[edk2-devel] [PATCH v6 0/6] SEV Live Migration support for OVMF.
Yao, Jiewen
jiewen.yao at intel.com
Thu Aug 5 05:17:15 UTC 2021
Hi
I have some questions:
1) May I know what is the usage of this UEFI variable - SevLiveMigrationEnabled?
I only see it is created, but I do not see how it is consumed.
2) Is this a full live migration patch, or is this just a startup and there will be more on the way?
Thank you
Yao Jiewen
> -----Original Message-----
> From: devel at edk2.groups.io <devel at edk2.groups.io> On Behalf Of Ashish Kalra
> via groups.io
> Sent: Monday, August 2, 2021 8:31 PM
> To: devel at edk2.groups.io
> Cc: dovmurik at linux.vnet.ibm.com; brijesh.singh at amd.com; tobin at ibm.com;
> Thomas.Lendacky at amd.com; jejb at linux.ibm.com; Justen, Jordan L
> <jordan.l.justen at intel.com>; ard.biesheuvel at arm.com;
> erdemaktas at google.com; Yao, Jiewen <jiewen.yao at intel.com>; Xu, Min M
> <min.m.xu at intel.com>
> Subject: [edk2-devel] [PATCH v6 0/6] SEV Live Migration support for OVMF.
>
> From: Ashish Kalra <ashish.kalra at amd.com>
>
> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3467
>
> By default all the SEV guest memory regions are considered encrypted;
> if a guest changes the encryption attribute of a page (e.g. marks a
> page as decrypted) then it notifies the hypervisor. The hypervisor will need to
> track the unencrypted pages. The information will be used during
> guest live migration, guest page migration and guest debugging.
>
> The patch-set detects if it is running under the KVM hypervisor and then
> checks for SEV live migration feature support via KVM_FEATURE_CPUID;
> if detected, it sets up a new UEFI environment variable to indicate OVMF
> support for SEV live migration.
>
> A branch containing these patches is available here:
> https://github.com/ashkalra/edk2-1/tree/sev_live_migration_v5_10
>
> Changes since v5:
> - Split first patch into three components, one patch for the
> MemEncryptSevLiveMigrationIsEnabled() API, one patch for the
> SetMemoryEncDecHypercall3() API, one patch to make use of the
> SetMemoryEncDecHypercall3() API.
> - Fix patch subject, in code and patch comments and
> additionally add relevant comments.
> - Replace SetMemoryEncDecHypercall3() API's Status argument
> with a boolean IsEncrypted argument and corresponding fixes
> to users of this API call.
> - Fix AsciiStrCmp() usage in KVM hypervisor detection code.
>
> Changes since v4:
> - Remove MemEncryptHypercallLib Library and add support to issue
> hypercall in the BaseMemEncryptSevLib library itself.
> - For SEV-ES, make the VC handler hypercall aware by comparing
> the hypercall number and add the additional register values
> in the GHCB.
> - Fix comments in the hypercall API interface.
> - The encryption bit is set/clear on the smallest page size, hence
> use the 4k page size in MAP_GPA_RANGE hypercall.
> - Make the hypercall expect the guest physical address to be
> page-aligned.
> - Add KVM live migration feature flag check in BaseMemEncryptSevLib
> library similar to how BaseMemEncryptSevLib does for the
> MemEncryptSevIsEnabled() and check it before invoking HC. Also
> export the MemEncryptSevLiveMigrationIsEnabled() function as
> part of the library.
> - Add error handling on hypercall return, on failure, return error
> code to caller which potentially will cause an assert() and
> terminate the boot.
>
> Changes since v3:
> - Fix all DSC files under OvmfPkg except X64 to add support for
> BaseMemEncryptLib and add NULL instance of BaseMemEncryptLib
> for 32 bit platforms.
> - Add the MemEncryptHypercallLib-related files to Maintainers.txt,
> in section "OvmfPkg: Confidential Computing".
> - Add support for the new KVM_HC_MAP_GPA_RANGE hypercall interface.
> - Add patch for SEV live migration support.
>
> Changes since v2:
> - GHCB_BASE setup during reset-vector as decrypted is marked explicitly
> in the hypervisor page encryption bitmap after setting the
> PcdSevEsIsEnabled PCD.
>
> Changes since v1:
> - Mark GHCB_BASE setup during reset-vector as decrypted explicitly in
> the hypervisor page encryption bitmap.
> - Resending the series with correct shallow threading.
>
> Ashish Kalra (6):
> OvmfPkg/BaseMemEncryptLib: Detect SEV live migration feature.
> OvmfPkg/BaseMemEncryptLib: Hypercall API for page encryption state
> change
> OvmfPkg/BaseMemEncryptLib: Invoke page encryption state change
> hypercall
> OvmfPkg/VmgExitLib: Encryption state change hypercall support in VC
> handler
> OvmfPkg/PlatformPei: Mark SEC GHCB page as unencrypted via hypercall
> OvmfPkg/AmdSevDxe: Add support for SEV live migration.
>
> OvmfPkg/AmdSevDxe/AmdSevDxe.c | 64 +++++++++++++++++
> OvmfPkg/AmdSevDxe/AmdSevDxe.inf | 4 ++
> OvmfPkg/Include/Guid/AmdSevMemEncryptLib.h | 20 ++++++
> OvmfPkg/Include/Library/MemEncryptSevLib.h | 70 +++++++++++++++++++
> .../DxeMemEncryptSevLib.inf | 1 +
> .../DxeMemEncryptSevLibInternal.c | 39 +++++++++++
> .../Ia32/MemEncryptSevLib.c | 27 +++++++
> .../PeiDxeMemEncryptSevLibInternal.c | 52 ++++++++++++++
> .../PeiMemEncryptSevLib.inf | 1 +
> .../PeiMemEncryptSevLibInternal.c | 39 +++++++++++
> .../SecMemEncryptSevLibInternal.c | 38 ++++++++++
> .../X64/AsmHelperStub.nasm | 33 +++++++++
> .../X64/MemEncryptSevLib.c | 62 ++++++++++++++++
> .../X64/PeiDxeVirtualMemory.c | 20 ++++++
> OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c | 13 ++++
> OvmfPkg/OvmfPkg.dec | 1 +
> OvmfPkg/PlatformPei/AmdSev.c | 11 +++
> 17 files changed, 495 insertions(+)
> create mode 100644 OvmfPkg/Include/Guid/AmdSevMemEncryptLib.h
> create mode 100644
> OvmfPkg/Library/BaseMemEncryptSevLib/X64/AsmHelperStub.nasm
>
> --
> 2.17.1
View/Reply Online (#78700): https://edk2.groups.io/g/devel/message/78700
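The hypercall gating the cover letter describes (KVM detection through the CPUID signature, the feature check before any hypercall is issued, 4K granularity and the requirement that the GPA be page-aligned) as an added C example. This is not code from the patch series or from OVMF. The CPUID leaf numbers, the feature bit index, the KVM_HC_MAP_GPA_RANGE hypercall number and the attribute encoding are taken from Linux's include/uapi/linux/kvm_para.h as I recall it and should be treated as assumptions; the CPUID register values are constructed, and the example only builds the register image that would precede VMMCALL rather than executing CPUID or the hypercall, so it runs on any little-endian host.

```c
/*
 * Added example, not OVMF or patch-series code. Constants below are my
 * recollection of Linux kvm_para.h and are assumptions, not facts the
 * cover letter states. Assumes a little-endian host for the signature
 * reassembly.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KVM_CPUID_SIGNATURE          0x40000000u /* assumed: "KVMKVMKVM" leaf */
#define KVM_CPUID_FEATURES           0x40000001u /* assumed: KVM_FEATURE_CPUID leaf */
#define KVM_FEATURE_HC_MAP_GPA_RANGE 16          /* assumed: bit in EAX of that leaf */
#define KVM_HC_MAP_GPA_RANGE         12u         /* assumed: hypercall number */

/* Assumed attribute encoding in the hypercall's third argument. */
#define KVM_MAP_GPA_RANGE_PAGE_SZ_4K 0u
#define KVM_MAP_GPA_RANGE_ENCRYPTED  (1u << 4)
#define KVM_MAP_GPA_RANGE_DECRYPTED  0u

#define SIZE_4KB 0x1000u

typedef struct {
    uint32_t eax, ebx, ecx, edx;
} CpuidRegs;

/* Register image as it would be loaded into RAX/RBX/RCX/RDX before VMMCALL. */
typedef struct {
    uint64_t nr, gpa, npages, attrs;
} MapGpaRangeHc;

/* KVM spreads "KVMKVMKVM\0\0\0" over EBX, ECX, EDX of the signature leaf.
 * Compare the whole string, not a prefix (the v6 changelog notes an
 * AsciiStrCmp() usage fix in exactly this detection code). */
bool IsKvmHypervisor(const CpuidRegs *sig)
{
    char s[13];
    memcpy(s, &sig->ebx, 4);
    memcpy(s + 4, &sig->ecx, 4);
    memcpy(s + 8, &sig->edx, 4);
    s[12] = '\0';
    return strcmp(s, "KVMKVMKVM") == 0;
}

/* Only issue the hypercall when KVM advertises it; on other hypervisors an
 * unknown hypercall number is at best an error and at worst a #UD. */
bool KvmMapGpaRangeSupported(const CpuidRegs *sig, const CpuidRegs *feat)
{
    if (!IsKvmHypervisor(sig))
        return false;
    return (feat->eax & (1u << KVM_FEATURE_HC_MAP_GPA_RANGE)) != 0;
}

/* Returns 0 on success, -1 if the range is empty or not 4K aligned. The
 * series makes the hypercall expect a page-aligned GPA instead of rounding,
 * and the C-bit is flipped at 4K granularity, so the page count is in 4K
 * units regardless of how the range was mapped. */
int BuildMapGpaRangeHc(uint64_t gpa, uint64_t size, bool encrypted,
                       MapGpaRangeHc *out)
{
    if (size == 0 || (gpa & (SIZE_4KB - 1)) || (size & (SIZE_4KB - 1)))
        return -1;
    out->nr     = KVM_HC_MAP_GPA_RANGE;
    out->gpa    = gpa;
    out->npages = size / SIZE_4KB;
    out->attrs  = KVM_MAP_GPA_RANGE_PAGE_SZ_4K |
                  (encrypted ? KVM_MAP_GPA_RANGE_ENCRYPTED
                             : KVM_MAP_GPA_RANGE_DECRYPTED);
    return 0;
}

/* Constructed CPUID results standing in for a real CPUID instruction:
 * EBX="KVMK", ECX="VMKV", EDX="M\0\0\0", and the feature bit set. */
static const CpuidRegs kKvmSig  = { 0x40000001u, 0x4b4d564bu, 0x564b4d56u, 0x0000004du };
static const CpuidRegs kKvmFeat = { 1u << KVM_FEATURE_HC_MAP_GPA_RANGE, 0, 0, 0 };
static const CpuidRegs kNotKvm  = { 0, 0x4d4d5863u, 0, 0 };

/* Walks the gate-then-build sequence on the constructed inputs; returns
 * true when every step behaves as the cover letter describes. */
bool DemoSelfCheck(void)
{
    MapGpaRangeHc hc;
    if (!KvmMapGpaRangeSupported(&kKvmSig, &kKvmFeat)) return false;
    if (KvmMapGpaRangeSupported(&kNotKvm, &kKvmFeat)) return false;
    /* Marking three 4K pages (e.g. a GHCB plus neighbours) as decrypted. */
    if (BuildMapGpaRangeHc(0x80000000ull, 3 * SIZE_4KB, false, &hc) != 0) return false;
    if (hc.nr != KVM_HC_MAP_GPA_RANGE || hc.npages != 3 || hc.attrs != 0) return false;
    /* A misaligned GPA must be rejected before the hypercall is issued. */
    if (BuildMapGpaRangeHc(0x80000800ull, SIZE_4KB, true, &hc) != -1) return false;
    return true;
}

int main(void)
{
    printf("self-check: %s\n", DemoSelfCheck() ? "ok" : "FAILED");
    return DemoSelfCheck() ? 0 : 1;
}
```

On an SEV-ES guest the VMMCALL itself raises #VC, which is why the series teaches the VC handler to recognise this hypercall number and pass the extra registers through the GHCB; that part is deliberately outside this example.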