182 return r; 183 } 184 185 static const char * 186 fw_error_to_str(int code) 187 { 188 if (code < 0 || code >= SEV_FW_MAX_ERROR) { 189 return "unknown error"; 190 } 191 192 return sev_fw_errlist[code]; 193 } 194 195 static bool 196 sev_check_state(const SevGuestState *sev, SevState state) 197 { 198 assert(sev); 199 return sev->state == state ? true : false; 200 } 201 202 static void 203 sev_set_guest_state(SevGuestState *sev, SevState new_state) 204 { 205 assert(new_state < SEV_STATE__MAX); 206 assert(sev); 207 208 trace_kvm_sev_change_state(SevState_str(sev->state), 209 SevState_str(new_state)); 210 sev->state = new_state; 211 } 212 213 static void 214 sev_ram_block_added(RAMBlockNotifier *n, void *host, size_t size, 215 size_t max_size) 216 { 217 int r; 218 struct kvm_enc_region range; 219 ram_addr_t offset; 220 MemoryRegion *mr; 221 222 /* 223 * The RAM device presents a memory region that should be treated 224 * as IO region and should not be pinned. 225 */ 226 mr = memory_region_from_host(host, &offset); 227 if (mr && memory_region_is_ram_device(mr)) { 228 return; 229 } 230 231 range.addr = (__u64)(unsigned long)host; 232 range.size = max_size; 233 234 trace_kvm_memcrypt_register_region(host, max_size); 235 r = kvm_vm_ioctl(kvm_state, KVM_MEMORY_ENCRYPT_REG_REGION, &range); 236 if (r) { 237 error_report("%s: failed to register region (%p+%#zx) error '%s'", 238 __func__, host, max_size, strerror(errno)); 239 exit(1); 240 } 241 } 242 243 static void 244 sev_ram_block_removed(RAMBlockNotifier *n, void *host, size_t size, 245 size_t max_size) 246 { 247 int r; 248 struct kvm_enc_region range; 249 ram_addr_t offset; 250 MemoryRegion *mr; 251 252 /* 253 * The RAM device presents a memory region that should be treated 254 * as IO region and should not have been pinned. 255 */ 256 mr = memory_region_from_host(host, &offset); 257 if (mr && memory_region_is_ram_device(mr)) { 258 return; 259 } 260 261 range.addr = (__u64)(unsigned long)host; 262 range.size = max_size; 263 264 trace_kvm_memcrypt_unregister_region(host, max_size); 265 r = kvm_vm_ioctl(kvm_state, KVM_MEMORY_ENCRYPT_UNREG_REGION, &range); 266 if (r) { 267 error_report("%s: failed to unregister region (%p+%#zx)", 268 __func__, host, max_size); 269 } 270 } 271 272 static struct RAMBlockNotifier sev_ram_notifier = { 273 .ram_block_added = sev_ram_block_added, 274 .ram_block_removed = sev_ram_block_removed, 275 }; 276 277 static void 278 sev_guest_finalize(Object *obj) 279 { 280 } 281 282 static char * 283 sev_guest_get_session_file(Object *obj, Error **errp) 284 { 285 SevGuestState *s = SEV_GUEST(obj); 286 287 return s->session_file ? g_strdup(s->session_file) : NULL; 288 } 289 290 static void 291 sev_guest_set_session_file(Object *obj, const char *value, Error **errp) 292 { 293 SevGuestState *s = SEV_GUEST(obj); 294 295 s->session_file = g_strdup(value); 296 } 297 298 static char * 299 sev_guest_get_dh_cert_file(Object *obj, Error **errp) 300 { 301 SevGuestState *s = SEV_GUEST(obj); 302 303 return g_strdup(s->dh_cert_file); 304 } 305 306 static void 307 sev_guest_set_dh_cert_file(Object *obj, const char *value, Error **errp) 308 { 309 SevGuestState *s = SEV_GUEST(obj); 310 311 s->dh_cert_file = g_strdup(value); 312 } 313 314 static char * 315 sev_guest_get_sev_device(Object *obj, Error **errp) 316 { 317 SevGuestState *sev = SEV_GUEST(obj); 318 319 return g_strdup(sev->sev_device); 320 } 321 322 static void 323 sev_guest_set_sev_device(Object *obj, const char *value, Error **errp) 324 { 325 SevGuestState *sev = SEV_GUEST(obj); 326 327 sev->sev_device = g_strdup(value); 328 } 329 330 static void 331 sev_guest_class_init(ObjectClass *oc, void *data) 332 { 333 object_class_property_add_str(oc, "sev-device", 334 sev_guest_get_sev_device, 335 sev_guest_set_sev_device); 