1958b5fc40
Early in the boot process, add checks to determine if the kernel is running with Secure Encrypted Virtualization (SEV) active. Checking for SEV requires checking that the kernel is running under a hypervisor (CPUID 0x00000001, bit 31), that the SEV feature is available (CPUID 0x8000001f, bit 1) and then checking a non-interceptable SEV MSR (0xc0010131, bit 0). This check is required so that during early compressed kernel booting the pagetables (both the boot pagetables and KASLR pagetables (if enabled) are updated to include the encryption mask so that when the kernel is decompressed into encrypted memory, it can boot properly. After the kernel is decompressed and continues booting the same logic is used to check if SEV is active and set a flag indicating so. This allows to distinguish between SME and SEV, each of which have unique differences in how certain things are handled: e.g. DMA (always bounce buffered with SEV) or EFI tables (always access decrypted with SME). Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com> Signed-off-by: Brijesh Singh <brijesh.singh@amd.com> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Reviewed-by: Borislav Petkov <bp@suse.de> Tested-by: Borislav Petkov <bp@suse.de> Cc: Laura Abbott <labbott@redhat.com> Cc: Kees Cook <keescook@chromium.org> Cc: kvm@vger.kernel.org Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Cc: Radim Krčmář <rkrcmar@redhat.com> Cc: Borislav Petkov <bp@alien8.de> Cc: Andy Lutomirski <luto@kernel.org> Cc: Paolo Bonzini <pbonzini@redhat.com> Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com> Link: https://lkml.kernel.org/r/20171020143059.3291-13-brijesh.singh@amd.com
114 lines
2.9 KiB
C
114 lines
2.9 KiB
C
/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
|
|
#ifndef _UAPI_ASM_X86_KVM_PARA_H
|
|
#define _UAPI_ASM_X86_KVM_PARA_H
|
|
|
|
#include <linux/types.h>
|
|
#include <asm/hyperv.h>
|
|
|
|
/* This CPUID returns the signature 'KVMKVMKVM' in ebx, ecx, and edx. It
|
|
* should be used to determine that a VM is running under KVM.
|
|
*/
|
|
#define KVM_CPUID_SIGNATURE 0x40000000
|
|
|
|
/* This CPUID returns a feature bitmap in eax. Before enabling a particular
|
|
* paravirtualization, the appropriate feature bit should be checked.
|
|
*/
|
|
#define KVM_CPUID_FEATURES 0x40000001
|
|
#define KVM_FEATURE_CLOCKSOURCE 0
|
|
#define KVM_FEATURE_NOP_IO_DELAY 1
|
|
#define KVM_FEATURE_MMU_OP 2
|
|
/* This indicates that the new set of kvmclock msrs
|
|
* are available. The use of 0x11 and 0x12 is deprecated
|
|
*/
|
|
#define KVM_FEATURE_CLOCKSOURCE2 3
|
|
#define KVM_FEATURE_ASYNC_PF 4
|
|
#define KVM_FEATURE_STEAL_TIME 5
|
|
#define KVM_FEATURE_PV_EOI 6
|
|
#define KVM_FEATURE_PV_UNHALT 7
|
|
|
|
/* The last 8 bits are used to indicate how to interpret the flags field
|
|
* in pvclock structure. If no bits are set, all flags are ignored.
|
|
*/
|
|
#define KVM_FEATURE_CLOCKSOURCE_STABLE_BIT 24
|
|
|
|
#define MSR_KVM_WALL_CLOCK 0x11
|
|
#define MSR_KVM_SYSTEM_TIME 0x12
|
|
|
|
#define KVM_MSR_ENABLED 1
|
|
/* Custom MSRs falls in the range 0x4b564d00-0x4b564dff */
|
|
#define MSR_KVM_WALL_CLOCK_NEW 0x4b564d00
|
|
#define MSR_KVM_SYSTEM_TIME_NEW 0x4b564d01
|
|
#define MSR_KVM_ASYNC_PF_EN 0x4b564d02
|
|
#define MSR_KVM_STEAL_TIME 0x4b564d03
|
|
#define MSR_KVM_PV_EOI_EN 0x4b564d04
|
|
|
|
struct kvm_steal_time {
|
|
__u64 steal;
|
|
__u32 version;
|
|
__u32 flags;
|
|
__u8 preempted;
|
|
__u8 u8_pad[3];
|
|
__u32 pad[11];
|
|
};
|
|
|
|
#define KVM_CLOCK_PAIRING_WALLCLOCK 0
|
|
struct kvm_clock_pairing {
|
|
__s64 sec;
|
|
__s64 nsec;
|
|
__u64 tsc;
|
|
__u32 flags;
|
|
__u32 pad[9];
|
|
};
|
|
|
|
#define KVM_STEAL_ALIGNMENT_BITS 5
|
|
#define KVM_STEAL_VALID_BITS ((-1ULL << (KVM_STEAL_ALIGNMENT_BITS + 1)))
|
|
#define KVM_STEAL_RESERVED_MASK (((1 << KVM_STEAL_ALIGNMENT_BITS) - 1 ) << 1)
|
|
|
|
#define KVM_MAX_MMU_OP_BATCH 32
|
|
|
|
#define KVM_ASYNC_PF_ENABLED (1 << 0)
|
|
#define KVM_ASYNC_PF_SEND_ALWAYS (1 << 1)
|
|
#define KVM_ASYNC_PF_DELIVERY_AS_PF_VMEXIT (1 << 2)
|
|
|
|
/* Operations for KVM_HC_MMU_OP */
|
|
#define KVM_MMU_OP_WRITE_PTE 1
|
|
#define KVM_MMU_OP_FLUSH_TLB 2
|
|
#define KVM_MMU_OP_RELEASE_PT 3
|
|
|
|
/* Payload for KVM_HC_MMU_OP */
|
|
struct kvm_mmu_op_header {
|
|
__u32 op;
|
|
__u32 pad;
|
|
};
|
|
|
|
struct kvm_mmu_op_write_pte {
|
|
struct kvm_mmu_op_header header;
|
|
__u64 pte_phys;
|
|
__u64 pte_val;
|
|
};
|
|
|
|
struct kvm_mmu_op_flush_tlb {
|
|
struct kvm_mmu_op_header header;
|
|
};
|
|
|
|
struct kvm_mmu_op_release_pt {
|
|
struct kvm_mmu_op_header header;
|
|
__u64 pt_phys;
|
|
};
|
|
|
|
#define KVM_PV_REASON_PAGE_NOT_PRESENT 1
|
|
#define KVM_PV_REASON_PAGE_READY 2
|
|
|
|
struct kvm_vcpu_pv_apf_data {
|
|
__u32 reason;
|
|
__u8 pad[60];
|
|
__u32 enabled;
|
|
};
|
|
|
|
#define KVM_PV_EOI_BIT 0
|
|
#define KVM_PV_EOI_MASK (0x1 << KVM_PV_EOI_BIT)
|
|
#define KVM_PV_EOI_ENABLED KVM_PV_EOI_MASK
|
|
#define KVM_PV_EOI_DISABLED 0x0
|
|
|
|
#endif /* _UAPI_ASM_X86_KVM_PARA_H */
|