sev.c (38844B)
1 /* 2 * QEMU SEV support 3 * 4 * Copyright Advanced Micro Devices 2016-2018 5 * 6 * Author: 7 * Brijesh Singh <brijesh.singh@amd.com> 8 * 9 * This work is licensed under the terms of the GNU GPL, version 2 or later. 10 * See the COPYING file in the top-level directory. 11 * 12 */ 13 14 #include "qemu/osdep.h" 15 16 #include <linux/kvm.h> 17 #include <linux/psp-sev.h> 18 19 #include <sys/ioctl.h> 20 21 #include "qapi/error.h" 22 #include "qom/object_interfaces.h" 23 #include "qemu/base64.h" 24 #include "qemu/module.h" 25 #include "qemu/uuid.h" 26 #include "crypto/hash.h" 27 #include "sysemu/kvm.h" 28 #include "sev.h" 29 #include "sysemu/sysemu.h" 30 #include "sysemu/runstate.h" 31 #include "trace.h" 32 #include "migration/blocker.h" 33 #include "qom/object.h" 34 #include "monitor/monitor.h" 35 #include "monitor/hmp-target.h" 36 #include "qapi/qapi-commands-misc-target.h" 37 #include "qapi/qmp/qerror.h" 38 #include "exec/confidential-guest-support.h" 39 #include "hw/i386/pc.h" 40 #include "exec/address-spaces.h" 41 42 #define TYPE_SEV_GUEST "sev-guest" 43 OBJECT_DECLARE_SIMPLE_TYPE(SevGuestState, SEV_GUEST) 44 45 46 /** 47 * SevGuestState: 48 * 49 * The SevGuestState object is used for creating and managing a SEV 50 * guest. 51 * 52 * # $QEMU \ 53 * -object sev-guest,id=sev0 \ 54 * -machine ...,memory-encryption=sev0 55 */ 56 struct SevGuestState { 57 ConfidentialGuestSupport parent_obj; 58 59 /* configuration parameters */ 60 char *sev_device; 61 uint32_t policy; 62 char *dh_cert_file; 63 char *session_file; 64 uint32_t cbitpos; 65 uint32_t reduced_phys_bits; 66 bool kernel_hashes; 67 68 /* runtime state */ 69 uint32_t handle; 70 uint8_t api_major; 71 uint8_t api_minor; 72 uint8_t build_id; 73 int sev_fd; 74 SevState state; 75 gchar *measurement; 76 77 uint32_t reset_cs; 78 uint32_t reset_ip; 79 bool reset_data_valid; 80 }; 81 82 #define DEFAULT_GUEST_POLICY 0x1 /* disable debug */ 83 #define DEFAULT_SEV_DEVICE "/dev/sev" 84 85 #define SEV_INFO_BLOCK_GUID "00f771de-1a7e-4fcb-890e-68c77e2fb44e" 86 typedef struct __attribute__((__packed__)) SevInfoBlock { 87 /* SEV-ES Reset Vector Address */ 88 uint32_t reset_addr; 89 } SevInfoBlock; 90 91 #define SEV_HASH_TABLE_RV_GUID "7255371f-3a3b-4b04-927b-1da6efa8d454" 92 typedef struct QEMU_PACKED SevHashTableDescriptor { 93 /* SEV hash table area guest address */ 94 uint32_t base; 95 /* SEV hash table area size (in bytes) */ 96 uint32_t size; 97 } SevHashTableDescriptor; 98 99 /* hard code sha256 digest size */ 100 #define HASH_SIZE 32 101 102 typedef struct QEMU_PACKED SevHashTableEntry { 103 QemuUUID guid; 104 uint16_t len; 105 uint8_t hash[HASH_SIZE]; 106 } SevHashTableEntry; 107 108 typedef struct QEMU_PACKED SevHashTable { 109 QemuUUID guid; 110 uint16_t len; 111 SevHashTableEntry cmdline; 112 SevHashTableEntry initrd; 113 SevHashTableEntry kernel; 114 } SevHashTable; 115 116 /* 117 * Data encrypted by sev_encrypt_flash() must be padded to a multiple of 118 * 16 bytes. 119 */ 120 typedef struct QEMU_PACKED PaddedSevHashTable { 121 SevHashTable ht; 122 uint8_t padding[ROUND_UP(sizeof(SevHashTable), 16) - sizeof(SevHashTable)]; 123 } PaddedSevHashTable; 124 125 QEMU_BUILD_BUG_ON(sizeof(PaddedSevHashTable) % 16 != 0); 126 127 static SevGuestState *sev_guest; 128 static Error *sev_mig_blocker; 129 130 static const char *const sev_fw_errlist[] = { 131 [SEV_RET_SUCCESS] = "", 132 [SEV_RET_INVALID_PLATFORM_STATE] = "Platform state is invalid", 133 [SEV_RET_INVALID_GUEST_STATE] = "Guest state is invalid", 134 [SEV_RET_INAVLID_CONFIG] = "Platform configuration is invalid", 135 [SEV_RET_INVALID_LEN] = "Buffer too small", 136 [SEV_RET_ALREADY_OWNED] = "Platform is already owned", 137 [SEV_RET_INVALID_CERTIFICATE] = "Certificate is invalid", 138 [SEV_RET_POLICY_FAILURE] = "Policy is not allowed", 139 [SEV_RET_INACTIVE] = "Guest is not active", 140 [SEV_RET_INVALID_ADDRESS] = "Invalid address", 141 [SEV_RET_BAD_SIGNATURE] = "Bad signature", 142 [SEV_RET_BAD_MEASUREMENT] = "Bad measurement", 143 [SEV_RET_ASID_OWNED] = "ASID is already owned", 144 [SEV_RET_INVALID_ASID] = "Invalid ASID", 145 [SEV_RET_WBINVD_REQUIRED] = "WBINVD is required", 146 [SEV_RET_DFFLUSH_REQUIRED] = "DF_FLUSH is required", 147 [SEV_RET_INVALID_GUEST] = "Guest handle is invalid", 148 [SEV_RET_INVALID_COMMAND] = "Invalid command", 149 [SEV_RET_ACTIVE] = "Guest is active", 150 [SEV_RET_HWSEV_RET_PLATFORM] = "Hardware error", 151 [SEV_RET_HWSEV_RET_UNSAFE] = "Hardware unsafe", 152 [SEV_RET_UNSUPPORTED] = "Feature not supported", 153 [SEV_RET_INVALID_PARAM] = "Invalid parameter", 154 [SEV_RET_RESOURCE_LIMIT] = "Required firmware resource depleted", 155 [SEV_RET_SECURE_DATA_INVALID] = "Part-specific integrity check failure", 156 }; 157 158 #define SEV_FW_MAX_ERROR