336 object_class_property_set_description(oc, "sev-device", 337 "SEV device to use"); 338 object_class_property_add_str(oc, "dh-cert-file", 339 sev_guest_get_dh_cert_file, 340 sev_guest_set_dh_cert_file); 341 object_class_property_set_description(oc, "dh-cert-file", 342 "guest owners DH certificate (encoded with base64)"); 343 object_class_property_add_str(oc, "session-file", 344 sev_guest_get_session_file, 345 sev_guest_set_session_file); 346 object_class_property_set_description(oc, "session-file", 347 "guest owners session parameters (encoded with base64)"); 348 } 349 350 static void 351 sev_guest_instance_init(Object *obj) 352 { 353 SevGuestState *sev = SEV_GUEST(obj); 354 355 sev->sev_device = g_strdup(DEFAULT_SEV_DEVICE); 356 sev->policy = DEFAULT_GUEST_POLICY; 357 object_property_add_uint32_ptr(obj, "policy", &sev->policy, 358 OBJ_PROP_FLAG_READWRITE); 359 object_property_add_uint32_ptr(obj, "handle", &sev->handle, 360 OBJ_PROP_FLAG_READWRITE); 361 object_property_add_uint32_ptr(obj, "cbitpos", &sev->cbitpos, 362 OBJ_PROP_FLAG_READWRITE); 363 object_property_add_uint32_ptr(obj, "reduced-phys-bits", 364 &sev->reduced_phys_bits, 365 OBJ_PROP_FLAG_READWRITE); 366 } 367 368 /* sev guest info */ 369 static const TypeInfo sev_guest_info = { 370 .parent = TYPE_CONFIDENTIAL_GUEST_SUPPORT, 371 .name = TYPE_SEV_GUEST, 372 .instance_size = sizeof(SevGuestState), 373 .instance_finalize = sev_guest_finalize, 374 .class_init = sev_guest_class_init, 375 .instance_init = sev_guest_instance_init, 376 .interfaces = (InterfaceInfo[]) { 377 { TYPE_USER_CREATABLE }, 378 { } 379 } 380 }; 381 382 bool 383 sev_enabled(void) 384 { 385 return !!sev_guest; 386 } 387 388 bool 389 sev_es_enabled(void) 390 { 391 return sev_enabled() && (sev_guest->policy & SEV_POLICY_ES); 392 } 393 394 uint32_t 395 sev_get_cbit_position(void) 396 { 397 return sev_guest ? sev_guest->cbitpos : 0; 398 } 399 400 uint32_t 401 sev_get_reduced_phys_bits(void) 402 { 403 return sev_guest ? sev_guest->reduced_phys_bits : 0; 404 } 405 406 static SevInfo *sev_get_info(void) 407 { 408 SevInfo *info; 409 410 info = g_new0(SevInfo, 1); 411 info->enabled = sev_enabled(); 412 413 if (info->enabled) { 414 info->api_major = sev_guest->api_major; 415 info->api_minor = sev_guest->api_minor; 416 info->build_id = sev_guest->build_id; 417 info->policy = sev_guest->policy; 418 info->state = sev_guest->state; 419 info->handle = sev_guest->handle; 420 } 421 422 return info; 423 } 424 425 SevInfo *qmp_query_sev(Error **errp) 426 { 427 SevInfo *info; 428 429 info = sev_get_info(); 430 if (!info) { 431 error_setg(errp, "SEV feature is not available"); 432 return NULL; 433 } 434 435 return info; 436 } 437 438 void hmp_info_sev(Monitor *mon, const QDict *qdict) 439 { 440 SevInfo *info = sev_get_info(); 441 442 if (info && info->enabled) { 443 monitor_printf(mon, "handle: %d\n", info->handle); 444 monitor_printf(mon, "state: %s\n", SevState_str(info->state)); 445 monitor_printf(mon, "build: %d\n", info->build_id); 446 monitor_printf(mon, "api version: %d.%d\n", 447 info->api_major, info->api_minor); 448 monitor_printf(mon, "debug: %s\n", 449 info->policy & SEV_POLICY_NODBG ? "off" : "on"); 450 monitor_printf(mon, "key-sharing: %s\n", 451 info->policy & SEV_POLICY_NOKS ? "off" : "on"); 452 } else { 453 monitor_printf(mon, "SEV is not enabled\n"); 454 } 455 456 qapi_free_SevInfo(info); 457 } 458 459 static int 460 sev_get_pdh_info(int fd, guchar **pdh, size_t *pdh_len, guchar **cert_chain, 461 size_t *cert_chain_len, Error **errp) 462 { 463 guchar *pdh_data = NULL; 464 guchar *cert_chain_data = NULL; 465 struct sev_user_data_pdh_cert_export export = {}; 466 int err, r; 467 468 /* query the certificate length */ 469 r = sev_platform_ioctl(fd, SEV_PDH_CERT_EXPORT, &export, &err); 470 if (r < 0) { 