From: "Tobin Feldman-Fitzthum" <tobin@linux.ibm.com>
To: tobin@ibm.com, dovmurik@linux.vnet.ibm.com, jejb@linux.ibm.com,
frankeh@us.ibm.com, pbonzini@redhat.com, ashish.kalra@amd.com,
thomas.lendacky@amd.com, brijesh.singh@amd.com,
dgilbert@redhat.com, srutherford@google.com,
devel@edk2.groups.io, ard.biesheuvel@arm.com,
jiewen.yao@intel.com
Subject: [RFC PATCH 0/9] Firmware Support for Fast Live Migration for AMD SEV
Date: Wed, 18 Aug 2021 17:20:39 -0400
Message-ID: <20210818212048.162626-1-tobin@linux.ibm.com>
With AMD SEV the hypervisor cannot decrypt or move guest memory pages.
This makes migration tricky. While the AMD Secure Processor can
export/import pages wrapped with a transport key, the bandwidth is
limited. We look to provide similar support via firmware. In particular,
we implement a Migration Handler (MH) in OVMF. The MH runs in a separate
mirror VM that shares the memory of the guest. To migrate a guest, the
HV asks the MH on the source to export wrapped pages, which the MH
on the target will import. To start the MH on the source or the target,
the HV boots the mirror VM to a custom entry vector implemented in these
patches.
This RFC does not include encryption support. The pages are passed
to/from the HV in plaintext. This RFC depends on mirror VM support
already upstreamed in KVM, AMD page encryption status tracking
(Ashish Kalra's v6 OVMF live migration patches), mirror VM support in
QEMU (Ashish's v1 QEMU RFC), page encryption status tracking support in
QEMU (Ashish's QEMU guest live migration support v4), and MH support in
QEMU (coming soon). This RFC is aimed at SEV only. The general design
carries over to SEV-ES and SEV-SNP, but extra support is required.
Dov Murik (1):
OvmfPkg/AmdSev: Build page table for migration handler
Tobin Feldman-Fitzthum (8):
OvmfPkg/AmdSev: Base for Confidential Migration Handler
OvmfPkg/PlatfomPei: Set Confidential Migration PCD
OvmfPkg/AmdSev: Setup Migration Handler Mailbox
OvmfPkg/AmdSev: MH support for mailbox protocol
OvmfPkg/AmdSev: Don't overwrite mailbox or pagetables
OvmfPkg/AmdSev: Don't overwrite MH stack
OvmfPkg/AmdSev: Add Migration Handler entry point
OvmfPkg/ResetVector: Expose Migration Handler Entry Addresses
 OvmfPkg/OvmfPkg.dec                          |  13 +
 OvmfPkg/AmdSev/AmdSevX64.dsc                 |   2 +
 OvmfPkg/AmdSev/AmdSevX64.fdf                 |  16 +-
 .../ConfidentialMigrationDxe.inf             |  38 +++
 .../ConfidentialMigrationPei.inf             |  37 +++
 OvmfPkg/PlatformPei/PlatformPei.inf          |   2 +
 OvmfPkg/ResetVector/ResetVector.inf          |   1 +
 .../ConfidentialMigration/VirtualMemory.h    | 177 ++++++++++++
 .../ConfidentialMigrationDxe.c               | 272 ++++++++++++++++++
 .../ConfidentialMigrationPei.c               |  31 ++
 OvmfPkg/PlatformPei/Platform.c               |  10 +
 .../MigrationEntryPoint.nasm                 |  51 ++++
 OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm |  13 +
 OvmfPkg/ResetVector/ResetVector.nasmb        |   1 +
 14 files changed, 660 insertions(+), 4 deletions(-)
create mode 100644 OvmfPkg/AmdSev/ConfidentialMigration/ConfidentialMigrationDxe.inf
create mode 100644 OvmfPkg/AmdSev/ConfidentialMigration/ConfidentialMigrationPei.inf
create mode 100644 OvmfPkg/AmdSev/ConfidentialMigration/VirtualMemory.h
create mode 100644 OvmfPkg/AmdSev/ConfidentialMigration/ConfidentialMigrationDxe.c
create mode 100644 OvmfPkg/AmdSev/ConfidentialMigration/ConfidentialMigrationPei.c
create mode 100644 OvmfPkg/AmdSev/ConfidentialMigration/MigrationEntryPoint.nasm
--
2.20.1