Thanks Paolo.
On 19/04/2022 8:50, Paolo Bonzini wrote:
> From: Dov Murik <[email protected]>
>
> Add a new field 'cpu0-id' to the response of query-sev-capabilities QMP
> command. The value of the field is the base64-encoded unique ID of CPU0
> (socket 0), which can be used to retrieve the signed CEK of the CPU from
> AMD's Key Distribution Service (KDS).
>
> Signed-off-by: Dov Murik <[email protected]>
>
> Reviewed-by: Daniel P. Berrangé <[email protected]>
> Message-Id: <[email protected]>
> Signed-off-by: Paolo Bonzini <[email protected]>
> ---
> qapi/misc-target.json | 4 ++++
> target/i386/sev.c | 42 +++++++++++++++++++++++++++++++++++++++++-
> 2 files changed, 45 insertions(+), 1 deletion(-)
>
> diff --git a/qapi/misc-target.json b/qapi/misc-target.json
> index 036c5e4a91..bc9355b595 100644
> --- a/qapi/misc-target.json
> +++ b/qapi/misc-target.json
> @@ -144,6 +144,8 @@
> #
> # @cert-chain: PDH certificate chain (base64 encoded)
> #
> +# @cpu0-id: Unique ID of CPU0 (base64 encoded) (since 7.0)
> +#
Should this be changed to "since 7.1" ?
Paolo, can you modify the patch in your tree, or should I submit a new
version?
-Dov
> # @cbitpos: C-bit location in page table entry
> #
> # @reduced-phys-bits: Number of physical Address bit reduction when SEV is
> @@ -154,6 +156,7 @@
> { 'struct': 'SevCapability',
> 'data': { 'pdh': 'str',
> 'cert-chain': 'str',
> + 'cpu0-id': 'str',
> 'cbitpos': 'int',
> 'reduced-phys-bits': 'int'},
> 'if': 'TARGET_I386' }
> @@ -172,6 +175,7 @@
> #
> # -> { "execute": "query-sev-capabilities" }
> # <- { "return": { "pdh": "8CCDD8DDD", "cert-chain": "888CCCDDDEE",
> +# "cpu0-id": "2lvmGwo+...61iEinw==",
> # "cbitpos": 47, "reduced-phys-bits": 5}}
> #
> ##
> diff --git a/target/i386/sev.c b/target/i386/sev.c
> index 025ff7a6f8..32f7dbac4e 100644
> --- a/target/i386/sev.c
> +++ b/target/i386/sev.c
> @@ -531,12 +531,46 @@ e_free:
> return 1;
> }
>
> +static int sev_get_cpu0_id(int fd, guchar **id, size_t *id_len, Error **errp)
> +{
> + guchar *id_data;
> + struct sev_user_data_get_id2 get_id2 = {};
> + int err, r;
> +
> + /* query the ID length */
> + r = sev_platform_ioctl(fd, SEV_GET_ID2, &get_id2, &err);
> + if (r < 0 && err != SEV_RET_INVALID_LEN) {
> + error_setg(errp, "SEV: Failed to get ID ret=%d fw_err=%d (%s)",
> + r, err, fw_error_to_str(err));
> + return 1;
> + }
> +
> + id_data = g_new(guchar, get_id2.length);
> + get_id2.address = (unsigned long)id_data;
> +
> + r = sev_platform_ioctl(fd, SEV_GET_ID2, &get_id2, &err);
> + if (r < 0) {
> + error_setg(errp, "SEV: Failed to get ID ret=%d fw_err=%d (%s)",
> + r, err, fw_error_to_str(err));
> + goto err;
> + }
> +
> + *id = id_data;
> + *id_len = get_id2.length;
> + return 0;
> +
> +err:
> + g_free(id_data);
> + return 1;
> +}
> +
> static SevCapability *sev_get_capabilities(Error **errp)
> {
> SevCapability *cap = NULL;
> guchar *pdh_data = NULL;
> guchar *cert_chain_data = NULL;
> - size_t pdh_len = 0, cert_chain_len = 0;
> + guchar *cpu0_id_data = NULL;
> + size_t pdh_len = 0, cert_chain_len = 0, cpu0_id_len = 0;
> uint32_t ebx;
> int fd;
>
> @@ -561,9 +595,14 @@ static SevCapability *sev_get_capabilities(Error **errp)
> goto out;
> }
>
> + if (sev_get_cpu0_id(fd, &cpu0_id_data, &cpu0_id_len, errp)) {
> + goto out;
> + }
> +
> cap = g_new0(SevCapability, 1);
> cap->pdh = g_base64_encode(pdh_data, pdh_len);
> cap->cert_chain = g_base64_encode(cert_chain_data, cert_chain_len);
> + cap->cpu0_id = g_base64_encode(cpu0_id_data, cpu0_id_len);
>
> host_cpuid(0x8000001F, 0, NULL, &ebx, NULL, NULL);
> cap->cbitpos = ebx & 0x3f;
> @@ -575,6 +614,7 @@ static SevCapability *sev_get_capabilities(Error **errp)
> cap->reduced_phys_bits = 1;
>
> out:
> + g_free(cpu0_id_data);
> g_free(pdh_data);
> g_free(cert_chain_data);
> close(fd);
