From: Markus Frank
To: pve-devel@lists.proxmox.com
Date: Fri, 19 Apr 2024 12:10:47 +0200
Message-Id: <20240419101049.697299-1-m.frank@proxmox.com>
Subject: [pve-devel] [PATCH qemu-server v5 1/3] add C program to get AMD SEV hardware parameters from CPUID
List-Id: Proxmox VE development discussion

Implement a systemd service that runs a C program that extracts AMD SEV hardware parameters such as reduced-phys-bits and cbitpos from CPUID at boot time, verifies that SEV, SEV-ES & SEV-SNP are enabled, and outputs these details as JSON to /run/amd-sev-params.
Signed-off-by: Markus Frank --- Makefile | 1 + amd-sev-support/Makefile | 21 +++++++++++ amd-sev-support/amd-sev-support.c | 48 +++++++++++++++++++++++++ amd-sev-support/amd-sev-support.service | 12 +++++++ 4 files changed, 82 insertions(+) create mode 100644 amd-sev-support/Makefile create mode 100644 amd-sev-support/amd-sev-support.c create mode 100644 amd-sev-support/amd-sev-support.service diff --git a/Makefile b/Makefile index 133468d..ccd12a1 100644 --- a/Makefile +++ b/Makefile @@ -65,6 +65,7 @@ install: $(PKGSOURCES) install -m 0644 -D bootsplash.jpg $(DESTDIR)/usr/share/$(PACKAGE) $(MAKE) -C PVE install $(MAKE) -C qmeventd install + $(MAKE) -C amd-sev-support install $(MAKE) -C qemu-configs install $(MAKE) -C vm-network-scripts install install -m 0755 qm $(DESTDIR)$(SBINDIR) diff --git a/amd-sev-support/Makefile b/amd-sev-support/Makefile new file mode 100644 index 0000000..022ed94 --- /dev/null +++ b/amd-sev-support/Makefile @@ -0,0 +1,21 @@ +DESTDIR= +PREFIX=/usr +SBINDIR=${PREFIX}/libexec/qemu-server +SERVICEDIR=/lib/systemd/system + +CC ?= gcc +CFLAGS += -O2 -fanalyzer -Werror -Wall -Wextra -Wpedantic -Wtype-limits -Wl,-z,relro -std=gnu11 + +amd-sev-support: amd-sev-support.c + $(CC) $(CFLAGS) -o $@ $< $(LDFLAGS) + +.PHONY: install +install: amd-sev-support + install -d ${DESTDIR}/${SBINDIR} + install -d ${DESTDIR}${SERVICEDIR} + install -m 0644 amd-sev-support.service ${DESTDIR}${SERVICEDIR} + install -m 0755 amd-sev-support ${DESTDIR}${SBINDIR} + +.PHONY: clean +clean: + rm -f amd-sev-support diff --git a/amd-sev-support/amd-sev-support.c b/amd-sev-support/amd-sev-support.c new file mode 100644 index 0000000..73a7bd8 --- /dev/null +++ b/amd-sev-support/amd-sev-support.c 
@@ -0,0 +1,48 @@ +#include +#include +#include + +int main() { + uint32_t eax, ebx, ecx, edx; + + // query Encrypted Memory Capabilities, see: + // https://en.wikipedia.org/wiki/CPUID#EAX=8000001Fh:_Encrypted_Memory_Capabilities + uint32_t query_function = 0x8000001F; + asm volatile("cpuid" + : "=a"(eax), "=b"(ebx), "=c"(ecx), "=d"(edx) + : "0"(query_function) + ); + + bool sev_support = (eax & (1<<1)) != 0; + bool sev_es_support = (eax & (1<<3)) != 0; + bool sev_snp_support = (eax & (1<<4)) != 0; + + uint8_t cbitpos = ebx & 0x3f; + uint8_t reduced_phys_bits = (ebx >> 6) & 0x3f; + + FILE *file; + char *filename = "/run/amd-sev-params"; + + file = fopen(filename, "w"); + if (file == NULL) { + perror("Error opening file"); + return 1; + } + + fprintf(file, "{" + " \"cbitpos\": %u," + " \"reduced-phys-bits\": %u," + " \"sev\": %s," + " \"sev-es\": %s," + " \"sev-snp\": %s" + " }\n", + cbitpos, + reduced_phys_bits, + sev_support ? "true" : "false", + sev_es_support ? "true" : "false", + sev_snp_support ? "true" : "false" + ); + + fclose(file); + return 0; +} diff --git a/amd-sev-support/amd-sev-support.service b/amd-sev-support/amd-sev-support.service new file mode 100644 index 0000000..466dd0a --- /dev/null +++ b/amd-sev-support/amd-sev-support.service @@ -0,0 +1,12 @@ +[Unit] +Description=Read AMD SEV Parameters +RequiresMountsFor=/run +Before=pve-ha-lrm.service +Before=pve-guests.service + +[Service] +ExecStart=/usr/libexec/qemu-server/amd-sev-support +Type=forking + +[Install] +WantedBy=multi-user.target -- 2.39.2 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
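Review bot: In amd-sev-support/Makefile the install rule concatenates the destination inconsistently, `install -d ${DESTDIR}/${SBINDIR}` on one line and `${DESTDIR}${SBINDIR}` on the next; since SBINDIR already starts with `/`, the first form yields a double slash, so use `${DESTDIR}${SBINDIR}` in both places. On the CFLAGS line, `-Wl,-z,relro` alone gives only partial RELRO; if hardening is the intent, add `-Wl,-z,now` (full RELRO) and consider `-fstack-protector-strong` and `-D_FORTIFY_SOURCE=2` alongside `-O2`. Also note that `-fanalyzer` is a GCC-only flag, so `CC ?= gcc` cannot in practice be overridden with clang.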
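Review bot: In amd-sev-support.c the extended leaf 0x8000001F is queried unconditionally; there is no check that the CPU implements it (CPUID leaf 0x80000000 returns the highest supported extended leaf in EAX) and no vendor check, so on a CPU without this leaf the register contents decoded into `sev_support`, `cbitpos` and `reduced_phys_bits` are not meaningful, yet the program still writes them to /run/amd-sev-params as if valid. Suggest querying 0x80000000 first and emitting `"sev": false` (or exiting non-zero without writing the file) when EAX is below 0x8000001F. Two smaller points in the same hunk: the CPUID bits only tell whether the hardware supports SEV/SEV-ES/SEV-SNP, not whether they are enabled by firmware or by the kvm_amd module, so the commit message's "verifies that ... are enabled" overstates what the JSON keys mean; and the file is written in place with `fopen(..., "w")`, so a consumer started between `fopen` and `fclose` can read an empty or partial document. Writing to a temporary file in /run and `rename()`-ing it over /run/amd-sev-params, and checking the return values of `fprintf` and `fclose` (currently ignored), would make the output atomic and surface write errors.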
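Review bot: In amd-sev-support.service, `Type=forking` does not match the program, which runs to completion and exits without forking; systemd will look for a daemonised main process that never exists. Use `Type=oneshot` together with `RemainAfterExit=yes` so that the `Before=pve-ha-lrm.service` and `Before=pve-guests.service` ordering actually waits for /run/amd-sev-params to be written before guests are started. Since the program only needs to write to /run, the unit could also carry `ProtectSystem=strict` with `ReadWritePaths=/run` and `PrivateTmp=yes` at no functional cost.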