ARRAY_SIZE(sev_fw_errlist) 159 160 static int 161 sev_ioctl(int fd, int cmd, void *data, int *error) 162 { 163 int r; 164 struct kvm_sev_cmd input; 165 166 memset(&input, 0x0, sizeof(input)); 167 168 input.id = cmd; 169 input.sev_fd = fd; 170 input.data = (__u64)(unsigned long)data; 171 172 r = kvm_vm_ioctl(kvm_state, KVM_MEMORY_ENCRYPT_OP, &input); 173 174 if (error) { 175 *error = input.error; 176 } 177 178 return r; 179 } 180 181 static int 182 sev_platform_ioctl(int fd, int cmd, void *data, int *error) 183 { 184 int r; 185 struct sev_issue_cmd arg; 186 187 arg.cmd = cmd; 188 arg.data = (unsigned long)data; 189 r = ioctl(fd, SEV_ISSUE_CMD, &arg); 190 if (error) { 191 *error = arg.error; 192 } 193 194 return r; 195 } 196 197 static const char * 198 fw_error_to_str(int code) 199 { 200 if (code < 0 || code >= SEV_FW_MAX_ERROR) { 201 return "unknown error"; 202 } 203 204 return sev_fw_errlist[code]; 205 } 206 207 static bool 208 sev_check_state(const SevGuestState *sev, SevState state) 209 { 210 assert(sev); 211 return sev->state == state ? true : false; 212 } 213 214 static void 215 sev_set_guest_state(SevGuestState *sev, SevState new_state) 216 { 217 assert(new_state < SEV_STATE__MAX); 218 assert(sev); 219 220 trace_kvm_sev_change_state(SevState_str(sev->state), 221 SevState_str(new_state)); 222 sev->state = new_state; 223 } 224 225 static void 226 sev_ram_block_added(RAMBlockNotifier *n, void *host, size_t size, 227 size_t max_size) 228 { 229 int r; 230 struct kvm_enc_region range; 231 ram_addr_t offset; 232 MemoryRegion *mr; 233 234 /* 235 * The RAM device presents a memory region that should be treated 236 * as IO region and should not be pinned. 237 */ 238 mr = memory_region_from_host(host, &offset); 239 if (mr && memory_region_is_ram_device(mr)) { 240 return; 241 } 242 243 range.addr = (__u64)(unsigned long)host; 244 range.size = max_size; 245 246 trace_kvm_memcrypt_register_region(host, max_size); 247 r = kvm_vm_ioctl(kvm_state, KVM_MEMORY_ENCRYPT_REG_REGION, &range); 248 if (r) { 249 error_report("%s: failed to register region (%p+%#zx) error '%s'", 250 __func__, host, max_size, strerror(errno)); 251 exit(1); 252 } 253 } 254 255 static void 256 sev_ram_block_removed(RAMBlockNotifier *n, void *host, size_t size, 257 size_t max_size) 258 { 259 int r; 260 struct kvm_enc_region range; 261 ram_addr_t offset; 262 MemoryRegion *mr; 263 264 /* 265 * The RAM device presents a memory region that should be treated 266 * as IO region and should not have been pinned. 267 */ 268 mr = memory_region_from_host(host, &offset); 269 if (mr && memory_region_is_ram_device(mr)) { 270 return; 271 } 272 273 range.addr = (__u64)(unsigned long)host; 274 range.size = max_size; 275 276 trace_kvm_memcrypt_unregister_region(host, max_size); 277 r = kvm_vm_ioctl(kvm_state, KVM_MEMORY_ENCRYPT_UNREG_REGION, &range); 278 if (r) { 279 error_report("%s: failed to unregister region (%p+%#zx)", 280 __func__, host, max_size); 281 } 282 } 283 284 static struct RAMBlockNotifier sev_ram_notifier = { 285 .ram_block_added = sev_ram_block_added, 286 .ram_block_removed = sev_ram_block_removed, 287 }; 288 289 static void 290 sev_guest_finalize(Object *obj) 291 { 292 } 293 294 static char * 295 sev_guest_get_session_file(Object *obj, Error **errp) 296 { 297 SevGuestState *s = SEV_GUEST(obj); 298 299 return s->session_file ? g_strdup(s->session_file) : NULL; 300 } 301 302 static void 303 sev_guest_set_session_file(Object *obj, const char *value, Error **errp) 304 { 305 SevGuestState *s = SEV_GUEST(obj); 306 307 s->session_file = g_strdup(value); 308 } 309 310 static char * 311 sev_guest_get_dh_cert_file(Object *obj, Error **errp) 312 { 313 SevGuestState *s = SEV_GUEST(obj); 314 315 return g_strdup(s->dh_cert_file); 316 } 317 318 static void 319 sev_guest_set_dh_cert_file(Object *obj, const char *value, Error **errp) 320 { 321 SevGuestState *s = SEV_GUEST(obj); 322 323 s->dh_cert_file = g_strdup(value); 324 } 325 326 static char * 327 sev_guest_get_sev_device(Object *obj, Error **errp) 328 { 329 SevGuestState *sev = SEV_GUEST(obj); 330 331 return g_strdup(sev->sev_device); 332 } 333 334 static void 335 sev_guest_set_sev_device(Object *obj, const char *value, Error **errp) 336 { 337 SevGuestState *sev = SEV_GUEST(obj); 338 339 sev->sev_device = g_strdup(value); 340 } 341 342 static bool sev_guest_get_kernel_hashes(Object *obj, Error **errp) 343 { 344 SevGuestState *sev = SEV_GUEST(obj); 345 346 return sev->kernel_hashes; 347 } 348 349 static void sev_guest_set_kernel_hashes(Object *obj, bool value, Error **errp) 350 { 351 SevGuestState *sev = SEV_GUEST(obj); 352 353 sev->kernel_hashes = value; 354 } 355 356 static void 357 sev_guest_class_init(ObjectClass *oc, void *data) 358 { 359 object_class_property_add_str(oc, "sev-device", 