qemu/include/qemu
Peter Maydell 6f0e9c26db Generalize memory encryption models
A number of hardware platforms are implementing mechanisms whereby the
 hypervisor does not have unfettered access to guest memory, in order
 to mitigate the security impact of a compromised hypervisor.
 
 AMD's SEV implements this with in-cpu memory encryption, and Intel has
 its own memory encryption mechanism.  POWER has an upcoming mechanism
 to accomplish this in a different way, using a new memory protection
 level plus a small trusted ultravisor.  s390 also has a protected
 execution environment.
 
 The current code (committed or draft) for these features has each
 platform's version configured entirely differently.  That doesn't seem
 ideal for users, or particularly for management layers.
 
 AMD SEV introduces a notionally generic machine option
 "machine-encryption", but it doesn't actually cover any cases other
 than SEV.
 
 This series is a proposal to at least partially unify configuration
 for these mechanisms, by renaming and generalizing AMD's
 "memory-encryption" property.  It is replaced by a
 "confidential-guest-support" property pointing to a platform specific
 object which configures and manages the specific details.
 
 Note to Ram Pai: the documentation I've included for PEF is very
 minimal.  If you could send a patch expanding on that, it would be
 very helpful.
 
 Changes since v8:
  * Rebase
  * Fixed some cosmetic typos
 Changes since v7:
  * Tweaked and clarified meaning of the 'ready' flag
  * Polished the interface to the PEF internals
  * Shifted initialization for s390 PV later (I hope I've finally got
    this after apply_cpu_model() where it needs to be)
 Changes since v6:
  * Moved to using OBJECT_DECLARE_TYPE and OBJECT_DEFINE_TYPE macros
  * Assorted minor fixes
 Changes since v5:
  * Renamed from "securable guest memory" to "confidential guest
    support"
  * Simpler reworking of x86 boot time flash encryption
  * Added a bunch of documentation
  * Fixed some compile errors on POWER
 Changes since v4:
  * Renamed from "host trust limitation" to "securable guest memory",
    which I think is marginally more descriptive
  * Re-organized initialization, because the previous model called at
    kvm_init didn't work for s390
  * Assorted fixes to the s390 implementation; rudimentary testing
    (gitlab CI) only
 Changes since v3:
  * Rebased
  * Added first cut at handling of s390 protected virtualization
 Changes since RFCv2:
  * Rebased
  * Removed preliminary SEV cleanups (they've been merged)
  * Changed name to "host trust limitation"
  * Added migration blocker to the PEF code (based on SEV's version)
 Changes since RFCv1:
  * Rebased
  * Fixed some errors pointed out by Dave Gilbert
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEdfRlhq5hpmzETofcbDjKyiDZs5IFAmAg1R8ACgkQbDjKyiDZ
 s5KCVRAAgm/xlgEv2hDZ7z+MuOTNesCpR3uU4iX02xNktox96Qai7XlrA7bhDf1v
 y/0FLnOOL6Kn5OHeS2CiDPIgWIUfapSwDsTPooZ6GqfzCI+r0jIaSBu59IBhvJRh
 o3ZTfT2fsckY9Gy2YN29ssN87ovDTPNlvRAxGH/71mMKEGJcK6QWxGcsyJDmeKq4
 0/tOQaLMFRRagTpwqCT1eacMzyQwkoDcywQHfi0Is+Q4voWPKgDY0qPqLd1OG2XI
 cMQ8fagums3NkPpVbKAW7sIvDiHtH1HNDoHKTiwKtTUsN5LBz+LN87LoKAdBasV0
 AiRm8gi+CkF/NOA2RjwaFmThxt7sr8kTKVuIqTo5m8agqkhJr97+gBxUym49CxTx
 1Zjo9TWsprKXnXl8vfGtAIZ4pkYQzomMDT3AilEST3+zbpRuwTMGOJ5vLF7RrKtF
 AtF2XBiPGZ/NztpbmaukuG/R49wwW5we4dR1zySMcoTsAl1rIzxpfwBnYatOY0Hg
 sVc9gABwQ0kacsseVIX72c+30U02cR8f6uRfuqNAEUW13vdAo/5/PXxGVlevMkw5
 33MYr16CkGnYgtgJtORK+x8/vPlAYiBzZrn71Wym7yKCamf8LMbzPNXKjUaD/GT8
 TZG7abTV8vuS0m7V/hGgV8nTVaG/6VLEyAtO6YpjQ+1p+dO8xBc=
 =TTeT
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/dg-gitlab/tags/cgs-pull-request' into staging

Generalize memory encryption models

A number of hardware platforms are implementing mechanisms whereby the
hypervisor does not have unfettered access to guest memory, in order
to mitigate the security impact of a compromised hypervisor.

