From mboxrd@z Thu Jan 1 00:00:00 1970
From: Thomas Lamprecht
To: Proxmox VE development discussion, Markus Frank
Date: Sun, 17 Nov 2024 19:49:17 +0100
Subject: Re: [pve-devel] [PATCH qemu-server v12 3/6] config: add AMD SEV support
Message-ID: <5829b642-0524-4776-b0ba-ac26b673e181@proxmox.com>
In-Reply-To: <20241111135713.212601-4-m.frank@proxmox.com>
References: <20241111135713.212601-1-m.frank@proxmox.com> <20241111135713.212601-4-m.frank@proxmox.com>

On 11.11.24 at 14:57, Markus Frank wrote: > This patch is for enabling AMD SEV (Secure Encrypted Virtualization) > support in QEMU. > > VM-Config-Examples: > amd_sev: type=std,no-debug=1,no-key-sharing=1 > amd_sev: es,no-debug=1,kernel-hashes=1 > > kernel-hashes, reduced-phys-bits & cbitpos correspond to the variables > with the same name in QEMU. > > kernel-hashes=1 adds kernel hashes to enable measured linux kernel > launch since it is per default off for backward compatibility. > > reduced-phys-bits and cbitpos are system specific and are read out by > the query-machine-capabilities c program and saved to the > /run/qemu-server/host-hw-capabilities.json file. 
This file is parsed > and then used by qemu-server to correctly start an AMD SEV VM. > > type=std stands for standard sev to differentiate it from sev-es (es) > or sev-snp (snp) when support is upstream. > > QEMU's sev-guest policy gets calculated with the parameters no-debug > & no-key-sharing. These parameters correspond to policy-bits 0 & 1. > If type is 'es' then policy-bit 2 gets set to 1 to activate SEV-ES. > Policy bit 3 (nosend) is always set to 1, because migration features > for sev are not upstream yet and are attackable. > > SEV-ES is highly experimental since it could not be tested. > > see coherent doc patch looks mostly OK, some more minor stuff inline > > Signed-off-by: Markus Frank > Reviewed-by: Fiona Ebner > --- > changes v12: > * an eval for decode_json() > * get_amd_sev_object: use the three properties as parameters instead of > the whole config > * removed efidisk check, as it is obsolete > * small perl style changes > > PVE/QemuServer.pm | 13 +++++- > PVE/QemuServer/CPUConfig.pm | 88 ++++++++++++++++++++++++++++++++++++- > 2 files changed, 99 insertions(+), 2 deletions(-) > > diff --git a/PVE/QemuServer.pm b/PVE/QemuServer.pm > index 0df3bda0..dd6ae93f 100644 > --- a/PVE/QemuServer.pm > +++ b/PVE/QemuServer.pm > @@ -53,7 +53,7 @@ use PVE::QemuConfig; > use PVE::QemuServer::Helpers qw(config_aware_timeout min_version windows_version); > use PVE::QemuServer::Cloudinit; > use PVE::QemuServer::CGroup; > -use PVE::QemuServer::CPUConfig qw(print_cpu_device get_cpu_options get_cpu_bitness is_native_arch); > +use PVE::QemuServer::CPUConfig qw(print_cpu_device get_cpu_options get_cpu_bitness is_native_arch get_amd_sev_object); > use PVE::QemuServer::Drive qw(is_valid_drivename drive_is_cloudinit drive_is_cdrom drive_is_read_only parse_drive print_drive); > use PVE::QemuServer::Machine; > use PVE::QemuServer::Memory qw(get_current_memory); 
> @@ -358,6 +358,12 @@ my $confdesc = { > description => "Memory properties.", > format => $PVE::QemuServer::Memory::memory_fmt > }, > + amd_sev => { as of now this can be named 'amd-sev' > + description => "Secure Encrypted Virtualization (SEV) features by AMD CPUs", > + optional => 1, > + format => 'pve-qemu-sev-fmt', > + type => 'string', > + }, > balloon => { > optional => 1, > type => 'integer', > @@ -4159,6 +4165,11 @@ sub config_to_command { > } > } > > + if ($conf->{amd_sev}) { > + push @$devices, '-object', get_amd_sev_object($conf->{amd_sev}, $conf->{bios}, $conf->{efidisk0}); > + push @$machineFlags, 'confidential-guest-support=sev0'; > + } > + > push @$cmd, @$devices; > push @$cmd, '-rtc', join(',', @$rtcFlags) if scalar(@$rtcFlags); > push @$cmd, '-machine', join(',', @$machineFlags) if scalar(@$machineFlags); > diff --git a/PVE/QemuServer/CPUConfig.pm b/PVE/QemuServer/CPUConfig.pm > index 33f7524f..5110b37e 100644 > --- a/PVE/QemuServer/CPUConfig.pm > +++ b/PVE/QemuServer/CPUConfig.pm > @@ -3,9 +3,11 @@ package PVE::QemuServer::CPUConfig; > use strict; > use warnings; > > +use JSON; > + > use PVE::JSONSchema; > use PVE::Cluster qw(cfs_register_file cfs_read_file); > -use PVE::Tools qw(get_host_arch); > +use PVE::Tools qw(run_command get_host_arch); > use PVE::QemuServer::Helpers qw(min_version); > > use base qw(PVE::SectionConfig Exporter); > @@ -15,6 +17,7 @@ print_cpu_device > get_cpu_options > get_cpu_bitness > is_native_arch > +get_amd_sev_object > ); > > # under certain race-conditions, this module might be loaded before pve-cluster 
> @@ -225,6 +228,37 @@ my $cpu_fmt = { > }, > }; > > +my $sev_fmt = { > + type => { > + description => "Enable standard SEV with type='std' or enable" > + ." experimental SEV-ES with the 'es' option.", > + type => 'string', > + default_key => 1, > + format_description => "sev-type", > + enum => ['std', 'es'], > + maxLength => 3, > + }, > + 'no-debug' => { > + description => "Sets policy bit 0 to 1 to disallow debugging of guest", > + type => 'boolean', > + default => 0, > + optional => 1, > + }, > + 'no-key-sharing' => { > + description => "Sets policy bit 1 to 1 to disallow key sharing with other guests", > + type => 'boolean', > + default => 0, > + optional => 1, > + }, > + "kernel-hashes" => { > + description => "Add kernel hashes to guest firmware for measured linux kernel launch", > + type => 'boolean', > + default => 0, > + optional => 1, > + }, > +}; > +PVE::JSONSchema::register_format('pve-qemu-sev-fmt', $sev_fmt); > + > PVE::JSONSchema::register_format('pve-phys-bits', \&parse_phys_bits); > sub parse_phys_bits { > my ($str, $noerr) = @_; 
> @@ -773,6 +807,58 @@ sub get_cpu_bitness { > die "unsupported architecture '$arch'\n"; > } > > +sub get_hw_capabilities { > + # Get reduced-phys-bits & cbitpos from host-hw-capabilities.json > + my $filename = '/run/qemu-server/host-hw-capabilities.json'; hmm, rethinking this it might be good to move that to somewhere accessible for non-root, but can be done also in the future. > + if (! -e $filename) { > + run_command("/usr/libexec/qemu-server/query-machine-capabilities"); maybe once at boot through a systemd service file could be nicer than this a bit subtle way. > + } > + my $json_text = PVE::Tools::file_get_contents($filename); > + ($json_text) = $json_text =~ /(.*)/; # untaint json text > + my $hw_capabilities; > + eval { > + $hw_capabilities = decode_json($json_text); > + }; can be shortened to: my $hw_capabilities = eval { decode_json($json_text) }; > + if (my $err = $@) { > + die $err; > + } > + return $hw_capabilities; > +} > + > +sub get_amd_sev_object { > + my ($amd_sev, $bios, $efidisk0) = @_; > + > + my $amd_sev_conf = PVE::JSONSchema::parse_property_string($sev_fmt, $amd_sev); > + my $sev_hw_caps = get_hw_capabilities()->{'amd-sev'}; > + > + if (!$sev_hw_caps->{'sev-support'}) { > + die "Your CPU does not support AMD SEV.\n"; > + } > + if ($amd_sev_conf->{type} eq 'es' && !$sev_hw_caps->{'sev-support-es'}) { > + die "Your CPU does not support AMD SEV-ES.\n"; > + } > + if (!$bios || ($bios && $bios ne 'ovmf')) { In general `!a || (a && b) == !a || b` so above can be shortened to if (!$bios || $bios ne 'ovmf') { # ... 
> + die "To use AMD SEV, you need to change the BIOS to OVMF.\n"; > + } > + > + my $sev_mem_object = 'sev-guest,id=sev0'; > + $sev_mem_object .= ',cbitpos='.$sev_hw_caps->{cbitpos}; > + $sev_mem_object .= ',reduced-phys-bits='.$sev_hw_caps->{'reduced-phys-bits'}; > + > + # guest policy bit calculation as described here: > + # https://documentation.suse.com/sles/15-SP5/html/SLES-amd-sev/article-amd-sev.html#table-guestpolicy > + my $policy = 0b0000; > + $policy += 0b0001 if $amd_sev_conf->{'no-debug'}; > + $policy += 0b0010 if $amd_sev_conf->{'no-key-sharing'}; > + $policy += 0b0100 if $amd_sev_conf->{type} eq 'es'; > + # disable migration with bit 3 nosend to prevent amd-sev-migration-attack > + $policy += 0b1000; > + > + $sev_mem_object .= ',policy='.sprintf("%#x", $policy); > + $sev_mem_object .= ',kernel-hashes=on' if ($amd_sev_conf->{'kernel-hashes'}); > + return $sev_mem_object; > +} > + > __PACKAGE__->register(); > __PACKAGE__->init(); >
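
Review bot: in the config_to_command hunk of PVE/QemuServer.pm, the call get_amd_sev_object($conf->{amd_sev}, $conf->{bios}, $conf->{efidisk0}) still passes efidisk0, and get_amd_sev_object unpacks it as $efidisk0 but never reads it, while the v12 changelog says the efidisk check was removed. Drop the third argument from the call and from `my ($amd_sev, $bios, $efidisk0) = @_;` so the signature matches what the function actually uses.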
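
Review bot: in the $sev_fmt hunk, 'no-debug' and 'no-key-sharing' both carry default => 0, so a config such as `amd_sev: type=std` produces a guest policy that leaves debugging and key sharing permitted, and the descriptions only say what setting the option does. State in each description what leaving the option unset means for the guest, or consider making the restrictive value the default. Minor: maxLength => 3 on type is redundant next to the enum, and "kernel-hashes" is double-quoted where the other keys use single quotes.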
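
Review bot: in get_hw_capabilities, `($json_text) = $json_text =~ /(.*)/;` untaints whatever the file holds without validating it, and since `.` does not match a newline without /s it keeps only the first line if the JSON is ever written on more than one line. get_amd_sev_object then concatenates $sev_hw_caps->{cbitpos} and $sev_hw_caps->{'reduced-phys-bits'} directly into the comma-separated sev-guest object string. After decode_json, check that both values are plain integers (for example against /^\d+$/) and die with a clear message otherwise. Minor: the policy flags are combined with +=, where |= states the bit intent and cannot carry into a neighbouring bit if a flag is ever applied twice.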