NACK: [SRU v2][J/gcp] Support for SEV-SNP
Thadeu Lima de Souza Cascardo
cascardo at canonical.com
Mon Jan 16 10:01:11 UTC 2023
On Mon, Jan 16, 2023 at 03:25:21AM -0500, Khaled Elmously wrote:
> On 2023-01-13 10:24:42 , Thadeu Lima de Souza Cascardo wrote:
> > On Tue, Jan 10, 2023 at 02:32:00AM -0500, Khaled Elmously wrote:
> > > BugLink: http://bugs.launchpad.net/bugs/2001605
> > >
> > > This patchset adds support for the SEV-SNP feature on AMD EPYC CPUs.
> > >
> > >
> > > v2:
> > > - Added missing provenance to first patch
> > >
> >
> > The commit IDs here are completely wrong. Things seem to be upstream, but will
> > require significant rewrite. This is going to be painful. I think we are past
> > the time to get this applied for this cycle.
> >
> > What is the impact of skipping this to next cycle?
>
> The impact would be Not Good, because then we seriously risk missing the Next-Gen Confidential launch which we had been testing and discussing for 6 months or more. We are already pushing it with an end-of-January release.
> This is the code that they had tested over several months internally and with limited 3rd partners. A "painful significant rewrite" will require a lot more testing and obviously won't match the timeline.
>
Then, where do those commit IDs come from? They are not upstream commit IDs.
This was not mentioned in their provenance on every individual commit and it
was not mentioned in the cover letter. It looks like all of them are upstream
now by looking at the subject. Why weren't the upstream commit IDs used at all?
Cascardo.
>
>
> >
> > Cascardo.
> >
> > >
> > >
> > >
> > >
> > > The following changes since commit 0fd605e02a5dc0a9f8282234f1f517729784b6b5:
> > >
> > > UBUNTU: Ubuntu-gcp-5.15.0-1026.33 (2022-12-01 10:06:59 -0300)
> > >
> > > are available in the Git repository at:
> > >
> > > git+ssh://git.launchpad.net/~kmously/ubuntu/+source/linux/+git/jammy gcp-sev-snp
> > >
> > > for you to fetch changes up to d9b2854ccded7992c5c52b72b031b75138d94876:
> > >
> > > UBUNTU: [config] Enable SEV_GUEST (2023-01-10 02:27:52 -0500)
> > >
> > > ----------------------------------------------------------------
> > > Borislav Petkov (3):
> > > x86/sev: Carve out HV call's return value verification
> > > x86/head64: Carve out the guest encryption postprocessing into a helper
> > > x86/sev: Remove do_early_exception() forward declarations
> > >
> > > Brijesh Singh (21):
> > > KVM: SVM: Define sev_features and vmpl field in the VMSA
> > > x86/mm: Extend cc_attr to include AMD SEV-SNP
> > > x86/sev: Shorten GHCB terminate macro names
> > > x86/sev: Define the Linux specific guest termination reasons
> > > x86/sev: Save the negotiated GHCB version
> > > x86/sev: Check SEV-SNP features support
> > > x86/sev: Add a helper for the PVALIDATE instruction
> > > x86/sev: Check the vmpl level
> > > x86/compressed: Add helper for validating pages in the decompression stage
> > > x86/compressed: Register GHCB memory when SEV-SNP is active
> > > x86/sev: Register GHCB memory when SEV-SNP is active
> > > x86/sev: Add helper for validating pages in early enc attribute changes
> > > x86/kernel: Make the .bss..decrypted section shared in RMP table
> > > x86/kernel: Validate ROM memory before accessing when SEV-SNP is active
> > > x86/mm: Add support to validate memory when changing C-bit
> > > x86/boot: Add Confidential Computing type to setup_data
> > > x86/sev: Provide support for SNP guest request NAEs
> > > x86/sev: Register SEV-SNP guest request platform device
> > > virt: Add SEV-SNP guest driver
> > > virt: sevguest: Add support to derive key
> > > virt: sevguest: Add support to get extended report
> > >
> > > Khalid Elmously (1):
> > > UBUNTU: [config] Enable SEV_GUEST
> > >
> > > Kuppuswamy Sathyanarayanan (2):
> > > x86/sev: Use CC_ATTR attribute to generalize string I/O unroll
> > > x86/sev: Rename mem_encrypt.c to mem_encrypt_amd.c
> > >
> > > Michael Roth (21):
> > > x86/boot: Introduce helpers for MSR reads/writes
> > > x86/boot: Use MSR read/write helpers instead of inline assembly
> > > x86/compressed/64: Detect/setup SEV/SME features earlier in boot
> > > x86/sev: Detect/setup SEV/SME features earlier in boot
> > > x86/head/64: Re-enable stack protection
> > > x86/compressed/acpi: Move EFI detection to helper
> > > x86/compressed/acpi: Move EFI system table lookup to helper
> > > x86/compressed/acpi: Move EFI config table lookup to helper
> > > x86/compressed/acpi: Move EFI vendor table lookup to helper
> > > x86/compressed/acpi: Move EFI kexec handling into common code
> > > KVM: x86: Move lookup of indexed CPUID leafs to helper
> > > x86/sev: Move MSR-based VMGEXITs for CPUID to helper
> > > x86/compressed/64: Add support for SEV-SNP CPUID table in #VC handlers
> > > x86/boot: Add a pointer to Confidential Computing blob in bootparams
> > > x86/compressed: Add SEV-SNP feature detection/setup
> > > x86/compressed: Use firmware-validated CPUID leaves for SEV-SNP guests
> > > x86/compressed: Export and rename add_identity_map()
> > > x86/compressed/64: Add identity mapping for Confidential Computing blob
> > > x86/sev: Add SEV-SNP feature detection/setup
> > > x86/sev: Use firmware-validated CPUID for SEV-SNP guests
> > > virt: sevguest: Add documentation for SEV-SNP CPUID Enforcement
> > >
> > > Peter Gonda (1):
> > > KVM: SEV: Refactor out sev_es_state struct
> > >
> > > Tianyu Lan (1):
> > > x86/sev: Expose sev_es_ghcb_hv_call() for use by HyperV
> > >
> > > Tom Lendacky (5):
> > > KVM: SVM: Create a separate mapping for the SEV-ES save area
> > > KVM: SVM: Create a separate mapping for the GHCB save area
> > > KVM: SVM: Update the SEV-ES save area mapping
> > > treewide: Replace the use of mem_encrypt_active() with cc_platform_has()
> > > x86/sev: Use SEV-SNP AP creation to start secondary CPUs
> > >
> > > Documentation/admin-guide/kernel-parameters.txt | 4 +
> > > Documentation/virt/coco/sevguest.rst | 155 +++++
> > > Documentation/virt/index.rst | 1 +
> > > Documentation/x86/zero-page.rst | 2 +
> > > arch/powerpc/include/asm/mem_encrypt.h | 5 -
> > > arch/powerpc/platforms/pseries/svm.c | 5 +-
> > > arch/s390/include/asm/mem_encrypt.h | 2 -
> > > arch/x86/boot/compressed/Makefile | 1 +
> > > arch/x86/boot/compressed/acpi.c | 173 +----
> > > arch/x86/boot/compressed/efi.c | 238 +++++++
> > > arch/x86/boot/compressed/head_64.S | 37 +-
> > > arch/x86/boot/compressed/ident_map_64.c | 39 +-
> > > arch/x86/boot/compressed/idt_64.c | 18 +-
> > > arch/x86/boot/compressed/mem_encrypt.S | 36 -
> > > arch/x86/boot/compressed/misc.h | 55 +-
> > > arch/x86/boot/compressed/sev.c | 263 +++++++-
> > > arch/x86/boot/cpucheck.c | 30 +-
> > > arch/x86/boot/msr.h | 28 +
> > > arch/x86/include/asm/bootparam_utils.h | 1 +
> > > arch/x86/include/asm/cpuid.h | 32 +
> > > arch/x86/include/asm/io.h | 20 +-
> > > arch/x86/include/asm/mem_encrypt.h | 5 -
> > > arch/x86/include/asm/msr-index.h | 2 +
> > > arch/x86/include/asm/msr.h | 11 +-
> > > arch/x86/include/asm/setup.h | 1 -
> > > arch/x86/include/asm/sev-common.h | 90 ++-
> > > arch/x86/include/asm/sev.h | 108 ++-
> > > arch/x86/include/asm/shared/msr.h | 15 +
> > > arch/x86/include/asm/svm.h | 171 ++++-
> > > arch/x86/include/uapi/asm/bootparam.h | 4 +-
> > > arch/x86/include/uapi/asm/svm.h | 13 +
> > > arch/x86/kernel/Makefile | 1 -
> > > arch/x86/kernel/cc_platform.c | 10 +
> > > arch/x86/kernel/cpu/common.c | 4 +
> > > arch/x86/kernel/head64.c | 86 +--
> > > arch/x86/kernel/head_64.S | 37 +-
> > > arch/x86/kernel/probe_roms.c | 13 +-
> > > arch/x86/kernel/sev-shared.c | 593 ++++++++++++++--
> > > arch/x86/kernel/sev.c | 820 ++++++++++++++++++++++-
> > > arch/x86/kernel/smpboot.c | 3 +
> > > arch/x86/kvm/cpuid.c | 17 +-
> > > arch/x86/kvm/svm/sev.c | 103 +--
> > > arch/x86/kvm/svm/svm.c | 12 +-
> > > arch/x86/kvm/svm/svm.h | 26 +-
> > > arch/x86/mm/Makefile | 8 +-
> > > arch/x86/mm/ioremap.c | 4 +-
> > > arch/x86/mm/{mem_encrypt.c => mem_encrypt_amd.c} | 73 +-
> > > arch/x86/mm/mem_encrypt_identity.c | 8 +
> > > arch/x86/mm/pat/set_memory.c | 18 +-
> > > debian.gcp/config/config.common.ubuntu | 1 +
> > > drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 4 +-
> > > drivers/gpu/drm/drm_cache.c | 4 +-
> > > drivers/gpu/drm/vmwgfx/vmwgfx_drv.c | 4 +-
> > > drivers/gpu/drm/vmwgfx/vmwgfx_msg.c | 6 +-
> > > drivers/iommu/amd/iommu.c | 3 +-
> > > drivers/iommu/amd/iommu_v2.c | 3 +-
> > > drivers/iommu/iommu.c | 3 +-
> > > drivers/virt/Kconfig | 3 +
> > > drivers/virt/Makefile | 1 +
> > > drivers/virt/coco/sevguest/Kconfig | 12 +
> > > drivers/virt/coco/sevguest/Makefile | 2 +
> > > drivers/virt/coco/sevguest/sevguest.c | 736 ++++++++++++++++++++
> > > drivers/virt/coco/sevguest/sevguest.h | 98 +++
> > > fs/proc/vmcore.c | 6 +-
> > > include/linux/cc_platform.h | 19 +
> > > include/linux/efi.h | 1 +
> > > include/linux/mem_encrypt.h | 4 -
> > > include/uapi/linux/sev-guest.h | 80 +++
> > > kernel/dma/swiotlb.c | 4 +-
> > > 69 files changed, 3838 insertions(+), 557 deletions(-)
> > > create mode 100644 Documentation/virt/coco/sevguest.rst
> > > create mode 100644 arch/x86/boot/compressed/efi.c
> > > create mode 100644 arch/x86/boot/msr.h
> > > create mode 100644 arch/x86/include/asm/cpuid.h
> > > create mode 100644 arch/x86/include/asm/shared/msr.h
> > > rename arch/x86/mm/{mem_encrypt.c => mem_encrypt_amd.c} (89%)
> > > create mode 100644 drivers/virt/coco/sevguest/Kconfig
> > > create mode 100644 drivers/virt/coco/sevguest/Makefile
> > > create mode 100644 drivers/virt/coco/sevguest/sevguest.c
> > > create mode 100644 drivers/virt/coco/sevguest/sevguest.h
> > > create mode 100644 include/uapi/linux/sev-guest.h
> > >
> > > --
> > > kernel-team mailing list
> > > kernel-team at lists.ubuntu.com
> > > https://lists.ubuntu.com/mailman/listinfo/kernel-team
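A check in the spirit of the provenance review Cascardo describes above, as an added example that is not code from this thread or from the Ubuntu kernel team: it parses Ubuntu-style `(cherry picked from commit <sha>)` / `(backported from commit <sha>)` trailers in a patch series and reports any patch whose trailer is missing, whose SHA does not resolve to an upstream commit, or whose subject does not match the upstream subject for that SHA. The upstream log and the patch series are constructed in-memory sample data (a real check would read them from `git log` of the upstream tree).

```python
import re
# Constructed stand-in for the upstream tree's `git log`: full SHA -> subject.
UPSTREAM = {
    "a" * 40: "x86/sev: Check SEV-SNP features support",
    "b" * 40: "x86/sev: Add a helper for the PVALIDATE instruction",
}
# Ubuntu provenance trailers: "(cherry picked from commit <sha>)" or
# "(backported from commit <sha>)", on a line of their own in the message.
TRAILER_RE = re.compile(
    r"^\((?:cherry picked|backported) from commit ([0-9a-fA-F]+)\)$", re.M)
SUBJECT_RE = re.compile(r"^Subject: (?:\[PATCH[^\]]*\] )?(.+)$", re.M)

def patch_subject(patch_text):
    """Subject line with any [PATCH ...] prefix stripped ('' if absent)."""
    m = SUBJECT_RE.search(patch_text)
    return m.group(1).strip() if m else ""

def check_patch(patch_text, upstream=UPSTREAM):
    """Return the provenance problems of one patch; an empty list means OK."""
    trailer = TRAILER_RE.search(patch_text)
    if not trailer:
        return ["missing provenance trailer"]
    sha = trailer.group(1).lower()
    # Resolve an abbreviated SHA by unique prefix, as git itself would.
    candidates = [k for k in upstream if k.startswith(sha)]
    if len(candidates) != 1:
        return ["commit %s not found upstream (or ambiguous)" % sha[:12]]
    subject, upstream_subject = patch_subject(patch_text), upstream[candidates[0]]
    if subject != upstream_subject:
        return ["subject %r does not match upstream %r" % (subject, upstream_subject)]
    return []

def check_series(patches, upstream=UPSTREAM):
    """Map the subject of every failing patch to its list of problems."""
    report = {}
    for text in patches:
        problems = check_patch(text, upstream)
        if problems:
            report[patch_subject(text)] = problems
    return report
# Constructed sample series: one correct patch, one whose SHA is not upstream
# (the situation the NACK describes), one with no trailer at all.
SAMPLE_SERIES = [
    "Subject: [PATCH 1/3] x86/sev: Check SEV-SNP features support\n\n"
    "Body.\n\n(cherry picked from commit %s)\n" % ("a" * 40),
    "Subject: [PATCH 2/3] x86/sev: Add a helper for the PVALIDATE instruction\n\n"
    "Body.\n\n(cherry picked from commit %s)\n" % ("c" * 40),
    "Subject: [PATCH 3/3] x86/sev: Check the vmpl level\n\nBody.\n",
]
```

Running `check_series(SAMPLE_SERIES)` lists only the second and third patches, which is the kind of result that should block an SRU pull request before it reaches review.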