Re: [PATCH v4 0/4] SEV Live Migration support for OVMF.

["Brijesh Singh" <brijesh.singh@amd.com>]

Hi Ashish,

I have queue'd to review this series for later part of the week.
Just curious, did you run CI on this series ? A quick glance hints that this
series may fail to build on some platforms and additionally have formatting
error.

P.S: If you don't know how to use EDK2 CI then buzz me off-list.

thanks

On 6/22/2021 12:20 PM, Laszlo Ersek wrote:
> Hi Ashish,
> 
> (+Dave, +Paolo)
> 
> On 06/21/21 15:56, Ashish Kalra wrote:
>> From: Ashish Kalra <ashish.kalra@amd.com>
>>
>> By default all the SEV guest memory regions are considered encrypted,
>> if a guest changes the encryption attribute of the page (e.g mark a
>> page as decrypted) then notify hypervisor. Hypervisor will need to
>> track the unencrypted pages. The information will be used during
>> guest live migration, guest page migration and guest debugging.
>>
>> The patch-set adds a new SEV and SEV-ES hypercall abstraction
>> library to support SEV Page encryption/decryption status hypercalls
>> for SEV and SEV-ES guests.
>>
>> BaseMemEncryptSevLib invokes hypercalls via this new hypercall library.
>>
>> The patch-set detects if it is running under KVM hypervisor and then
>> checks for SEV live migration feature support via KVM_FEATURE_CPUID,
>> if detected setup a new UEFI enviroment variable to indicate OVMF
>> support for SEV live migration.
>>
>> A branch containing these patches is available here:
>> https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fashkalra%2Fedk2%2Ftree%2Fsev_live_migration_v4&amp;data=04%7C01%7Cbrijesh.singh%40amd.com%7Cb6f0cd9ca0cb4203327908d935a21cb3%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637599792656890122%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=zwiAg6jzSPYtUA8UARYE6K39Q3VCJkhm9Ey00aGYC10%3D&amp;reserved=0
>>
>> Changes since v3:
>>  - Fix all DSC files under OvmfPkg except X64 to add support for 
>>    BaseMemEncryptLib and add NULL instance of BaseMemEncryptLib
>>    for 32 bit platforms.
>>  - Add the MemEncryptHypercallLib-related files to Maintainers.txt,
>>    in section "OvmfPkg: Confidential Computing".
>>  - Add support for the new KVM_HC_MAP_GPA_RANGE hypercall interface.
>>  - Add patch for SEV live migration support.
> 
> I have absolutely zero context in my mind about this work.
> 
> By v1 / v2 / v3, are you referring to the following patch series (from December 2020):
> 
> - [PATCH v1 0/2] SEV Page Encryption Bitmap support for OVMF.
>   https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Flistman.redhat.com%2Farchives%2Fedk2-devel-archive%2F2020-December%2Fmsg00081.html&amp;data=04%7C01%7Cbrijesh.singh%40amd.com%7Cb6f0cd9ca0cb4203327908d935a21cb3%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637599792656890122%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=QkZUdYyeWREfXyx2%2B32chbp7dMzEVfBb78dEsecduFw%3D&amp;reserved=0
> 
> - [PATCH v2 0/3] SEV Page Encryption Bitmap support for OVMF.
>   https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Flistman.redhat.com%2Farchives%2Fedk2-devel-archive%2F2020-December%2Fmsg00198.html&amp;data=04%7C01%7Cbrijesh.singh%40amd.com%7Cb6f0cd9ca0cb4203327908d935a21cb3%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637599792656900118%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=TH%2BbYo%2B2CZyOunhIpegEjqQkdXlBuZsiyWz1k%2BGXtQc%3D&amp;reserved=0
> 
> - [PATCH v3 0/3] SEV Page Encryption Bitmap support for OVMF.