360 sev_guest_get_sev_device, 361 sev_guest_set_sev_device); 362 object_class_property_set_description(oc, "sev-device", 363 "SEV device to use"); 364 object_class_property_add_str(oc, "dh-cert-file", 365 sev_guest_get_dh_cert_file, 366 sev_guest_set_dh_cert_file); 367 object_class_property_set_description(oc, "dh-cert-file", 368 "guest owners DH certificate (encoded with base64)"); 369 object_class_property_add_str(oc, "session-file", 370 sev_guest_get_session_file, 371 sev_guest_set_session_file); 372 object_class_property_set_description(oc, "session-file", 373 "guest owners session parameters (encoded with base64)"); 374 object_class_property_add_bool(oc, "kernel-hashes", 375 sev_guest_get_kernel_hashes, 376 sev_guest_set_kernel_hashes); 377 object_class_property_set_description(oc, "kernel-hashes", 378 "add kernel hashes to guest firmware for measured Linux boot"); 379 } 380 381 static void 382 sev_guest_instance_init(Object *obj) 383 { 384 SevGuestState *sev = SEV_GUEST(obj); 385 386 sev->sev_device = g_strdup(DEFAULT_SEV_DEVICE); 387 sev->policy = DEFAULT_GUEST_POLICY; 388 object_property_add_uint32_ptr(obj, "policy", &sev->policy, 389 OBJ_PROP_FLAG_READWRITE); 390 object_property_add_uint32_ptr(obj, "handle", &sev->handle, 391 OBJ_PROP_FLAG_READWRITE); 392 object_property_add_uint32_ptr(obj, "cbitpos", &sev->cbitpos, 393 OBJ_PROP_FLAG_READWRITE); 394 object_property_add_uint32_ptr(obj, "reduced-phys-bits", 395 &sev->reduced_phys_bits, 396 OBJ_PROP_FLAG_READWRITE); 397 } 398 399 /* sev guest info */ 400 static const TypeInfo sev_guest_info = { 401 .parent = TYPE_CONFIDENTIAL_GUEST_SUPPORT, 402 .name = TYPE_SEV_GUEST, 403 .instance_size = sizeof(SevGuestState), 404 .instance_finalize = sev_guest_finalize, 405 .class_init = sev_guest_class_init, 406 .instance_init = sev_guest_instance_init, 407 .interfaces = (InterfaceInfo[]) { 408 { TYPE_USER_CREATABLE }, 409 { } 410 } 411 }; 412 413 bool 414 sev_enabled(void) 415 { 416 return !!sev_guest; 417 } 418 419 bool 420 sev_es_enabled(void) 421 { 422 return sev_enabled() && (sev_guest->policy & SEV_POLICY_ES); 423 } 424 425 uint32_t 426 sev_get_cbit_position(void) 427 { 428 return sev_guest ? sev_guest->cbitpos : 0; 429 } 430 431 uint32_t 432 sev_get_reduced_phys_bits(void) 433 { 434 return sev_guest ? sev_guest->reduced_phys_bits : 0; 435 } 436 437 static SevInfo *sev_get_info(void) 438 { 439 SevInfo *info; 440 441 info = g_new0(SevInfo, 1); 442 info->enabled = sev_enabled(); 443 444 if (info->enabled) { 445 info->api_major = sev_guest->api_major; 446 info->api_minor = sev_guest->api_minor; 447 info->build_id = sev_guest->build_id; 448 info->policy = sev_guest->policy; 449 info->state = sev_guest->state; 450 info->handle = sev_guest->handle; 451 } 452 453 return info; 454 } 455 456 SevInfo *qmp_query_sev(Error **errp) 457 { 458 SevInfo *info; 459 460 info = sev_get_info(); 461 if (!info) { 462 error_setg(errp, "SEV feature is not available"); 463 return NULL; 464 } 465 466 return info; 467 } 468 469 void hmp_info_sev(Monitor *mon, const QDict *qdict) 470 { 471 SevInfo *info = sev_get_info(); 472 473 if (info && info->enabled) { 474 monitor_printf(mon, "handle: %d\n", info->handle); 475 monitor_printf(mon, "state: %s\n", SevState_str(info->state)); 476 monitor_printf(mon, "build: %d\n", info->build_id); 477 monitor_printf(mon, "api version: %d.%d\n", 478 info->api_major, info->api_minor); 479 monitor_printf(mon, "debug: %s\n", 480 info->policy & SEV_POLICY_NODBG ? "off" : "on"); 481 monitor_printf(mon, "key-sharing: %s\n", 482 info->policy & SEV_POLICY_NOKS ? "off" : "on"); 483 } else { 484 monitor_printf(mon, "SEV is not enabled\n"); 485 } 486 487 qapi_free_SevInfo(info); 488 } 489 490 static int 491 sev_get_pdh_info(int fd, guchar **pdh, size_t *pdh_len, guchar **cert_chain, 492 size_t *cert_chain_len, Error **errp) 493 { 494 guchar *pdh_data = NULL; 495 guchar *cert_chain_data = NULL; 496 struct sev_user_data_pdh_cert_export export = {}; 497 int err, r; 498 499 /* query the certificate length */ 500 r = sev_platform_ioctl(fd, SEV_PDH_CERT_EXPORT, &export, &err); 501 if (r < 0) { 502 if (err != SEV_RET_INVALID_LEN) { 503 error_setg(errp, "SEV: Failed to export PDH cert" 504 " ret=%d fw_err=%d (%s)", 505 r, err, fw_error_to_str(err)); 506 return 1; 507 } 508 } 509 510 pdh_data = g_new(guchar, export.pdh_cert_len); 511 cert_chain_data = g_new(guchar, export.cert_chain_len); 512 export.pdh_cert_address = (unsigned long)pdh_data; 513 export.cert_chain_address = (unsigned long)cert_chain_data; 514 515 r = sev_platform_ioctl(fd, SEV_PDH_CERT_EXPORT, &export, &err); 516 if (r < 0) { 517 error_setg(errp, "SEV: Failed to export PDH cert ret=%d fw_err=%d (%s)", 518 r, err, fw_error_to_str(err)); 519 goto e_free; 520 } 521 