From: "Yao, Jiewen" <jiewen.yao@intel.com>
To: "devel@edk2.groups.io" <devel@edk2.groups.io>,
"ashish.kalra@amd.com" <ashish.kalra@amd.com>
Cc: "dovmurik@linux.vnet.ibm.com" <dovmurik@linux.vnet.ibm.com>,
"brijesh.singh@amd.com" <brijesh.singh@amd.com>,
"tobin@ibm.com" <tobin@ibm.com>,
"Thomas.Lendacky@amd.com" <Thomas.Lendacky@amd.com>,
"jejb@linux.ibm.com" <jejb@linux.ibm.com>,
"Justen, Jordan L" <jordan.l.justen@intel.com>,
"ard.biesheuvel@arm.com" <ard.biesheuvel@arm.com>,
"erdemaktas@google.com" <erdemaktas@google.com>,
"Xu, Min M" <min.m.xu@intel.com>
Subject: Re: [edk2-devel] [PATCH v6 0/6] SEV Live Migration support for OVMF.
Date: Thu, 5 Aug 2021 05:17:15 +0000
Message-ID: <PH0PR11MB4885EF1D15AF5FC078F9885A8CF29@PH0PR11MB4885.namprd11.prod.outlook.com>
In-Reply-To: <cover.1627900864.git.ashish.kalra@amd.com>
Hi
I have some questions:
1) May I know what is the usage of this UEFI variable - SevLiveMigrationEnabled?
I only see it is created, but I do not see how it is consumed.
2) Is this a full live migration patch, or is this just a startup and there will be more on the way?
Thank you
Yao Jiewen
> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Ashish Kalra
> via groups.io
> Sent: Monday, August 2, 2021 8:31 PM
> To: devel@edk2.groups.io
> Cc: dovmurik@linux.vnet.ibm.com; brijesh.singh@amd.com; tobin@ibm.com;
> Thomas.Lendacky@amd.com; jejb@linux.ibm.com; Justen, Jordan L
> <jordan.l.justen@intel.com>; ard.biesheuvel@arm.com;
> erdemaktas@google.com; Yao, Jiewen <jiewen.yao@intel.com>; Xu, Min M
> <min.m.xu@intel.com>
> Subject: [edk2-devel] [PATCH v6 0/6] SEV Live Migration support for OVMF.
>
> From: Ashish Kalra <ashish.kalra@amd.com>
>
> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3467
>
> By default all the SEV guest memory regions are considered encrypted;
> if a guest changes the encryption attribute of a page (e.g. marks a
> page as decrypted), then it notifies the hypervisor. The hypervisor will
> need to track the unencrypted pages. The information will be used during
> guest live migration, guest page migration and guest debugging.
>
> The patch-set detects if it is running under the KVM hypervisor and then
> checks for SEV live migration feature support via KVM_FEATURE_CPUID;
> if detected, it sets up a new UEFI environment variable to indicate OVMF
> support for SEV live migration.
>
> A branch containing these patches is available here:
> https://github.com/ashkalra/edk2-1/tree/sev_live_migration_v5_10
>
> Changes since v5:
> - Split first patch into three components, one patch for the
> MemEncryptSevLiveMigrationIsEnabled() API, one patch for the
> SetMemoryEncDecHypercall3() API, one patch to make use of the
> SetMemoryEncDecHypercall3() API.
> - Fix patch subject, in code and patch comments and
> additionally add relevant comments.
> - Replace SetMemoryEncDecHypercall3() API's Status argument
> with a boolean IsEncrypted argument and corresponding fixes
> to users of this API call.
> - Fix AsciiStrCmp() usage in KVM hypervisor detection code.
>
> Changes since v4:
> - Remove MemEncryptHypercallLib Library and add support to issue
> hypercall in the BaseMemEncryptSevLib library itself.
> - For SEV-ES, make the VC handler hypercall aware by comparing
> the hypercall number and add the additional register values
> in the GHCB.
> - Fix comments in the hypercall API interface.
> - The encryption bit is set/clear on the smallest page size, hence
> use the 4k page size in MAP_GPA_RANGE hypercall.
> - Make the hypercall expect the guest physical address to be
> page-aligned.
> - Add KVM live migration feature flag check in BaseMemEncryptSevLib
> library similar to how BaseMemEncryptSevLib does for the
> MemEncryptSevIsEnabled() and check it before invoking HC. Also
> export the MemEncryptSevLiveMigrationIsEnabled() function as
> part of the library.
> - Add error handling on hypercall return, on failure, return error
> code to caller which potentially will cause an assert() and
> terminate the boot.
>
> Changes since v3:
> - Fix all DSC files under OvmfPkg except X64 to add support for
> BaseMemEncryptLib and add NULL instance of BaseMemEncryptLib
> for 32 bit platforms.
> - Add the MemEncryptHypercallLib-related files to Maintainers.txt,
> in section "OvmfPkg: Confidential Computing".
> - Add support for the new KVM_HC_MAP_GPA_RANGE hypercall interface.
> - Add patch for SEV live migration support.
>
> Changes since v2:
> - GHCB_BASE setup during reset-vector as decrypted is marked explicitly
> in the hypervisor page encryption bitmap after setting the
> PcdSevEsIsEnabled PCD.
>
> Changes since v1:
> - Mark GHCB_BASE setup during reset-vector as decrypted explicitly in
> the hypervisor page encryption bitmap.
> - Resending the series with correct shallow threading.
>
> Ashish Kalra (6):
> OvmfPkg/BaseMemEncryptLib: Detect SEV live migration feature.
> OvmfPkg/BaseMemEncryptLib: Hypercall API for page encryption state
> change
> OvmfPkg/BaseMemEncryptLib: Invoke page encryption state change
> hypercall
> OvmfPkg/VmgExitLib: Encryption state change hypercall support in VC
> handler
> OvmfPkg/PlatformPei: Mark SEC GHCB page as unencrypted via hypercall
> OvmfPkg/AmdSevDxe: Add support for SEV live migration.
>
> OvmfPkg/AmdSevDxe/AmdSevDxe.c | 64 +++++++++++++++++
> OvmfPkg/AmdSevDxe/AmdSevDxe.inf | 4 ++
> OvmfPkg/Include/Guid/AmdSevMemEncryptLib.h | 20 ++++++
> OvmfPkg/Include/Library/MemEncryptSevLib.h | 70 +++++++++++++++++++
> .../DxeMemEncryptSevLib.inf | 1 +
> .../DxeMemEncryptSevLibInternal.c | 39 +++++++++++
> .../Ia32/MemEncryptSevLib.c | 27 +++++++
> .../PeiDxeMemEncryptSevLibInternal.c | 52 ++++++++++++++
> .../PeiMemEncryptSevLib.inf | 1 +
> .../PeiMemEncryptSevLibInternal.c | 39 +++++++++++
> .../SecMemEncryptSevLibInternal.c | 38 ++++++++++
> .../X64/AsmHelperStub.nasm | 33 +++++++++
> .../X64/MemEncryptSevLib.c | 62 ++++++++++++++++
> .../X64/PeiDxeVirtualMemory.c | 20 ++++++
> OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c | 13 ++++
> OvmfPkg/OvmfPkg.dec | 1 +
> OvmfPkg/PlatformPei/AmdSev.c | 11 +++
> 17 files changed, 495 insertions(+)
> create mode 100644 OvmfPkg/Include/Guid/AmdSevMemEncryptLib.h
> create mode 100644
> OvmfPkg/Library/BaseMemEncryptSevLib/X64/AsmHelperStub.nasm
>
> --
> 2.17.1
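As an added example, not code from the series or from OVMF, the following C models the guest/hypervisor exchange the quoted cover letter describes: KVM detection via the CPUID signature leaf, the feature-bit gate before any hypercall is issued, the page-aligned, 4K-granular KVM_HC_MAP_GPA_RANGE arguments, error propagation when the hypercall fails, and a constructed hypervisor-side bitmap standing in for the tracking of unencrypted pages that KVM has to do for migration. Assumptions: the feature bit tested is KVM_FEATURE_MIGRATION_CONTROL (bit 17 of EAX in leaf 0x40000001, as in Linux's uapi kvm_para.h); the cover letter only says the feature is checked "via KVM_FEATURE_CPUID". The attribute encoding (bits 3:0 page-size code, bit 4 encrypted, bits 63:5 reserved) follows Linux's Documentation/virt/kvm/hypercalls.rst. CPUID and the hypercall are reached through function pointers, the mock_* functions, the g_mock_* globals and the 0x1000-0x3000 addresses are constructed, and the function names only mirror the series' names.

```c
/* Added example, not OVMF/edk2 code. Guest-side gating and argument building
 * for KVM_HC_MAP_GPA_RANGE as the cover letter describes, plus a constructed
 * hypervisor-side tracker in place of KVM's record of plaintext pages.
 * ABI per Linux Documentation/virt/kvm/hypercalls.rst. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define KVM_CPUID_SIGNATURE           0x40000000u
#define KVM_CPUID_FEATURES            0x40000001u
#define KVM_FEATURE_MIGRATION_CONTROL 17u        /* assumed bit, see lead-in */
#define KVM_HC_MAP_GPA_RANGE          12ul
#define KVM_MAP_GPA_RANGE_PAGE_SZ_4K  0ul        /* attr bits 3:0 */
#define KVM_MAP_GPA_RANGE_ENCRYPTED   (1ul << 4) /* attr bit 4 */
#define PAGE_SIZE_4K                  4096ul
#define TRACKED_PAGES                 64         /* toy guest RAM: 64 x 4K */

struct cpuid_regs { uint32_t eax, ebx, ecx, edx; };
typedef void (*cpuid_fn)(uint32_t leaf, struct cpuid_regs *out);
typedef long (*hypercall3_fn)(unsigned long nr, unsigned long a0,
                              unsigned long a1, unsigned long a2);

/* Role of MemEncryptSevLiveMigrationIsEnabled(): hypervisor must be KVM and
 * advertise the bit. sig has no NUL terminator, so compare all 12 bytes. */
bool live_migration_enabled(cpuid_fn cpuid)
{
    struct cpuid_regs r;
    char sig[12];
    cpuid(KVM_CPUID_SIGNATURE, &r);
    memcpy(sig, &r.ebx, 4);
    memcpy(sig + 4, &r.ecx, 4);
    memcpy(sig + 8, &r.edx, 4);
    if (memcmp(sig, "KVMKVMKVM\0\0\0", 12) != 0)
        return false;
    cpuid(KVM_CPUID_FEATURES, &r);
    return (r.eax & (1u << KVM_FEATURE_MIGRATION_CONTROL)) != 0;
}

/* Role of SetMemoryEncDecHypercall3(): report num_pages 4K pages at gpa as
 * encrypted or decrypted. 0 on success, -1 on a bad range or failed hypercall
 * (OVMF's caller asserts on that); skipped when the feature is absent. */
int set_memory_enc_dec_hypercall(cpuid_fn cpuid, hypercall3_fn hc,
                                 uint64_t gpa, uint64_t num_pages,
                                 bool is_encrypted)
{
    unsigned long attr;
    if (!live_migration_enabled(cpuid))
        return 0;
    /* C-bit changes at 4K granularity: range must be aligned and non-empty. */
    if ((gpa & (PAGE_SIZE_4K - 1)) != 0 || num_pages == 0)
        return -1;
    attr = KVM_MAP_GPA_RANGE_PAGE_SZ_4K |
           (is_encrypted ? KVM_MAP_GPA_RANGE_ENCRYPTED : 0);
    return hc(KVM_HC_MAP_GPA_RANGE, gpa, num_pages, attr) < 0 ? -1 : 0;
}

/* Toy hypervisor side: bit N set means 4K page N is currently plaintext. */
static uint64_t g_decrypted_bitmap;

long mock_hypercall3(unsigned long nr, unsigned long a0,
                     unsigned long a1, unsigned long a2)
{
    uint64_t first = a0 / PAGE_SIZE_4K, p;
    if (nr != KVM_HC_MAP_GPA_RANGE || (a0 & (PAGE_SIZE_4K - 1)) != 0)
        return -1;                              /* unknown nr or unaligned */
    if ((a2 & 0xf) != KVM_MAP_GPA_RANGE_PAGE_SZ_4K || (a2 >> 5) != 0)
        return -1;                              /* bits 63:5 are reserved */
    if (a1 == 0 || first + a1 > TRACKED_PAGES)
        return -1;                              /* outside guest RAM */
    for (p = first; p < first + a1; p++) {
        if (a2 & KVM_MAP_GPA_RANGE_ENCRYPTED)
            g_decrypted_bitmap &= ~(1ull << p);
        else
            g_decrypted_bitmap |= (1ull << p);
    }
    return 0;
}

bool mock_page_is_decrypted(uint64_t gpa)
{
    uint64_t idx = gpa / PAGE_SIZE_4K;
    return idx < TRACKED_PAGES && ((g_decrypted_bitmap >> idx) & 1) != 0;
}

/* Constructed CPUID responses; change the globals to model other hosts. */
static const char *g_mock_sig = "KVMKVMKVM\0\0\0";
static uint32_t g_mock_features = 1u << KVM_FEATURE_MIGRATION_CONTROL;
void mock_cpuid(uint32_t leaf, struct cpuid_regs *r)
{
    memset(r, 0, sizeof *r);
    if (leaf == KVM_CPUID_SIGNATURE) {
        memcpy(&r->ebx, g_mock_sig, 4);
        memcpy(&r->ecx, g_mock_sig + 4, 4);
        memcpy(&r->edx, g_mock_sig + 8, 4);
    } else if (leaf == KVM_CPUID_FEATURES) {
        r->eax = g_mock_features;
    }
}
```

In a real guest the hypercall3_fn would execute VMMCALL with RAX = nr, RBX = a0, RCX = a1, RDX = a2 and take the result from RAX; under SEV-ES that instruction raises #VC, which is why the series teaches the VmgExitLib #VC handler to recognise the hypercall number and place the extra registers in the GHCB. Note the gate order: the feature check runs before any argument validation, so a hypervisor that never advertised the feature is never sent the hypercall, and the alignment and non-empty checks reject a bad range before it reaches the hypervisor, where the toy backend rejects it again along with reserved attribute bits and ranges outside guest RAM.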
2021-08-02 12:31 [PATCH v6 0/6] SEV Live Migration support for OVMF Ashish Kalra
2021-08-05 5:17 ` Yao, Jiewen [this message]
2021-08-05 10:36 ` [edk2-devel] " Ashish Kalra