SEV-ES: vmd(8): configure SEV-ES 1/2
Hi,
this diff adds the "seves" keyword to vm.conf(5). I will definitely
have to spend some more time on making the configuration more sound.
Take care,
HJ.
----------------------------------------------------------------------------
commit b51e4f6be025a97af5d6673d81292dba2b9dcc01
Author: Hans-Joerg Hoexer <hshoexer@genua.de>
Date: Mon Jul 29 14:13:25 2024 +0200
vmd(8): configure SEV-ES
Introduce keyword "seves" for vm.conf to enable SEV-ES. When sending
the LAUNCH_START command to psp(4), set the guest policy flag GPOL_ES
to enable SEV-ES.
diff --git a/usr.sbin/vmd/parse.y b/usr.sbin/vmd/parse.y
index 3f6866eb592..a98d85c0f95 100644
--- a/usr.sbin/vmd/parse.y
+++ b/usr.sbin/vmd/parse.y
@@ -123,7 +123,7 @@ typedef struct {
%token FORMAT GROUP
%token INET6 INSTANCE INTERFACE LLADDR LOCAL LOCKED MEMORY NET NIFS OWNER
%token PATH PREFIX RDOMAIN SIZE SOCKET SWITCH UP VM VMID STAGGERED START
-%token PARALLEL DELAY SEV
+%token PARALLEL DELAY SEV SEVES
%token <v.number> NUMBER
%token <v.string> STRING
%type <v.lladdr> lladdr
@@ -138,6 +138,7 @@ typedef struct {
%type <v.string> string
%type <v.string> vm_instance
%type <v.number> sev;
+%type <v.number> seves;
%%
@@ -415,6 +416,9 @@ vm_opts : disable {
| sev {
vcp->vcp_sev = 1;
}
+ | seves {
+ vcp->vcp_sev = vcp->vcp_seves = 1;
+ }
| DISK string image_format {
if (parse_disk($2, $3) != 0) {
yyerror("failed to parse disks: %s", $2);
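Review bot: The `seves` alternative turns on `vcp_sev` together with `vcp_seves`, so the "SEV-ES implies SEV" invariant is enforced only in the config parser; any other producer of a vm_create_params would have to repeat it, and a vcp with vcp_seves set but vcp_sev clear could otherwise reach psp_launch_start. It would be more robust to also check or normalise this where the policy is consumed (sev_init, or the vcp validation step), and a short comment on the assignment would make the intent explicit, e.g. `/* SEV-ES requires SEV; enable both. */`. No hunk in this diff adds the vcp_seves member itself, so this presumably relies on part 2/2 of the series or an existing field; stating that in the commit message would make the build order clear. The enclosing vm_opts rule continues outside the hunk.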
@@ -761,6 +765,9 @@ disable : ENABLE { $$ = 0; }
sev : SEV { $$ = 1; }
;
+seves : SEVES { $$ = 1; }
+ ;
+
bootdevice : CDROM { $$ = VMBOOTDEV_CDROM; }
| DISK { $$ = VMBOOTDEV_DISK; }
| NET { $$ = VMBOOTDEV_NET; }
@@ -846,6 +853,7 @@ lookup(char *s)
{ "prefix", PREFIX },
{ "rdomain", RDOMAIN },
{ "sev", SEV },
+ { "seves", SEVES },
{ "size", SIZE },
{ "socket", SOCKET },
{ "staggered", STAGGERED },
diff --git a/usr.sbin/vmd/psp.c b/usr.sbin/vmd/psp.c
index 320da37dc99..aa5a53bb4bd 100644
--- a/usr.sbin/vmd/psp.c
+++ b/usr.sbin/vmd/psp.c
@@ -118,7 +118,7 @@ psp_get_gstate(uint32_t handle, uint32_t *policy, uint32_t *asid,
* Start the launch sequence of a guest.
*/
int
-psp_launch_start(uint32_t *handle)
+psp_launch_start(uint32_t *handle, int seves)
{
struct psp_launch_start ls;
@@ -128,6 +128,9 @@ psp_launch_start(uint32_t *handle)
ls.policy = (GPOL_NODBG | GPOL_NOKS | GPOL_NOSEND | GPOL_DOMAIN |
GPOL_SEV);
+ if (seves) /* Add ES */
+ ls.policy |= GPOL_ES;
+
if (ioctl(env->vmd_psp_fd, PSP_IOC_LAUNCH_START, &ls) < 0) {
log_warn("%s: ioctl", __func__);
return (-1);
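Review bot: The header comment on psp_launch_start ("Start the launch sequence of a guest.") is not updated for the new `seves` parameter, while the inline `/* Add ES */` only restates the code; the contract belongs in the function header, e.g. `* If seves is non-zero, GPOL_ES is added to the guest policy so the PSP launches the guest with SEV-ES.`, and the inline comment can then be dropped. Related: if the PSP firmware rejects the ES policy bit, the failure surfaces only as the generic `log_warn("%s: ioctl", __func__)`, which does not tell the operator that the seves option was the cause; including the requested policy value in that warning would make it diagnosable. The body of psp_launch_start starts before this hunk.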
diff --git a/usr.sbin/vmd/sev.c b/usr.sbin/vmd/sev.c
index d5216461392..752bb37d163 100644
--- a/usr.sbin/vmd/sev.c
+++ b/usr.sbin/vmd/sev.c
@@ -58,7 +58,7 @@ sev_init(struct vmd_vm *vm)
return (-1);
}
- if (psp_launch_start(&handle) < 0) {
+ if (psp_launch_start(&handle, vcp->vcp_seves) < 0) {
log_warnx("%s: launch failed", __func__);
return (-1);
}
diff --git a/usr.sbin/vmd/vm.conf.5 b/usr.sbin/vmd/vm.conf.5
index 9b455254eb0..29c722aa8ce 100644
--- a/usr.sbin/vmd/vm.conf.5
+++ b/usr.sbin/vmd/vm.conf.5
@@ -324,11 +324,14 @@ If only
is given,
only the group is set.
.It Ic sev
-Enables AMD Secure Encrypted Virtualization for guest.
+Enables AMD Secure Encrypted Virtualization for the guest.
.Xr vmd 8
uses
.Xr psp 4
to configure the guest for SEV.
+.It Ic seves
+Enables AMD Encrypted State (SEV-ES) for the the guest.
+This implicitly enables SEV, too.
.El
.Sh VM INSTANCES
It is possible to use configured or running VMs as a template for
diff --git a/usr.sbin/vmd/vmd.h b/usr.sbin/vmd/vmd.h
index ea2cb675783..e0b7c27eb46 100644
--- a/usr.sbin/vmd/vmd.h
+++ b/usr.sbin/vmd/vmd.h
@@ -586,7 +586,7 @@ __dead void vioblk_main(int, int);
int psp_get_pstate(uint16_t *, uint8_t *, uint8_t *, uint8_t *, uint8_t *);
int psp_df_flush(void);
int psp_get_gstate(uint32_t, uint32_t *, uint32_t *, uint8_t *);
-int psp_launch_start(uint32_t *);
+int psp_launch_start(uint32_t *, int);
int psp_launch_update(uint32_t, vaddr_t, size_t);
int psp_launch_measure(uint32_t);
int psp_launch_finish(uint32_t);