From: Hans-Jörg Höxer
Subject: SEV-ES: vmd(8): configure SEV-ES 1/2
To:
Date: Wed, 21 May 2025 16:07:19 +0200
Hi, this diff adds the "seves" keyword to vm.conf(5). I will definitely have to spent some more time on makeing configuration more sound. Take care, HJ.
----------------------------------------------------------------------------
commit b51e4f6be025a97af5d6673d81292dba2b9dcc01
Author: Hans-Joerg Hoexer
Date: Mon Jul 29 14:13:25 2024 +0200
vmd(8): configure SEV-ES
Introduce keyword "seves" for vm.conf to enable SEV-ES. When sending the LAUNCH sTART command do psp(4), set the guest policy flag GPOL_ES to enable SEV-ES.
diff --git a/usr.sbin/vmd/parse.y b/usr.sbin/vmd/parse.y
index 3f6866eb592..a98d85c0f95 100644
--- a/usr.sbin/vmd/parse.y
+++ b/usr.sbin/vmd/parse.y
@@ -123,7 +123,7 @@ typedef struct {
 %token FORMAT GROUP
 %token INET6 INSTANCE INTERFACE LLADDR LOCAL LOCKED MEMORY NET NIFS OWNER
 %token PATH PREFIX RDOMAIN SIZE SOCKET SWITCH UP VM VMID STAGGERED START
-%token PARALLEL DELAY SEV
+%token PARALLEL DELAY SEV SEVES
 %token NUMBER
 %token STRING
 %type lladdr
@@ -138,6 +138,7 @@ typedef struct {
 %type string
 %type vm_instance
 %type sev;
+%type seves;
 %%
@@ -415,6 +416,9 @@ vm_opts : disable {
 | sev {
 vcp->vcp_sev = 1;
 }
+ | seves {
+ vcp->vcp_sev = vcp->vcp_seves = 1;
+ }
 | DISK string image_format {
 if (parse_disk($2, $3) != 0) {
 yyerror("failed to parse disks: %s", $2);
@@ -761,6 +765,9 @@ disable : ENABLE { $$ = 0; }
 sev : SEV { $$ = 1; }
 ;
+seves : SEVES { $$ = 1; }
+ ;
+
 bootdevice : CDROM { $$ = VMBOOTDEV_CDROM; }
 | DISK { $$ = VMBOOTDEV_DISK; }
 | NET { $$ = VMBOOTDEV_NET; }
@@ -846,6 +853,7 @@ lookup(char *s)
 { "prefix", PREFIX },
 { "rdomain", RDOMAIN },
 { "sev", SEV },
+ { "seves", SEVES },
 { "size", SIZE },
 { "socket", SOCKET },
 { "staggered", STAGGERED },
diff --git a/usr.sbin/vmd/psp.c b/usr.sbin/vmd/psp.c
index 320da37dc99..aa5a53bb4bd 100644
--- a/usr.sbin/vmd/psp.c
+++ b/usr.sbin/vmd/psp.c
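Review bot: The `seves` action in vm_opts writes `vcp->vcp_seves`, and the sev.c hunk reads it, yet no hunk in this diff declares that field — the vmd.h hunk only changes the psp_launch_start prototype — so parse.y presumably builds only against a header from the companion diff ("1/2" in the subject), and the commit message should name that dependency. A smaller point of style: `vcp->vcp_sev = vcp->vcp_seves = 1;` encodes the "seves implies sev" rule that the vm.conf.5 hunk states in prose, and a one-line comment there, `/* SEV-ES requires SEV, so enabling it enables plain SEV too. */`, would save the next reader a trip to the manual page. The vm_opts rule starts and ends outside the hunk.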
@@ -118,7 +118,7 @@ psp_get_gstate(uint32_t handle, uint32_t *policy, uint32_t *asid,
 * Start the launch sequence of a guest.
 */
 int
-psp_launch_start(uint32_t *handle)
+psp_launch_start(uint32_t *handle, int seves)
 {
 struct psp_launch_start ls;
@@ -128,6 +128,9 @@ psp_launch_start(uint32_t *handle)
 ls.policy = (GPOL_NODBG | GPOL_NOKS | GPOL_NOSEND | GPOL_DOMAIN | GPOL_SEV);
+ if (seves) /* Add ES */
+ ls.policy |= GPOL_ES;
+
 if (ioctl(env->vmd_psp_fd, PSP_IOC_LAUNCH_START, &ls) < 0) {
 log_warn("%s: ioctl", __func__);
 return (-1);
diff --git a/usr.sbin/vmd/sev.c b/usr.sbin/vmd/sev.c
index d5216461392..752bb37d163 100644
--- a/usr.sbin/vmd/sev.c
+++ b/usr.sbin/vmd/sev.c
@@ -58,7 +58,7 @@ sev_init(struct vmd_vm *vm)
 return (-1);
 }
- if (psp_launch_start(&handle) < 0) {
+ if (psp_launch_start(&handle, vcp->vcp_seves) < 0) {
 log_warnx("%s: launch failed", __func__);
 return (-1);
 }
diff --git a/usr.sbin/vmd/vm.conf.5 b/usr.sbin/vmd/vm.conf.5
index 9b455254eb0..29c722aa8ce 100644
--- a/usr.sbin/vmd/vm.conf.5
+++ b/usr.sbin/vmd/vm.conf.5
@@ -324,11 +324,14 @@ If only is given, only the group is set.
 .It Ic sev
-Enables AMD Secure Encrypted Virtualization for guest.
+Enables AMD Secure Encrypted Virtualization for the guest.
 .Xr vmd 8
 uses
 .Xr psp 4
 to configure the guest for SEV.
+.It Ic seves
+Enables AMD Encrypted State (SEV-ES) for the the guest.
+This implicitly enables SEV, too.
 .El
 .Sh VM INSTANCES
 It is possible to use configured or running VMs as a template for
diff --git a/usr.sbin/vmd/vmd.h b/usr.sbin/vmd/vmd.h
index ea2cb675783..e0b7c27eb46 100644
--- a/usr.sbin/vmd/vmd.h
+++ b/usr.sbin/vmd/vmd.h
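Review bot: The comment on the new `if (seves)` line in the second psp.c hunk, `/* Add ES */`, restates the code; since `ls.policy` is the guest policy sent to the PSP with LAUNCH_START, say what the bit requests, e.g. `/* Guest is configured for SEV-ES: encrypt the vCPU register state as well. */`. Nothing in the hunk checks that the platform supports SEV-ES before setting GPOL_ES; presumably an unsupported policy makes the PSP_IOC_LAUNCH_START ioctl fail and the existing log_warn / return (-1) path below reports it, but that is worth confirming against psp(4) and, if so, stating in the same comment so the failure mode is documented where the flag is set. psp_launch_start's body continues outside the hunk.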
@@ -586,7 +586,7 @@ __dead void vioblk_main(int, int);
 int psp_get_pstate(uint16_t *, uint8_t *, uint8_t *, uint8_t *, uint8_t *);
 int psp_df_flush(void);
 int psp_get_gstate(uint32_t, uint32_t *, uint32_t *, uint8_t *);
-int psp_launch_start(uint32_t *);
+int psp_launch_start(uint32_t *, int);
 int psp_launch_update(uint32_t, vaddr_t, size_t);
 int psp_launch_measure(uint32_t);
 int psp_launch_finish(uint32_t);