NACK: [SRU v2][J/gcp] Support for SEV-SNP

Khaled Elmously khalid.elmously at canonical.com
Mon Jan 16 08:25:21 UTC 2023


On 2023-01-13 10:24:42 , Thadeu Lima de Souza Cascardo wrote:
> On Tue, Jan 10, 2023 at 02:32:00AM -0500, Khaled Elmously wrote:
> > BugLink: http://bugs.launchpad.net/bugs/2001605
> > 
> > This patchset adds support for the SEV-SNP feature on AMD EPYC CPUs.
> > 
> > 
> > v2:
> >  - Added missing provenance to first patch
> > 
> 
> The commit IDs here are completely wrong. Things seem to be upstream, but will
> require significant rewrite. This is going to be painful. I think we are past
> the time to get this applied for this cycle.
> 
> What is the impact of skipping this to next cycle?

The impact would be Not Good, because then we seriously risk missing the Next-Gen Confidential launch which we had been testing and discussing for 6 months or more. We are already pushing it with an end-of-January release.
This is the code that they had tested over several months internally and with limited 3rd partners. A "painful significant rewrite" will require a lot more testing and obviously won't match the timeline.



> 
> Cascardo.
> 
> > 
> > 
> > 
> > 
> > The following changes since commit 0fd605e02a5dc0a9f8282234f1f517729784b6b5:
> > 
> >   UBUNTU: Ubuntu-gcp-5.15.0-1026.33 (2022-12-01 10:06:59 -0300)
> > 
> > are available in the Git repository at:
> > 
> >   git+ssh://git.launchpad.net/~kmously/ubuntu/+source/linux/+git/jammy gcp-sev-snp
> > 
> > for you to fetch changes up to d9b2854ccded7992c5c52b72b031b75138d94876:
> > 
> >   UBUNTU: [config] Enable SEV_GUEST (2023-01-10 02:27:52 -0500)
> > 
> > ----------------------------------------------------------------
> > Borislav Petkov (3):
> >       x86/sev: Carve out HV call's return value verification
> >       x86/head64: Carve out the guest encryption postprocessing into a helper
> >       x86/sev: Remove do_early_exception() forward declarations
> > 
> > Brijesh Singh (21):
> >       KVM: SVM: Define sev_features and vmpl field in the VMSA
> >       x86/mm: Extend cc_attr to include AMD SEV-SNP
> >       x86/sev: Shorten GHCB terminate macro names
> >       x86/sev: Define the Linux specific guest termination reasons
> >       x86/sev: Save the negotiated GHCB version
> >       x86/sev: Check SEV-SNP features support
> >       x86/sev: Add a helper for the PVALIDATE instruction
> >       x86/sev: Check the vmpl level
> >       x86/compressed: Add helper for validating pages in the decompression stage
> >       x86/compressed: Register GHCB memory when SEV-SNP is active
> >       x86/sev: Register GHCB memory when SEV-SNP is active
> >       x86/sev: Add helper for validating pages in early enc attribute changes
> >       x86/kernel: Make the .bss..decrypted section shared in RMP table
> >       x86/kernel: Validate ROM memory before accessing when SEV-SNP is active
> >       x86/mm: Add support to validate memory when changing C-bit
> >       x86/boot: Add Confidential Computing type to setup_data
> >       x86/sev: Provide support for SNP guest request NAEs
> >       x86/sev: Register SEV-SNP guest request platform device
> >       virt: Add SEV-SNP guest driver
> >       virt: sevguest: Add support to derive key
> >       virt: sevguest: Add support to get extended report
> > 
> > Khalid Elmously (1):
> >       UBUNTU: [config] Enable SEV_GUEST
> > 
> > Kuppuswamy Sathyanarayanan (2):
> >       x86/sev: Use CC_ATTR attribute to generalize string I/O unroll
> >       x86/sev: Rename mem_encrypt.c to mem_encrypt_amd.c
> > 
> > Michael Roth (21):
