qemu/kvm-Add-support-for-userspace-MSR-filtering-and-hand.patch

From 7aced2a5fff91e0fcff97bb5eafddafece0cb983 Mon Sep 17 00:00:00 2001
From: Ashish Kalra <ashish.kalra@amd.com>
Date: Tue, 27 Jul 2021 17:59:33 +0000
Subject: [PATCH] kvm: Add support for userspace MSR filtering and handling of
 MSR_KVM_MIGRATION_CONTROL.

cherry-picked from https://github.com/AMDESE/qemu/commit/67935c3fd5f.

Add support for userspace MSR filtering using KVM_X86_SET_MSR_FILTER
ioctl and handling of MSRs in userspace. Currently this is only used
for SEV guests which use MSR_KVM_MIGRATION_CONTROL to indicate if the
guest is enabled and ready for migration.

KVM arch code calls into SEV guest specific code to delete the
SEV migrate blocker which has been setup at SEV_LAUNCH_FINISH.

Signed-off-by: Ashish Kalra <ashish.kalra@amd.com>
[ Fix conflicts. ]
Signed-off-by: hanliyang <hanliyang@hygon.cn>
---
 target/i386/kvm/kvm.c      | 35 +++++++++++++++++++++++++++++++++++
 target/i386/kvm/sev-stub.c |  4 ++++
 target/i386/sev.c          |  6 ++++++
 target/i386/sev.h          |  1 +
 4 files changed, 46 insertions(+)

diff --git a/target/i386/kvm/kvm.c b/target/i386/kvm/kvm.c
index 82f6d3b048..a5a755db01 100644
--- a/target/i386/kvm/kvm.c
+++ b/target/i386/kvm/kvm.c
@@ -2488,6 +2488,32 @@ static bool kvm_rdmsr_core_thread_count(X86CPU *cpu, uint32_t msr,
     return true;
 }
 
+/*
+ * Currently this exit is only used by SEV guests for
+ * MSR_KVM_MIGRATION_CONTROL to indicate if the guest
+ * is ready for migration.
+ */
+static uint64_t msr_kvm_migration_control;
+
+static bool kvm_rdmsr_kvm_migration_control(X86CPU *cpu, uint32_t msr,
+                                            uint64_t *val)
+{
+    *val = msr_kvm_migration_control;
+
+    return true;
+}
+
+static bool kvm_wrmsr_kvm_migration_control(X86CPU *cpu, uint32_t msr,
+                                            uint64_t val)
+{
+    msr_kvm_migration_control = val;
+
+    if (val == KVM_MIGRATION_READY)
+        sev_del_migrate_blocker();
+
+    return true;
+}
+
 static Notifier smram_machine_done;
 static KVMMemoryListener smram_listener;
 static AddressSpace smram_address_space;
@@ -2735,6 +2761,15 @@ int kvm_arch_init(MachineState *ms, KVMState *s)
                          strerror(-ret));
             exit(1);
         }
+
+        r = kvm_filter_msr(s, MSR_KVM_MIGRATION_CONTROL,
+                           kvm_rdmsr_kvm_migration_control,
+                           kvm_wrmsr_kvm_migration_control);
+        if (!r) {
+            error_report("Could not install MSR_KVM_MIGRATION_CONTROL handler: %s",
+                         strerror(-ret));
+            exit(1);
+        }
     }
 
     return 0;
diff --git a/target/i386/kvm/sev-stub.c b/target/i386/kvm/sev-stub.c
index 1282d242a7..99899688e4 100644
--- a/target/i386/kvm/sev-stub.c
+++ b/target/i386/kvm/sev-stub.c
@@ -30,3 +30,7 @@ int sev_add_shared_regions_list(unsigned long gfn_start, unsigned long gfn_end)
 {
     return 0;
 }
+
+void sev_del_migrate_blocker(void)
+{
+}
diff --git a/target/i386/sev.c b/target/i386/sev.c
index 47f41aefe7..98b0d3937a 100644
--- a/target/i386/sev.c
+++ b/target/i386/sev.c
@@ -925,6 +925,12 @@ sev_launch_finish(SevGuestState *sev)
     migrate_add_blocker(&sev_mig_blocker, &error_fatal);
 }
 
+void
+sev_del_migrate_blocker(void)
+{
+    migrate_del_blocker(&sev_mig_blocker);
+}
+
 static int
 sev_receive_finish(SevGuestState *s)
 {
diff --git a/target/i386/sev.h b/target/i386/sev.h
index b9c2afb799..84e3bdf2df 100644
--- a/target/i386/sev.h
+++ b/target/i386/sev.h
@@ -70,6 +70,7 @@ int sev_add_shared_regions_list(unsigned long gfn_start, unsigned long gfn_end);
 int sev_save_outgoing_shared_regions_list(QEMUFile *f, uint64_t *bytes_sent);
 int sev_load_incoming_shared_regions_list(QEMUFile *f);
 bool sev_is_gfn_in_unshared_region(unsigned long gfn);
+void sev_del_migrate_blocker(void);
 
 int sev_kvm_init(ConfidentialGuestSupport *cgs, Error **errp);
 
-- 
2.41.0.windows.1
QEMU update to version 8.2.0-18: - hw/loongarch/virt: Fix FDT memory node address width - hw/loongarch: Fix fdt memory node wrong 'reg' - load_elf: fix iterator's type for elf file processing - migration/colo: Fix bdrv_graph_rdlock_main_loop: Assertion `!qemu_in_… - target/i386: no single-step exception after MOV or POP SS - char-stdio: Restore blocking mode of stdout on exit - backends/cryptodev-builtin: Fix local_error leaks - target/loongarch: fix a wrong print in cpu dump - virtio-pci: fix use of a released vector - target/arm: Disable SVE extensions when SVE is disabled - hw/misc/bcm2835_property: Fix handling of FRAMEBUFFER_SET_PALETTE - target/i386: Introduce SapphireRapids-v3 to add missing features - virtio-net: Ensure queue index fits with RSS (CVE-2024-6505) - nbd/server: CVE-2024-7409: Avoid use-after-free when closing server - update io/trace-events. Parameters should remain consistent. - update docs/tools/virtfs-proxy-helper.rst. This place is spelled wrong. - kvm: Add support for CSV2 reboot - target/i386/kvm: Fix the resettable info when emulate Hygon CSV2 guest - target/i386: get/set/migrate GHCB state - target/i386: csv: Add support for migrate VMSA for CSV2 guest - migration/ram: Accelerate the loading of CSV guest's encrypted pages - migration/ram: Accelerate the transmission of CSV guest's encrypted pages - target/i386: csv: add support to load incoming encrypted pages queued in the CMD list - target/i386: csv: add support to queue the incoming page into a list - target/i386: csv: add support to encrypt the outgoing pages in the list queued before. - target/i386: csv: add support to queue the outgoing page into a list - target/i386: csv: Read cert chain from file when prepared for CSV live migration - target/i386: Introduce header file csv.h - migration/ram: Fix calculation of gfn correpond to a page in ramblock - target/i386: sev: Clear shared_regions_list when reboot CSV Guest - migration/ram: Force encrypted status for VGA vram - target/i386: sev: Return 0 if sev_send_get_packet_len() fails - kvm: Add support for userspace MSR filtering and handling of MSR_KVM_MIGRATION_CONTROL. - migration/ram: Force encrypted status for flash0 & flash1 devices. - migration/ram: add support to send encrypted pages - migration: add support to migrate shared regions list - kvm: Add support for SEV shared regions list and KVM_EXIT_HYPERCALL. - target/i386: sev: add support to load incoming encrypted page - target/i386: sev: add support to encrypt the outgoing page - target/i386: sev: do not create launch context for an incoming guest - target/i386: sev: provide callback to setup outgoing context - confidential guest support: introduce ConfidentialGuestMemoryEncryptionOps for encrypted VMs - migration.json: add AMD SEV specific migration parameters - doc: update AMD SEV to include Live migration flow - crypto/tlscredspsk: Free username on finalize - hw/nvme: fix leak of uninitialized memory in io_mgmt_recv - hw/display/vhost-user-gpu.c: fix vhost_user_gpu_chr_read() - cvm : Implement command blacklist for cvm security enhancement - crypto: Introduce SM3 hash hmac pbkdf algorithm - virtio-net: Use virtual time for RSC timers - vvfat: Fix bug in writing to middle of file - hw/core/ptimer: fix timer zero period condition for freq > 1GHz - hw/misc: support vpsp Signed-off-by: Jiabo Feng <fengjiabo1@huawei.com> 2024-09-18 15:20:53 +08:00			`From 7aced2a5fff91e0fcff97bb5eafddafece0cb983 Mon Sep 17 00:00:00 2001`
			`From: Ashish Kalra <ashish.kalra@amd.com>`
			`Date: Tue, 27 Jul 2021 17:59:33 +0000`
			`Subject: [PATCH] kvm: Add support for userspace MSR filtering and handling of`
			`MSR_KVM_MIGRATION_CONTROL.`

			`cherry-picked from https://github.com/AMDESE/qemu/commit/67935c3fd5f.`

			`Add support for userspace MSR filtering using KVM_X86_SET_MSR_FILTER`
			`ioctl and handling of MSRs in userspace. Currently this is only used`
			`for SEV guests which use MSR_KVM_MIGRATION_CONTROL to indicate if the`
			`guest is enabled and ready for migration.`

			`KVM arch code calls into SEV guest specific code to delete the`
			`SEV migrate blocker which has been setup at SEV_LAUNCH_FINISH.`

