Commits

Most of the current 'query-sev' command is relevant to both legacy SEV/SEV-ES guests and SEV-SNP guests, with 2 exceptions: - 'policy' is a 64-bit field for SEV-SNP, not 32-bit, and the meaning of the bit positions has changed - 'handle' is not relevant to SEV-SNP To address this, this patch adds a new 'sev-type' field that can be used as a discriminator to select between SEV and SEV-SNP-specific fields/formats without breaking compatibility for existing management tools (so long as management tools that add support for launching SEV-SNP guest update their handling of query-sev appropriately). The corresponding HMP command has also been fixed up similarly. Signed-off-by: Michael Roth <michael.roth@amd.com>

SEV-SNP firmware allows a special guest page to be populated with a table of guest CPUID values so that they can be validated through firmware before being loaded into encrypted guest memory where they can be used in place of hypervisor-provided values[1]. As part of SEV-SNP guest initialization, use this process to validate the CPUID entries reported by KVM_GET_CPUID2 prior to initial guest start. [1]: SEV SNP Firmware ABI Specification, Rev. 0.8, 8.13.2.6 Signed-off-by: Michael Roth <michael.roth@amd.com>

This patch introduces new EPYC cpu versions: EPYC-v4, EPYC-Rome-v3, and EPYC-Milan-v2. The only difference vs. older models is an updated cache_info with the 'complex_indexing' bit unset, since this bit is not currently defined for AMD and may cause problems should it be used for something else in the future. Setting this bit will also cause CPUID validation failures when running SEV-SNP guests. Signed-off-by: Michael Roth <michael.roth@amd.com>

New EPYC CPUs versions require small changes to their cache_info's. Because current QEMU x86 CPU definition does not support cache versions, we would have to declare a new CPU type for each such case. To avoid this duplication, the patch allows new cache_info pointers to be specificed for a new CPU version. Co-developed-by: Wei Huang <wei.huang2@amd.com> Signed-off-by: Wei Huang <wei.huang2@amd.com> Signed-off-by: Michael Roth <michael.roth@amd.com>

SNP guests will rely on this bit to determine certain feature support. Signed-off-by: Michael Roth <michael.roth@amd.com>

During the SNP guest launch sequence, a special secrets and cpuid page needs to be populated by the SEV-SNP firmware. The secrets page contains the VM Platform Communication Key (VMPCKs) used by the guest to send and receive secure messages to the PSP. And CPUID page will contain the CPUID value filtered through the PSP. The guest BIOS (OVMF) reserves these pages in MEMFD and location of it is available through the SNP boot block GUID. While finalizing the guest boot flow, lookup for the boot block and call the SNP_LAUNCH_UPDATE command to populate secrets and cpuid pages. In order to support early boot code, the OVMF may ask hypervisor to request the pre-validation of certain memory range. If such range is present the call SNP_LAUNCH_UPDATE command to validate those address range without affecting the measurement. See the SEV-SNP specification for further details. Finally, call the SNP_LAUNCH_FINISH to finalize the guest boot. Signed-off-by: Brijesh Singh <brijesh.singh@amd.com> Signed-off-by: Michael Roth <michael.roth@amd.com>

The KVM_SEV_SNP_LAUNCH_UPDATE command is used for encrypting the bios image used for booting the SEV-SNP guest. Signed-off-by: Brijesh Singh <brijesh.singh@amd.com> Signed-off-by: Michael Roth <michael.roth@amd.com>

The SNP_LAUNCH_START is called first to create a cryptographic launch context within the firmware. Signed-off-by: Brijesh Singh <brijesh.singh@amd.com> Signed-off-by: Michael Roth <michael.roth@amd.com>

When SEV-SNP is enabled, the KVM_SNP_INIT command is used to initialize the platform. The command checks whether SNP is enabled in the KVM, if enabled then it allocates a new ASID from the SNP pool and calls the firmware to initialize the all the resources. Signed-off-by: Brijesh Singh <brijesh.singh@amd.com> Signed-off-by: Michael Roth <michael.roth@amd.com>

