sev: Glue KVM to IOMMUFD/vIOMMU

Handle guest exits and call SEV or IOMMUFD in the right order.

Read certificates/measurements/report for the VM from sysfs.

Signed-off-by: Alexey Kardashevskiy <aik@amd.com>

Author: aik

accel/kvm/kvm-all.c

@@ -3195,6 +3195,11 @@ int kvm_ioctl(KVMState *s, int type, ...)
     return ret;
 }
 
+int kvm_vmfd(KVMState *s)
+{
+    return s->vmfd;
+}
+
 int kvm_vm_ioctl(KVMState *s, int type, ...)
 {
     int ret;

include/sysemu/kvm.h

@@ -235,6 +235,8 @@ static inline int kvm_update_guest_debug(CPUState *cpu, unsigned long reinject_t
 
 /* internal API */
 
+int kvm_vmfd(KVMState *s);
+
 int kvm_ioctl(KVMState *s, int type, ...);
 
 int kvm_vm_ioctl(KVMState *s, int type, ...);

target/i386/sev.c

@@ -2026,11 +2026,173 @@ bool sev_add_kernel_loader_hashes(SevKernelLoaderContext *ctx, Error **errp)
     return klass->build_kernel_loader_hashes(sev_common, area, ctx, errp);
 }
 
+static ssize_t read_full(const char *fn, uint8_t *buf, ssize_t len)
+{
+    int fd;
+    ssize_t rb;
+
+    if (len <= 0) {
+        return 0;
+    }
+    fd = open(fn, O_RDONLY);
+    if (fd < 0) {
+        return 0;
+    }
+    rb = read(fd, buf, len);
+    close(fd);
+    trace_sev_read_file(fn, rb);
+
+    return rb;
+}
+
 static int kvm_handle_vmgexit_tio_req(SevCommonState *sev_common, struct kvm_user_vmgexit *ex)
 {
+    PCIDevice *pdev = NULL;
+    VFIOPCIDevice *vdev;
+    PCIETIOIfClass *tiok;
+    Object *tioko, *vdevko;
     int ret, fw_err = 0;
+    char fn[128];
+
+    ret = pci_qdev_find_device_by_pciid(0 /* Domain */, PCI_BUS_NUM(ex->tio_req.guest_rid),
+                                        PCI_BDF_TO_DEVFN(ex->tio_req.guest_rid), &pdev);
+    if (ret) {
+        return ret;
+    }
+
+    tioko = object_dynamic_cast(OBJECT(pdev), INTERFACE_PCIE_TIO_DEVICE);
+    vdevko = object_dynamic_cast(OBJECT(pdev), TYPE_VFIO_PCI);
+    if (!tioko || !vdevko) {
+        return -EPERM;
+    }
+    tiok = PCIE_TIO_DEVICE_GET_CLASS(tioko);
+
+    ret = tiok->tio_bind(pdev, kvm_vmfd(kvm_state));
+    if (ret) {
+        return ret;
+    }
+
+    vdev = VFIO_PCI(pdev);
+#define MMIO_VALIDATE_GPA(r)      ((r) & 0x000FFFFFFFFFF000ULL)
+#define MMIO_VALIDATE_LEN(r)      (1ULL << (12 + (((r) >> 4) & 0xFF)))
+#define MMIO_VALIDATE_RANGEID(r)  ((r) & 0x7)
+#define MMIO_VALIDATE_RESERVED(r) ((r) & 0xFFF0000000000008ULL)
+    if (ex->tio_req.flags & KVM_USER_VMGEXIT_TIO_REQ_FLAG_MMIO_CONFIG) {
+        printf("+++Q+++ (%u) %s %u: TODO FIXME MMIO_CONFIG\n", getpid(), __func__, __LINE__);
+        return -EINVAL;
+    }
+
+    if (ex->tio_req.flags & KVM_USER_VMGEXIT_TIO_REQ_FLAG_MMIO_VALIDATE) {
+        uint64_t mmio_gpa = MMIO_VALIDATE_GPA(ex->tio_req.mmio_gpa);
+        uint64_t mmio_size = MMIO_VALIDATE_LEN(ex->tio_req.mmio_gpa);
+        unsigned int rangeid = MMIO_VALIDATE_RANGEID(ex->tio_req.mmio_gpa);
+        int error = 0;
+
+        ret = kvm_set_memory_attributes_private(mmio_gpa, mmio_size);
+
+        struct kvm_sev_snp_rmp_update params = {
+            .flags = KVM_SEV_SNP_RMP_FLAG_PRIVATE,
+            .useraddr = (uint64_t) vdev->bars[rangeid].region.mmaps[0].mmap,
+            .gpa = mmio_gpa,
+            .size = mmio_size,
+        };
+
+        ret = sev_ioctl(sev_common->sev_fd, KVM_SEV_SNP_MMIO_RMP_UPDATE,
+                        &params, &error);
+        if (ret) {
+            return ret;
+        }
+        trace_sev_snp_make_private(mmio_gpa, mmio_size);
+    }
+
+    /* Guest requests use 1 page for request and 1 page for response */
+    hwaddr req_len = 4096, rsp_len = 4096;
+    MemTxAttrs attrs = { 0 };
+    void *req = address_space_map(&address_space_memory, ex->tio_req.req_spa,
+                                  &req_len, false, attrs);
+    void *rsp = address_space_map(&address_space_memory, ex->tio_req.rsp_spa,
+                                  &rsp_len, true, attrs);
+
+    ret = tiok->tio_guest_request(pdev, req, 4096, rsp, 4096, &fw_err);
+    if (ret) {
+        return ret;
+    }
+
     ex->tio_req.fw_err = fw_err;
 
