Download raw body.
Hi,
this is an updated diff that works well on vmd/vmm and linux/kvm hosts
with SEV-ES enabled guests.
The previous discussion raised some questions, thanks for your input!
All in all we came to the conclusion to proceed with this approach.
ok?
Take care,
HJ.
-------------------------------------------------------------------------
commit 576036aa72fef155f1584690fab5bdfe018672b8
Author: Hans-Joerg Hoexer <hshoexer@genua.de>
Date: Sat Aug 2 12:58:50 2025 +0200
Whitelist devices in cfdrive for use when SEV is enabled
Skip devices, that are not flagged for use with SEV. Hook into
config_search() and isascan().
diff --git a/sys/arch/amd64/amd64/bios.c b/sys/arch/amd64/amd64/bios.c
index 3a264d09d5b..15dec870ba6 100644
--- a/sys/arch/amd64/amd64/bios.c
+++ b/sys/arch/amd64/amd64/bios.c
@@ -50,7 +50,7 @@ const struct cfattach bios_ca = {
};
struct cfdriver bios_cd = {
- NULL, "bios", DV_DULL
+ NULL, "bios", DV_DULL, CD_COCOVM
};
struct smbios_entry smbios_entry;
diff --git a/sys/arch/amd64/amd64/cpu.c b/sys/arch/amd64/amd64/cpu.c
index 1287c610344..b8ad479cefa 100644
--- a/sys/arch/amd64/amd64/cpu.c
+++ b/sys/arch/amd64/amd64/cpu.c
@@ -445,7 +445,7 @@ const struct cfattach cpu_ca = {
};
struct cfdriver cpu_cd = {
- NULL, "cpu", DV_DULL
+ NULL, "cpu", DV_DULL, CD_COCOVM
};
/*
diff --git a/sys/arch/amd64/amd64/ioapic.c b/sys/arch/amd64/amd64/ioapic.c
index 9989fdfeb29..40af6c4154d 100644
--- a/sys/arch/amd64/amd64/ioapic.c
+++ b/sys/arch/amd64/amd64/ioapic.c
@@ -231,7 +231,7 @@ const struct cfattach ioapic_ca = {
};
struct cfdriver ioapic_cd = {
- NULL, "ioapic", DV_DULL
+ NULL, "ioapic", DV_DULL, CD_COCOVM
};
int
diff --git a/sys/arch/amd64/amd64/machdep.c b/sys/arch/amd64/amd64/machdep.c
index 3462ac54559..7c540328d98 100644
--- a/sys/arch/amd64/amd64/machdep.c
+++ b/sys/arch/amd64/amd64/machdep.c
@@ -1474,6 +1474,8 @@ init_x86_64(paddr_t first_avail)
cpu_init_early_vctrap(first_avail);
first_avail += 2 * NBPG;
}
+ if (ISSET(cpu_sev_guestmode, SEV_STAT_ENABLED))
+ boothowto |= RB_COCOVM;
/*
* locore0 mapped 3 pages for use before the pmap is initialized
diff --git a/sys/arch/amd64/amd64/mainbus.c b/sys/arch/amd64/amd64/mainbus.c
index 030f0b1212f..f77a67f5517 100644
--- a/sys/arch/amd64/amd64/mainbus.c
+++ b/sys/arch/amd64/amd64/mainbus.c
@@ -83,7 +83,7 @@ const struct cfattach mainbus_ca = {
};
struct cfdriver mainbus_cd = {
- NULL, "mainbus", DV_DULL
+ NULL, "mainbus", DV_DULL, CD_COCOVM
};
int mainbus_print(void *, const char *);
diff --git a/sys/arch/amd64/pci/acpipci.c b/sys/arch/amd64/pci/acpipci.c
index 5b07e2d3aba..81d8ad3ced0 100644
--- a/sys/arch/amd64/pci/acpipci.c
+++ b/sys/arch/amd64/pci/acpipci.c
@@ -76,7 +76,7 @@ const struct cfattach acpipci_ca = {
};
struct cfdriver acpipci_cd = {
- NULL, "acpipci", DV_DULL
+ NULL, "acpipci", DV_DULL, CD_COCOVM
};
const char *acpipci_hids[] = {
diff --git a/sys/arch/amd64/pci/pchb.c b/sys/arch/amd64/pci/pchb.c
index 9b10011e2db..eb06df06b19 100644
--- a/sys/arch/amd64/pci/pchb.c
+++ b/sys/arch/amd64/pci/pchb.c
@@ -122,7 +122,7 @@ const struct cfattach pchb_ca = {
};
struct cfdriver pchb_cd = {
- NULL, "pchb", DV_DULL
+ NULL, "pchb", DV_DULL, CD_COCOVM
};
int pchb_print(void *, const char *);
diff --git a/sys/dev/acpi/acpi.c b/sys/dev/acpi/acpi.c
index 7bcf56cab49..bb3645528c9 100644
--- a/sys/dev/acpi/acpi.c
+++ b/sys/dev/acpi/acpi.c
@@ -184,7 +184,7 @@ struct acpi_softc *acpi_softc;
extern struct aml_node aml_root;
struct cfdriver acpi_cd = {
- NULL, "acpi", DV_DULL
+ NULL, "acpi", DV_DULL, CD_COCOVM
};
uint8_t
diff --git a/sys/dev/acpi/acpicmos.c b/sys/dev/acpi/acpicmos.c
index 6e424e26530..068787c1922 100644
--- a/sys/dev/acpi/acpicmos.c
+++ b/sys/dev/acpi/acpicmos.c
@@ -37,7 +37,7 @@ const struct cfattach acpicmos_ca = {
};
struct cfdriver acpicmos_cd = {
- NULL, "acpicmos", DV_DULL
+ NULL, "acpicmos", DV_DULL, CD_COCOVM
};
const char *acpicmos_hids[] = {
diff --git a/sys/dev/acpi/acpicpu_x86.c b/sys/dev/acpi/acpicpu_x86.c
index 15f0ceeaeae..a5ddc55b1b3 100644
--- a/sys/dev/acpi/acpicpu_x86.c
+++ b/sys/dev/acpi/acpicpu_x86.c
@@ -183,7 +183,7 @@ const struct cfattach acpicpu_ca = {
};
struct cfdriver acpicpu_cd = {
- NULL, "acpicpu", DV_DULL
+ NULL, "acpicpu", DV_DULL, CD_COCOVM
};
const char *acpicpu_hids[] = {
diff --git a/sys/dev/acpi/acpihpet.c b/sys/dev/acpi/acpihpet.c
index dd992132678..dd25309c1c5 100644
--- a/sys/dev/acpi/acpihpet.c
+++ b/sys/dev/acpi/acpihpet.c
@@ -79,7 +79,7 @@ const struct cfattach acpihpet_ca = {
};
struct cfdriver acpihpet_cd = {
- NULL, "acpihpet", DV_DULL
+ NULL, "acpihpet", DV_DULL, CD_COCOVM
};
uint64_t
diff --git a/sys/dev/acpi/acpimadt.c b/sys/dev/acpi/acpimadt.c
index 3faed32b355..6359ffd925b 100644
--- a/sys/dev/acpi/acpimadt.c
+++ b/sys/dev/acpi/acpimadt.c
@@ -48,7 +48,7 @@ const struct cfattach acpimadt_ca = {
};
struct cfdriver acpimadt_cd = {
- NULL, "acpimadt", DV_DULL
+ NULL, "acpimadt", DV_DULL, CD_COCOVM
};
int acpimadt_validate(struct acpi_madt *);
diff --git a/sys/dev/acpi/acpimcfg.c b/sys/dev/acpi/acpimcfg.c
index f3e520882aa..b7df8a297a0 100644
--- a/sys/dev/acpi/acpimcfg.c
+++ b/sys/dev/acpi/acpimcfg.c
@@ -31,7 +31,7 @@ const struct cfattach acpimcfg_ca = {
};
struct cfdriver acpimcfg_cd = {
- NULL, "acpimcfg", DV_DULL
+ NULL, "acpimcfg", DV_DULL, CD_COCOVM
};
int
diff --git a/sys/dev/acpi/acpiprt.c b/sys/dev/acpi/acpiprt.c
index 39de79dcfca..1011ec68600 100644
--- a/sys/dev/acpi/acpiprt.c
+++ b/sys/dev/acpi/acpiprt.c
@@ -77,7 +77,7 @@ const struct cfattach acpiprt_ca = {
};
struct cfdriver acpiprt_cd = {
- NULL, "acpiprt", DV_DULL
+ NULL, "acpiprt", DV_DULL, CD_COCOVM
};
void acpiprt_prt_add(struct acpiprt_softc *, struct aml_value *);
diff --git a/sys/dev/acpi/acpitimer.c b/sys/dev/acpi/acpitimer.c
index 11a8b9eccf3..498146a592e 100644
--- a/sys/dev/acpi/acpitimer.c
+++ b/sys/dev/acpi/acpitimer.c
@@ -55,7 +55,7 @@ const struct cfattach acpitimer_ca = {
};
struct cfdriver acpitimer_cd = {
- NULL, "acpitimer", DV_DULL
+ NULL, "acpitimer", DV_DULL, CD_COCOVM
};
int
diff --git a/sys/dev/efi/efi.c b/sys/dev/efi/efi.c
index 43a774253fa..e600a3b1e47 100644
--- a/sys/dev/efi/efi.c
+++ b/sys/dev/efi/efi.c
@@ -24,7 +24,7 @@
#include <machine/efivar.h>
struct cfdriver efi_cd = {
- NULL, "efi", DV_DULL
+ NULL, "efi", DV_DULL, CD_COCOVM
};
int efiioc_get_table(struct efi_softc *sc, void *);
diff --git a/sys/dev/ic/com.c b/sys/dev/ic/com.c
index dd45e3c901c..da29f82243b 100644
--- a/sys/dev/ic/com.c
+++ b/sys/dev/ic/com.c
@@ -96,7 +96,7 @@ void compwroff(struct com_softc *);
void cominit(bus_space_tag_t, bus_space_handle_t, int, int);
struct cfdriver com_cd = {
- NULL, "com", DV_TTY
+ NULL, "com", DV_TTY, CD_COCOVM
};
int comdefaultrate = TTYDEF_SPEED;
diff --git a/sys/dev/isa/isa.c b/sys/dev/isa/isa.c
index 2d11dc33a84..2a799f8a82a 100644
--- a/sys/dev/isa/isa.c
+++ b/sys/dev/isa/isa.c
@@ -62,6 +62,7 @@
#include <sys/malloc.h>
#include <sys/device.h>
#include <sys/extent.h>
+#include <sys/reboot.h>
#include <dev/isa/isareg.h>
#include <dev/isa/isavar.h>
@@ -84,7 +85,7 @@ const struct cfattach isa_ca = {
};
struct cfdriver isa_cd = {
- NULL, "isa", DV_DULL, CD_INDIRECT
+ NULL, "isa", DV_DULL, CD_INDIRECT | CD_COCOVM
};
int
@@ -218,6 +219,10 @@ isascan(struct device *parent, void *match)
ia.ipa_ndrq = 2;
ia.ia_delaybah = sc->sc_delaybah;
+ if (ISSET(boothowto, RB_COCOVM) &&
+ !ISSET(cf->cf_driver->cd_mode, CD_COCOVM))
+ return;
+
if (cf->cf_fstate == FSTATE_STAR) {
struct isa_attach_args ia2 = ia;
diff --git a/sys/dev/pci/pci.c b/sys/dev/pci/pci.c
index c0376842914..d7601dd976e 100644
--- a/sys/dev/pci/pci.c
+++ b/sys/dev/pci/pci.c
@@ -90,7 +90,7 @@ const struct cfattach pci_ca = {
};
struct cfdriver pci_cd = {
- NULL, "pci", DV_DULL
+ NULL, "pci", DV_DULL, CD_COCOVM
};
int pci_ndomains;
diff --git a/sys/dev/pci/ppb.c b/sys/dev/pci/ppb.c
index cf7cb120cc1..f6ab05f9168 100644
--- a/sys/dev/pci/ppb.c
+++ b/sys/dev/pci/ppb.c
@@ -113,7 +113,7 @@ const struct cfattach ppb_ca = {
};
struct cfdriver ppb_cd = {
- NULL, "ppb", DV_DULL
+ NULL, "ppb", DV_DULL, CD_COCOVM
};
void ppb_alloc_busrange(struct ppb_softc *, struct pci_attach_args *,
diff --git a/sys/dev/pv/if_vio.c b/sys/dev/pv/if_vio.c