522 *pdh = pdh_data; 523 *pdh_len = export.pdh_cert_len; 524 *cert_chain = cert_chain_data; 525 *cert_chain_len = export.cert_chain_len; 526 return 0; 527 528 e_free: 529 g_free(pdh_data); 530 g_free(cert_chain_data); 531 return 1; 532 } 533 534 static int sev_get_cpu0_id(int fd, guchar **id, size_t *id_len, Error **errp) 535 { 536 guchar *id_data; 537 struct sev_user_data_get_id2 get_id2 = {}; 538 int err, r; 539 540 /* query the ID length */ 541 r = sev_platform_ioctl(fd, SEV_GET_ID2, &get_id2, &err); 542 if (r < 0 && err != SEV_RET_INVALID_LEN) { 543 error_setg(errp, "SEV: Failed to get ID ret=%d fw_err=%d (%s)", 544 r, err, fw_error_to_str(err)); 545 return 1; 546 } 547 548 id_data = g_new(guchar, get_id2.length); 549 get_id2.address = (unsigned long)id_data; 550 551 r = sev_platform_ioctl(fd, SEV_GET_ID2, &get_id2, &err); 552 if (r < 0) { 553 error_setg(errp, "SEV: Failed to get ID ret=%d fw_err=%d (%s)", 554 r, err, fw_error_to_str(err)); 555 goto err; 556 } 557 558 *id = id_data; 559 *id_len = get_id2.length; 560 return 0; 561 562 err: 563 g_free(id_data); 564 return 1; 565 } 566 567 static SevCapability *sev_get_capabilities(Error **errp) 568 { 569 SevCapability *cap = NULL; 570 guchar *pdh_data = NULL; 571 guchar *cert_chain_data = NULL; 572 guchar *cpu0_id_data = NULL; 573 size_t pdh_len = 0, cert_chain_len = 0, cpu0_id_len = 0; 574 uint32_t ebx; 575 int fd; 576 577 if (!kvm_enabled()) { 578 error_setg(errp, "KVM not enabled"); 579 return NULL; 580 } 581 if (kvm_vm_ioctl(kvm_state, KVM_MEMORY_ENCRYPT_OP, NULL) < 0) { 582 error_setg(errp, "SEV is not enabled in KVM"); 583 return NULL; 584 } 585 586 fd = open(DEFAULT_SEV_DEVICE, O_RDWR); 587 if (fd < 0) { 588 error_setg_errno(errp, errno, "SEV: Failed to open %s", 589 DEFAULT_SEV_DEVICE); 590 return NULL; 591 } 592 593 if (sev_get_pdh_info(fd, &pdh_data, &pdh_len, 594 &cert_chain_data, &cert_chain_len, errp)) { 595 goto out; 596 } 597 598 if (sev_get_cpu0_id(fd, &cpu0_id_data, &cpu0_id_len, errp)) { 599 goto out; 600 } 601 602 cap = g_new0(SevCapability, 1); 603 cap->pdh = g_base64_encode(pdh_data, pdh_len); 604 cap->cert_chain = g_base64_encode(cert_chain_data, cert_chain_len); 605 cap->cpu0_id = g_base64_encode(cpu0_id_data, cpu0_id_len); 606 607 host_cpuid(0x8000001F, 0, NULL, &ebx, NULL, NULL); 608 cap->cbitpos = ebx & 0x3f; 609 610 /* 611 * When SEV feature is enabled, we loose one bit in guest physical 612 * addressing. 613 */ 614 cap->reduced_phys_bits = 1; 615 616 out: 617 g_free(cpu0_id_data); 618 g_free(pdh_data); 619 g_free(cert_chain_data); 620 close(fd); 621 return cap; 622 } 623 624 SevCapability *qmp_query_sev_capabilities(Error **errp) 625 { 626 return sev_get_capabilities(errp); 627 } 628 629 static SevAttestationReport *sev_get_attestation_report(const char *mnonce, 630 Error **errp) 631 { 632 struct kvm_sev_attestation_report input = {}; 633 SevAttestationReport *report = NULL; 634 SevGuestState *sev = sev_guest; 635 g_autofree guchar *data = NULL; 636 g_autofree guchar *buf = NULL; 637 gsize len; 638 int err = 0, ret; 639 640 if (!sev_enabled()) { 641 error_setg(errp, "SEV is not enabled"); 642 return NULL; 643 } 644 645 /* lets decode the mnonce string */ 646 buf = g_base64_decode(mnonce, &len); 647 if (!buf) { 648 error_setg(errp, "SEV: failed to decode mnonce input"); 649 return NULL; 650 } 651 652 /* verify the input mnonce length */ 653 if (len != sizeof(input.mnonce)) { 654 error_setg(errp, "SEV: mnonce must be %zu bytes (got %" G_GSIZE_FORMAT ")", 655 sizeof(input.mnonce), len); 656 return NULL; 657 } 658 659 /* Query the report length */ 660 ret = sev_ioctl(sev->sev_fd, KVM_SEV_GET_ATTESTATION_REPORT, 661 &input, &err); 662 if (ret < 0) { 663 if (err != SEV_RET_INVALID_LEN) { 664 error_setg(errp, "SEV: Failed to query the attestation report" 665 " length ret=%d fw_err=%d (%s)", 666 ret, err, fw_error_to_str(err)); 667 return NULL; 668 } 669 } 670 671 data = g_malloc(input.len); 672 input.uaddr = (unsigned long)data; 673 memcpy(input.mnonce, buf, sizeof(input.mnonce)); 674 675 /* Query the report */ 676 ret = sev_ioctl(sev->sev_fd, KVM_SEV_GET_ATTESTATION_REPORT, 677 &input, &err); 678 if (ret) { 679 error_setg_errno(errp, errno, "SEV: Failed to get attestation report" 680 " ret=%d fw_err=%d (%s)", ret, err, fw_error_to_str(err)); 681 return NULL; 682 } 683 684 report = g_new0(SevAttestationReport, 1); 685 report->data = g_base64_encode(data, input.len); 686 687 trace_kvm_sev_attestation_report(mnonce, report->data); 688 689 return report; 690 } 691 692 SevAttestationReport *qmp_query_sev_attestation_report(const char *mnonce, 693 Error **errp) 694 { 695 return sev_get_attestation_report(mnonce, errp); 696 } 697 698 static int 699 sev_read_file_base64(const char *filename, guchar **data, gsize *len) 700 { 701 gsize sz; 702 g_autofree gchar *base64 = NULL; 703 GError *error = NULL; 704 705 if (!g_file_get_contents(filename, &base64, &sz, &error)) { 706 error_report("SEV: Failed to read '%s' (%s)", filename, error->message); 707 g_error_free(error); 708 return -1; 709 } 710 711 *data = g_base64_decode(base64, len); 712 return 0; 713 } 714 715 static int 716 sev_launch_start(SevGuestState *sev) 717 { 718 gsize sz; 719 int ret = 1; 720 int fw_error, rc; 721 struct kvm_sev_launch_start start = { 722 .handle = sev->handle, .policy = sev->policy 723 }; 724 guchar *session = NULL, *dh_cert = NULL; 725 726 if (sev->session_file) { 727 if (sev_read_file_base64(sev->session_file, &session, &sz) < 0) { 728 goto out; 729 } 730 start.session_uaddr = (unsigned long)session; 731 start.session_len = sz; 732 } 733 734 if (sev->dh_cert_file) { 735 if (sev_read_file_base64(sev->dh_cert_file, &dh_cert, &sz) < 0) { 736 goto out; 737 } 738 start.dh_uaddr = (unsigned long)dh_cert; 739 start.dh_len = sz; 740 } 741 742 trace_kvm_sev_launch_start(start.policy, session, dh_cert); 743 rc = sev_ioctl(sev->sev_fd, KVM_SEV_LAUNCH_START, &start, &fw_error); 744 if (rc < 0) { 745 error_report("%s: LAUNCH_START ret=%d fw_error=%d '%s'", 746 __func__, ret, fw_error, fw_error_to_str(fw_error)); 747 goto out; 748 } 749 750 sev_set_guest_state(sev, SEV_STATE_LAUNCH_UPDATE); 751 sev->handle = start.handle; 752 ret = 0; 753 754 out: 755 g_free(session); 756 g_free(dh_cert); 757 return ret; 758 } 759 760 static int 761 sev_launch_update_data(SevGuestState *sev, uint8_t *addr, uint64_t len) 762 { 763 int ret, fw_error; 764 struct kvm_sev_launch_update_data update; 765 766 if (!addr || !len) { 767 return 1; 768 } 769 770 update.uaddr = (__u64)(unsigned long)addr; 771 update.len = len; 772 trace_kvm_sev_launch_update_data(addr, len); 773 ret = sev_ioctl(sev->sev_fd, KVM_SEV_LAUNCH_UPDATE_DATA, 774 &update, &fw_error); 775 if (ret) { 776 error_report("%s: LAUNCH_UPDATE ret=%d fw_error=%d '%s'", 777 __func__, ret, fw_error, fw_error_to_str(fw_error)); 778 } 779 780 return ret; 781 } 782 783 static int 784 sev_launch_update_vmsa(SevGuestState *sev) 785 { 786 int ret, fw_error; 787 788 ret = sev_ioctl(sev->sev_fd, KVM_SEV_LAUNCH_UPDATE_VMSA, NULL, &fw_error); 789 if (ret) { 790 error_report("%s: LAUNCH_UPDATE_VMSA ret=%d fw_error=%d '%s'", 791 __func__, ret, fw_error, fw_error_to_str(fw_error)); 792 } 793 794 return ret; 795 } 796 797 static void 798 sev_launch_get_measure(Notifier *notifier, void *unused) 799 { 800 SevGuestState *sev = sev_guest; 801 int ret, error; 802 g_autofree guchar *data = NULL; 803 struct kvm_sev_launch_measure measurement = {}; 804 805 if (!sev_check_state(sev, SEV_STATE_LAUNCH_UPDATE)) { 806 return; 807 } 808 809 if (sev_es_enabled()) { 810 /* measure all the VM save areas before getting launch_measure */ 811 ret = sev_launch_update_vmsa(sev); 812 if (ret) { 813 exit(1); 814 } 815 } 816 817 /* query the measurement blob length */ 818 ret = sev_ioctl(sev->sev_fd, KVM_SEV_LAUNCH_MEASURE, 819 &measurement, &error); 820 if (!measurement.len) { 821 error_report("%s: LAUNCH_MEASURE ret=%d fw_error=%d '%s'", 822 __func__, ret, error, fw_error_to_str(errno)); 823 return; 824 } 825 826 data = g_new0(guchar, measurement.len); 827 measurement.uaddr = (unsigned long)data; 828 829 /* get the measurement blob */ 830 ret = sev_ioctl(sev->sev_fd, KVM_SEV_LAUNCH_MEASURE, 831 &measurement, &error); 832 if (ret) { 833 error_report("%s: LAUNCH_MEASURE ret=%d fw_error=%d '%s'", 834 __func__, ret, error, fw_error_to_str(errno)); 835 return; 836 } 837 838 sev_set_guest_state(sev, SEV_STATE_LAUNCH_SECRET); 839 840 /* encode the measurement value and emit the event */ 841 sev->measurement = g_base64_encode(data, measurement.len); 842 trace_kvm_sev_launch_measurement(sev->measurement); 843 } 844 845 static char *sev_get_launch_measurement(void) 846 { 847 if (sev_guest && 848 sev_guest->state >= SEV_STATE_LAUNCH_SECRET) { 849 return g_strdup(sev_guest->measurement); 850 } 851 852 return NULL; 853 } 854 855 SevLaunchMeasureInfo *qmp_query_sev_launch_measure(Error **errp) 856 { 857 char *data; 858 SevLaunchMeasureInfo *info; 859 860 data = sev_get_launch_measurement(); 861 if (!data) { 862 error_setg(errp, "SEV launch measurement is not available"); 863 return NULL; 864 } 865 866 info = g_malloc0(sizeof(*info)); 867 info->data = data; 868 869 return info; 870 } 871 872 static Notifier sev_machine_done_notify = { 873 .notify = sev_launch_get_measure, 874 }; 875 876 static void 877 sev_launch_finish(SevGuestState *sev) 878 { 879 int ret, error; 880 881 trace_kvm_sev_launch_finish(); 882 ret = sev_ioctl(sev->sev_fd, KVM_SEV_LAUNCH_FINISH, 0, &error); 883 if (ret) { 884 error_report("%s: LAUNCH_FINISH ret=%d