471 if (err != SEV_RET_INVALID_LEN) { 472 error_setg(errp, "SEV: Failed to export PDH cert" 473 " ret=%d fw_err=%d (%s)", 474 r, err, fw_error_to_str(err)); 475 return 1; 476 } 477 } 478 479 pdh_data = g_new(guchar, export.pdh_cert_len); 480 cert_chain_data = g_new(guchar, export.cert_chain_len); 481 export.pdh_cert_address = (unsigned long)pdh_data; 482 export.cert_chain_address = (unsigned long)cert_chain_data; 483 484 r = sev_platform_ioctl(fd, SEV_PDH_CERT_EXPORT, &export, &err); 485 if (r < 0) { 486 error_setg(errp, "SEV: Failed to export PDH cert ret=%d fw_err=%d (%s)", 487 r, err, fw_error_to_str(err)); 488 goto e_free; 489 } 490 491 *pdh = pdh_data; 492 *pdh_len = export.pdh_cert_len; 493 *cert_chain = cert_chain_data; 494 *cert_chain_len = export.cert_chain_len; 495 return 0; 496 497 e_free: 498 g_free(pdh_data); 499 g_free(cert_chain_data); 500 return 1; 501 } 502 503 static SevCapability *sev_get_capabilities(Error **errp) 504 { 505 SevCapability *cap = NULL; 506 guchar *pdh_data = NULL; 507 guchar *cert_chain_data = NULL; 508 size_t pdh_len = 0, cert_chain_len = 0; 509 uint32_t ebx; 510 int fd; 511 512 if (!kvm_enabled()) { 513 error_setg(errp, "KVM not enabled"); 514 return NULL; 515 } 516 if (kvm_vm_ioctl(kvm_state, KVM_MEMORY_ENCRYPT_OP, NULL) < 0) { 517 error_setg(errp, "SEV is not enabled in KVM"); 518 return NULL; 519 } 520 521 fd = open(DEFAULT_SEV_DEVICE, O_RDWR); 522 if (fd < 0) { 523 error_setg_errno(errp, errno, "SEV: Failed to open %s", 524 DEFAULT_SEV_DEVICE); 525 return NULL; 526 } 527 528 if (sev_get_pdh_info(fd, &pdh_data, &pdh_len, 529 &cert_chain_data, &cert_chain_len, errp)) { 530 goto out; 531 } 532 533 cap = g_new0(SevCapability, 1); 534 cap->pdh = g_base64_encode(pdh_data, pdh_len); 535 cap->cert_chain = g_base64_encode(cert_chain_data, cert_chain_len); 536 537 host_cpuid(0x8000001F, 0, NULL, &ebx, NULL, NULL); 538 cap->cbitpos = ebx & 0x3f; 539 540 /* 541 * When SEV feature is enabled, we loose one bit in guest physical 542 * addressing. 543 */ 544 cap->reduced_phys_bits = 1; 545 546 out: 547 g_free(pdh_data); 548 g_free(cert_chain_data); 549 close(fd); 550 return cap; 551 } 552 553 SevCapability *qmp_query_sev_capabilities(Error **errp) 554 { 555 return sev_get_capabilities(errp); 556 } 557 558 static SevAttestationReport *sev_get_attestation_report(const char *mnonce, 559 Error **errp) 560 { 561 struct kvm_sev_attestation_report input = {}; 562 SevAttestationReport *report = NULL; 563 SevGuestState *sev = sev_guest; 564 g_autofree guchar *data = NULL; 565 g_autofree guchar *buf = NULL; 566 gsize len; 567 int err = 0, ret; 568 569 if (!sev_enabled()) { 570 error_setg(errp, "SEV is not enabled"); 571 return NULL; 572 } 573 574 /* lets decode the mnonce string */ 575 buf = g_base64_decode(mnonce, &len); 576 if (!buf) { 577 error_setg(errp, "SEV: failed to decode mnonce input"); 578 return NULL; 579 } 580 581 /* verify the input mnonce length */ 582 if (len != sizeof(input.mnonce)) { 583 error_setg(errp, "SEV: mnonce must be %zu bytes (got %" G_GSIZE_FORMAT ")", 584 sizeof(input.mnonce), len); 585 return NULL; 586 } 587 588 /* Query the report length */ 589 ret = sev_ioctl(sev->sev_fd, KVM_SEV_GET_ATTESTATION_REPORT, 590 &input, &err); 591 if (ret < 0) { 592 if (err != SEV_RET_INVALID_LEN) { 593 error_setg(errp, "SEV: Failed to query the attestation report" 594 " length ret=%d fw_err=%d (%s)", 595 ret, err, fw_error_to_str(err)); 596 return NULL; 597 } 598 } 599 600 data = g_malloc(input.len); 601 input.uaddr = (unsigned long)data; 602 memcpy(input.mnonce, buf, sizeof(input.mnonce)); 603 604 /* Query the report */ 605 ret = sev_ioctl(sev->sev_fd, KVM_SEV_GET_ATTESTATION_REPORT, 606 &input, &err); 607 if (ret) { 608 error_setg_errno(errp, errno, "SEV: Failed to get attestation report" 