SEV-SNP support relies on a different set of properties/state than the existing 'sev-guest' object. This patch introduces the 'sev-snp-guest' object, which can be used to configure an SEV-SNP guest. For example, a default-configured SEV-SNP guest with no additional information passed in for use with attestation: -object sev-snp-guest,id=sev0 or a fully-specified SEV-SNP guest where all spec-defined binary blobs are passed in as base64-encoded strings: -object sev-snp-guest,id=sev0, \ policy=0x30000, \ init-flags=0, \ id-block=YWFhYWFhYWFhYWFhYWFhCg==, \ id-auth=CxHK/OKLkXGn/KpAC7Wl1FSiisWDbGTEKz..., \ auth-key-enabled=on, \ host-data=LNkCWBRC5CcdGXirbNUV1OrsR28s..., \ guest-visible-workarounds=AA==, \ See the QAPI schema updates included in this patch for more usage details. In some cases these blobs may be up to 4096 characters, but this is generally well below the default limit for linux hosts where command-line sizes are defined by the sysconf-configurable ARG_MAX value, which defaults to 2097152 characters for Ubuntu hosts, for example. Co-developed-by: Michael Roth <michael.roth@amd.com> Signed-off-by: Brijesh Singh <brijesh.singh@amd.com> Signed-off-by: Michael Roth <michael.roth@amd.com>

Sync the kvm.h with the kernel to include the SNP specific commands. Signed-off-by: Brijesh Singh <brijesh.singh@amd.com> Signed-off-by: Michael Roth <michael.roth@amd.com>

Currently all SEV/SEV-ES functionality is managed through a single 'sev-guest' QOM type. With upcoming support for SEV-SNP, taking this same approach won't work well since some of the properties/state managed by 'sev-guest' is not applicable to SEV-SNP, which will instead rely on a new QOM type with its own set of properties/state. To prepare for this, this patch moves common state into an abstract 'sev-common' parent type to encapsulate properties/state that is common to both SEV/SEV-ES and SEV-SNP, leaving only SEV/SEV-ES-specific properties/state in the current 'sev-guest' type. This should not affect current behavior or command-line options. As part of this patch, some related changes are also made: - a static 'sev_guest' variable is currently used to keep track of the 'sev-guest' instance. SEV-SNP would similarly introduce an 'sev_snp_guest' static variable. But these instances are now available via qdev_get_machine()->cgs, so switch to using that instead and drop the static variable. - 'sev_guest' is currently used as the name for the static variable holding a pointer to the 'sev-guest' instance. Re-purpose the name as a local variable referring the 'sev-guest' instance, and use that consistently throughout the code so it can be easily distinguished from sev-common/sev-snp-guest instances. - 'sev' is generally used as the name for local variables holding a pointer to the 'sev-guest' instance. In cases where that now points to common state, use the name 'sev_common'; in cases where that now points to state specific to 'sev-guest' instance, use the name 'sev_guest' Signed-off-by: Michael Roth <michael.roth@amd.com>

…6' into staging QAPI patches patches for 2021-08-26 # gpg: Signature made Thu 26 Aug 2021 13:18:34 BST # gpg: using RSA key 354BC8B3D7EB2A6B68674E5F3870B400EB918653 # gpg: issuer "armbru@redhat.com" # gpg: Good signature from "Markus Armbruster <armbru@redhat.com>" [full] # gpg: aka "Markus Armbruster <armbru@pond.sub.org>" [full] # Primary key fingerprint: 354B C8B3 D7EB 2A6B 6867 4E5F 3870 B400 EB91 8653 * remotes/armbru/tags/pull-qapi-2021-08-26: qapi: make 'if' condition strings simple identifiers qapi: add 'not' condition operation qapi: Use 'if': { 'any': ... } where appropriate qapi: add 'any' condition qapi: replace if condition list with dict {'all': [...]} qapidoc: introduce QAPISchemaIfCond.docgen() qapi: introduce QAPISchemaIfCond.cgen() qapi: add QAPISchemaIfCond.is_present() qapi: wrap Sequence[str] in an object docs: update the documentation upfront about schema configuration qapi: Fix crash on redefinition with a different condition Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Change the 'if' condition strings to be C-agnostic. It will accept '[A-Z][A-Z0-9_]*' identifiers. This allows to express configuration conditions in other languages (Rust or Python for ex) or other more suitable forms. Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Tested-by: John Snow <jsnow@redhat.com> Message-Id: <20210804083105.97531-11-marcandre.lureau@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> [Rebased with semantic conflict in redefined-event.json] Signed-off-by: Markus Armbruster <armbru@redhat.com>

For the sake of completeness, introduce the 'not' condition. Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-Id: <20210804083105.97531-10-marcandre.lureau@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> [Long line broken in tests/qapi-schema/qapi-schema-test.json] Signed-off-by: Markus Armbruster <armbru@redhat.com>

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Tested-by: John Snow <jsnow@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Message-Id: <20210804083105.97531-9-marcandre.lureau@redhat.com> Signed-off-by: Markus Armbruster <armbru@redhat.com>

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-Id: <20210804083105.97531-8-marcandre.lureau@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Markus Armbruster <armbru@redhat.com>

