Re: [RFC Part2 PATCH v3 01/26] Documentation/virtual/kvm: Add AMD Secure Encrypted Virtualization (SEV)
From: Borislav Petkov
Date: Tue Sep 05 2017 - 13:21:47 EST
On Mon, Jul 24, 2017 at 03:02:38PM -0500, Brijesh Singh wrote:
> Create a Documentation entry to describe the AMD Secure Encrypted
> Virtualization (SEV) feature.
>
> Signed-off-by: Brijesh Singh <brijesh.singh@xxxxxxx>
> ---
> .../virtual/kvm/amd-memory-encryption.txt | 328 +++++++++++++++++++++
> 1 file changed, 328 insertions(+)
> create mode 100644 Documentation/virtual/kvm/amd-memory-encryption.txt
>
> diff --git a/Documentation/virtual/kvm/amd-memory-encryption.txt b/Documentation/virtual/kvm/amd-memory-encryption.txt
> new file mode 100644
> index 0000000..cffed2d
> --- /dev/null
> +++ b/Documentation/virtual/kvm/amd-memory-encryption.txt
You need to add this new file to Documentation/virtual/kvm/00-INDEX
> @@ -0,0 +1,328 @@
> +Secure Encrypted Virtualization (SEV) is a feature found on AMD processors.
> +
> +SEV is an extension to the AMD-V architecture which supports running virtual
> +machine (VMs) under the control of a hypervisor. When enabled, the memory
"machines"
> +contents of VM will be transparently encrypted with a key unique to the VM.
> +
> +Hypervisor can determine the SEV support through the CPUID instruction. The CPUID
> +function 0x8000001f reports information related to SEV:
> +
> + 0x8000001f[eax]:
> + Bit[1] indicates support for SEV
> +
> + 0x8000001f[ecx]:
0x8000001f[eax]:
Bit[1]
... [ecx]:
Bits[31:0]
looks more compact to me and shows quicker that it is the same CPUID
leaf, just different reg.
While at it, you can do that to
Documentation/x86/amd-memory-encryption.txt too and now that I look at
it, 0x800001f[eax]: is short one 0.
> + Bits[31:0] Number of encrypted guest supported simultaneously
guests
> +
> +If support for SEV is present, MSR 0xc00100010 (MSR_K8_SYSCFG) and MSR
0xc0010010
there's one 0 too many in yours. Also, write it 0xc001_0010, with the
4-digit help bar.
> +0xc0000015 (MSR_K7_HWCR_SMMLOCK) can be used to determine if it can be enabled:
Do you mean 0xc0010015 (MSR_K7_HWCR) here? Because the MSR is
#define MSR_K7_HWCR 0xc0010015
That MSR_K7_HWCR_SMMLOCK is bit 0 in it.
> +
> + 0xc00100010:
that's 9 hex digits
> + Bit[23] 0 = memory encryption can be enabled
> + 0 = memory encryption can not be enabled
^-- one of those needs to be 1b :-)
> +
> + 0xc00010015:
Ditto.
> + Bit[0] 0 = memory encryption can not be enabled
> + 1 = memory encryption can be enabled
> +
> +When SEV support is available, it can be enabled on specific VM during the VMRUN
s/on/in a/
and not "during the VMRUN... " but say "by setting SEV bit ... before
executing VMRUN."
> +instruction by setting SEV bit in VMCB offset 090h:
> +
> + VMCB offset 090h:
I guess
VMCB[0x90]
?
> + Bit[1] 1 = Enable SEV
> +
> +SEV hardware uses ASIDs to associate memory encryption key with the guest VMs.
"...to associate a memory encryption key with a VM."
> +Hence the ASID for the SEV-enabled guests must be from 1 to a maximum value
"Hence, ..."
> +defined through the CPUID function 0x8000001f[ECX].
"defined in the CPUID ... field."
Also, s/ECX/ecx/ as you're using small letters for register names
consistently so far.
> +
> +
> +SEV Key Management
> +------------------
> +
> +The Key management for the SEV guest is handled by a seperate processor known as
WARNING: 'seperate' may be misspelled - perhaps 'separate'?
#74: FILE: Documentation/virtual/kvm/amd-memory-encryption.txt:41:
+The Key management for the SEV guest is handled by a seperate processor known as
Run them all through a spellchecker pls.