609 " ret=%d fw_err=%d (%s)", ret, err, fw_error_to_str(err)); 610 return NULL; 611 } 612 613 report = g_new0(SevAttestationReport, 1); 614 report->data = g_base64_encode(data, input.len); 615 616 trace_kvm_sev_attestation_report(mnonce, report->data); 617 618 return report; 619 } 620 621 SevAttestationReport *qmp_query_sev_attestation_report(const char *mnonce, 622 Error **errp) 623 { 624 return sev_get_attestation_report(mnonce, errp); 625 } 626 627 static int 628 sev_read_file_base64(const char *filename, guchar **data, gsize *len) 629 { 630 gsize sz; 631 g_autofree gchar *base64 = NULL; 632 GError *error = NULL; 633 634 if (!g_file_get_contents(filename, &base64, &sz, &error)) { 635 error_report("SEV: Failed to read '%s' (%s)", filename, error->message); 636 g_error_free(error); 637 return -1; 638 } 639 640 *data = g_base64_decode(base64, len); 641 return 0; 642 } 643 644 static int 645 sev_launch_start(SevGuestState *sev) 646 { 647 gsize sz; 648 int ret = 1; 649 int fw_error, rc; 650 struct kvm_sev_launch_start *start; 651 guchar *session = NULL, *dh_cert = NULL; 652 653 start = g_new0(struct kvm_sev_launch_start, 1); 654 655 start->handle = sev->handle; 656 start->policy = sev->policy; 657 if (sev->session_file) { 658 if (sev_read_file_base64(sev->session_file, &session, &sz) < 0) { 659 goto out; 660 } 661 start->session_uaddr = (unsigned long)session; 662 start->session_len = sz; 663 } 664 665 if (sev->dh_cert_file) { 666 if (sev_read_file_base64(sev->dh_cert_file, &dh_cert, &sz) < 0) { 667 goto out; 668 } 669 start->dh_uaddr = (unsigned long)dh_cert; 670 start->dh_len = sz; 671 } 672 673 trace_kvm_sev_launch_start(start->policy, session, dh_cert); 674 rc = sev_ioctl(sev->sev_fd, KVM_SEV_LAUNCH_START, start, &fw_error); 675 if (rc < 0) { 676 error_report("%s: LAUNCH_START ret=%d fw_error=%d '%s'", 677 __func__, ret, fw_error, fw_error_to_str(fw_error)); 678 goto out; 679 } 680 681 sev_set_guest_state(sev, SEV_STATE_LAUNCH_UPDATE); 682 sev->handle = start->handle; 683 ret = 0; 684 685 out: 686 g_free(start); 687 g_free(session); 688 g_free(dh_cert); 689 return ret; 690 } 691 692 static int 693 sev_launch_update_data(SevGuestState *sev, uint8_t *addr, uint64_t len) 694 { 695 int ret, fw_error; 696 struct kvm_sev_launch_update_data update; 697 698 if (!addr || !len) { 699 return 1; 700 } 701 702 update.uaddr = (__u64)(unsigned long)addr; 703 update.len = len; 704 trace_kvm_sev_launch_update_data(addr, len); 705 ret = sev_ioctl(sev->sev_fd, KVM_SEV_LAUNCH_UPDATE_DATA, 706 &update, &fw_error); 707 if (ret) { 708 error_report("%s: LAUNCH_UPDATE ret=%d fw_error=%d '%s'", 709 __func__, ret, fw_error, fw_error_to_str(fw_error)); 710 } 711 712 return ret; 713 } 714 715 static int 716 sev_launch_update_vmsa(SevGuestState *sev) 717 { 718 int ret, fw_error; 719 720 ret = sev_ioctl(sev->sev_fd, KVM_SEV_LAUNCH_UPDATE_VMSA, NULL, &fw_error); 721 if (ret) { 722 error_report("%s: LAUNCH_UPDATE_VMSA ret=%d fw_error=%d '%s'", 723 __func__, ret, fw_error, fw_error_to_str(fw_error)); 724 } 725 726 return ret; 727 } 728 729 static void 730 sev_launch_get_measure(Notifier *notifier, void *unused) 731 { 732 SevGuestState *sev = sev_guest; 733 int ret, error; 734 g_autofree guchar *data = NULL; 735 g_autofree struct kvm_sev_launch_measure *measurement = NULL; 736 737 if (!sev_check_state(sev, SEV_STATE_LAUNCH_UPDATE)) { 738 return; 739 } 740 741 if (sev_es_enabled()) { 742 /* measure all the VM save areas before getting launch_measure */ 743 ret = sev_launch_update_vmsa(sev); 744 if (ret) { 745 exit(1); 746 } 747 } 748 749 measurement = g_new0(struct kvm_sev_launch_measure, 1); 750 751 /* query the measurement blob length */ 752 ret = sev_ioctl(sev->sev_fd, KVM_SEV_LAUNCH_MEASURE, 753 measurement, &error); 754 if (!measurement->len) { 755 