> >       x86/boot: Introduce helpers for MSR reads/writes
> >       x86/boot: Use MSR read/write helpers instead of inline assembly
> >       x86/compressed/64: Detect/setup SEV/SME features earlier in boot
> >       x86/sev: Detect/setup SEV/SME features earlier in boot
> >       x86/head/64: Re-enable stack protection
> >       x86/compressed/acpi: Move EFI detection to helper
> >       x86/compressed/acpi: Move EFI system table lookup to helper
> >       x86/compressed/acpi: Move EFI config table lookup to helper
> >       x86/compressed/acpi: Move EFI vendor table lookup to helper
> >       x86/compressed/acpi: Move EFI kexec handling into common code
> >       KVM: x86: Move lookup of indexed CPUID leafs to helper
> >       x86/sev: Move MSR-based VMGEXITs for CPUID to helper
> >       x86/compressed/64: Add support for SEV-SNP CPUID table in #VC handlers
> >       x86/boot: Add a pointer to Confidential Computing blob in bootparams
> >       x86/compressed: Add SEV-SNP feature detection/setup
> >       x86/compressed: Use firmware-validated CPUID leaves for SEV-SNP guests
> >       x86/compressed: Export and rename add_identity_map()
> >       x86/compressed/64: Add identity mapping for Confidential Computing blob
> >       x86/sev: Add SEV-SNP feature detection/setup
> >       x86/sev: Use firmware-validated CPUID for SEV-SNP guests
> >       virt: sevguest: Add documentation for SEV-SNP CPUID Enforcement
> > 
> > Peter Gonda (1):
> >       KVM: SEV: Refactor out sev_es_state struct
> > 
> > Tianyu Lan (1):
> >       x86/sev: Expose sev_es_ghcb_hv_call() for use by HyperV
> > 
> > Tom Lendacky (5):
> >       KVM: SVM: Create a separate mapping for the SEV-ES save area
> >       KVM: SVM: Create a separate mapping for the GHCB save area
> >       KVM: SVM: Update the SEV-ES save area mapping
> >       treewide: Replace the use of mem_encrypt_active() with cc_platform_has()
> >       x86/sev: Use SEV-SNP AP creation to start secondary CPUs
> > 
> >  Documentation/admin-guide/kernel-parameters.txt  |   4 +
> >  Documentation/virt/coco/sevguest.rst             | 155 +++++
> >  Documentation/virt/index.rst                     |   1 +
> >  Documentation/x86/zero-page.rst                  |   2 +
> >  arch/powerpc/include/asm/mem_encrypt.h           |   5 -
> >  arch/powerpc/platforms/pseries/svm.c             |   5 +-
> >  arch/s390/include/asm/mem_encrypt.h              |   2 -
> >  arch/x86/boot/compressed/Makefile                |   1 +
> >  arch/x86/boot/compressed/acpi.c                  | 173 +----
> >  arch/x86/boot/compressed/efi.c                   | 238 +++++++
> >  arch/x86/boot/compressed/head_64.S               |  37 +-
> >  arch/x86/boot/compressed/ident_map_64.c          |  39 +-
> >  arch/x86/boot/compressed/idt_64.c                |  18 +-
> >  arch/x86/boot/compressed/mem_encrypt.S           |  36 -
> >  arch/x86/boot/compressed/misc.h                  |  55 +-
> >  arch/x86/boot/compressed/sev.c                   | 263 +++++++-
> >  arch/x86/boot/cpucheck.c                         |  30 +-
> >  arch/x86/boot/msr.h                              |  28 +
> >  arch/x86/include/asm/bootparam_utils.h           |   1 +
> >  arch/x86/include/asm/cpuid.h                     |  32 +
> >  arch/x86/include/asm/io.h                        |  20 +-
> >  arch/x86/include/asm/mem_encrypt.h               |   5 -
> >  arch/x86/include/asm/msr-index.h                 |   2 +
> >  arch/x86/include/asm/msr.h                       |  11 +-
> >  arch/x86/include/asm/setup.h                     |   1 -
> >  arch/x86/include/asm/sev-common.h                |  90 ++-