> +the AMD Secure Processor (AMD-SP). Firmware running inside the AMD-SP provides a
> +secure key management interface to perform common hypervisor activities such as
> +encrypting bootstrap code, snapshotting, migrating and debugging the guest. For
> +more informaiton, see SEV Key Management spec:
^^^^^^^^^^^
This looks misspelled too but I caught it and not checkpatch!
Meh, what good is that thing - it can't even catch all typos?! :-\
> +
> +http://support.amd.com/TechDocs/55766_SEV-KM%20API_Specification.pdf
<--- here you can add an introductory sentence or two:
"KVM implements the following commands to support SEV guests... " and so on.
Also, the userspace API is documented in
Documentation/virtual/kvm/api.txt. Shouldn't those be there too, to have
them in one place?
> +
> +1. KVM_SEV_LAUNCH_START
> +
> +Parameters: struct kvm_sev_launch_start (in/out)
> +Returns: 0 on success, -negative on error
> +
> +LAUNCH_START command is used to bootstrap a guest by encrypting its memory with
"The KVM_SEV_LAUNCH_START command ... "
> +a new VM Encryption Key (VEK). In order to create guest context, hypervisor should
the
You need to start using (in-)definite articles in your sentences - text reads
strange now. Or should I say *the* text reads strange now? :-)
> +provide guest policy, owners public diffie-hellman (PDH) key and session parameters.
^ ^ ^
a the owner's Diffie-Hellman
or owners'. There are more occurrences of this below.
> +
> +The guest policy constrains the use and features activated for the lifetime of the
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Please rewrite that - I can only try guessing what it means.
> +launched guest, such as disallowing debugging, enabling key sharing, or turning on
> +other SEV related features.
"SEV-related"
> +
> +The guest owners PDH allows the firmware to establish a cryptographic session with
> +the guest owner to negotiate keys used for attestation.
^
in order to
> +
> +The session parameters contains informations such as guest policy MAC, transport
WARNING: 'informations' may be misspelled - perhaps 'information'?
#98: FILE: Documentation/virtual/kvm/amd-memory-encryption.txt:65:
+The session parameters contains informations such as guest policy MAC, transport
also s/contains/contain/
> +integrity key (TIK), transport encryption key (TEK) etc.
> +
> +struct kvm_sev_launch_start {
> +
> + /* Guest Hanldle, if zero then FW creates a new handle */
> + __u32 handle;
> +
> + /* Guest policy */
> + __u32 policy;
> +
> + /* Address which contains guest owner's PDH certificate blob */
> + __u64 dh_cert_address;
> + __u32 dh_cert_length;
> +
> + /* Address which contains guest session information blob */
> + __u64 session_address;
> + __u32 session_length;
> +};
> +
> +On success, the 'handle' field contain a new handle.
... and on error, a negative value...
> +
> +2. KVM_SEV_LAUNCH_UPDATE_DATA
> +
> +Parameters (in): struct kvm_sev_launch_update
> +Returns: 0 on success, -negative on error
<--- here you need to explain first what the command does and what could
be used for and then how it does it.
> +LAUNCH_UPDATE_DATA encrypts the memory region using the VEK created during
To avoid confusion, use the "KVM_SEV_"-prefixed defines pls.
> +LAUNCH_START. It also calculates a measurement of the memory region. This
> +measurement can be used as a signature of the memory contents.
> +
> +struct kvm_sev_launch_update {
> + /* address of the data to be encrypted (must be 16-byte aligned) */
> + __u64 address;
> +
> + /* length of the data to be encrypted (must be 16-byte aligned) */
> + __u32 length;
> +};
> +
> +3. KVM_SEV_LAUNCH_MEASURE
> +
> +Parameters (in): struct kvm_sev_launch_measure
> +Returns: 0 on success, -negative on error
> +
> +LAUNCH_MEASURE returns the measurement of the memory region encrypted with
> +LAUNCH_UPDATE_DATA. The measurement is keyed with the TIK so that the guest
> +owner can use the measurement to verify the guest was properly launched without
> +tempering.
So this could use a bit more text as it is such an important aspect of
the whole verification of the guest.
> +
> +struct kvm_sev_launch_measure {
> + /* where to copy the measurement blob */
> + __u64 address;
> +
> + /* length of memory region containing measurement */
> + __u32 length;
> +};
> +
> +If measurement length is too small, the required length is returned in the
> +length field.