error_report("%s: LAUNCH_MEASURE ret=%d fw_error=%d '%s'", 756 __func__, ret, error, fw_error_to_str(errno)); 757 return; 758 } 759 760 data = g_new0(guchar, measurement->len); 761 measurement->uaddr = (unsigned long)data; 762 763 /* get the measurement blob */ 764 ret = sev_ioctl(sev->sev_fd, KVM_SEV_LAUNCH_MEASURE, 765 measurement, &error); 766 if (ret) { 767 error_report("%s: LAUNCH_MEASURE ret=%d fw_error=%d '%s'", 768 __func__, ret, error, fw_error_to_str(errno)); 769 return; 770 } 771 772 sev_set_guest_state(sev, SEV_STATE_LAUNCH_SECRET); 773 774 /* encode the measurement value and emit the event */ 775 sev->measurement = g_base64_encode(data, measurement->len); 776 trace_kvm_sev_launch_measurement(sev->measurement); 777 } 778 779 static char *sev_get_launch_measurement(void) 780 { 781 if (sev_guest && 782 sev_guest->state >= SEV_STATE_LAUNCH_SECRET) { 783 return g_strdup(sev_guest->measurement); 784 } 785 786 return NULL; 787 } 788 789 SevLaunchMeasureInfo *qmp_query_sev_launch_measure(Error **errp) 790 { 791 char *data; 792 SevLaunchMeasureInfo *info; 793 794 data = sev_get_launch_measurement(); 795 if (!data) { 796 error_setg(errp, "SEV launch measurement is not available"); 797 return NULL; 798 } 799 800 info = g_malloc0(sizeof(*info)); 801 info->data = data; 802 803 return info; 804 } 805 806 static Notifier sev_machine_done_notify = { 807 .notify = sev_launch_get_measure, 808 }; 809 810 static void 811 sev_launch_finish(SevGuestState *sev) 812 { 813 int ret, error; 814 815 trace_kvm_sev_launch_finish(); 816 ret = sev_ioctl(sev->sev_fd, KVM_SEV_LAUNCH_FINISH, 0, &error); 817 if (ret) { 818 error_report("%s: LAUNCH_FINISH ret=%d fw_error=%d '%s'", 819 __func__, ret, error, fw_error_to_str(error)); 820 exit(1); 821 } 822 823 sev_set_guest_state(sev, SEV_STATE_RUNNING); 824 825 /* add migration blocker */ 826 error_setg(&sev_mig_blocker, 827 "SEV: Migration is not implemented"); 828 migrate_add_blocker(sev_mig_blocker, &error_fatal); 829 } 830 831 static void 832 sev_vm_state_change(void *opaque, bool running, RunState state) 833 { 834 SevGuestState *sev = opaque; 835 836 if (running) { 837 if (!sev_check_state(sev, SEV_STATE_RUNNING)) { 838 sev_launch_finish(sev); 839 } 840 } 841 } 842 843 int sev_kvm_init(ConfidentialGuestSupport *cgs, Error **errp) 844 { 845 SevGuestState *sev 846 = (SevGuestState *)object_dynamic_cast(OBJECT(cgs), TYPE_SEV_GUEST); 847 char *devname; 848 int ret, fw_error, cmd; 849 uint32_t ebx; 850 uint32_t host_cbitpos; 851 struct sev_user_data_status status = {}; 852 853 if (!sev) { 854 return 0; 855 } 856 857 ret = ram_block_discard_disable(true); 858 if (ret) { 859 error_report("%s: cannot disable RAM discard", __func__); 860 return -1; 861 } 862 863 sev_guest = sev; 864 sev->state = SEV_STATE_UNINIT; 865 866 host_cpuid(0x8000001F, 0, NULL, &ebx, NULL, NULL); 867 host_cbitpos = ebx & 0x3f; 868 869 if (host_cbitpos != sev->cbitpos) { 870 error_setg(errp, "%s: cbitpos check failed, host '%d' requested '%d'", 871 __func__, host_cbitpos, sev->cbitpos); 872 goto err; 873 } 874 875 if (sev->reduced_phys_bits < 1) { 876 error_setg(errp, "%s: reduced_phys_bits check failed, it should be >=1," 877 " requested '%d'", __func__, sev->reduced_phys_bits); 878 goto err; 879 } 880 881 devname = object_property_get_str(OBJECT(sev), "sev-device", NULL); 882 sev->sev_fd = open(devname, O_RDWR); 883 if (sev->sev_fd < 0) { 884 error_setg(errp, "%s: Failed to open %s '%s'", __func__, 885 devname, strerror(errno)); 886 g_free(devname); 887 goto err; 888 } 889 g_free(devname); 890 891 ret = sev_platform_ioctl(sev->sev_fd, SEV_PLATFORM_STATUS, &status, 892 &fw_error); 893 if (ret) { 894 error_setg(errp, "%s: failed to get platform status ret=%d " 895 "fw_error='%d: %s'", __func__, ret, fw_error, 896 fw_error_to_str(fw_error)); 897 goto err; 898 } 899 sev->build_id = status.build; 900 sev->api_major = status.api_major; 901 sev->api_minor = status.api_minor; 902 903 if (sev_es_enabled()) { 904 if (!kvm_kernel_irqchip_allowed()) { 905 error_report("%s: SEV-ES guests require in-kernel irqchip support", 906 __func__); 907 goto err; 908 } 909 910 if (!