Mailing List Archive

> Date: Sat, 2 Aug 2025 22:41:33 +0200 > From: Hans-Jörg Höxer <hshoexer@genua.de> > > Hi, > > based on some hackroom discussion with mlarkin this diff takes a > different approach: Add a cfdrivers flag to white list devices when > running virtualized with SEV enabled. > > The filtering is now happening in config_search() isascan(). > > Any thoughts on that? If we do something like this I have a request: Since this is MI code, can we rename the flag into something technology agnostic that describes the purpose better. Something like CD_CONFIDENTIAL or CD_TRUSTED? > ----------------------------------------------------------------------- > commit f66e1eb92c59aec93ec5c44c0d3cfe8a1f4049c8 > Author: Hans-Joerg Hoexer <hshoexer@genua.de> > Date: Sat Aug 2 12:58:50 2025 +0200 > > SEV: Whitelist devices in cfdrive for use when SEV is enabled > > Skip devices, that are not flagged for use with SEV. Hook into > config_search() and isascan(). > > diff --git a/sys/arch/amd64/amd64/bios.c b/sys/arch/amd64/amd64/bios.c > index 3a264d09d5b..73653f13703 100644 > --- a/sys/arch/amd64/amd64/bios.c > +++ b/sys/arch/amd64/amd64/bios.c > @@ -50,7 +50,7 @@ const struct cfattach bios_ca = { > }; > > struct cfdriver bios_cd = { > - NULL, "bios", DV_DULL > + NULL, "bios", DV_DULL, CD_SEVVM > }; > > struct smbios_entry smbios_entry; > diff --git a/sys/arch/amd64/amd64/cpu.c b/sys/arch/amd64/amd64/cpu.c > index 1287c610344..c7d7fb9101f 100644 > --- a/sys/arch/amd64/amd64/cpu.c > +++ b/sys/arch/amd64/amd64/cpu.c > @@ -445,7 +445,7 @@ const struct cfattach cpu_ca = { > }; > > struct cfdriver cpu_cd = { > - NULL, "cpu", DV_DULL > + NULL, "cpu", DV_DULL, CD_SEVVM > }; > > /* > diff --git a/sys/arch/amd64/amd64/ioapic.c b/sys/arch/amd64/amd64/ioapic.c > index 9989fdfeb29..6286ab708c3 100644 > --- a/sys/arch/amd64/amd64/ioapic.c > +++ b/sys/arch/amd64/amd64/ioapic.c > @@ -231,7 +231,7 @@ const struct cfattach ioapic_ca = { > }; > > struct cfdriver ioapic_cd = { > - NULL, "ioapic", DV_DULL > + NULL, "ioapic", DV_DULL, CD_SEVVM > }; > > int > diff --git a/sys/arch/amd64/amd64/machdep.c b/sys/arch/amd64/amd64/machdep.c > index 991dd2cbeb6..e9f42af31df 100644 > --- a/sys/arch/amd64/amd64/machdep.c > +++ b/sys/arch/amd64/amd64/machdep.c > @@ -1474,6 +1474,8 @@ init_x86_64(paddr_t first_avail) > cpu_init_early_vctrap(first_avail); > first_avail += 2 * NBPG; > } > + if (ISSET(cpu_sev_guestmode, SEV_STAT_ENABLED)) > + boothowto |= RB_SEVVM; > > /* > * locore0 mapped 3 pages for use before the pmap is initialized > diff --git a/sys/arch/amd64/amd64/mainbus.c b/sys/arch/amd64/amd64/mainbus.c > index ebc86e3767b..28a5c018c3d 100644 > --- a/sys/arch/amd64/amd64/mainbus.c > +++ b/sys/arch/amd64/amd64/mainbus.c > @@ -83,7 +83,7 @@ const struct cfattach mainbus_ca = { > }; > > struct cfdriver mainbus_cd = { > - NULL, "mainbus", DV_DULL > + NULL, "mainbus", DV_DULL, CD_SEVVM > }; > > int mainbus_print(void *, const char *); > diff --git a/sys/dev/acpi/acpi.c b/sys/dev/acpi/acpi.c > index 7bcf56cab49..2a33b7b0029 100644 > --- a/sys/dev/acpi/acpi.c > +++ b/sys/dev/acpi/acpi.c > @@ -184,7 +184,7 @@ struct acpi_softc *acpi_softc; > extern struct aml_node aml_root; > > struct cfdriver acpi_cd = { > - NULL, "acpi", DV_DULL > + NULL, "acpi", DV_DULL, CD_SEVVM > }; > > uint8_t > diff --git a/sys/dev/acpi/acpimadt.c b/sys/dev/acpi/acpimadt.c > index 3faed32b355..2539ec68139 100644 > --- a/sys/dev/acpi/acpimadt.c > +++ b/sys/dev/acpi/acpimadt.c > @@ -48,7 +48,7 @@ const struct cfattach acpimadt_ca = { > }; > > struct cfdriver acpimadt_cd = { > - NULL, "acpimadt", DV_DULL > + NULL, "acpimadt", DV_DULL, CD_SEVVM > }; > > int acpimadt_validate(struct acpi_madt *); > diff --git a/sys/dev/ic/com.c b/sys/dev/ic/com.c > index dd45e3c901c..7eace6f06f0 100644 > --- a/sys/dev/ic/com.c > +++ b/sys/dev/ic/com.c > @@ -96,7 +96,7 @@ void compwroff(struct com_softc *); > void cominit(bus_space_tag_t, bus_space_handle_t, int, int); > > struct cfdriver com_cd = { > - NULL, "com", DV_TTY > + NULL, "com", DV_TTY, CD_SEVVM > }; > > int comdefaultrate = TTYDEF_SPEED; > diff --git a/sys/dev/isa/isa.c b/sys/dev/isa/isa.c > index 2d11dc33a84..9837c3a11b0 100644 > --- a/sys/dev/isa/isa.c > +++ b/sys/dev/isa/isa.c > @@ -62,6 +62,7 @@ > #include <sys/malloc.h> > #include <sys/device.h> > #include <sys/extent.h> > +#include <sys/reboot.h> > > #include <dev/isa/isareg.h> > #include <dev/isa/isavar.h> > @@ -84,7 +85,7 @@ const struct cfattach isa_ca = { > }; > > struct cfdriver isa_cd = { > - NULL, "isa", DV_DULL, CD_INDIRECT > + NULL, "isa", DV_DULL, CD_INDIRECT | CD_SEVVM > }; > > int > @@ -218,6 +219,10 @@ isascan(struct device *parent, void *match) > ia.ipa_ndrq = 2; > ia.ia_delaybah = sc->sc_delaybah; > > + if (ISSET(boothowto, RB_SEVVM) && > + !ISSET(cf->cf_driver->cd_mode, CD_SEVVM)) > + return; > + > if (cf->cf_fstate == FSTATE_STAR) { > struct isa_attach_args ia2 = ia; > > diff --git a/sys/dev/pci/pci.c b/sys/dev/pci/pci.c > index c0376842914..c2b713a6728 100644 > --- a/sys/dev/pci/pci.c > +++ b/sys/dev/pci/pci.c > @@ -90,7 +90,7 @@ const struct cfattach pci_ca = { > }; > > struct cfdriver pci_cd = { > - NULL, "pci", DV_DULL > + NULL, "pci", DV_DULL, CD_SEVVM > }; > > int pci_ndomains; > diff --git a/sys/dev/pci/ppb.c b/sys/dev/pci/ppb.c > index cf7cb120cc1..9439ca07aee 100644 > --- a/sys/dev/pci/ppb.c > +++ b/sys/dev/pci/ppb.c > @@ -113,7 +113,7 @@ const struct cfattach ppb_ca = { > }; > > struct cfdriver ppb_cd = { > - NULL, "ppb", DV_DULL > + NULL, "ppb", DV_DULL, CD_SEVVM > }; > > void ppb_alloc_busrange(struct ppb_softc *, struct pci_attach_args *, > diff --git a/sys/dev/pv/if_vio.c b/sys/dev/pv/if_vio.c > index a94945a8ea0..7ea483c6e40 100644 > --- a/sys/dev/pv/if_vio.c > +++ b/sys/dev/pv/if_vio.c > @@ -382,7 +382,7 @@ const struct cfattach