AMD's SEV implements this with in-cpu memory encryption, and Intel has
its own memory encryption mechanism.  POWER has an upcoming mechanism
to accomplish this in a different way, using a new memory protection
level plus a small trusted ultravisor.  s390 also has a protected
execution environment.

The current code (committed or draft) for these features has each
platform's version configured entirely differently.  That doesn't seem
ideal for users, or particularly for management layers.

AMD SEV introduces a notionally generic machine option
"machine-encryption", but it doesn't actually cover any cases other
than SEV.

This series is a proposal to at least partially unify configuration
for these mechanisms, by renaming and generalizing AMD's
"memory-encryption" property.  It is replaced by a
"confidential-guest-support" property pointing to a platform specific
object which configures and manages the specific details.

Note to Ram Pai: the documentation I've included for PEF is very
minimal.  If you could send a patch expanding on that, it would be
very helpful.

Changes since v8:
 * Rebase
 * Fixed some cosmetic typos
Changes since v7:
 * Tweaked and clarified meaning of the 'ready' flag
 * Polished the interface to the PEF internals
 * Shifted initialization for s390 PV later (I hope I've finally got
   this after apply_cpu_model() where it needs to be)
Changes since v6:
 * Moved to using OBJECT_DECLARE_TYPE and OBJECT_DEFINE_TYPE macros
 * Assorted minor fixes
Changes since v5:
 * Renamed from "securable guest memory" to "confidential guest
   support"
 * Simpler reworking of x86 boot time flash encryption
 * Added a bunch of documentation
 * Fixed some compile errors on POWER
Changes since v4:
 * Renamed from "host trust limitation" to "securable guest memory",
   which I think is marginally more descriptive
 * Re-organized initialization, because the previous model called at
   kvm_init didn't work for s390
 * Assorted fixes to the s390 implementation; rudimentary testing
   (gitlab CI) only
Changes since v3:
 * Rebased
 * Added first cut at handling of s390 protected virtualization
Changes since RFCv2:
 * Rebased
 * Removed preliminary SEV cleanups (they've been merged)
 * Changed name to "host trust limitation"
 * Added migration blocker to the PEF code (based on SEV's version)
Changes since RFCv1:
 * Rebased
 * Fixed some errors pointed out by Dave Gilbert

# gpg: Signature made Mon 08 Feb 2021 06:07:27 GMT
# gpg:                using RSA key 75F46586AE61A66CC44E87DC6C38CACA20D9B392
# gpg: Good signature from "David Gibson <david@gibson.dropbear.id.au>" [full]
# gpg:                 aka "David Gibson (Red Hat) <dgibson@redhat.com>" [full]
# gpg:                 aka "David Gibson (ozlabs.org) <dgibson@ozlabs.org>" [full]
# gpg:                 aka "David Gibson (kernel.org) <dwg@kernel.org>" [unknown]
# Primary key fingerprint: 75F4 6586 AE61 A66C C44E  87DC 6C38 CACA 20D9 B392

* remotes/dg-gitlab/tags/cgs-pull-request:
  s390: Recognize confidential-guest-support option
  confidential guest support: Alter virtio default properties for protected guests
  spapr: PEF: prevent migration
  spapr: Add PEF based confidential guest support
  confidential guest support: Update documentation
  confidential guest support: Move SEV initialization into arch specific code
  confidential guest support: Introduce cgs "ready" flag
  sev: Add Error ** to sev_kvm_init()
  confidential guest support: Rework the "memory-encryption" property
  confidential guest support: Move side effect out of machine_set_memory_encryption()
  sev: Remove false abstraction of flash encryption
  confidential guest support: Introduce new confidential guest support class
  qom: Allow optional sugar props

