2024-03-18 18:07:43 +03:00
|
|
|
/*
|
|
|
|
* x86-specific confidential guest methods.
|
|
|
|
*
|
|
|
|
* Copyright (c) 2024 Red Hat Inc.
|
|
|
|
*
|
|
|
|
* Authors:
|
|
|
|
* Paolo Bonzini <pbonzini@redhat.com>
|
|
|
|
*
|
|
|
|
* This work is licensed under the terms of the GNU GPL, version 2 or later.
|
|
|
|
* See the COPYING file in the top-level directory.
|
|
|
|
*/
|
|
|
|
#ifndef TARGET_I386_CG_H
|
|
|
|
#define TARGET_I386_CG_H
|
|
|
|
|
|
|
|
#include "qom/object.h"
|
|
|
|
|
|
|
|
#include "exec/confidential-guest-support.h"
|
|
|
|
|
|
|
|
#define TYPE_X86_CONFIDENTIAL_GUEST "x86-confidential-guest"
|
|
|
|
|
|
|
|
OBJECT_DECLARE_TYPE(X86ConfidentialGuest,
|
|
|
|
X86ConfidentialGuestClass,
|
|
|
|
X86_CONFIDENTIAL_GUEST)
|
|
|
|
|
|
|
|
struct X86ConfidentialGuest {
|
|
|
|
/* <private> */
|
|
|
|
ConfidentialGuestSupport parent_obj;
|
|
|
|
};
|
|
|
|
|
|
|
|
/**
|
|
|
|
* X86ConfidentialGuestClass:
|
|
|
|
*
|
|
|
|
* Class to be implemented by confidential-guest-support concrete objects
|
|
|
|
* for the x86 target.
|
|
|
|
*/
|
|
|
|
struct X86ConfidentialGuestClass {
|
|
|
|
/* <private> */
|
|
|
|
ConfidentialGuestSupportClass parent;
|
target/i386: Implement mc->kvm_type() to get VM type
KVM is introducing a new API to create confidential guests, which
will be used by TDX and SEV-SNP but is also available for SEV and
SEV-ES. The API uses the VM type argument to KVM_CREATE_VM to
identify which confidential computing technology to use.
Since there are no other expected uses of VM types, delegate
mc->kvm_type() for x86 boards to the confidential-guest-support
object pointed to by ms->cgs.
For example, if a sev-guest object is specified to confidential-guest-support,
like,
qemu -machine ...,confidential-guest-support=sev0 \
-object sev-guest,id=sev0,...
it will check if a VM type KVM_X86_SEV_VM or KVM_X86_SEV_ES_VM
is supported, and if so use them together with the KVM_SEV_INIT2
function of the KVM_MEMORY_ENCRYPT_OP ioctl. If not, it will fall back to
KVM_SEV_INIT and KVM_SEV_ES_INIT.
This is a preparatory work towards TDX and SEV-SNP support, but it
will also enable support for VMSA features such as DebugSwap, which
are only available via KVM_SEV_INIT2.
Co-developed-by: Xiaoyao Li <xiaoyao.li@intel.com>
Signed-off-by: Xiaoyao Li <xiaoyao.li@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2024-03-19 17:29:33 +03:00
|
|
|
|
|
|
|
/* <public> */
|
|
|
|
int (*kvm_type)(X86ConfidentialGuest *cg);
|
2024-07-03 12:12:06 +03:00
|
|
|
uint32_t (*mask_cpuid_features)(X86ConfidentialGuest *cg, uint32_t feature, uint32_t index,
|
|
|
|
int reg, uint32_t value);
|
2024-03-18 18:07:43 +03:00
|
|
|
};
|
target/i386: Implement mc->kvm_type() to get VM type
KVM is introducing a new API to create confidential guests, which
will be used by TDX and SEV-SNP but is also available for SEV and
SEV-ES. The API uses the VM type argument to KVM_CREATE_VM to
identify which confidential computing technology to use.
Since there are no other expected uses of VM types, delegate
mc->kvm_type() for x86 boards to the confidential-guest-support
object pointed to by ms->cgs.
For example, if a sev-guest object is specified to confidential-guest-support,
like,
qemu -machine ...,confidential-guest-support=sev0 \
-object sev-guest,id=sev0,...
it will check if a VM type KVM_X86_SEV_VM or KVM_X86_SEV_ES_VM
is supported, and if so use them together with the KVM_SEV_INIT2
function of the KVM_MEMORY_ENCRYPT_OP ioctl. If not, it will fall back to
KVM_SEV_INIT and KVM_SEV_ES_INIT.
This is a preparatory work towards TDX and SEV-SNP support, but it
will also enable support for VMSA features such as DebugSwap, which
are only available via KVM_SEV_INIT2.
Co-developed-by: Xiaoyao Li <xiaoyao.li@intel.com>
Signed-off-by: Xiaoyao Li <xiaoyao.li@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2024-03-19 17:29:33 +03:00
|
|
|
|
|
|
|
/**
|
|
|
|
* x86_confidential_guest_kvm_type:
|
|
|
|
*
|
|
|
|
* Calls #X86ConfidentialGuestClass.unplug callback of @plug_handler.
|
|
|
|
*/
|
|
|
|
static inline int x86_confidential_guest_kvm_type(X86ConfidentialGuest *cg)
|
|
|
|
{
|
|
|
|
X86ConfidentialGuestClass *klass = X86_CONFIDENTIAL_GUEST_GET_CLASS(cg);
|
|
|
|
|
|
|
|
if (klass->kvm_type) {
|
|
|
|
return klass->kvm_type(cg);
|
|
|
|
} else {
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
}
|
2024-07-03 12:12:06 +03:00
|
|
|
|
|
|
|
/**
|
|
|
|
* x86_confidential_guest_mask_cpuid_features:
|
|
|
|
*
|
|
|
|
* Removes unsupported features from a confidential guest's CPUID values, returns
|
|
|
|
* the value with the bits removed. The bits removed should be those that KVM
|
|
|
|
* provides independent of host-supported CPUID features, but are not supported by
|
|
|
|
* the confidential computing firmware.
|
|
|
|
*/
|
|
|
|
static inline int x86_confidential_guest_mask_cpuid_features(X86ConfidentialGuest *cg,
|
|
|
|
uint32_t feature, uint32_t index,
|
|
|
|
int reg, uint32_t value)
|
|
|
|
{
|
|
|
|
X86ConfidentialGuestClass *klass = X86_CONFIDENTIAL_GUEST_GET_CLASS(cg);
|
|
|
|
|
|
|
|
if (klass->mask_cpuid_features) {
|
|
|
|
return klass->mask_cpuid_features(cg, feature, index, reg, value);
|
|
|
|
} else {
|
|
|
|
return value;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2024-03-18 18:07:43 +03:00
|
|
|
#endif
|