
Commit 79c715b

committed
sys/linux: add support for KVM_MEMORY_ENCRYPT_OP
This patch adds the necessary descriptions for KVM_MEMORY_ENCRYPT_OP, which is currently not supported.
1 parent 98683f8 commit 79c715b


2 files changed

+223
-0
lines changed


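--- a/sys/linux/dev_kvm_amd64.txt
+++ b/sys/linux/dev_kvm_amd64.txt
@@ -12,6 +12,7 @@ include <asm/mce.h>
 # kvm_syz_vm is a VM handler used by syzos-related pseudo-syscalls. It is actually an opaque pointer under the hood.
 resource kvm_syz_vm$x86[int64]
 resource fd_sgx_provision[fd]
+resource fd_sev[fd]
 
 # Map the given memory into the VM and set up syzos there.
 syz_kvm_setup_syzos_vm$x86(fd fd_kvmvm, usermem vma[1024]) kvm_syz_vm$x86
@@ -164,6 +165,195 @@ define KVM_SETUP_VM (1<<6)
 openat$sgx_provision(fd const[AT_FDCWD], file ptr[in, string["/dev/sgx_provision"]], flags flags[open_flags], mode const[0]) fd_sgx_provision
 ioctl$KVM_CAP_SGX_ATTRIBUTE(fd fd_kvmvm, cmd const[KVM_ENABLE_CAP], arg ptr[in, kvm_enable_cap[KVM_CAP_SGX_ATTRIBUTE, fd_sgx_provision]])
 
+# SEV-related (based on https://www.kernel.org/doc/html/latest/virt/kvm/x86/amd-memory-encryption.html)
+openat$sev(fd const[AT_FDCWD], file ptr[in, string["/dev/sev"]], flags flags[open_flags], mode const[0]) fd_sev
+
+ioctl$KVM_SEV_INIT(fd fd_kvmvm, cmd const[KVM_MEMORY_ENCRYPT_OP], arg ptr[inout, kvm_memory_encrypt_op[KVM_SEV_INIT, const[0, intptr]]])
+ioctl$KVM_SEV_ES_INIT(fd fd_kvmvm, cmd const[KVM_MEMORY_ENCRYPT_OP], arg ptr[inout, kvm_memory_encrypt_op[KVM_SEV_ES_INIT, const[0, intptr]]])
+ioctl$KVM_SEV_INIT2(fd fd_kvmvm, cmd const[KVM_MEMORY_ENCRYPT_OP], arg ptr[inout, kvm_memory_encrypt_op[KVM_SEV_INIT2, ptr[in, kvm_sev_init]]])
+
+ioctl$KVM_SEV_LAUNCH_START(fd fd_kvmvm, cmd const[KVM_MEMORY_ENCRYPT_OP], arg ptr[inout, kvm_memory_encrypt_op[KVM_SEV_LAUNCH_START, ptr[inout, kvm_sev_launch_start]]])
+ioctl$KVM_SEV_LAUNCH_UPDATE_DATA(fd fd_kvmvm, cmd const[KVM_MEMORY_ENCRYPT_OP], arg ptr[inout, kvm_memory_encrypt_op[KVM_SEV_LAUNCH_UPDATE_DATA, ptr[in, kvm_sev_launch_update_data]]])
+ioctl$KVM_SEV_LAUNCH_UPDATE_VMSA(fd fd_kvmvm, cmd const[KVM_MEMORY_ENCRYPT_OP], arg ptr[inout, kvm_memory_encrypt_op[KVM_SEV_LAUNCH_UPDATE_VMSA, const[0, intptr]]])
+ioctl$KVM_SEV_LAUNCH_SECRET(fd fd_kvmvm, cmd const[KVM_MEMORY_ENCRYPT_OP], arg ptr[inout, kvm_memory_encrypt_op[KVM_SEV_LAUNCH_SECRET, ptr[in, kvm_sev_launch_secret]]])
+ioctl$KVM_SEV_LAUNCH_MEASURE(fd fd_kvmvm, cmd const[KVM_MEMORY_ENCRYPT_OP], arg ptr[inout, kvm_memory_encrypt_op[KVM_SEV_LAUNCH_MEASURE, ptr[in, kvm_sev_launch_measure]]])
+ioctl$KVM_SEV_LAUNCH_FINISH(fd fd_kvmvm, cmd const[KVM_MEMORY_ENCRYPT_OP], arg ptr[inout, kvm_memory_encrypt_op[KVM_SEV_LAUNCH_FINISH, const[0, intptr]]])
+
+ioctl$KVM_SEV_SEND_START(fd fd_kvmvm, cmd const[KVM_MEMORY_ENCRYPT_OP], arg ptr[inout, kvm_memory_encrypt_op[KVM_SEV_SEND_START, ptr[in, kvm_sev_send_start]]])
+ioctl$KVM_SEV_SEND_UPDATE_DATA(fd fd_kvmvm, cmd const[KVM_MEMORY_ENCRYPT_OP], arg ptr[inout, kvm_memory_encrypt_op[KVM_SEV_SEND_UPDATE_DATA, ptr[in, kvm_sev_send_update_data]]])
+ioctl$KVM_SEV_SEND_UPDATE_VMSA(fd fd_kvmvm, cmd const[KVM_MEMORY_ENCRYPT_OP], arg ptr[inout, kvm_memory_encrypt_op[KVM_SEV_SEND_UPDATE_VMSA, const[0, intptr]]])
+ioctl$KVM_SEV_SEND_CANCEL(fd fd_kvmvm, cmd const[KVM_MEMORY_ENCRYPT_OP], arg ptr[inout, kvm_memory_encrypt_op[KVM_SEV_SEND_CANCEL, const[0, intptr]]])
+ioctl$KVM_SEV_SEND_FINISH(fd fd_kvmvm, cmd const[KVM_MEMORY_ENCRYPT_OP], arg ptr[inout, kvm_memory_encrypt_op[KVM_SEV_SEND_FINISH, const[0, intptr]]])
+
+ioctl$KVM_SEV_RECEIVE_START(fd fd_kvmvm, cmd const[KVM_MEMORY_ENCRYPT_OP], arg ptr[inout, kvm_memory_encrypt_op[KVM_SEV_RECEIVE_START, ptr[inout, kvm_sev_receive_start]]])
+ioctl$KVM_SEV_RECEIVE_UPDATE_DATA(fd fd_kvmvm, cmd const[KVM_MEMORY_ENCRYPT_OP], arg ptr[inout, kvm_memory_encrypt_op[KVM_SEV_RECEIVE_UPDATE_DATA, ptr[in, kvm_sev_receive_update_data]]])
+ioctl$KVM_SEV_RECEIVE_UPDATE_VMSA(fd fd_kvmvm, cmd const[KVM_MEMORY_ENCRYPT_OP], arg ptr[inout, kvm_memory_encrypt_op[KVM_SEV_RECEIVE_UPDATE_VMSA, const[0, intptr]]])
+ioctl$KVM_SEV_RECEIVE_FINISH(fd fd_kvmvm, cmd const[KVM_MEMORY_ENCRYPT_OP], arg ptr[inout, kvm_memory_encrypt_op[KVM_SEV_RECEIVE_FINISH, const[0, intptr]]])
+
+ioctl$KVM_SEV_GUEST_STATUS(fd fd_kvmvm, cmd const[KVM_MEMORY_ENCRYPT_OP], arg ptr[inout, kvm_memory_encrypt_op[KVM_SEV_GUEST_STATUS, ptr[out, kvm_sev_guest_status]]])
+ioctl$KVM_SEV_DBG_DECRYPT(fd fd_kvmvm, cmd const[KVM_MEMORY_ENCRYPT_OP], arg ptr[inout, kvm_memory_encrypt_op[KVM_SEV_DBG_DECRYPT, ptr[in, kvm_sev_dbg]]])
+ioctl$KVM_SEV_DBG_ENCRYPT(fd fd_kvmvm, cmd const[KVM_MEMORY_ENCRYPT_OP], arg ptr[inout, kvm_memory_encrypt_op[KVM_SEV_DBG_ENCRYPT, ptr[in, kvm_sev_dbg]]])
+ioctl$KVM_SEV_CERT_EXPORT(fd fd_kvmvm, cmd const[KVM_MEMORY_ENCRYPT_OP], arg ptr[inout, kvm_memory_encrypt_op[KVM_SEV_CERT_EXPORT, const[0, intptr]]])
+ioctl$KVM_SEV_GET_ATTESTATION_REPORT(fd fd_kvmvm, cmd const[KVM_MEMORY_ENCRYPT_OP], arg ptr[inout, kvm_memory_encrypt_op[KVM_SEV_GET_ATTESTATION_REPORT, ptr[in, kvm_sev_attestation_report]]])
+
+ioctl$KVM_SEV_SNP_LAUNCH_START(fd fd_kvmvm, cmd const[KVM_MEMORY_ENCRYPT_OP], arg ptr[inout, kvm_memory_encrypt_op[KVM_SEV_SNP_LAUNCH_START, ptr[in, kvm_sev_snp_launch_start]]])
+ioctl$KVM_SEV_SNP_LAUNCH_UPDATE(fd fd_kvmvm, cmd const[KVM_MEMORY_ENCRYPT_OP], arg ptr[inout, kvm_memory_encrypt_op[KVM_SEV_SNP_LAUNCH_UPDATE, ptr[in, kvm_sev_snp_launch_update]]])
+ioctl$KVM_SEV_SNP_LAUNCH_FINISH(fd fd_kvmvm, cmd const[KVM_MEMORY_ENCRYPT_OP], arg ptr[inout, kvm_memory_encrypt_op[KVM_SEV_SNP_LAUNCH_FINISH, ptr[in, kvm_sev_snp_launch_finish]]])
+
+type kvm_memory_encrypt_op[ID, DATA] {
+id const[ID, int32]
+data DATA
+error int32
+sev_fd fd_sev (in)
+}
+
+kvm_sev_init {
+vmsa_features int64
+flags int32
+ghcb_version int16
+pad1 const[0, int16]
+pad2 array[const[0, int32], 8]
+}
+
+kvm_sev_launch_start {
+handle int32
+policy int32
+dh_addr vma64[1:4]
+dh_len len[dh_addr, int32]
+pad0 const[0, int32]
+session_uaddr vma64[1:4]
+session_len len[session_uaddr, int32]
+pad1 const[0, int32]
+}
+
+kvm_sev_launch_update_data {
+uaddr vma64[1:4]
+len len[uaddr, int32]
+pad0 const[0, int32]
+}
+
+kvm_sev_launch_secret {
+hdr_uaddr vma64[1:4]
+hdr_len len[hdr_uaddr, int32]
+pad0 const[0, int32]
+guest_uaddr vma64[1:4]
+guest_len len[guest_uaddr, int32]
+pad1 const[0, int32]
+trans_uaddr vma64[1:4]
+trans_len len[trans_uaddr, int32]
+pad2 const[0, int32]
+}
+
+kvm_sev_launch_measure {
+uaddr vma64[1:4]
+len len[uaddr, int32]
+pad0 const[0, int32]
+}
+
+kvm_sev_guest_status {
+handle int32
+policy int32
+state int32
+}
+
+kvm_sev_dbg {
+src_uaddr vma64[1:4]
+dst_uaddr vma64[1:4]
+len len[src_uaddr, int32]
+}
+
+kvm_sev_attestation_report {
+mnonce array[int8, 16]
+uaddr vma64[1:4]
+len len[uaddr, int32]
+pad0 const[0, int32]
+}
+
+kvm_sev_send_start {
+policy int32
+pad0 const[0, int32]
+pdh_cert_uaddr vma64[1:4]
+pdh_cert_len len[pdh_cert_uaddr, int32]
+pad1 const[0, int32]
+plat_certs_uaddr vma64[1:4]
+plat_certs_len len[plat_certs_uaddr, int32]
+pad2 const[0, int32]
+amd_certs_uaddr vma64[1:4]
+amd_certs_len len[amd_certs_uaddr, int32]
+pad3 const[0, int32]
+session_uaddr vma64[1:4]
+session_len len[session_uaddr, int32]
+pad4 const[0, int32]
+}
+
+kvm_sev_send_update_data {
+hdr_uaddr vma64[1:4]
+hdr_len len[hdr_uaddr, int32]
+pad0 const[0, int32]
+guest_uaddr vma64[1:4]
+guest_len len[guest_uaddr, int32]
+pad1 const[0, int32]
+trans_uaddr vma64[1:4]
+trans_len len[trans_uaddr, int32]
+pad2 const[0, int32]
+}
+
+kvm_sev_receive_start {
+handle int32
+policy int32
+pdh_addr vma64[1:4]
+pdh_len len[pdh_addr, int32]
+pad0 const[0, int32]
+session_uaddr vma64[1:4]
+session_len len[session_uaddr, int32]
+pad1 const[0, int32]
+}
+
+kvm_sev_receive_update_data {
+hdr_uaddr vma64[1:4]
+hdr_len len[hdr_uaddr, int32]
+pad0 const[0, int32]
+guest_uaddr vma64[1:4]
+guest_len len[guest_uaddr, int32]
+pad1 const[0, int32]
+trans_uaddr vma64[1:4]
+trans_len len[trans_uaddr, int32]
+pad2 const[0, int32]
+}
+
+kvm_sev_snp_launch_start {
+policy int64
+gosvw array[int8, 16]
+flags int16
+pad0 array[const[0, int8], 6]
+pad1 array[const[0, int64], 4]
+}
+
+kvm_sev_snp_launch_update {
+gfn_start int64
+uaddr vma64[1:4]
+len len[uaddr, int64]
+type flags[snp_page_type, int8]
+pad0 const[0, int8]
+flags int16
+pad1 const[0, int32]
+pad2 array[const[0, int64], 4]
+}
+
+snp_page_type = KVM_SEV_SNP_PAGE_TYPE_NORMAL, KVM_SEV_SNP_PAGE_TYPE_ZERO, KVM_SEV_SNP_PAGE_TYPE_UNMEASURED, KVM_SEV_SNP_PAGE_TYPE_SECRETS, KVM_SEV_SNP_PAGE_TYPE_CPUID
+
+kvm_sev_snp_launch_finish {
+id_block_uaddr vma64[1:4]
+id_auth_uaddr vma64[1:4]
+id_block_en int8
+auth_key_en int8
+vcek_disabled int8
+host_data array[int8, KVM_SEV_SNP_FINISH_DATA_SIZE]
+pad0 array[const[0, int8], 3]
+flags int16
+pad1 array[const[0, int64], 4]
+}
+
 #x86(-64) specific ioctls
 ioctl$KVM_GET_MSR_INDEX_LIST(fd fd_kvm, cmd const[KVM_GET_MSR_INDEX_LIST], arg ptr[in, kvm_msr_list])
 ioctl$KVM_GET_SUPPORTED_CPUID(fd fd_kvm, cmd const[KVM_GET_SUPPORTED_CPUID], arg buffer[out])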
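Review bot: The `data` field of `kvm_memory_encrypt_op` is typed as the template argument `DATA`, which the call sites instantiate as `ptr[...]` or `const[0, intptr]`, so its width follows the target pointer size, and the `.const` file in this same commit carries a `386:` value for KVM_MEMORY_ENCRYPT_OP, which suggests the description is also compiled for 386 where both become 4 bytes. If the kernel's `kvm_sev_cmd.data` is the fixed 64-bit field I recall, the 386 layout of every SEV command would be shifted and the commands would be rejected or misparsed rather than exercised; using `ptr64[...]`/`const[0, int64]` for the DATA arguments (as the payload structs already do with `vma64`) and an explicit `pad0 const[0, int32]` between `id` and `data` would pin the layout on both arches. Separately, LAUNCH_MEASURE and GET_ATTESTATION_REPORT have the kernel write the measurement or report back through `uaddr` and update `len`, so `ptr[inout, ...]` describes them better than `ptr[in, ...]`; worth confirming against the uapi header.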

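--- a/sys/linux/dev_kvm_amd64.txt.const
+++ b/sys/linux/dev_kvm_amd64.txt.const
@@ -73,6 +73,7 @@ KVM_IRQCHIP_PIC_MASTER = 0
 KVM_IRQCHIP_PIC_SLAVE = 1
 KVM_MAX_IRQ_ROUTES = 4096
 KVM_MEMORY_ATTRIBUTE_PRIVATE = 8
+KVM_MEMORY_ENCRYPT_OP = 386:3221532346, amd64:3221794490
 KVM_MSR_EXIT_REASON_FILTER = 4
 KVM_MSR_EXIT_REASON_INVAL = 1
 KVM_MSR_EXIT_REASON_UNKNOWN = 2
@@ -105,6 +106,38 @@ KVM_SET_TSS_ADDR = 44615
 KVM_SET_VAPIC_ADDR = 1074310803
 KVM_SET_XCRS = 1099476647
 KVM_SET_XSAVE = 1342221989
+KVM_SEV_CERT_EXPORT = 19
+KVM_SEV_DBG_DECRYPT = 17
+KVM_SEV_DBG_ENCRYPT = 18
+KVM_SEV_ES_INIT = 1
+KVM_SEV_GET_ATTESTATION_REPORT = 20
+KVM_SEV_GUEST_STATUS = 16
+KVM_SEV_INIT = 0
+KVM_SEV_INIT2 = 22
+KVM_SEV_LAUNCH_FINISH = 7
+KVM_SEV_LAUNCH_MEASURE = 6
+KVM_SEV_LAUNCH_SECRET = 5
+KVM_SEV_LAUNCH_START = 2
+KVM_SEV_LAUNCH_UPDATE_DATA = 3
+KVM_SEV_LAUNCH_UPDATE_VMSA = 4
+KVM_SEV_RECEIVE_FINISH = 15
+KVM_SEV_RECEIVE_START = 12
+KVM_SEV_RECEIVE_UPDATE_DATA = 13
+KVM_SEV_RECEIVE_UPDATE_VMSA = 14
+KVM_SEV_SEND_CANCEL = 21
+KVM_SEV_SEND_FINISH = 11
+KVM_SEV_SEND_START = 8
+KVM_SEV_SEND_UPDATE_DATA = 9
+KVM_SEV_SEND_UPDATE_VMSA = 10
+KVM_SEV_SNP_FINISH_DATA_SIZE = 32
+KVM_SEV_SNP_LAUNCH_FINISH = 102
+KVM_SEV_SNP_LAUNCH_START = 100
+KVM_SEV_SNP_LAUNCH_UPDATE = 101
+KVM_SEV_SNP_PAGE_TYPE_CPUID = 6
+KVM_SEV_SNP_PAGE_TYPE_NORMAL = 1
+KVM_SEV_SNP_PAGE_TYPE_SECRETS = 5
+KVM_SEV_SNP_PAGE_TYPE_UNMEASURED = 4
+KVM_SEV_SNP_PAGE_TYPE_ZERO = 3
 KVM_SMI = 44727
 KVM_STATE_NESTED_GUEST_MODE = 1
 KVM_STATE_NESTED_RUN_PENDING = 2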