> >  arch/x86/include/asm/sev.h                       | 108 ++-
> >  arch/x86/include/asm/shared/msr.h                |  15 +
> >  arch/x86/include/asm/svm.h                       | 171 ++++-
> >  arch/x86/include/uapi/asm/bootparam.h            |   4 +-
> >  arch/x86/include/uapi/asm/svm.h                  |  13 +
> >  arch/x86/kernel/Makefile                         |   1 -
> >  arch/x86/kernel/cc_platform.c                    |  10 +
> >  arch/x86/kernel/cpu/common.c                     |   4 +
> >  arch/x86/kernel/head64.c                         |  86 +--
> >  arch/x86/kernel/head_64.S                        |  37 +-
> >  arch/x86/kernel/probe_roms.c                     |  13 +-
> >  arch/x86/kernel/sev-shared.c                     | 593 ++++++++++++++--
> >  arch/x86/kernel/sev.c                            | 820 ++++++++++++++++++++++-
> >  arch/x86/kernel/smpboot.c                        |   3 +
> >  arch/x86/kvm/cpuid.c                             |  17 +-
> >  arch/x86/kvm/svm/sev.c                           | 103 +--
> >  arch/x86/kvm/svm/svm.c                           |  12 +-
> >  arch/x86/kvm/svm/svm.h                           |  26 +-
> >  arch/x86/mm/Makefile                             |   8 +-
> >  arch/x86/mm/ioremap.c                            |   4 +-
> >  arch/x86/mm/{mem_encrypt.c => mem_encrypt_amd.c} |  73 +-
> >  arch/x86/mm/mem_encrypt_identity.c               |   8 +
> >  arch/x86/mm/pat/set_memory.c                     |  18 +-
> >  debian.gcp/config/config.common.ubuntu           |   1 +
> >  drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c          |   4 +-
> >  drivers/gpu/drm/drm_cache.c                      |   4 +-
> >  drivers/gpu/drm/vmwgfx/vmwgfx_drv.c              |   4 +-
> >  drivers/gpu/drm/vmwgfx/vmwgfx_msg.c              |   6 +-
> >  drivers/iommu/amd/iommu.c                        |   3 +-
> >  drivers/iommu/amd/iommu_v2.c                     |   3 +-
> >  drivers/iommu/iommu.c                            |   3 +-
> >  drivers/virt/Kconfig                             |   3 +
> >  drivers/virt/Makefile                            |   1 +
> >  drivers/virt/coco/sevguest/Kconfig               |  12 +
> >  drivers/virt/coco/sevguest/Makefile              |   2 +
> >  drivers/virt/coco/sevguest/sevguest.c            | 736 ++++++++++++++++++++
> >  drivers/virt/coco/sevguest/sevguest.h            |  98 +++
> >  fs/proc/vmcore.c                                 |   6 +-
> >  include/linux/cc_platform.h                      |  19 +
> >  include/linux/efi.h                              |   1 +
> >  include/linux/mem_encrypt.h                      |   4 -
> >  include/uapi/linux/sev-guest.h                   |  80 +++
> >  kernel/dma/swiotlb.c                             |   4 +-
> >  69 files changed, 3838 insertions(+), 557 deletions(-)
> >  create mode 100644 Documentation/virt/coco/sevguest.rst
> >  create mode 100644 arch/x86/boot/compressed/efi.c
> >  create mode 100644 arch/x86/boot/msr.h
> >  create mode 100644 arch/x86/include/asm/cpuid.h
> >  create mode 100644 arch/x86/include/asm/shared/msr.h
> >  rename arch/x86/mm/{mem_encrypt.c => mem_encrypt_amd.c} (89%)
> >  create mode 100644 drivers/virt/coco/sevguest/Kconfig
> >  create mode 100644 drivers/virt/coco/sevguest/Makefile
> >  create mode 100644 drivers/virt/coco/sevguest/sevguest.c
> >  create mode 100644 drivers/virt/coco/sevguest/sevguest.h
> >  create mode 100644 include/uapi/linux/sev-guest.h
> > 
> > -- 
> > kernel-team mailing list
> > kernel-team at lists.ubuntu.com
> > https://lists.ubuntu.com/mailman/listinfo/kernel-team


