From: "Laszlo Ersek" <lersek@redhat.com>
To: Ashish Kalra <Ashish.Kalra@amd.com>, devel@edk2.groups.io
Cc: brijesh.singh@amd.com, Thomas.Lendacky@amd.com,
jejb@linux.ibm.com, erdemaktas@google.com, jiewen.yao@intel.com,
min.m.xu@intel.com, jordan.l.justen@intel.com,
ard.biesheuvel@arm.com,
"Dr. David Alan Gilbert" <dgilbert@redhat.com>,
Paolo Bonzini <pbonzini@redhat.com>
Subject: Re: [PATCH v4 0/4] SEV Live Migration support for OVMF.
Date: Tue, 22 Jun 2021 19:20:53 +0200 [thread overview]
Message-ID: <dffa37d8-9139-4d55-18c1-e88bc081def4@redhat.com> (raw)
In-Reply-To: <cover.1624281247.git.ashish.kalra@amd.com>
Hi Ashish,
(+Dave, +Paolo)
On 06/21/21 15:56, Ashish Kalra wrote:
> From: Ashish Kalra <ashish.kalra@amd.com>
>
> By default all the SEV guest memory regions are considered encrypted,
> if a guest changes the encryption attribute of the page (e.g mark a
> page as decrypted) then notify hypervisor. Hypervisor will need to
> track the unencrypted pages. The information will be used during
> guest live migration, guest page migration and guest debugging.
>
> The patch-set adds a new SEV and SEV-ES hypercall abstraction
> library to support SEV Page encryption/decryption status hypercalls
> for SEV and SEV-ES guests.
>
> BaseMemEncryptSevLib invokes hypercalls via this new hypercall library.
>
> The patch-set detects if it is running under KVM hypervisor and then
> checks for SEV live migration feature support via KVM_FEATURE_CPUID,
> if detected setup a new UEFI enviroment variable to indicate OVMF
> support for SEV live migration.
>
> A branch containing these patches is available here:
> https://github.com/ashkalra/edk2/tree/sev_live_migration_v4
>
> Changes since v3:
> - Fix all DSC files under OvmfPkg except X64 to add support for
> BaseMemEncryptLib and add NULL instance of BaseMemEncryptLib
> for 32 bit platforms.
> - Add the MemEncryptHypercallLib-related files to Maintainers.txt,
> in section "OvmfPkg: Confidential Computing".
> - Add support for the new KVM_HC_MAP_GPA_RANGE hypercall interface.
> - Add patch for SEV live migration support.
I have absolutely zero context in my mind about this work.
By v1 / v2 / v3, are you referring to the following patch series (from December 2020):
- [PATCH v1 0/2] SEV Page Encryption Bitmap support for OVMF.
https://listman.redhat.com/archives/edk2-devel-archive/2020-December/msg00081.html
- [PATCH v2 0/3] SEV Page Encryption Bitmap support for OVMF.
https://listman.redhat.com/archives/edk2-devel-archive/2020-December/msg00198.html
- [PATCH v3 0/3] SEV Page Encryption Bitmap support for OVMF.
https://listman.redhat.com/archives/edk2-devel-archive/2020-December/msg00202.html
We certainly need a new TianoCore BZ for tracking this feature; I only found the above patch set versions because I have full text search for my complete email traffic on my laptop. Sending v4 after half a year hiatus is like sending it in the next century. :)
Anyway, where I'm particularly lost is that I (very vaguely) recall conflicting approaches from AMD and IBM on migration. Has an agreement been reached there?
I certainly apologize for missing the context here; had someone asked me if I had seen any version of this patch set before, I would have *sworn* that I hadn't.
I'm basically incapable of tracking this volume of development around confidential computing; sorry.
Laszlo
>
> Changes since v2:
> - GHCB_BASE setup during reset-vector as decrypted is marked explicitly
> in the hypervisor page encryption bitmap after setting the
> PcdSevEsIsEnabled PCD.
>
> Changes since v1:
> - Mark GHCB_BASE setup during reset-vector as decrypted explicitly in
> the hypervisor page encryption bitmap.
> - Resending the series with correct shallow threading.
>
> Ashish Kalra (3):
> OvmfPkg/MemEncryptHypercallLib: add library to support SEV hypercalls.
> OvmfPkg/PlatformPei: Mark SEC GHCB page as unencrypted via hypercall
> OvmfPkg/PlatformDxe: Add support for SEV live migration.