vio_ca = { > }; > > struct cfdriver vio_cd = { > - NULL, "vio", DV_IFNET > + NULL, "vio", DV_IFNET, CD_SEVVM > }; > > int > diff --git a/sys/dev/pv/pvbus.c b/sys/dev/pv/pvbus.c > index 165fcc9fbff..c4761a318e3 100644 > --- a/sys/dev/pv/pvbus.c > +++ b/sys/dev/pv/pvbus.c > @@ -68,7 +68,8 @@ const struct cfattach pvbus_ca = { > struct cfdriver pvbus_cd = { > NULL, > "pvbus", > - DV_DULL > + DV_DULL, > + CD_SEVVM > }; > > struct pvbus_type { > diff --git a/sys/dev/pv/pvclock.c b/sys/dev/pv/pvclock.c > index 89eff0ce248..0e82226583c 100644 > --- a/sys/dev/pv/pvclock.c > +++ b/sys/dev/pv/pvclock.c > @@ -125,7 +125,8 @@ const struct cfattach pvclock_ca = { > struct cfdriver pvclock_cd = { > NULL, > "pvclock", > - DV_DULL > + DV_DULL, > + CD_SEVVM > }; > > struct timecounter pvclock_timecounter = { > diff --git a/sys/dev/pv/vioblk.c b/sys/dev/pv/vioblk.c > index 7f7a518332f..a6c4462a37e 100644 > --- a/sys/dev/pv/vioblk.c > +++ b/sys/dev/pv/vioblk.c > @@ -146,7 +146,7 @@ const struct cfattach vioblk_ca = { > }; > > struct cfdriver vioblk_cd = { > - NULL, "vioblk", DV_DULL > + NULL, "vioblk", DV_DULL, CD_SEVVM > }; > > const struct scsi_adapter vioblk_switch = { > diff --git a/sys/dev/pv/viornd.c b/sys/dev/pv/viornd.c > index 484f7ce1be0..5e1fa06b8d5 100644 > --- a/sys/dev/pv/viornd.c > +++ b/sys/dev/pv/viornd.c > @@ -66,7 +66,7 @@ const struct cfattach viornd_ca = { > }; > > struct cfdriver viornd_cd = { > - NULL, "viornd", DV_DULL > + NULL, "viornd", DV_DULL, CD_SEVVM > }; > > int > diff --git a/sys/dev/pv/virtio.c b/sys/dev/pv/virtio.c > index ac0432dc9f9..4a32c960908 100644 > --- a/sys/dev/pv/virtio.c > +++ b/sys/dev/pv/virtio.c > @@ -48,7 +48,7 @@ void vq_free_entry(struct virtqueue *, struct vq_entry *); > struct vq_entry *vq_alloc_entry(struct virtqueue *); > > struct cfdriver virtio_cd = { > - NULL, "virtio", DV_DULL > + NULL, "virtio", DV_DULL, CD_SEVVM > }; > > static const char * const virtio_device_name[] = { > diff --git a/sys/dev/pv/vmmci.c b/sys/dev/pv/vmmci.c > index 984626393cd..14b66502675 100644 > --- a/sys/dev/pv/vmmci.c > +++ b/sys/dev/pv/vmmci.c > @@ -72,7 +72,7 @@ const struct cfattach vmmci_ca = { > #define VMMCI_F_SYNCRTC (1ULL<<2) > > struct cfdriver vmmci_cd = { > - NULL, "vmmci", DV_DULL > + NULL, "vmmci", DV_DULL, CD_SEVVM > }; > > int > diff --git a/sys/dev/softraid.c b/sys/dev/softraid.c > index c10ebeaaa93..0c1e184074c 100644 > --- a/sys/dev/softraid.c > +++ b/sys/dev/softraid.c > @@ -88,7 +88,7 @@ const struct cfattach softraid_ca = { > }; > > struct cfdriver softraid_cd = { > - NULL, "softraid", DV_DULL > + NULL, "softraid", DV_DULL, CD_SEVVM > }; > > /* scsi & discipline */ > diff --git a/sys/dev/vscsi.c b/sys/dev/vscsi.c > index 31885a6b9c9..b7687877e13 100644 > --- a/sys/dev/vscsi.c > +++ b/sys/dev/vscsi.c > @@ -89,7 +89,8 @@ const struct cfattach vscsi_ca = { > struct cfdriver vscsi_cd = { > NULL, > "vscsi", > - DV_DULL > + DV_DULL, > + CD_SEVVM > }; > > void vscsi_cmd(struct scsi_xfer *); > diff --git a/sys/kern/subr_autoconf.c b/sys/kern/subr_autoconf.c > index 41633140dc6..787ff869382 100644 > --- a/sys/kern/subr_autoconf.c > +++ b/sys/kern/subr_autoconf.c > @@ -216,6 +216,9 @@ config_search(cfmatch_t fn, struct device *parent, void *aux) > if (cf->cf_driver->cd_class == DV_TAPE) > continue; > } > + if (ISSET(boothowto, RB_SEVVM) && > + !ISSET(cf->cf_driver->cd_mode, CD_SEVVM)) > + continue; > for (p = cf->cf_parents; *p >= 0; p++) > if (parent->dv_cfdata == &cfdata[*p]) > mapply(&m, cf); > diff --git a/sys/scsi/mpath.c b/sys/scsi/mpath.c > index c94a4ff5cf7..cf41e8f6aa5 100644 > --- a/sys/scsi/mpath.c > +++ b/sys/scsi/mpath.c > @@ -79,7 +79,8 @@ const struct cfattach mpath_ca = { > struct cfdriver mpath_cd = { > NULL, > "mpath", > - DV_DULL > + DV_DULL, > + CD_SEVVM > }; > > void mpath_cmd(struct scsi_xfer *); > diff --git a/sys/scsi/scsiconf.c b/sys/scsi/scsiconf.c > index 495020a23a3..db154f0d634 100644 > --- a/sys/scsi/scsiconf.c > +++ b/sys/scsi/scsiconf.c > @@ -102,7 +102,7 @@ const struct cfattach scsibus_ca = { > }; > > struct cfdriver scsibus_cd = { > - NULL, "scsibus", DV_DULL > + NULL, "scsibus", DV_DULL, CD_SEVVM > }; > > struct scsi_quirk_inquiry_pattern { > diff --git a/sys/scsi/sd.c b/sys/scsi/sd.c > index 9b02314c679..e564d6c3f8b 100644 > --- a/sys/scsi/sd.c > +++ b/sys/scsi/sd.c > @@ -116,7 +116,7 @@ const struct cfattach sd_ca = { > }; > > struct cfdriver sd_cd = { > - NULL, "sd", DV_DISK > + NULL, "sd", DV_DISK, CD_SEVVM > }; > > const struct scsi_inquiry_pattern sd_patterns[] = { > diff --git a/sys/sys/device.h b/sys/sys/device.h > index 5dccec16cf8..ace259f085a 100644 > --- a/sys/sys/device.h > +++ b/sys/sys/device.h > @@ -139,6 +139,7 @@ struct cfattach { > /* For cd_mode, below */ > #define CD_INDIRECT 1 > #define CD_SKIPHIBERNATE 2 > +#define CD_SEVVM 4 > > struct cfdriver { > void **cd_devs; /* devices found */ > diff --git a/sys/sys/reboot.h b/sys/sys/reboot.h > index bf3e7f82680..70e987dc194 100644 > --- a/sys/sys/reboot.h > +++ b/sys/sys/reboot.h > @@ -59,6 +59,7 @@ > #define RB_RESET 0x08000 /* just reset, no cleanup */ > #define RB_GOODRANDOM 0x10000 /* excellent random seed loaded */ > #define RB_UNHIBERNATE 0x20000 /* unhibernate */ > +#define RB_SEVVM 0x40000 /* VM booting with SEV enabled */ > > /* > * Constants for converting boot-style device number to type, > > [2:application/pkcs7-signature Show Save:smime.p7s (5kB)] >

- 2025-08-03 07:49 Mike Larkin:
  [EXT] Re: AMD SEV: confidential autoconf whitelist
- 2025-08-03 08:39 Theo de Raadt:
  [EXT] Re: AMD SEV: confidential autoconf whitelist

2025-08-03 09:42 Mark Kettenis:

[EXT] Re: AMD SEV: confidential autoconf whitelist

2025-08-03 11:45 Theo de Raadt:
[EXT] Re: AMD SEV: confidential autoconf whitelist

2025-07-21 14:16 Theo de Raadt:

AMD SEV: confidential autoconf whitelist