index a94945a8ea0..458f98c6a7a 100644
--- a/sys/dev/pv/if_vio.c
+++ b/sys/dev/pv/if_vio.c
@@ -382,7 +382,7 @@ const struct cfattach vio_ca = {
};
struct cfdriver vio_cd = {
- NULL, "vio", DV_IFNET
+ NULL, "vio", DV_IFNET, CD_COCOVM
};
int
diff --git a/sys/dev/pv/pvbus.c b/sys/dev/pv/pvbus.c
index 165fcc9fbff..a482072de4b 100644
--- a/sys/dev/pv/pvbus.c
+++ b/sys/dev/pv/pvbus.c
@@ -68,7 +68,8 @@ const struct cfattach pvbus_ca = {
struct cfdriver pvbus_cd = {
NULL,
"pvbus",
- DV_DULL
+ DV_DULL,
+ CD_COCOVM
};
struct pvbus_type {
diff --git a/sys/dev/pv/pvclock.c b/sys/dev/pv/pvclock.c
index 89eff0ce248..fd69960ddda 100644
--- a/sys/dev/pv/pvclock.c
+++ b/sys/dev/pv/pvclock.c
@@ -125,7 +125,8 @@ const struct cfattach pvclock_ca = {
struct cfdriver pvclock_cd = {
NULL,
"pvclock",
- DV_DULL
+ DV_DULL,
+ CD_COCOVM
};
struct timecounter pvclock_timecounter = {
diff --git a/sys/dev/pv/vioblk.c b/sys/dev/pv/vioblk.c
index 7f7a518332f..761ce73a847 100644
--- a/sys/dev/pv/vioblk.c
+++ b/sys/dev/pv/vioblk.c
@@ -146,7 +146,7 @@ const struct cfattach vioblk_ca = {
};
struct cfdriver vioblk_cd = {
- NULL, "vioblk", DV_DULL
+ NULL, "vioblk", DV_DULL, CD_COCOVM
};
const struct scsi_adapter vioblk_switch = {
diff --git a/sys/dev/pv/viocon.c b/sys/dev/pv/viocon.c
index 95a1e875579..1d24074c54d 100644
--- a/sys/dev/pv/viocon.c
+++ b/sys/dev/pv/viocon.c
@@ -144,7 +144,7 @@ const struct cfattach viocon_ca = {
};
struct cfdriver viocon_cd = {
- NULL, "viocon", DV_TTY
+ NULL, "viocon", DV_TTY, CD_COCOVM
};
static inline struct viocon_softc *
diff --git a/sys/dev/pv/viornd.c b/sys/dev/pv/viornd.c
index 484f7ce1be0..9eeb6115f3e 100644
--- a/sys/dev/pv/viornd.c
+++ b/sys/dev/pv/viornd.c
@@ -66,7 +66,7 @@ const struct cfattach viornd_ca = {
};
struct cfdriver viornd_cd = {
- NULL, "viornd", DV_DULL
+ NULL, "viornd", DV_DULL, CD_COCOVM
};
int
diff --git a/sys/dev/pv/virtio.c b/sys/dev/pv/virtio.c
index ac0432dc9f9..4a8d140f797 100644
--- a/sys/dev/pv/virtio.c
+++ b/sys/dev/pv/virtio.c
@@ -48,7 +48,7 @@ void vq_free_entry(struct virtqueue *, struct vq_entry *);
struct vq_entry *vq_alloc_entry(struct virtqueue *);
struct cfdriver virtio_cd = {
- NULL, "virtio", DV_DULL
+ NULL, "virtio", DV_DULL, CD_COCOVM
};
static const char * const virtio_device_name[] = {
diff --git a/sys/dev/pv/vmmci.c b/sys/dev/pv/vmmci.c
index 984626393cd..18930c62766 100644
--- a/sys/dev/pv/vmmci.c
+++ b/sys/dev/pv/vmmci.c
@@ -72,7 +72,7 @@ const struct cfattach vmmci_ca = {
#define VMMCI_F_SYNCRTC (1ULL<<2)
struct cfdriver vmmci_cd = {
- NULL, "vmmci", DV_DULL
+ NULL, "vmmci", DV_DULL, CD_COCOVM
};
int
diff --git a/sys/dev/softraid.c b/sys/dev/softraid.c
index c10ebeaaa93..41929692397 100644
--- a/sys/dev/softraid.c
+++ b/sys/dev/softraid.c
@@ -88,7 +88,7 @@ const struct cfattach softraid_ca = {
};
struct cfdriver softraid_cd = {
- NULL, "softraid", DV_DULL
+ NULL, "softraid", DV_DULL, CD_COCOVM
};
/* scsi & discipline */
diff --git a/sys/dev/vscsi.c b/sys/dev/vscsi.c
index 31885a6b9c9..2e2deb25b1f 100644
--- a/sys/dev/vscsi.c
+++ b/sys/dev/vscsi.c
@@ -89,7 +89,8 @@ const struct cfattach vscsi_ca = {
struct cfdriver vscsi_cd = {
NULL,
"vscsi",
- DV_DULL
+ DV_DULL,
+ CD_COCOVM
};
void vscsi_cmd(struct scsi_xfer *);
diff --git a/sys/kern/subr_autoconf.c b/sys/kern/subr_autoconf.c
index 41633140dc6..eec9eef15ce 100644
--- a/sys/kern/subr_autoconf.c
+++ b/sys/kern/subr_autoconf.c
@@ -216,6 +216,9 @@ config_search(cfmatch_t fn, struct device *parent, void *aux)
if (cf->cf_driver->cd_class == DV_TAPE)
continue;
}
+ if (ISSET(boothowto, RB_COCOVM) &&
+ !ISSET(cf->cf_driver->cd_mode, CD_COCOVM))
+ continue;
for (p = cf->cf_parents; *p >= 0; p++)
if (parent->dv_cfdata == &cfdata[*p])
mapply(&m, cf);
diff --git a/sys/scsi/mpath.c b/sys/scsi/mpath.c
index c94a4ff5cf7..090c78c35f1 100644
--- a/sys/scsi/mpath.c
+++ b/sys/scsi/mpath.c
@@ -79,7 +79,8 @@ const struct cfattach mpath_ca = {
struct cfdriver mpath_cd = {
NULL,
"mpath",
- DV_DULL
+ DV_DULL,
+ CD_COCOVM
};
void mpath_cmd(struct scsi_xfer *);
diff --git a/sys/scsi/scsiconf.c b/sys/scsi/scsiconf.c
index 495020a23a3..2f9ab1b15d0 100644
--- a/sys/scsi/scsiconf.c
+++ b/sys/scsi/scsiconf.c
@@ -102,7 +102,7 @@ const struct cfattach scsibus_ca = {
};
struct cfdriver scsibus_cd = {
- NULL, "scsibus", DV_DULL
+ NULL, "scsibus", DV_DULL, CD_COCOVM
};
struct scsi_quirk_inquiry_pattern {
diff --git a/sys/scsi/sd.c b/sys/scsi/sd.c
index 9b02314c679..085ad01cd78 100644
--- a/sys/scsi/sd.c
+++ b/sys/scsi/sd.c
@@ -116,7 +116,7 @@ const struct cfattach sd_ca = {
};
struct cfdriver sd_cd = {
- NULL, "sd", DV_DISK
+ NULL, "sd", DV_DISK, CD_COCOVM
};
const struct scsi_inquiry_pattern sd_patterns[] = {
diff --git a/sys/sys/device.h b/sys/sys/device.h
index 5dccec16cf8..2c4171017ec 100644
--- a/sys/sys/device.h
+++ b/sys/sys/device.h
@@ -139,6 +139,7 @@ struct cfattach {
/* For cd_mode, below */
#define CD_INDIRECT 1
#define CD_SKIPHIBERNATE 2
+#define CD_COCOVM 4
struct cfdriver {
void **cd_devs; /* devices found */
diff --git a/sys/sys/reboot.h b/sys/sys/reboot.h
index bf3e7f82680..1998f21691b 100644
--- a/sys/sys/reboot.h
+++ b/sys/sys/reboot.h
@@ -59,6 +59,7 @@
#define RB_RESET 0x08000 /* just reset, no cleanup */
#define RB_GOODRANDOM 0x10000 /* excellent random seed loaded */
#define RB_UNHIBERNATE 0x20000 /* unhibernate */
+#define RB_COCOVM 0x40000 /* VM booting with SEV enabled */
/*
* Constants for converting boot-style device number to type,