>
> Brijesh Singh (1):
> OvmfPkg/BaseMemEncryptLib: Support to issue unencrypted hypercall
>
> Maintainers.txt | 2 +
> OvmfPkg/Include/Guid/MemEncryptLib.h | 20 ++++
> .../Include/Library/MemEncryptHypercallLib.h | 43 +++++++
> .../DxeMemEncryptSevLib.inf | 1 +
> .../PeiMemEncryptSevLib.inf | 1 +
> .../X64/PeiDxeVirtualMemory.c | 22 ++++
> .../Ia32/MemEncryptHypercallLib.c | 37 ++++++
> .../MemEncryptHypercallLib.inf | 42 +++++++
> .../X64/AsmHelperStub.nasm | 28 +++++
> .../X64/MemEncryptHypercallLib.c | 105 +++++++++++++++++
> OvmfPkg/OvmfPkg.dec | 1 +
> OvmfPkg/OvmfPkgIa32.dsc | 1 +
> OvmfPkg/OvmfPkgIa32X64.dsc | 1 +
> OvmfPkg/OvmfPkgX64.dsc | 1 +
> OvmfPkg/OvmfXen.dsc | 1 +
> OvmfPkg/PlatformDxe/AmdSev.c | 108 ++++++++++++++++++
> OvmfPkg/PlatformDxe/Platform.c | 5 +
> OvmfPkg/PlatformDxe/Platform.inf | 2 +
> OvmfPkg/PlatformDxe/PlatformConfig.h | 5 +
> OvmfPkg/PlatformPei/AmdSev.c | 10 ++
> 20 files changed, 436 insertions(+)
> create mode 100644 OvmfPkg/Include/Guid/MemEncryptLib.h
> create mode 100644 OvmfPkg/Include/Library/MemEncryptHypercallLib.h
> create mode 100644 OvmfPkg/Library/MemEncryptHypercallLib/Ia32/MemEncryptHypercallLib.c
> create mode 100644 OvmfPkg/Library/MemEncryptHypercallLib/MemEncryptHypercallLib.inf
> create mode 100644 OvmfPkg/Library/MemEncryptHypercallLib/X64/AsmHelperStub.nasm
> create mode 100644 OvmfPkg/Library/MemEncryptHypercallLib/X64/MemEncryptHypercallLib.c
> create mode 100644 OvmfPkg/PlatformDxe/AmdSev.c
>
next prev parent reply other threads:[~2021-06-22 17:21 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-21 13:56 [PATCH v4 0/4] SEV Live Migration support for OVMF Ashish Kalra
2021-06-21 13:56 ` [PATCH v4 1/4] OvmfPkg/MemEncryptHypercallLib: add library to support SEV hypercalls Ashish Kalra
2021-06-22 19:47 ` Brijesh Singh
2021-06-22 19:58 ` Brijesh Singh
2021-06-22 22:47 ` Lendacky, Thomas
2021-06-22 23:20 ` Ashish Kalra
2021-06-22 23:38 ` Brijesh Singh
2021-06-23 1:47 ` Ashish Kalra
2021-06-23 15:02 ` Ashish Kalra
2021-06-21 13:57 ` [PATCH v4 2/4] OvmfPkg/BaseMemEncryptLib: Support to issue unencrypted hypercall Ashish Kalra
2021-06-22 22:50 ` Lendacky, Thomas
2021-06-21 13:57 ` [PATCH v4 3/4] OvmfPkg/PlatformPei: Mark SEC GHCB page as unencrypted via hypercall Ashish Kalra
2021-06-22 20:35 ` Brijesh Singh
2021-06-21 13:57 ` [PATCH v4 4/4] OvmfPkg/PlatformDxe: Add support for SEV live migration Ashish Kalra
2021-06-22 23:06 ` Lendacky, Thomas
2021-06-24 16:29 ` Ashish Kalra
2021-06-22 17:20 ` Laszlo Ersek [this message]
2021-06-22 17:45 ` [PATCH v4 0/4] SEV Live Migration support for OVMF Brijesh Singh
2021-06-22 17:46 ` Ashish Kalra
2021-06-23 13:18 ` [edk2-devel] " Dov Murik
2021-06-23 16:42 ` Laszlo Ersek
2021-06-23 16:49 ` Laszlo Ersek
2021-06-23 17:03 ` Ashish Kalra
2021-06-30 9:11 ` Ashish Kalra
2021-06-30 16:25 ` [edk2-devel] " Laszlo Ersek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=dffa37d8-9139-4d55-18c1-e88bc081def4@redhat.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox