KVM: SEV: define VM types for SEV and SEV-ES

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-ID: <20240404121327.3107131-11-pbonzini@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

diff --git a/Documentation/virt/kvm/api.rst b/Documentation/virt/kvm/api.rst
index 0b5a33ee71eea11e5dabe09ad77e62426a72fd11..f0b76ff5030dcb75fb57f4b5f6346b704a71989e 100644 (file)
--- a/Documentation/virt/kvm/api.rst
+++ b/Documentation/virt/kvm/api.rst
@@ -8819,6 +8819,8 @@ means the VM type with value @n is supported.  Possible values of @n are::
 
   #define KVM_X86_DEFAULT_VM   0
   #define KVM_X86_SW_PROTECTED_VM      1
+  #define KVM_X86_SEV_VM       2
+  #define KVM_X86_SEV_ES_VM    3
 
 Note, KVM_X86_SW_PROTECTED_VM is currently only for development and testing.
 Do not use KVM_X86_SW_PROTECTED_VM for "real" VMs, and especially not in

diff --git a/arch/x86/include/uapi/asm/kvm.h b/arch/x86/include/uapi/asm/kvm.h
index b7dc515f4c27a17c070f6bca5f8a5f13b5844489..ab609adacb115d0bdf4a06d3a41447c41ad12cdf 100644 (file)
--- a/arch/x86/include/uapi/asm/kvm.h
+++ b/arch/x86/include/uapi/asm/kvm.h
@@ -861,5 +861,7 @@ struct kvm_hyperv_eventfd {
 
 #define KVM_X86_DEFAULT_VM     0
 #define KVM_X86_SW_PROTECTED_VM        1
+#define KVM_X86_SEV_VM         2
+#define KVM_X86_SEV_ES_VM      3
 
 #endif /* _ASM_X86_KVM_H */

diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
index f98448dc8be83f4c396e2a0524d7282f3d7c1ad5..1512bacd74a90b70b37cc29eddbbc936d6363139 100644 (file)
--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -251,6 +251,9 @@ static int sev_guest_init(struct kvm *kvm, struct kvm_sev_cmd *argp)
        if (kvm->created_vcpus)
                return -EINVAL;
 
+       if (kvm->arch.vm_type != KVM_X86_DEFAULT_VM)
+               return -EINVAL;
+
        if (unlikely(sev->active))
                return -EINVAL;
 
@@ -272,6 +275,7 @@ static int sev_guest_init(struct kvm *kvm, struct kvm_sev_cmd *argp)
 
        INIT_LIST_HEAD(&sev->regions_list);
        INIT_LIST_HEAD(&sev->mirror_vms);
+       sev->need_init = false;
 
        kvm_set_apicv_inhibit(kvm, APICV_INHIBIT_REASON_SEV);
 
@@ -1808,7 +1812,8 @@ int sev_vm_move_enc_context_from(struct kvm *kvm, unsigned int source_fd)
        if (ret)
                goto out_fput;
 
-       if (sev_guest(kvm) || !sev_guest(source_kvm)) {
+       if (kvm->arch.vm_type != source_kvm->arch.vm_type ||
+           sev_guest(kvm) || !sev_guest(source_kvm)) {
                ret = -EINVAL;
                goto out_unlock;
        }
@@ -2132,6 +2137,7 @@ int sev_vm_copy_enc_context_from(struct kvm *kvm, unsigned int source_fd)
        mirror_sev->asid = source_sev->asid;
        mirror_sev->fd = source_sev->fd;
        mirror_sev->es_active = source_sev->es_active;
+       mirror_sev->need_init = false;
        mirror_sev->handle = source_sev->handle;
        INIT_LIST_HEAD(&mirror_sev->regions_list);
        INIT_LIST_HEAD(&mirror_sev->mirror_vms);
@@ -2197,10 +2203,14 @@ void sev_vm_destroy(struct kvm *kvm)
 
 void __init sev_set_cpu_caps(void)
 {
-       if (sev_enabled)
+       if (sev_enabled) {
                kvm_cpu_cap_set(X86_FEATURE_SEV);
-       if (sev_es_enabled)
+               kvm_caps.supported_vm_types |= BIT(KVM_X86_SEV_VM);
+       }
+       if (sev_es_enabled) {
                kvm_cpu_cap_set(X86_FEATURE_SEV_ES);
+               kvm_caps.supported_vm_types |= BIT(KVM_X86_SEV_ES_VM);
+       }
 }
 
 void __init sev_hardware_setup(void)

diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
index c22e87ebf0decfda17b1187a7aad8a01c0fd21eb..b0038ece55cbccddf6fbdb0a6b41a14f72cb9ae7 100644 (file)
--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -4086,6 +4086,9 @@ static void svm_cancel_injection(struct kvm_vcpu *vcpu)
 
 static int svm_vcpu_pre_run(struct kvm_vcpu *vcpu)
 {
+       if (to_kvm_sev_info(vcpu->kvm)->need_init)
+               return -EINVAL;
+
        return 1;
 }
 
@@ -4891,6 +4894,14 @@ static void svm_vm_destroy(struct kvm *kvm)
 
 static int svm_vm_init(struct kvm *kvm)
 {
+       int type = kvm->arch.vm_type;
+
+       if (type != KVM_X86_DEFAULT_VM &&
+           type != KVM_X86_SW_PROTECTED_VM) {
+               kvm->arch.has_protected_state = (type == KVM_X86_SEV_ES_VM);
+               to_kvm_sev_info(kvm)->need_init = true;
+       }
+
        if (!pause_filter_count || !pause_filter_thresh)
                kvm->arch.pause_in_guest = true;
 

diff --git a/arch/x86/kvm/svm/svm.h b/arch/x86/kvm/svm/svm.h
index 5d5b8ed43db8359bdc0d0506161b5c31503485fe..32390178254738cb3198c01459b31fa2839da45d 100644 (file)
--- a/arch/x86/kvm/svm/svm.h
+++ b/arch/x86/kvm/svm/svm.h
@@ -79,6 +79,7 @@ enum {
 struct kvm_sev_info {
        bool active;            /* SEV enabled guest */
        bool es_active;         /* SEV-ES enabled guest */
+       bool need_init;         /* waiting for SEV_INIT2 */
        unsigned int asid;      /* ASID used for this guest */
        unsigned int handle;    /* SEV firmware handle */
        int fd;                 /* SEV device fd */