(status.flags & SEV_STATUS_FLAGS_CONFIG_ES)) { 911 error_report("%s: guest policy requires SEV-ES, but " 912 "host SEV-ES support unavailable", 913 __func__); 914 goto err; 915 } 916 cmd = KVM_SEV_ES_INIT; 917 } else { 918 cmd = KVM_SEV_INIT; 919 } 920 921 trace_kvm_sev_init(); 922 ret = sev_ioctl(sev->sev_fd, cmd, NULL, &fw_error); 923 if (ret) { 924 error_setg(errp, "%s: failed to initialize ret=%d fw_error=%d '%s'", 925 __func__, ret, fw_error, fw_error_to_str(fw_error)); 926 goto err; 927 } 928 929 ret = sev_launch_start(sev); 930 if (ret) { 931 error_setg(errp, "%s: failed to create encryption context", __func__); 932 goto err; 933 } 934 935 ram_block_notifier_add(&sev_ram_notifier); 936 qemu_add_machine_init_done_notifier(&sev_machine_done_notify); 937 qemu_add_vm_change_state_handler(sev_vm_state_change, sev); 938 939 cgs->ready = true; 940 941 return 0; 942 err: 943 sev_guest = NULL; 944 ram_block_discard_disable(false); 945 return -1; 946 } 947 948 int 949 sev_encrypt_flash(uint8_t *ptr, uint64_t len, Error **errp) 950 { 951 if (!sev_guest) { 952 return 0; 953 } 954 955 /* if SEV is in update state then encrypt the data else do nothing */ 956 if (sev_check_state(sev_guest, SEV_STATE_LAUNCH_UPDATE)) { 957 int ret = sev_launch_update_data(sev_guest, ptr, len); 958 if (ret < 0) { 959 error_setg(errp, "SEV: Failed to encrypt pflash rom"); 960 return ret; 961 } 962 } 963 964 return 0; 965 } 966 967 int sev_inject_launch_secret(const char *packet_hdr, const char *secret, 968 uint64_t gpa, Error **errp) 969 { 970 struct kvm_sev_launch_secret input; 971 g_autofree guchar *data = NULL, *hdr = NULL; 972 int error, ret = 1; 973 void *hva; 974 gsize hdr_sz = 0, data_sz = 0; 975 MemoryRegion *mr = NULL; 976 977 if (!sev_guest) { 978 error_setg(errp, "SEV not enabled for guest"); 979 return 1; 980 } 981 982 /* secret can be injected only in this state */ 983 if (!sev_check_state(sev_guest, SEV_STATE_LAUNCH_SECRET)) { 984 error_setg(errp, "SEV: Not in correct state. (LSECRET) %x", 985 sev_guest->state); 986 return 1; 987 } 988 989 hdr = g_base64_decode(packet_hdr, &hdr_sz); 990 if (!hdr || !hdr_sz) { 991 error_setg(errp, "SEV: Failed to decode sequence header"); 992 return 1; 993 } 994 995 data = g_base64_decode(secret, &data_sz); 996 if (!data || !data_sz) { 997 error_setg(errp, "SEV: Failed to decode data"); 998 return 1; 999 } 1000 1001 hva = gpa2hva(&mr, gpa, data_sz, errp); 1002 if (!hva) { 1003 error_prepend(errp, "SEV: Failed to calculate guest address: "); 1004 return 1; 1005 } 1006 1007 input.hdr_uaddr = (uint64_t)(unsigned long)hdr; 1008 input.hdr_len = hdr_sz; 1009 1010 input.trans_uaddr = (uint64_t)(unsigned long)data; 1011 input.trans_len = data_sz; 1012 1013 input.guest_uaddr = (uint64_t)(unsigned long)hva; 1014 input.guest_len = data_sz; 1015 1016 trace_kvm_sev_launch_secret(gpa, input.guest_uaddr, 1017 input.trans_uaddr, input.trans_len); 1018 1019 ret = sev_ioctl(sev_guest->sev_fd, KVM_SEV_LAUNCH_SECRET, 1020 &input, &error); 1021 if (ret) { 1022 error_setg(errp, "SEV: failed to inject secret ret=%d fw_error=%d '%s'", 1023 ret, error, fw_error_to_str(error)); 1024 return ret; 1025 } 1026 1027 return 0; 1028 } 1029 1030 #define SEV_SECRET_GUID "4c2eb361-7d9b-4cc3-8081-127c90d3d294" 1031 struct sev_secret_area { 1032 uint32_t base; 1033 uint32_t size; 1034 }; 1035 1036 void qmp_sev_inject_launch_secret(const char *packet_hdr, 1037 const char *secret, 1038 bool has_gpa, uint64_t