fw_error=%d '%s'", 885 __func__, ret, error, fw_error_to_str(error)); 886 exit(1); 887 } 888 889 sev_set_guest_state(sev, SEV_STATE_RUNNING); 890 891 /* add migration blocker */ 892 error_setg(&sev_mig_blocker, 893 "SEV: Migration is not implemented"); 894 migrate_add_blocker(sev_mig_blocker, &error_fatal); 895 } 896 897 static void 898 sev_vm_state_change(void *opaque, bool running, RunState state) 899 { 900 SevGuestState *sev = opaque; 901 902 if (running) { 903 if (!sev_check_state(sev, SEV_STATE_RUNNING)) { 904 sev_launch_finish(sev); 905 } 906 } 907 } 908 909 int sev_kvm_init(ConfidentialGuestSupport *cgs, Error **errp) 910 { 911 SevGuestState *sev 912 = (SevGuestState *)object_dynamic_cast(OBJECT(cgs), TYPE_SEV_GUEST); 913 char *devname; 914 int ret, fw_error, cmd; 915 uint32_t ebx; 916 uint32_t host_cbitpos; 917 struct sev_user_data_status status = {}; 918 919 if (!sev) { 920 return 0; 921 } 922 923 ret = ram_block_discard_disable(true); 924 if (ret) { 925 error_report("%s: cannot disable RAM discard", __func__); 926 return -1; 927 } 928 929 sev_guest = sev; 930 sev->state = SEV_STATE_UNINIT; 931 932 host_cpuid(0x8000001F, 0, NULL, &ebx, NULL, NULL); 933 host_cbitpos = ebx & 0x3f; 934 935 if (host_cbitpos != sev->cbitpos) { 936 error_setg(errp, "%s: cbitpos check failed, host '%d' requested '%d'", 937 __func__, host_cbitpos, sev->cbitpos); 938 goto err; 939 } 940 941 if (sev->reduced_phys_bits < 1) { 942 error_setg(errp, "%s: reduced_phys_bits check failed, it should be >=1," 943 " requested '%d'", __func__, sev->reduced_phys_bits); 944 goto err; 945 } 946 947 devname = object_property_get_str(OBJECT(sev), "sev-device", NULL); 948 sev->sev_fd = open(devname, O_RDWR); 949 if (sev->sev_fd < 0) { 950 error_setg(errp, "%s: Failed to open %s '%s'", __func__, 951 devname, strerror(errno)); 952 g_free(devname); 953 goto err; 954 } 955 g_free(devname); 956 957 ret = sev_platform_ioctl(sev->sev_fd, SEV_PLATFORM_STATUS, &status, 958 &fw_error); 959 if (ret) { 960 error_setg(errp, "%s: failed to get platform status ret=%d " 961 "fw_error='%d: %s'", __func__, ret, fw_error, 962 fw_error_to_str(fw_error)); 963 goto err; 964 } 965 sev->build_id = status.build; 966 sev->api_major = status.api_major; 967 sev->api_minor = status.api_minor; 968 969 if (sev_es_enabled()) { 970 if (!kvm_kernel_irqchip_allowed()) { 971 error_report("%s: SEV-ES guests require in-kernel irqchip support", 972 __func__); 973 goto err; 974 } 975 976 if (!(status.flags & SEV_STATUS_FLAGS_CONFIG_ES)) { 977 error_report("%s: guest policy requires SEV-ES, but " 978 "host SEV-ES support unavailable", 979 __func__); 980 goto err; 981 } 982 cmd = KVM_SEV_ES_INIT; 983 } else { 984 cmd = KVM_SEV_INIT; 985 } 986 987 trace_kvm_sev_init(); 988 ret = sev_ioctl(sev->sev_fd, cmd, NULL, &fw_error); 989 if (ret) { 990 error_setg(errp, "%s: failed to initialize ret=%d fw_error=%d '%s'", 991 __func__, ret, fw_error, fw_error_to_str(fw_error)); 992 goto err; 993 } 994 995 ret = sev_launch_start(sev); 996 if (ret) { 997 error_setg(errp, "%s: failed to create encryption context", __func__); 998 goto err; 999 } 1000 1001 ram_block_notifier_add(&sev_ram_notifier); 1002 qemu_add_machine_init_done_notifier(&sev_machine_done_notify); 1003 qemu_add_vm_change_state_handler(sev_vm_state_change, sev); 1004 1005 cgs->ready = true; 1006 1007 return 0; 1008 err: 1009 sev_guest = NULL; 1010 ram_block_discard_disable(false); 1011 return -1; 1012 } 1013 1014 int 1015 sev_encrypt_flash(uint8_t *ptr, uint64_t len, Error **errp) 1016 { 1017 if (!sev_guest) { 1018 return 0; 1019 } 1020 1021 /* if SEV is in update state then encrypt the data else do nothing */ 1022 if (sev_check_state(sev_guest, SEV_STATE_LAUNCH_UPDATE)) { 1023 int ret = sev_launch_update_data(sev_guest, ptr, len); 1024 if (ret < 0) { 1025 error_setg(errp, "SEV: Failed to encrypt pflash rom"); 1026 return ret; 1027 } 1028 } 1029 1030 return 0; 1031 } 1032 1033 int sev_inject_launch_secret(const char *packet_hdr, const char *secret, 1034 uint64_t gpa, Error **errp) 1035 { 1036 struct kvm_sev_launch_secret input; 1037 g_autofree guchar *data = NULL, *hdr = NULL; 1038 int error, ret = 1; 1039 void *hva; 1040 gsize hdr_sz = 0, data_sz = 0; 1041 MemoryRegion *mr = NULL; 1042 1043 if (!sev_guest) { 1044 error_setg(errp, "SEV not enabled for guest"); 1045 return 1; 1046 } 1047 1048 /* secret can be injected only in this state */ 1049 if (!sev_check_state(sev_guest, SEV_STATE_LAUNCH_SECRET)) { 1050 error_setg(errp, "SEV: Not in correct state. (LSECRET) %x", 1051 sev_guest->state); 1052 return 1; 1053 } 1054 1055 hdr = g_base64_decode(packet_hdr, &hdr_sz); 1056 if (!hdr || !hdr_sz) { 1057 error_setg(errp, "SEV: Failed to decode sequence header"); 1058 return 1; 1059 } 1060 1061 data = g_base64_decode(secret, &data_sz); 1062 if (!data || !data_sz) { 1063 error_setg(errp, "SEV: Failed to decode data"); 1064 return 1; 1065 } 1066 1067 hva = gpa2hva(&mr, gpa, data_sz, errp); 1068 if (!hva) { 1069 error_prepend(errp, "SEV: Failed to calculate guest address: "); 1070 return 1; 1071 } 1072 1073 input.hdr_uaddr = (uint64_t)(unsigned long)hdr; 1074 input.hdr_len = hdr_sz; 1075 1076 input.trans_uaddr = (uint64_t)(unsigned long)data; 1077 input.trans_len = data_sz; 1078 1079 input.guest_uaddr = (uint64_t)(unsigned long)hva; 1080 input.guest_len = data_sz; 1081 1082 trace_kvm_sev_launch_secret(gpa, input.guest_uaddr, 1083 input.trans_uaddr, input.trans_len); 1084 1085 ret = sev_ioctl(sev_guest->sev_fd, KVM_SEV_LAUNCH_SECRET, 1086 &input, &error); 1087 if (ret) { 1088 error_setg(errp, "SEV: failed to inject secret ret=%d fw_error=%d '%s'", 1089 ret, error, fw_error_to_str(error)); 1090 return ret; 1091 } 1092 1093 return 0; 1094 } 1095 1096 #define SEV_SECRET_GUID "4c2eb361-7d9b-4cc3-8081-127c90d3d294" 1097 struct sev_secret_area { 1098 uint32_t base; 1099 uint32_t size; 1100 }; 1101 1102 void qmp_sev_inject_launch_secret(const char *packet_hdr, 1103 const char *secret, 1104 bool has_gpa, uint64_t gpa, 1105 Error **errp) 1106 { 1107 if (!sev_enabled()) { 1108 error_setg(errp, "SEV not enabled for guest"); 1109 return; 1110 } 1111 if (!has_gpa) { 1112 uint8_t *data; 1113 struct sev_secret_area *area; 1114 1115 if (!pc_system_ovmf_table_find(SEV_SECRET_GUID, &data, NULL)) { 1116 error_setg(errp, "SEV: no secret area found in OVMF," 1117 " gpa must be specified."); 1118 return; 1119 } 1120 area = (struct sev_secret_area *)data; 1121 gpa = area->base; 1122 } 1123 1124 sev_inject_launch_secret(packet_hdr, secret, gpa, errp); 1125 } 1126 1127 static int 1128 sev_es_parse_reset_block(SevInfoBlock *info, uint32_t *addr) 1129 { 1130 if (!info->reset_addr) { 1131 error_report("SEV-ES reset address is zero"); 1132 return 1; 1133 } 1134 1135 *addr = info->reset_addr; 1136 1137 return 0; 1138 } 1139 1140 static int 1141 sev_es_find_reset_vector(void *flash_ptr, uint64_t flash_size, 1142 uint32_t *addr) 1143 { 1144 QemuUUID info_guid, *guid; 1145 SevInfoBlock *info; 1146 uint8_t *data; 1147 uint16_t *len; 1148 1149 /* 1150 * Initialize the address to zero. An address of zero with a successful 1151 * return code indicates that SEV-ES is not active. 1152 */ 1153 *addr = 0; 1154 1155 /* 1156 * Extract the AP reset vector for SEV-ES guests by locating the SEV GUID. 1157 * The SEV GUID is located on its own (original implementation) or within 1158 * the Firmware GUID Table (new implementation), either of which are 1159 * located 32 bytes from the end of the flash. 1160 * 1161 * Check the Firmware GUID Table first. 1162 */ 1163 if (pc_system_ovmf_table_find(SEV_INFO_BLOCK_GUID, &data, NULL)) { 1164 return sev_es_parse_reset_block((SevInfoBlock *)data, addr); 1165 } 1166 1167 /* 1168 * SEV info block not found in the Firmware GUID Table (or there isn't 1169 * a Firmware GUID Table), fall back to the original implementation. 1170 */ 1171 data = flash_ptr + flash_size - 0x20; 1172 1173 qemu_uuid_parse(SEV_INFO_BLOCK_GUID, &info_guid); 1174 info_guid = qemu_uuid_bswap(info_guid); /* GUIDs are LE */ 1175 1176 guid = (QemuUUID *)(data - sizeof(info_guid)); 1177 if (!qemu_uuid_is_equal(guid, &info_guid)) { 1178 error_report("SEV information block/Firmware GUID Table block not found in pflash rom"); 1179 return 1; 1180 } 1181 1182 len = (uint16_t *)((uint8_t *)guid - sizeof(*len)); 1183 info = (SevInfoBlock *)(data - le16_to_cpu(*len)); 1184 1185 return sev_es_parse_reset_block(info, addr); 1186 } 1187 1188 void sev_es_set_reset_vector(CPUState *cpu) 1189 { 1190 X86CPU *x86; 1191 CPUX86State *env; 1192 1193 /* Only update if we have valid reset information */ 1194 if (!sev_guest || !sev_guest->reset_data_valid) { 1195 return; 1196 } 1197 1198 /* Do not update the BSP reset state */ 1199 if (cpu->cpu_index == 0) { 1200 return; 1201 } 1202 1203 x86 = X86_CPU(cpu); 1204 env = &x86->env; 1205 1206 cpu_x86_load_seg_cache(env, R_CS, 0xf000, sev_guest->reset_cs, 0xffff, 1207 DESC_P_MASK | DESC_S_MASK | DESC_CS_MASK | 1208 DESC_R_MASK | DESC_A_MASK); 1209 1210 env->eip = sev_guest->reset_ip; 1211 } 1212 1213 int sev_es_save_reset_vector(void *flash_ptr, uint64_t flash_size) 1214 { 1215 CPUState *cpu; 1216 uint32_t addr; 1217 int ret; 1218 1219 if (!sev_es_enabled()) { 1220 return 0; 1221 } 1222 1223 addr = 0; 1224 ret = sev_es_find_reset_vector(flash_ptr, flash_size, 1225 &addr); 1226 if (ret) { 1227 return ret; 1228 } 1229 1230 if (addr) { 1231 sev_guest->reset_cs = addr & 0xffff0000; 1232 sev_guest->reset_ip = addr & 0x0000ffff; 1233 sev_guest->reset_data_valid = true; 1234 1235 CPU_FOREACH(cpu) { 1236 