>   https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Flistman.redhat.com%2Farchives%2Fedk2-devel-archive%2F2020-December%2Fmsg00202.html&amp;data=04%7C01%7Cbrijesh.singh%40amd.com%7Cb6f0cd9ca0cb4203327908d935a21cb3%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637599792656900118%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=css90wZ%2BFgbYm%2FQjvCLIFZwwozZz3dfzaVPDpsQsCsk%3D&amp;reserved=0
> 
> We certainly need a new TianoCore BZ for tracking this feature; I only found the above patch set versions because I have full text search for my complete email traffic on my laptop. Sending v4 after half a year hiatus is like sending it in the next century. :)
> 
> Anyway, where I'm particularly lost is that I (very vaguely) recall conflicting approaches from AMD and IBM on migration. Has an agreement been reached there?
> 
> I certainly apologize for missing the context here; had someone asked me if I had seen any version of this patch set before, I would have *sworn* that I hadn't.
> 
> I'm basically incapable of tracking this volume of development around confidential computing; sorry.
> 
> Laszlo
> 
>>
>> Changes since v2:
>>  - GHCB_BASE setup during reset-vector as decrypted is marked explicitly
>>    in the hypervisor page encryption bitmap after setting the 
>>    PcdSevEsIsEnabled PCD.
>>
>> Changes since v1:
>>  - Mark GHCB_BASE setup during reset-vector as decrypted explicitly in
>>    the hypervisor page encryption bitmap.
>>  - Resending the series with correct shallow threading.
>>
>> Ashish Kalra (3):
>>   OvmfPkg/MemEncryptHypercallLib: add library to support SEV hypercalls.
>>   OvmfPkg/PlatformPei: Mark SEC GHCB page as unencrypted via hypercall
>>   OvmfPkg/PlatformDxe: Add support for SEV live migration.
>>
>> Brijesh Singh (1):
>>   OvmfPkg/BaseMemEncryptLib: Support to issue unencrypted hypercall
>>
>>  Maintainers.txt                               |   2 +
>>  OvmfPkg/Include/Guid/MemEncryptLib.h          |  20 ++++
>>  .../Include/Library/MemEncryptHypercallLib.h  |  43 +++++++
>>  .../DxeMemEncryptSevLib.inf                   |   1 +
>>  .../PeiMemEncryptSevLib.inf                   |   1 +
>>  .../X64/PeiDxeVirtualMemory.c                 |  22 ++++
>>  .../Ia32/MemEncryptHypercallLib.c             |  37 ++++++
>>  .../MemEncryptHypercallLib.inf                |  42 +++++++
>>  .../X64/AsmHelperStub.nasm                    |  28 +++++
>>  .../X64/MemEncryptHypercallLib.c              | 105 +++++++++++++++++
>>  OvmfPkg/OvmfPkg.dec                           |   1 +
>>  OvmfPkg/OvmfPkgIa32.dsc                       |   1 +
>>  OvmfPkg/OvmfPkgIa32X64.dsc                    |   1 +
>>  OvmfPkg/OvmfPkgX64.dsc                        |   1 +
>>  OvmfPkg/OvmfXen.dsc                           |   1 +
>>  OvmfPkg/PlatformDxe/AmdSev.c                  | 108 ++++++++++++++++++
>>  OvmfPkg/PlatformDxe/Platform.c                |   5 +
>>  OvmfPkg/PlatformDxe/Platform.inf              |   2 +
>>  OvmfPkg/PlatformDxe/PlatformConfig.h          |   5 +
>>  OvmfPkg/PlatformPei/AmdSev.c                  |  10 ++
>>  20 files changed, 436 insertions(+)
>>  create mode 100644 OvmfPkg/Include/Guid/MemEncryptLib.h
>>  create mode 100644 OvmfPkg/Include/Library/MemEncryptHypercallLib.h
>>  create mode 100644 OvmfPkg/Library/MemEncryptHypercallLib/Ia32/MemEncryptHypercallLib.c
>>  create mode 100644 OvmfPkg/Library/MemEncryptHypercallLib/MemEncryptHypercallLib.inf
>>  create mode 100644 OvmfPkg/Library/MemEncryptHypercallLib/X64/AsmHelperStub.nasm
>>  create mode 100644 OvmfPkg/Library/MemEncryptHypercallLib/X64/MemEncryptHypercallLib.c
>>  create mode 100644 OvmfPkg/PlatformDxe/AmdSev.c
>>
>