			`Signed-off-by: Ashish Kalra <ashish.kalra@amd.com>`
			`[ Fix conflicts. ]`
			`Signed-off-by: hanliyang <hanliyang@hygon.cn>`
			`---`
			`target/i386/kvm/kvm.c \| 35 +++++++++++++++++++++++++++++++++++`
			`target/i386/kvm/sev-stub.c \| 4 ++++`
			`target/i386/sev.c \| 6 ++++++`
			`target/i386/sev.h \| 1 +`
			`4 files changed, 46 insertions(+)`

			`diff --git a/target/i386/kvm/kvm.c b/target/i386/kvm/kvm.c`
			`index 82f6d3b048..a5a755db01 100644`
			`--- a/target/i386/kvm/kvm.c`
			`+++ b/target/i386/kvm/kvm.c`
			`@@ -2488,6 +2488,32 @@ static bool kvm_rdmsr_core_thread_count(X86CPU *cpu, uint32_t msr,`
			`return true;`
			`}`

			`+/*`
			`+ * Currently this exit is only used by SEV guests for`
			`+ * MSR_KVM_MIGRATION_CONTROL to indicate if the guest`
			`+ * is ready for migration.`
			`+ */`
			`+static uint64_t msr_kvm_migration_control;`
			`+`
			`+static bool kvm_rdmsr_kvm_migration_control(X86CPU *cpu, uint32_t msr,`
			`+ uint64_t *val)`
			`+{`
			`+ *val = msr_kvm_migration_control;`
			`+`
			`+ return true;`
			`+}`
			`+`
			`+static bool kvm_wrmsr_kvm_migration_control(X86CPU *cpu, uint32_t msr,`
			`+ uint64_t val)`
			`+{`
			`+ msr_kvm_migration_control = val;`
			`+`
			`+ if (val == KVM_MIGRATION_READY)`
			`+ sev_del_migrate_blocker();`
			`+`
			`+ return true;`
			`+}`
			`+`
			`static Notifier smram_machine_done;`
			`static KVMMemoryListener smram_listener;`
			`static AddressSpace smram_address_space;`
			`@@ -2735,6 +2761,15 @@ int kvm_arch_init(MachineState ms, KVMState s)`
			`strerror(-ret));`
			`exit(1);`
			`}`
			`+`
			`+ r = kvm_filter_msr(s, MSR_KVM_MIGRATION_CONTROL,`
			`+ kvm_rdmsr_kvm_migration_control,`
			`+ kvm_wrmsr_kvm_migration_control);`
			`+ if (!r) {`
			`+ error_report("Could not install MSR_KVM_MIGRATION_CONTROL handler: %s",`
			`+ strerror(-ret));`
			`+ exit(1);`
			`+ }`
			`}`

			`return 0;`
			`diff --git a/target/i386/kvm/sev-stub.c b/target/i386/kvm/sev-stub.c`
			`index 1282d242a7..99899688e4 100644`
			`--- a/target/i386/kvm/sev-stub.c`
			`+++ b/target/i386/kvm/sev-stub.c`
			`@@ -30,3 +30,7 @@ int sev_add_shared_regions_list(unsigned long gfn_start, unsigned long gfn_end)`
			`{`
			`return 0;`
			`}`
			`+`
			`+void sev_del_migrate_blocker(void)`
			`+{`
			`+}`
			`diff --git a/target/i386/sev.c b/target/i386/sev.c`
			`index 47f41aefe7..98b0d3937a 100644`
			`--- a/target/i386/sev.c`
			`+++ b/target/i386/sev.c`
			`@@ -925,6 +925,12 @@ sev_launch_finish(SevGuestState *sev)`
			`migrate_add_blocker(&sev_mig_blocker, &error_fatal);`
			`}`

			`+void`
			`+sev_del_migrate_blocker(void)`
			`+{`
			`+ migrate_del_blocker(&sev_mig_blocker);`
			`+}`
			`+`
			`static int`
			`sev_receive_finish(SevGuestState *s)`
			`{`
			`diff --git a/target/i386/sev.h b/target/i386/sev.h`
			`index b9c2afb799..84e3bdf2df 100644`
			`--- a/target/i386/sev.h`
			`+++ b/target/i386/sev.h`
			`@@ -70,6 +70,7 @@ int sev_add_shared_regions_list(unsigned long gfn_start, unsigned long gfn_end);`
			`int sev_save_outgoing_shared_regions_list(QEMUFile f, uint64_t bytes_sent);`
			`int sev_load_incoming_shared_regions_list(QEMUFile *f);`
			`bool sev_is_gfn_in_unshared_region(unsigned long gfn);`
			`+void sev_del_migrate_blocker(void);`

			`int sev_kvm_init(ConfidentialGuestSupport cgs, Error *errp);`

			`--`
			`2.41.0.windows.1`