qemu/target-i386-csv-Read-cert-chain-from-file-when-prepa.patch
Jiabo Feng 4f059b938c QEMU update to version 8.2.0-18:
- hw/loongarch/virt: Fix FDT memory node address width
- hw/loongarch: Fix fdt memory node wrong 'reg'
- load_elf: fix iterator's type for elf file processing
- migration/colo: Fix bdrv_graph_rdlock_main_loop: Assertion `!qemu_in_…
- target/i386: no single-step exception after MOV or POP SS
- char-stdio: Restore blocking mode of stdout on exit
- backends/cryptodev-builtin: Fix local_error leaks
- target/loongarch: fix a wrong print in cpu dump
- virtio-pci: fix use of a released vector
- target/arm: Disable SVE extensions when SVE is disabled
- hw/misc/bcm2835_property: Fix handling of FRAMEBUFFER_SET_PALETTE
- target/i386: Introduce SapphireRapids-v3 to add missing features
- virtio-net: Ensure queue index fits with RSS (CVE-2024-6505)
- nbd/server: CVE-2024-7409: Avoid use-after-free when closing server
- update io/trace-events. Parameters should remain consistent.
- update docs/tools/virtfs-proxy-helper.rst. This place is spelled wrong.
- kvm: Add support for CSV2 reboot
- target/i386/kvm: Fix the resettable info when emulate Hygon CSV2 guest
- target/i386: get/set/migrate GHCB state
- target/i386: csv: Add support for migrate VMSA for CSV2 guest
- migration/ram: Accelerate the loading of CSV guest's encrypted pages
- migration/ram: Accelerate the transmission of CSV guest's encrypted pages
- target/i386: csv: add support to load incoming encrypted pages queued in the CMD list
- target/i386: csv: add support to queue the incoming page into a list
- target/i386: csv: add support to encrypt the outgoing pages in the list queued before.
- target/i386: csv: add support to queue the outgoing page into a list
- target/i386: csv: Read cert chain from file when prepared for CSV live migration
- target/i386: Introduce header file csv.h
- migration/ram: Fix calculation of gfn correspond to a page in ramblock
- target/i386: sev: Clear shared_regions_list when reboot CSV Guest
- migration/ram: Force encrypted status for VGA vram
- target/i386: sev: Return 0 if sev_send_get_packet_len() fails
- kvm: Add support for userspace MSR filtering and handling of MSR_KVM_MIGRATION_CONTROL.
- migration/ram: Force encrypted status for flash0 & flash1 devices.
- migration/ram: add support to send encrypted pages
- migration: add support to migrate shared regions list
- kvm: Add support for SEV shared regions list and KVM_EXIT_HYPERCALL.
- target/i386: sev: add support to load incoming encrypted page
- target/i386: sev: add support to encrypt the outgoing page
- target/i386: sev: do not create launch context for an incoming guest
- target/i386: sev: provide callback to setup outgoing context
- confidential guest support: introduce ConfidentialGuestMemoryEncryptionOps for encrypted VMs
- migration.json: add AMD SEV specific migration parameters
- doc: update AMD SEV to include Live migration flow
- crypto/tlscredspsk: Free username on finalize
- hw/nvme: fix leak of uninitialized memory in io_mgmt_recv
- hw/display/vhost-user-gpu.c: fix vhost_user_gpu_chr_read()
- cvm : Implement command blacklist for cvm security enhancement
- crypto: Introduce SM3 hash hmac pbkdf algorithm
- virtio-net: Use virtual time for RSC timers
- vvfat: Fix bug in writing to middle of file
- hw/core/ptimer: fix timer zero period condition for freq > 1GHz
- hw/misc: support vpsp

Signed-off-by: Jiabo Feng <fengjiabo1@huawei.com>
2024-09-18 15:23:53 +08:00

From d23c6a2bcc836587620bd35726ca4d5f71c0a844 Mon Sep 17 00:00:00 2001
From: hanliyang <hanliyang@hygon.cn>
Date: Mon, 13 Nov 2023 21:55:33 +0000
Subject: [PATCH] target/i386: csv: Read cert chain from file when prepared for
 CSV live migration

The cert chain is too long when encoded with base64; use the filename
of the cert chain instead of the encoded string when prepared for CSV live
migration.

[ Fix conflicts. ]

Signed-off-by: hanliyang <hanliyang@hygon.cn>
---
qapi/migration.json | 24 +++++++++++++++---------
target/i386/sev.c | 30 ++++++++++++++++++++++++++----
2 files changed, 41 insertions(+), 13 deletions(-)
diff --git a/qapi/migration.json b/qapi/migration.json
index 038e99cba3..3aed216c3b 100644
--- a/qapi/migration.json
+++ b/qapi/migration.json
@@ -891,14 +891,16 @@
# @mode: Migration mode. See description in @MigMode. Default is 'normal'.
# (Since 8.2)
#
-# @sev-pdh: The target host platform diffie-hellman key encoded in base64
+# @sev-pdh: The target host platform diffie-hellman key encoded in base64, or
+# pdh filename for hygon
# (Since 4.2)
#
-# @sev-plat-cert: The target host platform certificate chain encoded in base64
+# @sev-plat-cert: The target host platform certificate chain encoded in base64,
+# or plat cert filename for hygon
# (Since 4.2)
#
# @sev-amd-cert: AMD certificate chain which include ASK and OCA encoded in
-# base64 (Since 4.2)
+# base64, or vendor cert filename for hygon (Since 4.2)
#
# Features:
#
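Review bot: the new wording "encoded in base64, or pdh filename for hygon" is ambiguous about which form a Hygon host accepts. The matching change in target/i386/sev.c takes the file path unconditionally whenever is_hygon_cpu() is true and reads it with sev_read_file_base64(), so on Hygon the base64 string form is no longer accepted and the file must itself contain the base64-encoded blob. State that explicitly for all three parameters, e.g. "# @sev-pdh: The target host platform Diffie-Hellman key encoded in base64." followed by "# On Hygon hosts this must instead be the path of a file containing the base64-encoded key." Also capitalize the vendor name as "Hygon".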
@@ -1093,14 +1095,16 @@
# @mode: Migration mode. See description in @MigMode. Default is 'normal'.
# (Since 8.2)
#
-# @sev-pdh: The target host platform diffie-hellman key encoded in base64
+# @sev-pdh: The target host platform diffie-hellman key encoded in base64, or
+# pdh filename for hygon
# (Since 4.2)
#
-# @sev-plat-cert: The target host platform certificate chain encoded in base64
+# @sev-plat-cert: The target host platform certificate chain encoded in base64,
+# or plat cert filename for hygon
# (Since 4.2)
#
# @sev-amd-cert: AMD certificate chain which include ASK and OCA encoded in
-# base64 (Since 4.2)
+# base64, or vendor cert filename for hygon (Since 4.2)
#
# Features:
#
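Review bot: the "(Since 4.2)" annotation on all three parameters is left untouched although their accepted value changes here for Hygon hosts. QAPI docs record when a member's semantics changed, so add the version this patch ships in for the filename form, e.g. "(Since 4.2; file path form on Hygon hosts since the version in which this change lands)", rather than letting a reader believe the file form has been available since 4.2. The same applies to the identical hunk in MigrateSetParameters above.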
@@ -1340,14 +1344,16 @@
# @mode: Migration mode. See description in @MigMode. Default is 'normal'.
# (Since 8.2)
#
-# @sev-pdh: The target host platform diffie-hellman key encoded in base64
+# @sev-pdh: The target host platform diffie-hellman key encoded in base64, or
+# pdh filename for hygon
# (Since 4.2)
#
-# @sev-plat-cert: The target host platform certificate chain encoded in base64
+# @sev-plat-cert: The target host platform certificate chain encoded in base64,
+# or plat cert filename for hygon
# (Since 4.2)
#
# @sev-amd-cert: AMD certificate chain which include ASK and OCA encoded in
-# base64 (Since 4.2)
+# base64, or vendor cert filename for hygon (Since 4.2)
#
# Features:
#
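Review bot: this is the third verbatim copy of the same doc text, and the touched lines carry pre-existing wording defects that should be fixed while here: "diffie-hellman" should be "Diffie-Hellman", "AMD certificate chain which include ASK and OCA" should read "which includes", and "plat cert filename" / "vendor cert filename" are abbreviations a user of migrate-set-parameters cannot act on. Spell them out ("path of a file containing the base64-encoded platform certificate chain"), and for @sev-amd-cert say what the file holds on Hygon, since the member name still says "amd" while the description now calls it a vendor certificate.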
diff --git a/target/i386/sev.c b/target/i386/sev.c
index 0b0f589aee..331dfa4516 100644
--- a/target/i386/sev.c
+++ b/target/i386/sev.c
@@ -27,6 +27,7 @@
#include "crypto/hash.h"
#include "sysemu/kvm.h"
#include "sev.h"
+#include "csv.h"
#include "sysemu/sysemu.h"
#include "sysemu/runstate.h"
#include "trace.h"
@@ -979,18 +980,39 @@ int sev_save_setup(const char *pdh, const char *plat_cert,
{
SevGuestState *s = sev_guest;
- s->remote_pdh = g_base64_decode(pdh, &s->remote_pdh_len);
+ if (is_hygon_cpu()) {
+ if (sev_read_file_base64(pdh, &s->remote_pdh,
+ &s->remote_pdh_len) < 0) {
+ goto error;
+ }
+ } else {
+ s->remote_pdh = g_base64_decode(pdh, &s->remote_pdh_len);
+ }
if (!check_blob_length(s->remote_pdh_len)) {
goto error;
}
- s->remote_plat_cert = g_base64_decode(plat_cert,
- &s->remote_plat_cert_len);
+ if (is_hygon_cpu()) {
+ if (sev_read_file_base64(plat_cert, &s->remote_plat_cert,
+ &s->remote_plat_cert_len) < 0) {
+ goto error;
+ }
+ } else {
+ s->remote_plat_cert = g_base64_decode(plat_cert,
+ &s->remote_plat_cert_len);
+ }
if (!check_blob_length(s->remote_plat_cert_len)) {
goto error;
}
- s->amd_cert = g_base64_decode(amd_cert, &s->amd_cert_len);
+ if (is_hygon_cpu()) {
+ if (sev_read_file_base64(amd_cert, &s->amd_cert,
+ &s->amd_cert_len) < 0) {
+ goto error;
+ }
+ } else {
+ s->amd_cert = g_base64_decode(amd_cert, &s->amd_cert_len);
+ }
if (!check_blob_length(s->amd_cert_len)) {
goto error;
}
--
2.41.0.windows.1