> +
> +On success, the measurement is copied to the address.
And how is success signalled to the caller?
> +
> +4. KVM_SEV_LAUNCH_FINISH
> +
> +Returns: 0 on success, -negative on error
> +
> +LAUNCH_FINISH command finalize the SEV guest launch process.
"The KVM_SEV_LAUNCH_FINISH command... "
> +
> +5. KVM_SEV_GUEST_STATUS
> +
> +Parameters (out): struct kvm_sev_guest_status
This is an "out" command, so it should be called
KVM_SEV_GET_GUEST_STATUS. Or is it too late for that?
> +Returns: 0 on success, -negative on error
> +
> +GUEST_STATUS returns the current SEV state the guest is in.
> +
> +struct kvm_sev_guest_status {
> +
> + /* guest hanldle */
> + __u32 handle;
> +
> + /* guest policy */
> + __u32 policy;
> +
> + /* guest state (see below) */
> + __u8 state;
> +};
> +
> +SEV guest state:
> +
> +enum {
> + /* guest state is not known */
> + SEV_STATE_INVALID = 0;
not known or invalid?
> + /* guest is currently being launched */
> + SEV_STATE_LAUNCHING.
^--- comma, I guess, instead of full-stop.
> + /* guest is being launched and ready to accept the ciphertext data */
> + SEV_STATE_SECRET,
> + /* guest is fully launched and running */
> + SEV_STATE_RUNNING,
> + /* guest is being migrated in from another SEV machine */
> + SEV_STATE_RECEIVING,
> + /* guest is getting migrated out another SEV machine */
"out to another"
> + SEV_STATE_SENDING
> +};
Btw, side-comments will make this much more readable:
enum {
SEV_STATE_INVALID = 0,
SEV_STATE_LAUNCHING,
SEV_STATE_SECRET, /* guest is being launched and ready to accept the ciphertext data */
SEV_STATE_RUNNING, /* guest is fully launched and running */
SEV_STATE_RECEIVING, /* guest is being migrated in from another SEV machine */
SEV_STATE_SENDING, /* guest is getting migrated out to another SEV machine */
};
> +
> +6. KVM_SEV_DBG_DECRYPT
> +
> +DEBUG_DECRYPT command can be used for decrypting a region of guest memory for
> +the SEV guest debug purposes. Note that since decrypting protected memory allows
Now here is "the" wrong. Ditto below.
Also, what is "protected memory"? You mean "guest memory", right?
> +the hypervisor to gain access to guest memory, the guest policy must explicitly
> +allow debugging for this command to work.
> +
> +Parameters (in): struct kvm_sev_dbg
> +Returns: 0 on success, -negative on error
> +
> +struct kvm_sev_dbg {
> + __u64 src_address;
> + __u64 dst_address;
Even though obvious, those need comments what they are, just like the
other struct members above. Below need comments too.
> +
> + /* length of memory region to decrypt */
> + __u32 length;
> +};
> +
> +7. KVM_SEV_DBG_ENCRYPT
> +
> +DEBUG_ENCRYPT command can be used for injecting the data into guest for the SEV
"The ... " - but you get the idea :)
make that "... can be used for injecting data into a guest for debugging
purposes."
> +guest debug purposes. Note that since injecting the data into protected memory
> +allows the hypervisor to modify the guest memory, the guest policy must explicitly
> +allow debugging for this command to work.
Same issues as above.
> +
> +Parameters (in): struct kvm_sev_dbg
> +Returns: 0 on success, -negative on error
> +
> +struct kvm_sev_dbg {
> + __u64 src_address;
> + __u64 dst_address;
> +
> + /* length of memory region to encrypt */
> + __u32 length;
> +};
> +
> +8. KVM_SEV_SEND_START
> +
> +Parameters (in): struct kvm_sev_send_start
> +Returns: 0 on success, -negative on error
> +
> +SEND_START command is used to export a SEV guest from one platform to another.
Export or migrate?
> +It can be used for saving a guest to disk to be resumed later, or it can be
> +used to migrate a guest across the network to a receiving platform.
And how do I specify which of those actions needs to happen?
