i386/sev: Introduce 'sev-snp-guest' object

SEV-SNP support relies on a different set of properties/state than the
existing 'sev-guest' object. This patch introduces the 'sev-snp-guest'
object, which

i386/sev: Introduce 'sev-snp-guest' object

SEV-SNP support relies on a different set of properties/state than the
existing 'sev-guest' object. This patch introduces the 'sev-snp-guest'
object, which can be used to configure an SEV-SNP guest. For example,
a default-configured SEV-SNP guest with no additional information
passed in for use with attestation:

-object sev-snp-guest,id=sev0

or a fully-specified SEV-SNP guest where all spec-defined binary
blobs are passed in as base64-encoded strings:

-object sev-snp-guest,id=sev0, \
policy=0x30000, \
init-flags=0, \
id-block=YWFhYWFhYWFhYWFhYWFhCg==, \
id-auth=CxHK/OKLkXGn/KpAC7Wl1FSiisWDbGTEKz..., \
author-key-enabled=on, \
host-data=LNkCWBRC5CcdGXirbNUV1OrsR28s..., \
guest-visible-workarounds=AA==, \

See the QAPI schema updates included in this patch for more usage
details.

In some cases these blobs may be up to 4096 characters, but this is
generally well below the default limit for linux hosts where
command-line sizes are defined by the sysconf-configurable ARG_MAX
value, which defaults to 2097152 characters for Ubuntu hosts, for
example.

Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
Co-developed-by: Michael Roth <michael.roth@amd.com>
Acked-by: Markus Armbruster <armbru@redhat.com> (for QAPI schema)
Signed-off-by: Michael Roth <michael.roth@amd.com>
Co-developed-by: Pankaj Gupta <pankaj.gupta@amd.com>
Signed-off-by: Pankaj Gupta <pankaj.gupta@amd.com>
Message-ID: <20240530111643.1091816-8-pankaj.gupta@amd.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

Update AMD memory encryption document links.

The previous links for the white paper and programmer's manual
are no longer available. Replace them with the new ones.

Signed-off-by: Jianlin Li <ljian

Update AMD memory encryption document links.

The previous links for the white paper and programmer's manual
are no longer available. Replace them with the new ones.

Signed-off-by: Jianlin Li <ljianlin99@gmail.com>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

show more ...

docs/system/i386: Add measurement calculation details to amd-memory-encryption

Add a section explaining how the Guest Owner should calculate the
expected guest launch measurement for SEV and SEV-ES.

docs/system/i386: Add measurement calculation details to amd-memory-encryption

Add a section explaining how the Guest Owner should calculate the
expected guest launch measurement for SEV and SEV-ES.

Also update the name and links to the SEV API Spec document.

Signed-off-by: Dov Murik <dovmurik@linux.ibm.com>
Suggested-by: Daniel P. Berrangé <berrange@redhat.com>

Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Message-Id: <20220217110059.2320497-1-dovmurik@linux.ibm.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

docs: rstfy confidential guest documentation

Also rstfy the documentation for AMD SEV, and link it.

The documentation for PEF had been merged into the pseries doc,
fix the reference.

Signed-off-by

docs: rstfy confidential guest documentation

Also rstfy the documentation for AMD SEV, and link it.

The documentation for PEF had been merged into the pseries doc,
fix the reference.

Signed-off-by: Cornelia Huck <cohuck@redhat.com>
Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Message-Id: <20220204161251.241877-1-cohuck@redhat.com>
Signed-off-by: Cédric Le Goater <clg@kaod.org>

show more ...

docs: Add SEV-ES documentation to amd-memory-encryption.txt

Update the amd-memory-encryption.txt file with information about SEV-ES,
including how to launch an SEV-ES guest and some of the differenc

docs: Add SEV-ES documentation to amd-memory-encryption.txt

Update the amd-memory-encryption.txt file with information about SEV-ES,
including how to launch an SEV-ES guest and some of the differences
between SEV and SEV-ES guests in regards to launching and measuring the
guest.

Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
Acked-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Connor Kuehl <ckuehl@redhat.com>
Message-Id: <fa1825a5eb0290eac4712cde75ba4c6829946eac.1619208498.git.thomas.lendacky@amd.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>

show more ...

doc: Fix some mistakes in the SEV documentation

Fix some spelling and grammar mistakes in the amd-memory-encryption.txt
file. No new information added.

Signed-off-by: Tom Lendacky <thomas.lendacky@

doc: Fix some mistakes in the SEV documentation

Fix some spelling and grammar mistakes in the amd-memory-encryption.txt
file. No new information added.

Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Connor Kuehl <ckuehl@redhat.com>
Message-Id: <a7c5ee6c056d840f46028f4a817c16a9862bdd9e.1619208498.git.thomas.lendacky@amd.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>

show more ...

confidential guest support: Update documentation

Now that we've implemented a generic machine option for configuring various
confidential guest support mechanisms:
1. Update docs/amd-memory-encryp

confidential guest support: Update documentation

Now that we've implemented a generic machine option for configuring various
confidential guest support mechanisms:
1. Update docs/amd-memory-encryption.txt to reference this rather than
the earlier SEV specific option
2. Add a docs/confidential-guest-support.txt to cover the generalities of
the confidential guest support scheme

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Reviewed-by: Greg Kurz <groug@kaod.org>

show more ...

docs: Fix broken links

Signed-off-by: Han Han <hhan@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20200807101736.3544506-1-hhan@redhat.com>
Signed-off-by: Laurent

docs: Fix broken links

Signed-off-by: Han Han <hhan@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20200807101736.3544506-1-hhan@redhat.com>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>

show more ...

doc: fix typos for documents in tree

Signed-off-by: Like Xu <like.xu@linux.intel.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-Id: <1550640446-18788-1-git-send-email-like.xu@linux.intel.c

doc: fix typos for documents in tree

Signed-off-by: Like Xu <like.xu@linux.intel.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-Id: <1550640446-18788-1-git-send-email-like.xu@linux.intel.com>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>

show more ...

target/i386: add Secure Encrypted Virtualization (SEV) object

Add a new memory encryption object 'sev-guest'. The object will be used
to create encrypted VMs on AMD EPYC CPU. The object provides the

target/i386: add Secure Encrypted Virtualization (SEV) object

Add a new memory encryption object 'sev-guest'. The object will be used
to create encrypted VMs on AMD EPYC CPU. The object provides the properties
to pass guest owner's public Diffie-hellman key, guest policy and session
information required to create the memory encryption context within the
SEV firmware.

e.g to launch SEV guest
# $QEMU \
-object sev-guest,id=sev0 \
-machine ....,memory-encryption=sev0

Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Richard Henderson <rth@twiddle.net>
Cc: Eduardo Habkost <ehabkost@redhat.com>
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

docs: add AMD Secure Encrypted Virtualization (SEV)

Create a documentation entry to describe the AMD Secure Encrypted
Virtualization (SEV) feature.

Cc: Paolo Bonzini <pbonzini@redhat.com>
Signed-of

docs: add AMD Secure Encrypted Virtualization (SEV)

Create a documentation entry to describe the AMD Secure Encrypted
Virtualization (SEV) feature.

Cc: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...