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2021-02-08 11:11:26 +00:00
..
accel.h accel: replace struct CpusAccel with AccelOpsClass 2021-02-05 10:24:15 -10:00
atomic128.h qemu/atomic.h: rename atomic_ to qatomic_ 2020-09-23 16:07:44 +01:00
atomic.h qemu/atomic: Drop special case for unsupported compiler 2020-12-15 12:52:07 -05:00
base64.h nomaintainer: Fix Lesser GPL version number 2020-11-15 17:04:40 +01:00
bcd.h Clean up decorations and whitespace around header guards 2016-07-12 16:20:46 +02:00
bitmap.h bitmap: Add bitmap_copy_with_{src|dst}_offset() 2019-07-15 15:39:02 +02:00
bitops.h qemu/atomic.h: rename atomic_ to qatomic_ 2020-09-23 16:07:44 +01:00
bswap.h qemu/bswap: Remove unused qemu_bswap_len() 2020-11-17 09:45:24 +01:00
buffer.h nomaintainer: Fix Lesser GPL version number 2020-11-15 17:04:40 +01:00
cacheflush.h util: Enhance flush_icache_range with separate data pointer 2021-01-07 05:09:41 -10:00
co-shared-resource.h util: introduce SharedResource 2019-10-28 11:22:31 +01:00
compiler.h qemu/compiler: Split out qemu_build_not_reached_always 2021-01-22 12:48:01 -10:00
config-file.h config-file: move -set implementation to vl.c 2020-12-10 12:15:19 -05:00
coroutine_int.h coroutine: support SafeStack in ucontext backend 2020-06-23 15:46:05 +01:00
coroutine.h qemu/atomic.h: rename atomic_ to qatomic_ 2020-09-23 16:07:44 +01:00
cpuid.h util: add util function buffer_zero_avx512() 2020-03-16 23:02:21 +01:00
crc32c.h Include qemu-common.h exactly where needed 2019-06-12 13:20:20 +02:00
crc-ccitt.h util: Add CRC16 (CCITT) calculation routines 2021-01-24 20:10:54 +01:00
ctype.h qemu-common: Move qemu_isalnum() etc. to qemu/ctype.h 2019-06-11 20:22:09 +02:00
cutils.h cutils: replace strdup with g_strdup 2020-11-03 09:42:52 -05:00
datadir.h vl: extract softmmu/datadir.c 2020-12-10 12:15:18 -05:00
dbus.h util: add dbus helper unit 2020-01-06 18:41:32 +04:00
drm.h Clean up ill-advised or unusual header guards 2019-05-13 08:58:55 +02:00
envlist.h
error-report.h error: rename error_with_timestamp to message_with_timestamp 2021-02-01 10:50:55 +00:00
event_notifier.h Include qemu-common.h exactly where needed 2019-06-12 13:20:20 +02:00
fifo8.h utils/fifo8: add VMSTATE_FIFO8_TEST macro 2021-02-07 20:38:34 +00:00
fifo32.h hw: Clean up includes 2016-06-07 18:19:23 +03:00
filemonitor.h nomaintainer: Fix Lesser GPL version number 2020-11-15 17:04:40 +01:00
futex.h futex: add missing header guards 2017-10-16 20:57:13 +03:00
guest-random.h util: Add qemu_guest_getrandom and associated routines 2019-05-22 12:38:54 -04:00
hbitmap.h block/dirty-bitmap: improve _next_dirty_area API 2020-03-18 14:03:46 -04:00
help_option.h keyval: Parse help options 2020-10-15 16:06:27 +02:00
host-utils.h fix the prototype of muls64/mulu64 2020-07-06 18:13:13 +02:00
id.h chardev: generate an internal id when none given 2020-01-07 16:50:09 +04:00
int128.h qemu/int128: Add int128_lshift 2020-08-28 10:02:47 +01:00
iov.h util/iov: make qemu_iovec_init_extended() honest 2021-02-03 08:00:33 -06:00
iova-tree.h util: remove redundant include of glib.h and add osdep.h 2018-06-29 12:22:28 +01:00
jhash.h Clean up ill-advised or unusual header guards 2019-05-13 08:58:55 +02:00
job.h job: refactor progress to separate object 2020-03-11 12:42:30 +01:00
lockable.h lockable: fix __COUNTER__ macro to be referenced properly 2020-05-04 16:07:43 +01:00
log-for-trace.h log-for-trace.h: Split out parts of log.h used by trace.h 2018-03-12 11:10:20 +00:00
log.h qemu/atomic.h: rename atomic_ to qatomic_ 2020-09-23 16:07:44 +01:00
main-loop.h main-loop: Fix comment 2020-09-01 12:07:52 +02:00
memfd.h linux-user: add memfd_create 2019-09-11 08:46:17 +02:00
mmap-alloc.h memory: add readonly support to memory_region_init_ram_from_file() 2021-02-01 17:07:34 -05:00
module.h module: silence errors for module_load_qom_all(). 2020-10-15 10:43:48 +02:00