gpa, 1039 Error **errp) 1040 { 1041 if (!sev_enabled()) { 1042 error_setg(errp, "SEV not enabled for guest"); 1043 return; 1044 } 1045 if (!has_gpa) { 1046 uint8_t *data; 1047 struct sev_secret_area *area; 1048 1049 if (!pc_system_ovmf_table_find(SEV_SECRET_GUID, &data, NULL)) { 1050 error_setg(errp, "SEV: no secret area found in OVMF," 1051 " gpa must be specified."); 1052 return; 1053 } 1054 area = (struct sev_secret_area *)data; 1055 gpa = area->base; 1056 } 1057 1058 sev_inject_launch_secret(packet_hdr, secret, gpa, errp); 1059 } 1060 1061 static int 1062 sev_es_parse_reset_block(SevInfoBlock *info, uint32_t *addr) 1063 { 1064 if (!info->reset_addr) { 1065 error_report("SEV-ES reset address is zero"); 1066 return 1; 1067 } 1068 1069 *addr = info->reset_addr; 1070 1071 return 0; 1072 } 1073 1074 static int 1075 sev_es_find_reset_vector(void *flash_ptr, uint64_t flash_size, 1076 uint32_t *addr) 1077 { 1078 QemuUUID info_guid, *guid; 1079 SevInfoBlock *info; 1080 uint8_t *data; 1081 uint16_t *len; 1082 1083 /* 1084 * Initialize the address to zero. An address of zero with a successful 1085 * return code indicates that SEV-ES is not active. 1086 */ 1087 *addr = 0; 1088 1089 /* 1090 * Extract the AP reset vector for SEV-ES guests by locating the SEV GUID. 1091 * The SEV GUID is located on its own (original implementation) or within 1092 * the Firmware GUID Table (new implementation), either of which are 1093 * located 32 bytes from the end of the flash. 1094 * 1095 * Check the Firmware GUID Table first. 1096 */ 1097 if (pc_system_ovmf_table_find(SEV_INFO_BLOCK_GUID, &data, NULL)) { 1098 return sev_es_parse_reset_block((SevInfoBlock *)data, addr); 1099 } 1100 1101 /* 1102 * SEV info block not found in the Firmware GUID Table (or there isn't 1103 * a Firmware GUID Table), fall back to the original implementation. 1104 */ 1105 data = flash_ptr + flash_size - 0x20; 1106 1107 qemu_uuid_parse(SEV_INFO_BLOCK_GUID, &info_guid); 1108 info_guid = qemu_uuid_bswap(info_guid); /* GUIDs are LE */ 1109 1110 guid = (QemuUUID *)(data - sizeof(info_guid)); 1111 if (!qemu_uuid_is_equal(guid, &info_guid)) { 1112 error_report("SEV information block/Firmware GUID Table block not found in pflash rom"); 1113 return 1; 1114 } 1115 1116 len = (uint16_t *)((uint8_t *)guid - sizeof(*len)); 1117 info = (SevInfoBlock *)(data - le16_to_cpu(*len)); 1118 1119 return sev_es_parse_reset_block(info, addr); 1120 } 1121 1122 void sev_es_set_reset_vector(CPUState *cpu) 1123 { 1124 X86CPU *x86; 1125 CPUX86State *env; 1126 1127 /* Only update if we have valid reset information */ 1128 if (!sev_guest || !sev_guest->reset_data_valid) { 1129 return; 1130 } 1131 1132 /* Do not update the BSP reset state */ 1133 if (cpu->cpu_index == 0) { 1134 return; 1135 } 1136 1137 x86 = X86_CPU(cpu); 1138 env = &x86->env; 1139 1140 cpu_x86_load_seg_cache(env, R_CS, 0xf000, sev_guest->reset_cs, 0xffff, 1141 DESC_P_MASK | DESC_S_MASK | DESC_CS_MASK | 1142 DESC_R_MASK | DESC_A_MASK); 1143 1144 env->eip = sev_guest->reset_ip; 1145 } 1146 1147 int sev_es_save_reset_vector(void *flash_ptr, uint64_t flash_size) 1148 { 1149 CPUState *cpu; 1150 uint32_t addr; 1151 int ret; 1152 1153 if (!sev_es_enabled()) { 1154 return 0; 1155 } 1156 1157 addr = 0; 1158 ret = sev_es_find_reset_vector(flash_ptr, flash_size, 1159 &addr); 1160 if (ret) { 1161 return ret; 1162 } 1163 1164 if (addr) { 1165 sev_guest->reset_cs = addr & 0xffff0000; 1166 sev_guest->reset_ip = addr & 0x0000ffff; 1167 sev_guest->reset_data_valid = true; 1168 1169 CPU_FOREACH(cpu) { 1170 sev_es_set_reset_vector(cpu); 1171 } 1172 } 1173 1174 return 0; 1175 } 1176 1177 static const QemuUUID sev_hash_table_header_guid = { 1178 .data = UUID_LE(0x9438d606, 0x4f22, 0x4cc9, 0xb4, 0x79, 0xa7, 0x93, 1179 0xd4, 0x11, 0xfd, 0x21) 1180 }; 