    KVM: SEV: Add KVM_SEV_SNP_LAUNCH_UPDATE command · dee5a47c
    Brijesh Singh authored
    A key aspect of launching an SNP guest is initializing it with a
    known/measured payload which is then encrypted into guest memory as
    pre-validated private pages and then measured into the cryptographic
    launch context created with KVM_SEV_SNP_LAUNCH_START so that the guest
    can attest itself after booting.
    
    Since all private pages are provided by guest_memfd, make use of the
    kvm_gmem_populate() interface to handle this. The general flow is that
    guest_memfd will handle allocating the pages associated with the GPA
    ranges being initialized by each particular call of
    KVM_SEV_SNP_LAUNCH_UPDATE, copying data from userspace into those pages,
    and then the post_populate callback will do the work of setting the
    RMP entries for these pages to private and issuing the SNP firmware
    calls to encrypt/measure them.
    
    For more information see the SEV-SNP specification.
    Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
    Co-developed-by: Michael Roth <michael.roth@amd.com>
    Signed-off-by: Michael Roth <michael.roth@amd.com>
    Signed-off-by: Ashish Kalra <ashish.kalra@amd.com>
    Message-ID: <20240501085210.2213060-7-michael.roth@amd.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>