> +
> +struct kvm_sev_send_start {
> + /* guest policy */
> + __u32 policy;
> +
> + /* address which contains receivers PDH key blob */
the receiver's
> + __u64 pdh_cert_address;
> + __u32 pdh_cert_length;
> +
> + /* address which contains platform certificate blob */
> + __u64 plat_cert_address;
> + __u32 plat_cert_length;
> +
> + /* address which contains AMD certificate chain */
> + __u64 amd_cert_address;
> + __u32 amd_cert_length;
> +
> + /* where to copy the current session information */
> + __u64 session_address;
> + __u32 session_length;
> +};
> +
> +The command uses PDH key to establish a new cryptographic context with the
> +remote platform - the new cryptographic context will be used for re-encrypting
> +the guest memory before sending it to remote platform.
> +
> +If length of the certificate blobs are too small, the required length is
So you wanna say "If the certificate blobs are short, ... "
> +returned in the length field and an error is returned.
> +
> +9. KVM_SEV_SEND_UPDATE_DATA
> +
> +Parameters (in): struct kvm_sev_send_update_data
> +Returns: 0 on success, -negative on error
> +
> +SEND_UPDATE_DATA command is used to re-encrypt the guest memory using the
> +crytographic context established during SEND_START. A fresh IV is generated
> +and written to the packet header field.
> +
> +struct kvm_sev_send_update_data {
> + /* address which will contain packet header (IV, MAC etc)*/
> + __u64 hdr_data;
> + __u32 hdr_length;
> +
> + /* address of guest memory region containg encrypted data */
"containing" - spellchecker needed.
> + __u64 guest_address;
> + __u32 guest_length;
> +
> + /* address of transport buffer */
> + __u64 host_address;
> + __u32 host_length;
> +};
> +
> +If the hdr_length is too small, the required length is returned in the length
> +field and an error is returned.
> +
> +10. KVM_SEV_SEND_FINISH
> +
> +Returns: 0 on success, -negative on error
> +
> +SEND_FINISH command finalize the SEV guest sending process.
"finalizes"
> +
> +11. KVM_SEV_RECEIVE_START
> +
> +Parameters (in): struct kvm_sev_receive_start
> +Returns: 0 on success, -negative on error
> +
> +RECEIVE_START command is used to import a guest from one platform to another.
> +It can be used for restoring a guest from disk, or it can be used to migrate
> +a guest across the network from a sending platform.
Same issues as above.
Also, the explanatory text doesn't say who calls that command. If it is
called, KVM_SEV_RECEIVE_START, so it must be the receiving end but it is
unclear.
> +
> +struct kvm_sev_receive_start {
> + /* guest handle (if zero then new handle will be created) */
> + __u32 handle;
> +
> + /* guest policy */
> + __u32 policy;
> +
> + /* Address containing senders PDH certificate blob */
> + __u64 pdh_cert_address;
> + __u32 pdh_cert_length;
> +
> + /* Address containing sender's session information blob */
> + __u64 session_address;
> + __u32 session_length;
> +};
> +
> +The RECEIVE_START command creates a new cryptographic context necessary to
> +re-enrypt the guest memory receieved through the RECEIVE_UPDATE command.
"re-encrypt" - typo. Also "received"
Also, what is the RECEIVE_UPDATE command? The
KVM_SEV_RECEIVE_UPDATE_DATA below? See what I mean with ambiguities.
> +
> +12. KVM_SEV_RECEIVE_UPDATE_DATA
> +
> +Parameters (in): struct kvm_sev_receive_update_data
> +Returns: 0 on success, -negative on error
> +
> +RECEIVE_UPDATE_DATA command is used to re-encrypt the guest memory using the
> +crytographic context established during RECEIVE_START.
> +
> +struct kvm_sev_receive_update_data {
> + /* packet header receieved from the SEND_UPDATE_DATA command */
> + __u64 hdr_data;
> + __u32 hdr_length;
> +
> + /* address of guest memory region */
> + __u64 guest_address;
> + __u32 guest_length;
> +
> + /* address of transport buffer */
> + __u64 host_address;
> + __u32 host_length;
> +};
> +
> +13. KVM_SEV_RECEIVE_FINISH
> +
> +Returns: 0 on success, -negative on error
> +
> +RECEIVE_FINISH command finalize the SEV guest receiving process.
Also, "finalizes".
Phew, that took long.
--
Regards/Gruss,
Boris.
SUSE Linux GmbH, GF: Felix ImendÃrffer, Jane Smithard, Graham Norton, HRB 21284 (AG NÃrnberg)
--