[libvirt] [PATCH 0/4] x86: Secure Encrypted Virtualization (AMD)

This patch series provides support for launching an encrypted guest using AMD's new Secure Encrypted Virtualization (SEV) feature. SEV is an extension to the AMD-V architecture which supports running multiple VMs under the control of a hypervisor. When enabled, SEV feature allows the memory contents of a virtual machine (VM) to be transparently encrypted with a key unique to the guest VM. In order to launch SEV guest we need QEMU SEV patch [1]. [1] https://marc.info/?l=kvm&m=151871349515849&w=2 The patch series implements some of recommendation from Daniel [2] [2] https://www.redhat.com/archives/libvir-list/2017-September/msg00197.html At very high level the flow looks this: 1. mgmt tool calls virConnectGetDomainCapabilities. This returns an XML document that includes the following <feature> ... <sev supported='yes'> <cbitpos> </cbitpos> <reduced-phys-bits> </reduced-phys-bits> <pdh> </pdh> <cert-chain> </cert-chain> </feature> If <sev> is provided then we indicate that hypervisor is capable of launching SEV guest. 2. (optional) mgmt tool can provide the PDH and Cert-chain to guest owner in case if guest owner wish to establish a secure connection with SEV firmware to negotiate a key used for validating the measurement. 3. mgmt tool requests to start a guest calling virCreateXML(), passing VIR_DOMAIN_START_PAUSED. The xml would include <sev> <cbitpos> </cbitpos> /* the value is same as what is obtained via virConnectGetDomainCapabilities() <reduced-phys-bits> </reduced-phys-bits> /* the value is same as what is obtained via virConnectGetDomainCapabilities() <dh-cert> .. </dh> /* guest owners diffie-hellman key */ (optional) <session> ..</session> /* guest owners session blob */ (optional) <policy> ..</policy> /* guest policy */ (optional) 4. Libvirt generate the QEMU cli arg to enable the SEV feature, a typical args looks like this: # $QEMU .. -machine memory-encryption=sev0 \ -object sev-guest,id=sev0,dh-cert-file=<file>.... 5. Libvirt generates lifecycle VIR_DOMAIN_EVENT_SUSPENDED_PAUSED event 6. mgmt tool gets the VIR_DOMAIN_EVENT_SUSPENDED_PAUSED and calls virDomainGetSevVmMeasurement() to retrieve the measurement of encrypted memory. 7. (optional) mgmt tool can provide the measurement value to guest owner, which can validate the measurement and gives GO/NO-GO answer. If mgmt tool gets GO then it resumes the guest otherwise it calls destroy() to kill the guest. 8. mgmt tool resumes the guest TODO: * SEV guest require to use DMA apis for the virtio devices. In order to use the DMA apis the virtio devices must have this tag <driver iommu=on ats=on> It is a bit unclear to me where these changes need to go. Do we need to modify the libvirt to automatically add these when SEV is enabled or we ask mgmt tool to make sure that it creates XML with right tag to enable the DMA APIs for virtio devices. I am looking for some suggestions. Using these patches we have succesfully booted and tested a guest both with and without SEV enabled. SEV Firmware API spec is available at: https://support.amd.com/TechDocs/55766_SEV-KM%20API_Specification.pdf Brijesh Singh (4): qemu: provide support to query the SEV capability qemu: introduce SEV feature in hypervisor capabilities conf: introduce sev element in domain libvirt-domain: add new virDomainGetSevVmMeasurement() API docs/formatdomain.html.in | 71 ++++++++++++++++++++++ docs/formatdomaincaps.html.in | 31 ++++++++++ docs/schemas/domaincaps.rng | 10 ++++ include/libvirt/libvirt-domain.h | 4 ++ src/conf/domain_capabilities.c | 19 ++++++ src/conf/domain_capabilities.h | 25 ++++++++ src/conf/domain_conf.c | 64 ++++++++++++++++++++ src/conf/domain_conf.h | 18 ++++++ src/driver-hypervisor.h | 4 ++ src/libvirt-domain.c | 41 +++++++++++++ src/libvirt_public.syms | 1 + src/qemu/qemu_capabilities.c | 69 +++++++++++++++++++++- src/qemu/qemu_capspriv.h | 4 ++ src/qemu/qemu_command.c | 77 ++++++++++++++++++++++++ src/qemu/qemu_driver.c | 51 ++++++++++++++++ src/qemu/qemu_monitor.c | 17 ++++++ src/qemu/qemu_monitor.h | 6 ++ src/qemu/qemu_monitor_json.c | 124 +++++++++++++++++++++++++++++++++++++++ src/qemu/qemu_monitor_json.h | 5 ++ 19 files changed, 640 insertions(+), 1 deletion(-) -- 2.14.3