On Thu, Oct 19, 2023, Alexey Kardashevskiy wrote:
On 19/10/23 00:48, Sean Christopherson wrote:
static int snp_handle_ext_guest_request(struct vcpu_svm *svm)
{
struct kvm_vcpu *vcpu = &svm->vcpu;
struct kvm *kvm = vcpu->kvm;
struct kvm_sev_info *sev;
unsigned long exitcode;
u64 data_gpa;
if (!sev_snp_guest(vcpu->kvm)) {
ghcb_set_sw_exit_info_2(svm->sev_es.ghcb, SEV_RET_INVALID_GUEST);
return 1;
}
data_gpa = vcpu->arch.regs[VCPU_REGS_RAX];
if (!IS_ALIGNED(data_gpa, PAGE_SIZE)) {
ghcb_set_sw_exit_info_2(svm->sev_es.ghcb, SEV_RET_INVALID_ADDRESS);
return 1;
}
vcpu->run->hypercall.nr = KVM_HC_SNP_GET_CERTS;
vcpu->run->hypercall.args[0] = data_gpa;
vcpu->run->hypercall.args[1] = vcpu->arch.regs[VCPU_REGS_RBX];
vcpu->run->hypercall.flags = KVM_EXIT_HYPERCALL_LONG_MODE;
btw why is it _LONG_MODE and not just _64? :)
I'm pretty sure it got copied from Xen when KVM started adding supporting for
emulating Xen's hypercalls. I assume Xen PV actually has a need for identifying
long mode as opposed to just 64-bit mode, but KVM, not so much.
vcpu->arch.complete_userspace_io = snp_complete_ext_guest_request;
return 0;
}
This should work the KVM stored certs nicely but not for the global certs.
Although I am not all convinced that global certs is all that valuable but I
do not know the history of that, happened before I joined so I let others to
comment on that. Thanks,
Aren't the global certs provided by userspace too though? If all certs are
ultimately controlled by userspace, I don't see any reason to make the kernel a
middle-man.