[Qemu-devel] [RFC PATCH v4 17/20] target/i386: encrypt bios rom when memory encryption is enabled
From: Brijesh Singh
Subject: [Qemu-devel] [RFC PATCH v4 17/20] target/i386: encrypt bios rom when memory encryption is enabled
Date: Wed, 8 Mar 2017 15:54:11 -0500
User-agent: StGit/0.17.1-dirty
If the guest is launched with memory encryption enabled then we encrypt the
data copied into the pflash device and also set the debug ops for the PC.BIOS,
PC.RAM and PFLASH memory regions. This will ensure that any debug access to
these memory regions will go through the memory encryption APIs. It covers both
the pflash type of device as well as passing the BIOS image via the -bios option
on the qemu command line.
Signed-off-by: Brijesh Singh <address@hidden>
---
hw/i386/pc.c | 7 +++++++
hw/i386/pc_sysfw.c | 30 +++++++++++++++++++++++++++++-
2 files changed, 36 insertions(+), 1 deletion(-)
diff --git a/hw/i386/pc.c b/hw/i386/pc.c
index d24388e..a0c0816 100644
--- a/hw/i386/pc.c
+++ b/hw/i386/pc.c
@@ -1392,6 +1392,13 @@ void pc_memory_init(PCMachineState *pcms,
e820_add_entry(0x100000000ULL, pcms->above_4g_mem_size, E820_RAM);
}
+ /* if memory encryption is enabled then set the memory encryption
+ * ops so that any debug read and write to guest memory from hypervisor
will
+ * go through encryption routines. */
+ if (kvm_memcrypt_enabled()) {
+ kvm_memcrypt_set_debug_ops(ram);
+ }
+
if (!pcmc->has_reserved_memory &&
(machine->ram_slots ||
(machine->maxram_size > machine->ram_size))) {
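Review bot: the comment block starting at `/* if memory encryption is enabled then set the memory encryption` is wrapped mid-sentence ("from hypervisor" / "will"), so one line runs past 80 columns before the break; reflow it to keep every line under 80 columns in the `/* ... */` style this file already uses. It would also help to state in that comment whether `ram` is the backing region that the below-4G and above-4G aliases point at, so the reader knows a single kvm_memcrypt_set_debug_ops(ram) call is enough and the aliases do not need the same treatment.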
diff --git a/hw/i386/pc_sysfw.c b/hw/i386/pc_sysfw.c
index f915ad0..518a341 100644
--- a/hw/i386/pc_sysfw.c
+++ b/hw/i386/pc_sysfw.c
@@ -47,7 +47,7 @@ static void pc_isa_bios_init(MemoryRegion *rom_memory,
MemoryRegion *flash_mem,
int ram_size)
{
- int isa_bios_size;
+ int ret, isa_bios_size;
MemoryRegion *isa_bios;
uint64_t flash_size;
void *flash_ptr, *isa_bios_ptr;
@@ -72,6 +72,15 @@ static void pc_isa_bios_init(MemoryRegion *rom_memory,
((uint8_t*)flash_ptr) + (flash_size - isa_bios_size),
isa_bios_size);
+ /* If memory encryption is enabled then encrypt the ISA rom */
+ if (kvm_memcrypt_enabled()) {
+ ret = kvm_memcrypt_encrypt_launch_data(isa_bios_ptr, isa_bios_size);
+ if (ret) {
+ fprintf(stderr, "Error: failed to encrypt isa_bios image\n");
+ }
+ kvm_memcrypt_set_debug_ops(isa_bios);
+ }
+
memory_region_set_readonly(isa_bios, true);
}
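Review bot: the failure path after `ret = kvm_memcrypt_encrypt_launch_data(isa_bios_ptr, isa_bios_size);` only prints a message and carries on, so the ISA BIOS copy is left unencrypted in a region the guest will read through encryption, while the pflash hunk further down calls exit(1) in the same situation; handle both the same way (exit(1) or propagate the error to the caller) and use error_report() instead of fprintf(stderr, ...) as the rest of QEMU does.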
@@ -103,6 +112,7 @@ static void pc_isa_bios_init(MemoryRegion *rom_memory,
*/
static void pc_system_flash_init(MemoryRegion *rom_memory)
{
+ int ret;
int unit;
DriveInfo *pflash_drv;
BlockBackend *blk;
@@ -113,6 +123,8 @@ static void pc_system_flash_init(MemoryRegion *rom_memory)
pflash_t *system_flash;
MemoryRegion *flash_mem;
char name[64];
+ void *flash_ptr;
+ int flash_size;
sector_bits = 12;
sector_size = 1 << sector_bits;
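Review bot: `int flash_size;` is later assigned the result of memory_region_size(), which returns a uint64_t, and the same quantity is declared `uint64_t flash_size;` in pc_isa_bios_init() above; declare it uint64_t here as well so the length handed to kvm_memcrypt_encrypt_launch_data() cannot be truncated or turn negative for a large flash image. The new `int ret;` could also share the existing `int unit;` declaration line instead of adding a second one.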
@@ -168,7 +180,20 @@ static void pc_system_flash_init(MemoryRegion *rom_memory)
0 /* be */);
if (unit == 0) {
flash_mem = pflash_cfi01_get_memory(system_flash);
+
pc_isa_bios_init(rom_memory, flash_mem, size);
+
+ /* Encrypt the pflash boot ROM */
+ if (kvm_memcrypt_enabled()) {
+ flash_ptr = memory_region_get_ram_ptr(flash_mem);
+ flash_size = memory_region_size(flash_mem);
+ ret = kvm_memcrypt_encrypt_launch_data(flash_ptr, flash_size);
+ if (ret) {
+ fprintf(stderr, "Error: failed to encrypt %s\n", name);
+ exit(1);
+ }
+ kvm_memcrypt_set_debug_ops(flash_mem);
+ }
}
}
}
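Review bot: the encryption and kvm_memcrypt_set_debug_ops(flash_mem) call sit inside `if (unit == 0) {`, so any additional pflash unit (for example a separate variable-store image) is neither encrypted nor given debug ops; if that is deliberate, say why in a comment, otherwise move the block outside the unit check. The ordering relative to pc_isa_bios_init() is correct but subtle: the ISA copy of the flash tail is taken (and encrypted separately) before flash_mem itself is encrypted, so the copy comes from plaintext rather than being double-encrypted; a sentence on the `/* Encrypt the pflash boot ROM */` line pointing this out would save the next reader from "fixing" the order.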
@@ -208,6 +233,9 @@ static void old_pc_system_rom_init(MemoryRegion
*rom_memory, bool isapc_ram_fw)
}
g_free(filename);
+ if (kvm_memcrypt_enabled()) {
+ kvm_memcrypt_set_debug_ops(bios);
+ }
/* map the last 128KB of the BIOS in ISA space */
isa_bios_size = bios_size;
if (isa_bios_size > (128 * 1024)) {
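Review bot: this path only calls kvm_memcrypt_set_debug_ops(bios); unlike the pflash path there is no kvm_memcrypt_encrypt_launch_data() call for the image loaded via -bios, even though the commit message says the -bios case is covered. If the ROM contents are encrypted elsewhere (for instance where the ROM loader writes the image into guest memory), add a comment here pointing at that code; otherwise the BIOS loaded via -bios ends up unencrypted while its region is treated as encrypted for debug access.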