From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id 9632C1FF15F for ; Mon, 18 Nov 2024 12:17:41 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id DB4BDE0CF; Mon, 18 Nov 2024 12:17:44 +0100 (CET) From: Markus Frank To: pve-devel@lists.proxmox.com Date: Mon, 18 Nov 2024 12:16:57 +0100 Message-Id: <20241118111700.110077-3-m.frank@proxmox.com> X-Mailer: git-send-email 2.39.5 In-Reply-To: <20241118111700.110077-1-m.frank@proxmox.com> References: <20241118111700.110077-1-m.frank@proxmox.com> MIME-Version: 1.0 X-SPAM-LEVEL: Spam detection results: 0 AWL -0.022 Adjusted score from AWL reputation of 
From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: [pve-devel] [PATCH qemu-server v13 2/5] config: add AMD SEV support X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox VE development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pve-devel-bounces@lists.proxmox.com Sender: "pve-devel" This patch is for enabling AMD SEV (Secure Encrypted Virtualization) support in QEMU. VM-Config-Examples: amd-sev: type=std,no-debug=1,no-key-sharing=1 amd-sev: es,no-debug=1,kernel-hashes=1 kernel-hashes, reduced-phys-bits & cbitpos correspond to the variables with the same name in QEMU. kernel-hashes=1 adds kernel hashes to enable measured linux kernel launch since it is off by default for backward compatibility. reduced-phys-bits and cbitpos are system specific and are read out by the query-machine-capabilities C program and saved to the /run/qemu-server/host-hw-capabilities.json file. This file is parsed and then used by qemu-server to correctly start an AMD SEV VM. type=std stands for standard sev to differentiate it from sev-es (es) or sev-snp (snp) when support is upstream. QEMU's sev-guest policy gets calculated with the parameters no-debug & no-key-sharing. These parameters correspond to policy-bits 0 & 1. If type is 'es', then policy-bit 2 gets set to 1 to activate SEV-ES. Policy bit 3 (nosend) is always set to 1, because migration features for sev are not upstream yet and are attackable. SEV-ES is highly experimental since it could not be tested. See the related doc patch. 
Signed-off-by: Markus Frank
Reviewed-by: Fiona Ebner
---
 PVE/QemuServer.pm | 13 +++++-
 PVE/QemuServer/CPUConfig.pm | 87 ++++++++++++++++++++++++++++++++++++-
 2 files changed, 98 insertions(+), 2 deletions(-)
diff --git a/PVE/QemuServer.pm b/PVE/QemuServer.pm
index 8da1b4d2..a3446c3d 100644
--- a/PVE/QemuServer.pm
+++ b/PVE/QemuServer.pm
@@ -54,7 +54,7 @@ use PVE::QemuConfig;
 use PVE::QemuServer::Helpers qw(config_aware_timeout min_version windows_version);
 use PVE::QemuServer::Cloudinit;
 use PVE::QemuServer::CGroup;
-use PVE::QemuServer::CPUConfig qw(print_cpu_device get_cpu_options get_cpu_bitness is_native_arch);
+use PVE::QemuServer::CPUConfig qw(print_cpu_device get_cpu_options get_cpu_bitness is_native_arch get_amd_sev_object);
 use PVE::QemuServer::Drive qw(is_valid_drivename drive_is_cloudinit drive_is_cdrom drive_is_read_only parse_drive print_drive);
 use PVE::QemuServer::Machine;
 use PVE::QemuServer::Memory qw(get_current_memory);
@@ -359,6 +359,12 @@ my $confdesc = {
 description => "Memory properties.",
 format => $PVE::QemuServer::Memory::memory_fmt
 },
+ 'amd-sev' => {
+ description => "Secure Encrypted Virtualization (SEV) features by AMD CPUs",
+ optional => 1,
+ format => 'pve-qemu-sev-fmt',
+ type => 'string',
+ },
 balloon => {
 optional => 1,
 type => 'integer',
@@ -4167,6 +4173,11 @@ sub config_to_command {
 }
 }
+ if ($conf->{'amd-sev'}) {
+ push @$devices, '-object', get_amd_sev_object($conf->{'amd-sev'}, $conf->{bios});
+ push @$machineFlags, 'confidential-guest-support=sev0';
+ }
+
 push @$cmd, @$devices;
 push @$cmd, '-rtc', join(',', @$rtcFlags) if scalar(@$rtcFlags);
 push @$cmd, '-machine', join(',', @$machineFlags) if scalar(@$machineFlags);
diff --git a/PVE/QemuServer/CPUConfig.pm b/PVE/QemuServer/CPUConfig.pm
index 33f7524f..e65d8c26 100644
--- a/PVE/QemuServer/CPUConfig.pm
+++ b/PVE/QemuServer/CPUConfig.pm 
@@ -3,9 +3,11 @@ package PVE::QemuServer::CPUConfig;
 use strict;
 use warnings;
+use JSON;
+
 use PVE::JSONSchema;
 use PVE::Cluster qw(cfs_register_file cfs_read_file);
-use PVE::Tools qw(get_host_arch);
+use PVE::Tools qw(run_command get_host_arch);
 use PVE::QemuServer::Helpers qw(min_version);
 use base qw(PVE::SectionConfig Exporter);
@@ -15,6 +17,7 @@ print_cpu_device
 get_cpu_options
 get_cpu_bitness
 is_native_arch
+get_amd_sev_object
 );
 # under certain race-conditions, this module might be loaded before pve-cluster
@@ -225,6 +228,37 @@ my $cpu_fmt = {
 },
 };
+my $sev_fmt = {
+ type => {
+ description => "Enable standard SEV with type='std' or enable"
+ ." experimental SEV-ES with the 'es' option.",
+ type => 'string',
+ default_key => 1,
+ format_description => "sev-type",
+ enum => ['std', 'es'],
+ maxLength => 3,
+ },
+ 'no-debug' => {
+ description => "Sets policy bit 0 to 1 to disallow debugging of guest",
+ type => 'boolean',
+ default => 0,
+ optional => 1,
+ },
+ 'no-key-sharing' => {
+ description => "Sets policy bit 1 to 1 to disallow key sharing with other guests",
+ type => 'boolean',
+ default => 0,
+ optional => 1,
+ },
+ "kernel-hashes" => {
+ description => "Add kernel hashes to guest firmware for measured linux kernel launch",
+ type => 'boolean',
+ default => 0,
+ optional => 1,
+ },
+};
+PVE::JSONSchema::register_format('pve-qemu-sev-fmt', $sev_fmt);
+
 PVE::JSONSchema::register_format('pve-phys-bits', \&parse_phys_bits);
 sub parse_phys_bits {
 my ($str, $noerr) = @_; 
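Review bot: In the import hunk at the top of CPUConfig.pm, `run_command` is added to the `PVE::Tools` import list, but none of the hunks visible in this patch call it. The new `get_hw_capabilities` reads its file through the fully qualified `PVE::Tools::file_get_contents`, so as far as this patch shows the line could stay `use PVE::Tools qw(get_host_arch);`. If a later patch in the series needs `run_command`, the import would fit better there.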
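Review bot: In `$sev_fmt`, `no-debug` and `no-key-sharing` both default to 0, so a guest configured with only `type=std` starts with policy bits 0 and 1 clear, and the descriptions say only what setting each option does. With bit 0 clear the guest policy still permits the host to use the SEV debug interface on guest memory, which someone enabling memory encryption is unlikely to expect. I would state the unset case in the option text, e.g. `description => "Sets policy bit 0 to 1 to disallow debugging of guest. If unset, the host may use the SEV debug interface to access guest memory."`, give `no-key-sharing` the same treatment, or consider making the restrictive values the default.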
@@ -773,6 +807,57 @@ sub get_cpu_bitness {
 die "unsupported architecture '$arch'\n";
 }
+sub get_hw_capabilities {
+ # Get reduced-phys-bits & cbitpos from host-hw-capabilities.json
+ # TODO: Find better location than /run/qemu-server/
+ my $filename = '/run/qemu-server/host-hw-capabilities.json';
+ if (! -e $filename) {
+ die "$filename does not exist. Please check the status of query-machine-capabilities: "
+ ."systemctl status query-machine-capabilities\n";
+ }
+ my $json_text = PVE::Tools::file_get_contents($filename);
+ ($json_text) = $json_text =~ /(.*)/; # untaint json text
+ my $hw_capabilities = eval { decode_json($json_text) };
+ if (my $err = $@) {
+ die $err;
+ }
+ return $hw_capabilities;
+}
+
+sub get_amd_sev_object {
+ my ($amd_sev, $bios) = @_;
+
+ my $amd_sev_conf = PVE::JSONSchema::parse_property_string($sev_fmt, $amd_sev);
+ my $sev_hw_caps = get_hw_capabilities()->{'amd-sev'};
+
+ if (!$sev_hw_caps->{'sev-support'}) {
+ die "Your CPU does not support AMD SEV.\n";
+ }
+ if ($amd_sev_conf->{type} eq 'es' && !$sev_hw_caps->{'sev-support-es'}) {
+ die "Your CPU does not support AMD SEV-ES.\n";
+ }
+ if (!$bios || $bios ne 'ovmf') {
+ die "To use AMD SEV, you need to change the BIOS to OVMF.\n";
+ }
+
+ my $sev_mem_object = 'sev-guest,id=sev0';
+ $sev_mem_object .= ',cbitpos='.$sev_hw_caps->{cbitpos};
+ $sev_mem_object .= ',reduced-phys-bits='.$sev_hw_caps->{'reduced-phys-bits'};
+
+ # guest policy bit calculation as described here:
+ # https://documentation.suse.com/sles/15-SP5/html/SLES-amd-sev/article-amd-sev.html#table-guestpolicy
+ my $policy = 0b0000;
+ $policy += 0b0001 if $amd_sev_conf->{'no-debug'};
+ $policy += 0b0010 if $amd_sev_conf->{'no-key-sharing'};
+ $policy += 0b0100 if $amd_sev_conf->{type} eq 'es';
+ # disable migration with bit 3 nosend to prevent amd-sev-migration-attack
+ $policy += 0b1000;
+
+ $sev_mem_object .= ',policy='.sprintf("%#x", $policy);
+ $sev_mem_object .= ',kernel-hashes=on' if ($amd_sev_conf->{'kernel-hashes'});
+ return $sev_mem_object;
+}
+
 __PACKAGE__->register();
 __PACKAGE__->init();
-- 2.39.5 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
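Review bot: `get_amd_sev_object` appends `$sev_hw_caps->{cbitpos}` and `$sev_hw_caps->{'reduced-phys-bits'}` to the `sev-guest` object string exactly as they come out of the JSON file, with no check that they are present and numeric. A missing key yields `cbitpos=` plus an uninitialized-value warning, and a string value containing a comma would add further properties to the object, so both should be validated as unsigned integers before use, as in the block below. In `get_hw_capabilities`, the untaint match `/(.*)/` has no `/s` and therefore keeps only the first line of the file; that works only while the helper writes the JSON on one line, and `/\A(.*)\z/s` would not depend on it. Both functions are added in full by this hunk.

```perl
    my $sev_hw_caps = get_hw_capabilities()->{'amd-sev'};
    # … unchanged: sev-support, sev-support-es and OVMF checks …
    for my $key (qw(cbitpos reduced-phys-bits)) {
        my $value = $sev_hw_caps->{$key};
        die "host hardware capabilities: missing or invalid '$key'\n"
            if !defined($value) || $value !~ /\A[0-9]+\z/;
    }

    my $sev_mem_object = 'sev-guest,id=sev0';
```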