+    if (ex->tio_req.data_npages) {
+        hwaddr data_len = ex->tio_req.data_npages << 12;
+        uint8_t *data = address_space_map(&address_space_memory, ex->tio_req.data_gpa,
+                                          &data_len, true, attrs);
+        struct tio_blob_table_entry {
+            QemuUUID guid;
+            uint32_t offset;
+            uint32_t length;
+        } QEMU_PACKED *t = (struct tio_blob_table_entry *) data;
+        ssize_t off = sizeof(*t) * 4, len = data_len - off;
+        QemuUUID certuuid = { .data =
+            UUID_LE(0x078ccb75, 0x2644, 0x49e8, 0xaf, 0xe7, 0x56, 0x86, 0xc5, 0xcf, 0x72, 0xf1)
+        };
+        QemuUUID measuuid = { .data =
+            UUID_LE(0x5caa80c6, 0x12ef, 0x401a, 0xb3, 0x64, 0xec, 0x59, 0xa9, 0x3a, 0xbe, 0x3f)
+        };
+        QemuUUID repouuid = { .data =
+            UUID_LE(0x70dc5b0e, 0x0cc0, 0x4cd5, 0x97, 0xbb, 0xff, 0x0b, 0xa2, 0x5b, 0xf3, 0x20)
+        };
+
+        snprintf(fn, sizeof(fn) - 1,
+                 "/sys/bus/pci/devices/%04x:%02x:%02x.%01x/tsm_dev/tsm_certs",
+                 vdev->host.domain, vdev->host.bus,
+                 vdev->host.slot, vdev->host.function);
+        t[0].guid = certuuid;
+        t[0].offset = off;
+        t[0].length = read_full(fn, data + off, len);
+        off += t[0].length;
+        len -= t[0].length;
+
+        snprintf(fn, sizeof(fn) - 1,
+                 "/sys/bus/pci/devices/%04x:%02x:%02x.%01x/tsm_dev/tsm_meas",
+                 vdev->host.domain, vdev->host.bus,
+                 vdev->host.slot, vdev->host.function);
+        t[1].guid = measuuid;
+        t[1].offset = off;
+        t[1].length = read_full(fn, data + off, len);
+        off += t[1].length;
+        len -= t[1].length;
+
+        snprintf(fn, sizeof(fn) - 1,
+                 "/sys/bus/pci/devices/%04x:%02x:%02x.%01x/tsm-tdi/tdi:%04x:%02x:%02x.%01x/tsm_report",
+                 vdev->host.domain, vdev->host.bus,
+                 vdev->host.slot, vdev->host.function,
+                 vdev->host.domain, vdev->host.bus,
+                 vdev->host.slot, vdev->host.function);
+
+        t[2].guid = repouuid;
+        t[2].offset = off;
+        t[2].length = read_full(fn, data + off, len);
+
+        memset(&t[3], 0, sizeof(*t));
+
+        address_space_unmap(&address_space_memory, data, data_len, true, data_len);
+    }
+
+    if (ex->tio_req.flags & KVM_USER_VMGEXIT_TIO_REQ_FLAG_STATUS) {
+        snprintf(fn, sizeof(fn) - 1,
+                 "/sys/bus/pci/devices/%04x:%02x:%02x.%01x/tsm-tdi/tdi:%04x:%02x:%02x.%01x/tsm_tdi_status",
+                 vdev->host.domain, vdev->host.bus,
+                 vdev->host.slot, vdev->host.function,
+                 vdev->host.domain, vdev->host.bus,
+                 vdev->host.slot, vdev->host.function);
+
+        if (sizeof(ex->tio_req.tdi_status) !=
+            read_full(fn, &ex->tio_req.tdi_status, sizeof(ex->tio_req.tdi_status))) {
+            ex->tio_req.tdi_status = 0;
+        }
+        trace_sev_snp_tdi_status(vdev->vbasedev.name, ex->tio_req.tdi_status);
+    }
+
+    address_space_unmap(&address_space_memory, req, req_len, false, req_len);
+    address_space_unmap(&address_space_memory, rsp, rsp_len, true, rsp_len);
     return ret;
 }
 

target/i386/trace-events

@@ -15,5 +15,6 @@ kvm_sev_snp_launch_start(uint64_t policy, char *gosvw) "policy 0x%" PRIx64 " gos
 kvm_sev_snp_launch_update(uint64_t src, uint64_t gpa, uint64_t len, const char *type) "src 0x%" PRIx64 " gpa 0x%" PRIx64 " len 0x%" PRIx64 " (%s page)"
 kvm_sev_snp_launch_finish(char *id_block, char *id_auth, char *host_data) "id_block %s id_auth %s host_data %s"
 sev_platform_ioctl(int fd, int cmd, int ret, int psperror) "fd=%d cmd=0x%x ret=%d psp=%d"
+sev_read_file(const char *fn, ssize_t rb) "Read %s => %ld bytes"
 sev_snp_make_private(uint64_t addr, uint64_t size) "addr=0x%" PRIx64 " size=0x%" PRIx64
 sev_snp_tdi_status(const char *dev, unsigned status) "%s TDI status is %d"