Replace the simple list sugar form with a recursive structure that will accept other operators in the following commits (all, any or not). Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-Id: <20210804083105.97531-7-marcandre.lureau@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> [Accidental code motion undone. Degenerate :forms: comment dropped. Helper _check_if() moved. Error messages tweaked. ui.json updated. Accidental changes to qapi-schema-test.json dropped.] Signed-off-by: Markus Armbruster <armbru@redhat.com>

Instead of building the condition documentation from a list of string, use the result generated from QAPISchemaIfCond.docgen(). This changes the generated documentation from: - COND1, COND2... (where COND1, COND2 are Literal nodes, and ',' is Text) to: - COND1 and COND2 (the whole string as a Literal node) This will allow us to generate more complex conditions in the following patches, such as "(COND1 and COND2) or COND3". Adding back the differentiated formatting is left to the wish list. Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-Id: <20210804083105.97531-6-marcandre.lureau@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> [TODO comment added] Signed-off-by: Markus Armbruster <armbru@redhat.com>

Instead of building prepocessor conditions from a list of string, use the result generated from QAPISchemaIfCond.cgen() and hide the implementation details. Note: this patch introduces a minor regression, generating a redundant pair of parenthesis. This is mostly fixed in a later patch in this series ("qapi: replace if condition list with dict [..]") Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-Id: <20210804083105.97531-5-marcandre.lureau@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> [Commit message tweaked] Signed-off-by: Markus Armbruster <armbru@redhat.com>

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Message-Id: <20210804083105.97531-4-marcandre.lureau@redhat.com> Signed-off-by: Markus Armbruster <armbru@redhat.com>

Mechanical change, except for a new assertion in QAPISchemaEntity.ifcond(). Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-Id: <20210804083105.97531-3-marcandre.lureau@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> [Rebased with obvious conflicts, commit message adjusted] Signed-off-by: Markus Armbruster <armbru@redhat.com>

Update the documentation describing the changes in this series. Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Tested-by: John Snow <jsnow@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Message-Id: <20210804083105.97531-2-marcandre.lureau@redhat.com> [Rebased with straightforward conflicts] Signed-off-by: Markus Armbruster <armbru@redhat.com>

QAPISchema._make_implicit_object_type() asserts that when an implicit object type is used multiple times, @ifcond is the same for all uses. It will be for legitimate uses, i.e. simple union branch wrapper types. A comment explains this. The assertion fails when a command or event is redefined with a different condition. The redefinition is an error, but it's flagged only later. Fixing the assertion would complicate matters further. Not worthwhile, drop it instead. We really need to get rid of simple unions. Tweak test case redefined-event to cover redefinition with a different condition. Signed-off-by: Markus Armbruster <armbru@redhat.com> Message-Id: <20210806120510.2367124-1-armbru@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com>

…request' into staging x86 queue, 2021-08-25 Bug fixes: * Remove split lock detect in Snowridge CPU model (Chenyi Qiang) * Remove AVX_VNNI feature from Cooperlake cpu model (Yang Zhong) # gpg: Signature made Wed 25 Aug 2021 20:53:59 BST # gpg: using RSA key 5A322FD5ABC4D3DBACCFD1AA2807936F984DC5A6 # gpg: issuer "ehabkost@redhat.com" # gpg: Good signature from "Eduardo Habkost <ehabkost@redhat.com>" [full] # Primary key fingerprint: 5A32 2FD5 ABC4 D3DB ACCF D1AA 2807 936F 984D C5A6 * remotes/ehabkost-gl/tags/x86-next-pull-request: i386/cpu: Remove AVX_VNNI feature from Cooperlake cpu model target/i386: Remove split lock detect in Snowridge CPU model Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