sev_es_set_reset_vector(cpu); 1237 } 1238 } 1239 1240 return 0; 1241 } 1242 1243 static const QemuUUID sev_hash_table_header_guid = { 1244 .data = UUID_LE(0x9438d606, 0x4f22, 0x4cc9, 0xb4, 0x79, 0xa7, 0x93, 1245 0xd4, 0x11, 0xfd, 0x21) 1246 }; 1247 1248 static const QemuUUID sev_kernel_entry_guid = { 1249 .data = UUID_LE(0x4de79437, 0xabd2, 0x427f, 0xb8, 0x35, 0xd5, 0xb1, 1250 0x72, 0xd2, 0x04, 0x5b) 1251 }; 1252 static const QemuUUID sev_initrd_entry_guid = { 1253 .data = UUID_LE(0x44baf731, 0x3a2f, 0x4bd7, 0x9a, 0xf1, 0x41, 0xe2, 1254 0x91, 0x69, 0x78, 0x1d) 1255 }; 1256 static const QemuUUID sev_cmdline_entry_guid = { 1257 .data = UUID_LE(0x97d02dd8, 0xbd20, 0x4c94, 0xaa, 0x78, 0xe7, 0x71, 1258 0x4d, 0x36, 0xab, 0x2a) 1259 }; 1260 1261 /* 1262 * Add the hashes of the linux kernel/initrd/cmdline to an encrypted guest page 1263 * which is included in SEV's initial memory measurement. 1264 */ 1265 bool sev_add_kernel_loader_hashes(SevKernelLoaderContext *ctx, Error **errp) 1266 { 1267 uint8_t *data; 1268 SevHashTableDescriptor *area; 1269 SevHashTable *ht; 1270 PaddedSevHashTable *padded_ht; 1271 uint8_t cmdline_hash[HASH_SIZE]; 1272 uint8_t initrd_hash[HASH_SIZE]; 1273 uint8_t kernel_hash[HASH_SIZE]; 1274 uint8_t *hashp; 1275 size_t hash_len = HASH_SIZE; 1276 hwaddr mapped_len = sizeof(*padded_ht); 1277 MemTxAttrs attrs = { 0 }; 1278 bool ret = true; 1279 1280 /* 1281 * Only add the kernel hashes if the sev-guest configuration explicitly 1282 * stated kernel-hashes=on. 1283 */ 1284 if (!sev_guest->kernel_hashes) { 1285 return false; 1286 } 1287 1288 if (!pc_system_ovmf_table_find(SEV_HASH_TABLE_RV_GUID, &data, NULL)) { 1289 error_setg(errp, "SEV: kernel specified but guest firmware " 1290 "has no hashes table GUID"); 1291 return false; 1292 } 1293 area = (SevHashTableDescriptor *)data; 1294 if (!area->base || area->size < sizeof(PaddedSevHashTable)) { 1295 error_setg(errp, "SEV: guest firmware hashes table area is invalid " 1296 "(base=0x%x size=0x%x)", area->base, area->size); 1297 return false; 1298 } 1299 1300 /* 1301 * Calculate hash of kernel command-line with the terminating null byte. If 1302 * the user doesn't supply a command-line via -append, the 1-byte "\0" will 1303 * be used. 1304 */ 1305 hashp = cmdline_hash; 1306 if (qcrypto_hash_bytes(QCRYPTO_HASH_ALG_SHA256, ctx->cmdline_data, 1307 ctx->cmdline_size, &hashp, &hash_len, errp) < 0) { 1308 return false; 1309 } 1310 assert(hash_len == HASH_SIZE); 1311 1312 /* 1313 * Calculate hash of initrd. If the user doesn't supply an initrd via 1314 * -initrd, an empty buffer will be used (ctx->initrd_size == 0). 1315 */ 1316 hashp = initrd_hash; 1317 if (qcrypto_hash_bytes(QCRYPTO_HASH_ALG_SHA256, ctx->initrd_data, 1318 ctx->initrd_size, &hashp, &hash_len, errp) < 0) { 1319 return false; 1320 } 1321 assert(hash_len == HASH_SIZE); 1322 1323 /* Calculate hash of the kernel */ 1324 hashp = kernel_hash; 1325 struct iovec iov[2] = { 1326 { .iov_base = ctx->setup_data, .iov_len = ctx->setup_size }, 1327 { .iov_base = ctx->kernel_data, .iov_len = ctx->kernel_size } 1328 }; 1329 if (qcrypto_hash_bytesv(QCRYPTO_HASH_ALG_SHA256, iov, ARRAY_SIZE(iov), 1330 &hashp, &hash_len, errp) < 0) { 1331 return false; 1332 } 1333 assert(hash_len == HASH_SIZE); 1334 1335 /* 1336 * Populate the hashes table in the guest's memory at the OVMF-designated 1337 * area for the SEV hashes table 1338 */ 1339 padded_ht = address_space_map(&address_space_memory, area->base, 1340 &mapped_len, true, attrs); 1341 if (!padded_ht || mapped_len != sizeof(*padded_ht)) { 1342 error_setg(errp, "SEV: cannot map hashes table guest memory area"); 1343 return false; 1344 } 1345 ht = &padded_ht->ht; 1346 1347 ht->guid = sev_hash_table_header_guid; 1348 ht->len = sizeof(*ht); 1349 1350 ht->cmdline.guid = sev_cmdline_entry_guid; 1351 ht->cmdline.len = sizeof(ht->cmdline); 1352 memcpy(ht->cmdline.hash, cmdline_hash, sizeof(ht->cmdline.hash)); 1353 1354 ht->initrd.guid = sev_initrd_entry_guid; 1355 ht->initrd.len = sizeof(ht->initrd); 1356 memcpy(ht->initrd.hash, initrd_hash, sizeof(ht->initrd.hash)); 1357 1358 ht->kernel.guid = sev_kernel_entry_guid; 1359 ht->kernel.len = sizeof(ht->kernel); 1360 memcpy(ht->kernel.hash, kernel_hash, sizeof(ht->kernel.hash)); 1361 1362 /* zero the excess data so the measurement can be reliably calculated */ 1363 memset(padded_ht->padding, 0, sizeof(padded_ht->padding)); 1364 1365 if (sev_encrypt_flash((uint8_t *)padded_ht, sizeof(*padded_ht), errp) < 0) { 1366 ret = false; 1367 } 1368 1369 address_space_unmap(&address_space_memory, padded_ht, 1370 mapped_len, true, mapped_len); 1371 1372 return ret; 1373 } 1374 1375 static void 1376 sev_register_types(void) 1377 { 1378 type_register_static(&sev_guest_info); 1379 } 1380 1381 type_init(sev_register_types);