notify.h xen / notify: introduce a new XenWatchList abstraction 2019-09-24 12:18:47 +01:00
nvdimm-utils.h Clean up includes 2020-12-10 17:16:44 +01:00
option_int.h qemu/queue.h: simplify reverse access to QTAILQ 2019-01-11 15:46:55 +01:00
option.h qemu-option: restrict qemu_opts_set to merge-lists QemuOpts 2020-12-10 12:15:12 -05:00
osdep.h osdep: build with non-working system() function 2021-01-29 10:47:28 +00:00
path.h Clean up decorations and whitespace around header guards 2016-07-12 16:20:46 +02:00
plugin-memory.h plugins: implement helpers for resolving hwaddr 2019-10-28 15:12:38 +00:00
plugin.h plugin: propagate errors 2020-12-15 12:51:56 -05:00
pmem.h Clean up decorations and whitespace around header guards 2019-05-13 08:58:55 +02:00
processor.h Drop remaining bits of ia64 host support 2018-02-05 18:09:45 +01:00
progress_meter.h job: refactor progress to separate object 2020-03-11 12:42:30 +01:00
qdist.h Include qemu-common.h exactly where needed 2019-06-12 13:20:20 +02:00
qemu-plugin.h qemu-plugin.h: remove GCC < 4 2020-12-15 12:52:09 -05:00
qemu-print.h qemu-print: New qemu_fprintf(), qemu_vfprintf() 2019-04-18 22:18:59 +02:00
qht.h qht: constify qht_statistics_init 2018-09-26 08:55:54 -07:00
qsp.h qsp: Simplify how qsp_report() prints 2019-04-18 22:18:59 +02:00
queue.h qemu/atomic.h: rename atomic_ to qatomic_ 2020-09-23 16:07:44 +01:00
range.h Include qemu/queue.h slightly less 2019-08-16 13:31:52 +02:00
ratelimit.h include: Make headers more self-contained 2019-08-16 13:31:51 +02:00
rcu_queue.h qemu/atomic.h: rename atomic_ to qatomic_ 2020-09-23 16:07:44 +01:00
rcu.h qemu/atomic.h: rename atomic_ to qatomic_ 2020-09-23 16:07:44 +01:00
readline.h readline: add a free function 2018-01-16 14:54:50 +01:00
selfmap.h linux-user: factor out reading of /proc/self/maps 2020-04-07 16:19:49 +01:00
seqlock.h qemu/atomic.h: rename atomic_ to qatomic_ 2020-09-23 16:07:44 +01:00
sockets.h net: check if the file descriptor is valid before using it 2020-07-15 21:00:13 +08:00
stats64.h qemu/atomic.h: rename atomic_ to qatomic_ 2020-09-23 16:07:44 +01:00
sys_membarrier.h Normalize header guard symbol definition. 2019-05-13 08:58:55 +02:00
systemd.h Normalize header guard symbol definition. 2019-05-13 08:58:55 +02:00
thread-posix.h qsp: QEMU's Synchronization Profiler 2018-08-23 18:46:25 +02:00
thread-win32.h include: Make headers more self-contained 2019-08-16 13:31:51 +02:00
thread.h qemu/atomic.h: rename atomic_ to qatomic_ 2020-09-23 16:07:44 +01:00
throttle-options.h block: add throttle block filter driver 2017-09-06 10:12:02 +02:00
throttle.h Include qemu-common.h exactly where needed 2019-06-12 13:20:20 +02:00
timed-average.h include: Clean up includes 2016-02-23 12:43:05 +00:00
timer.h semihosting: Implement SYS_ELAPSED and SYS_TICKFREQ 2021-01-18 10:05:06 +00:00
tsan.h include/qemu: Added tsan.h for annotations. 2020-06-16 14:49:05 +01:00
typedefs.h confidential guest support: Introduce new confidential guest support class 2021-02-08 16:57:37 +11:00
unicode.h json: Reject invalid UTF-8 sequences 2018-08-24 20:26:37 +02:00
units.h block: Eliminate the S_1KiB, S_2KiB, ... macros 2019-02-01 13:46:45 +01:00
uri.h Remove unused function declarations 2016-09-15 15:32:22 +03:00
uuid.h acpi: nvdimm: change NVDIMM_UUID_LE to a common macro 2020-05-14 15:03:08 +01:00
vfio-helpers.h util/vfio-helpers: Pass page protections to qemu_vfio_pci_map_bar() 2020-10-05 09:35:52 +01:00
vhost-user-server.h libvhost-user: make it a meson subproject 2020-12-08 13:48:58 -05:00
win_dump_defs.h dump: move Windows dump structures definitions 2018-10-02 19:09:12 +02:00
xattr.h include: Fix typos found by codespell 2017-01-24 23:26:52 +03:00
xxhash.h target/arm: Implement an IMPDEF pauth algorithm 2021-01-19 14:38:51 +00:00
yank.h Introduce yank feature 2021-01-13 10:21:17 +01:00