… staging MIPS patches queue - minor simplifications in PREF / JR opcodes - merge 32-bit/64-bit Release6 decodetree definitions - converted NEC Vr54xx extension opcodes to decodetree - housekeeping in gen_helper() macros - replace TARGET_WORDS_BIGENDIAN #ifdef'ry by cpu_is_bigendian() - allow Loongson 3A1000 to use up to 48-bit VAddr # gpg: Signature made Wed 25 Aug 2021 12:04:31 BST # gpg: using RSA key FAABE75E12917221DCFD6BB2E3E32C2CDEADC0DE # gpg: Good signature from "Philippe Mathieu-Daudé (F4BUG) <f4bug@amsat.org>" [full] # Primary key fingerprint: FAAB E75E 1291 7221 DCFD 6BB2 E3E3 2C2C DEAD C0DE * remotes/philmd/tags/mips-20210825: (28 commits) target/mips: Replace TARGET_WORDS_BIGENDIAN by cpu_is_bigendian() target/mips: Store CP0_Config0 in DisasContext target/mips: Replace GET_LMASK64() macro by get_lmask(64) function target/mips: Replace GET_LMASK() macro by get_lmask(32) function target/mips: Call cpu_is_bigendian & inline GET_OFFSET in ld/st helpers target/mips: Define gen_helper() macros in translate.h target/mips: Use tcg_constant_i32() in generate_exception_err() target/mips: Inline gen_helper_0e0i() target/mips: Inline gen_helper_1e1i() call in op_ld_INSN() macros target/mips: Simplify gen_helper() macros by using tcg_constant_i32() target/mips: Use tcg_constant_i32() in gen_helper_0e2i() target/mips: Remove gen_helper_1e2i() target/mips: Remove gen_helper_0e3i() target/mips: Remove duplicated check_cp1_enabled() calls in Loongson EXT target/mips: Allow Loongson 3A1000 to use up to 48-bit VAddr target/mips: Document Loongson-3A CPU definitions target/mips: Convert Vr54xx MSA* opcodes to decodetree target/mips: Convert Vr54xx MUL* opcodes to decodetree target/mips: Convert Vr54xx MACC* opcodes to decodetree target/mips: Introduce decodetree structure for NEC Vr54xx extension ... Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

…2021-08-25' into staging * Various updates for the documentation # gpg: Signature made Wed 25 Aug 2021 11:27:27 BST # gpg: using RSA key 27B88847EEE0250118F3EAB92ED9D774FE702DB5 # gpg: issuer "thuth@redhat.com" # gpg: Good signature from "Thomas Huth <th.huth@gmx.de>" [full] # gpg: aka "Thomas Huth <thuth@redhat.com>" [full] # gpg: aka "Thomas Huth <huth@tuxfamily.org>" [full] # gpg: aka "Thomas Huth <th.huth@posteo.de>" [unknown] # Primary key fingerprint: 27B8 8847 EEE0 2501 18F3 EAB9 2ED9 D774 FE70 2DB5 * remotes/thuth-gitlab/tags/pull-request-2021-08-25: docs: make sphinx-build be quiet by default docs: split the CI docs into two files docs/about/removed-features: Move some CLI options to the right location docs/about: Add the missing release record in the subject docs/about: Unify the subject format docs/about: Remove the duplicated doc Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

The AVX_VNNI feature is not in Cooperlake platform, remove it from cpu model. Signed-off-by: Yang Zhong <yang.zhong@intel.com> Message-Id: <20210820054611.84303-1-yang.zhong@intel.com> Fixes: c1826ea ("i386/cpu: Expose AVX_VNNI instruction to guest") Cc: qemu-stable@nongnu.org Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>

At present, there's no mechanism intelligent enough to virtualize split lock detection correctly. Remove it in Snowridge CPU model to avoid the feature exposure. Signed-off-by: Chenyi Qiang <chenyi.qiang@intel.com> Message-Id: <20210630012053.10098-1-chenyi.qiang@intel.com> Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>

Add the inlined cpu_is_bigendian() function in "translate.h". Replace the TARGET_WORDS_BIGENDIAN #ifdef'ry by calls to cpu_is_bigendian(). Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-Id: <20210818164321.2474534-6-f4bug@amsat.org>

Most TCG helpers only have access to a DisasContext pointer, not CPUMIPSState. Store a copy of CPUMIPSState::CP0_Config0 in DisasContext so we can access it from TCG helpers. Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-Id: <20210818164321.2474534-5-f4bug@amsat.org>

The target endianess information is stored in the BigEndian bit of the Config0 register in CP0. Replace the GET_LMASK() macro by an inlined get_lmask() function, passing CPUMIPSState and the word size as argument. We can remove another use of the TARGET_WORDS_BIGENDIAN definition. Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-Id: <20210818215517.2560994-4-f4bug@amsat.org>

The target endianess information is stored in the BigEndian bit of the Config0 register in CP0. Replace the GET_LMASK() macro by an inlined get_lmask() function, passing CPUMIPSState and the word size as argument. We can remove one use of the TARGET_WORDS_BIGENDIAN definition. Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-Id: <20210818215517.2560994-3-f4bug@amsat.org>

The target endianess information is stored in the BigEndian bit of the Config0 register in CP0. As a first step, inline the GET_OFFSET() macro, calling cpu_is_bigendian() to get the 'direction' of the offset. Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-Id: <20210818215517.2560994-2-f4bug@amsat.org>

To be able to split some code calling the gen_helper() macros out of the huge translate.c, we need to define them in the 'translate.h' local header. Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-Id: <20210816205107.2051495-9-f4bug@amsat.org>

Commits on Aug 26, 2021

Commits on Aug 25, 2021