[PATCH 2/2] x86/sev: Document KVM_SEV_SNP_{G,S}ET_CERTS

From: Dionna Glaze
Date: Thu Sep 01 2022 - 20:06:22 EST

Next message: Dionna Glaze: "[PATCH 1/2] x86/sev: Add KVM commands for instance certs"
Previous message: Tanmay Shah: "Re: [PATCH v9 6/6] drivers: remoteproc: Add Xilinx r5 remoteproc driver"
In reply to: Dionna Glaze: "[PATCH 1/2] x86/sev: Add KVM commands for instance certs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Update the KVM_MEMORY_ENCRYPT_OP documentation to include the new
commands for overriding the host certificates that the guest receives
from an extended guest request.

Cc: Thomas Lendacky <Thomas.Lendacky@xxxxxxx>
Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>

Signed-off-by: Dionna Glaze <dionnaglaze@xxxxxxxxxx>
---
.../virt/kvm/amd-memory-encryption.rst | 44 +++++++++++++++++++
1 file changed, 44 insertions(+)

diff --git a/Documentation/virt/kvm/amd-memory-encryption.rst b/Documentation/virt/kvm/amd-memory-encryption.rst
index c7332e0e0baa..699bde86948e 100644
--- a/Documentation/virt/kvm/amd-memory-encryption.rst
+++ b/Documentation/virt/kvm/amd-memory-encryption.rst
@@ -529,6 +529,50 @@ Returns: 0 on success, -negative on error

See SEV-SNP specification for further details on launch finish input parameters.

+22. KVM_SEV_SNP_GET_CERTS
+-------------------------
+
+After the SNP guest launch flow has started, the KVM_SEV_SNP_GET_CERTS command
+can be issued to request the data that has been installed with the
+KVM_SEV_SNP_SET_CERTS command.
+
+Parameters (in/out): struct kvm_sev_snp_get_certs
+
+Returns: 0 on success, -negative on error
+
+::
+
+ struct kvm_sev_snp_get_certs {
+ __u64 certs_uaddr;
+ __u64 certs_len
+ };
+
+If no certs have been installed, then the return value is -ENOENT.
+If the buffer specified in the struct is too small, the certs_len field will be
+overwritten with the required bytes to receive all the certificate bytes and the
+return value will be -EINVAL.
+
+23. KVM_SEV_SNP_SET_CERTS
+-------------------------
+
+After the SNP guest launch flow has started, the KVM_SEV_SNP_SET_CERTS command
+can be issued to override the /dev/sev certs data that is returned when a
+guest issues an extended guest request. This is useful for instance-specific
+extensions to the host certificates.
+
+Parameters (in/out): struct kvm_sev_snp_set_certs
+
+Returns: 0 on success, -negative on error
+
+::
+
+ struct kvm_sev_snp_set_certs {
+ __u64 certs_uaddr;
+ __u64 certs_len
+ };
+
+The certs_len field may not exceed SEV_FW_BLOB_MAX_SIZE.
+
References
==========

--
2.37.2.789.g6183377224-goog

Next message: Dionna Glaze: "[PATCH 1/2] x86/sev: Add KVM commands for instance certs"
Previous message: Tanmay Shah: "Re: [PATCH v9 6/6] drivers: remoteproc: Add Xilinx r5 remoteproc driver"
In reply to: Dionna Glaze: "[PATCH 1/2] x86/sev: Add KVM commands for instance certs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]