1181 1182 static const QemuUUID sev_kernel_entry_guid = { 1183 .data = UUID_LE(0x4de79437, 0xabd2, 0x427f, 0xb8, 0x35, 0xd5, 0xb1, 1184 0x72, 0xd2, 0x04, 0x5b) 1185 }; 1186 static const QemuUUID sev_initrd_entry_guid = { 1187 .data = UUID_LE(0x44baf731, 0x3a2f, 0x4bd7, 0x9a, 0xf1, 0x41, 0xe2, 1188 0x91, 0x69, 0x78, 0x1d) 1189 }; 1190 static const QemuUUID sev_cmdline_entry_guid = { 1191 .data = UUID_LE(0x97d02dd8, 0xbd20, 0x4c94, 0xaa, 0x78, 0xe7, 0x71, 1192 0x4d, 0x36, 0xab, 0x2a) 1193 }; 1194 1195 /* 1196 * Add the hashes of the linux kernel/initrd/cmdline to an encrypted guest page 1197 * which is included in SEV's initial memory measurement. 1198 */ 1199 bool sev_add_kernel_loader_hashes(SevKernelLoaderContext *ctx, Error **errp) 1200 { 1201 uint8_t *data; 1202 SevHashTableDescriptor *area; 1203 SevHashTable *ht; 1204 uint8_t cmdline_hash[HASH_SIZE]; 1205 uint8_t initrd_hash[HASH_SIZE]; 1206 uint8_t kernel_hash[HASH_SIZE]; 1207 uint8_t *hashp; 1208 size_t hash_len = HASH_SIZE; 1209 int aligned_len; 1210 1211 if (!pc_system_ovmf_table_find(SEV_HASH_TABLE_RV_GUID, &data, NULL)) { 1212 error_setg(errp, "SEV: kernel specified but OVMF has no hash table guid"); 1213 return false; 1214 } 1215 area = (SevHashTableDescriptor *)data; 1216 1217 /* 1218 * Calculate hash of kernel command-line with the terminating null byte. If 1219 * the user doesn't supply a command-line via -append, the 1-byte "\0" will 1220 * be used. 1221 */ 1222 hashp = cmdline_hash; 1223 if (qcrypto_hash_bytes(QCRYPTO_HASH_ALG_SHA256, ctx->cmdline_data, 1224 ctx->cmdline_size, &hashp, &hash_len, errp) < 0) { 1225 return false; 1226 } 1227 assert(hash_len == HASH_SIZE); 1228 1229 /* 1230 * Calculate hash of initrd. If the user doesn't supply an initrd via 1231 * -initrd, an empty buffer will be used (ctx->initrd_size == 0). 1232 */ 1233 hashp = initrd_hash; 1234 if (qcrypto_hash_bytes(QCRYPTO_HASH_ALG_SHA256, ctx->initrd_data, 1235 ctx->initrd_size, &hashp, &hash_len, errp) < 0) { 1236 return false; 1237 } 1238 assert(hash_len == HASH_SIZE); 1239 1240 /* Calculate hash of the kernel */ 1241 hashp = kernel_hash; 1242 struct iovec iov[2] = { 1243 { .iov_base = ctx->setup_data, .iov_len = ctx->setup_size }, 1244 { .iov_base = ctx->kernel_data, .iov_len = ctx->kernel_size } 1245 }; 1246 if (qcrypto_hash_bytesv(QCRYPTO_HASH_ALG_SHA256, iov, ARRAY_SIZE(iov), 1247 &hashp, &hash_len, errp) < 0) { 1248 return false; 1249 } 1250 assert(hash_len == HASH_SIZE); 1251 1252 /* 1253 * Populate the hashes table in the guest's memory at the OVMF-designated 1254 * area for the SEV hashes table 1255 */ 1256 ht = qemu_map_ram_ptr(NULL, area->base); 1257 1258 ht->guid = sev_hash_table_header_guid; 1259 ht->len = sizeof(*ht); 1260 1261 ht->cmdline.guid = sev_cmdline_entry_guid; 1262 ht->cmdline.len = sizeof(ht->cmdline); 1263 memcpy(ht->cmdline.hash, cmdline_hash, sizeof(ht->cmdline.hash)); 1264 1265 ht->initrd.guid = sev_initrd_entry_guid; 1266 ht->initrd.len = sizeof(ht->initrd); 1267 memcpy(ht->initrd.hash, initrd_hash, sizeof(ht->initrd.hash)); 1268 1269 ht->kernel.guid = sev_kernel_entry_guid; 1270 ht->kernel.len = sizeof(ht->kernel); 1271 memcpy(ht->kernel.hash, kernel_hash, sizeof(ht->kernel.hash)); 1272 1273 /* When calling sev_encrypt_flash, the length has to be 16 byte aligned */ 1274 aligned_len = ROUND_UP(ht->len, 16); 1275 if (aligned_len != ht->len) { 1276 /* zero the excess data so the measurement can be reliably calculated */ 1277 memset(ht->padding, 0, aligned_len - ht->len); 1278 } 1279 1280 if (sev_encrypt_flash((uint8_t *)ht, aligned_len, errp) < 0) { 1281 return false; 1282 } 1283 1284 return true; 1285 } 1286 1287 static void 1288 sev_register_types(void) 1289 { 1290 type_register_static(&sev_guest_info); 1291 } 1292 1293 type_init(sev_register_types); 1294