xref: /qemu/include/system/confidential-guest-support.h (revision 513823e7521a09ed7ad1e32e6454bac3b2cbf52d) 
1 /*
2  * QEMU Confidential Guest support
3  *   This interface describes the common pieces between various
4  *   schemes for protecting guest memory or other state against a
5  *   compromised hypervisor.  This includes memory encryption (AMD's
6  *   SEV and Intel's MKTME) or special protection modes (PEF on POWER,
7  *   or PV on s390x).
8  *
9  * Copyright Red Hat.
10  *
11  * Authors:
12  *  David Gibson <david@gibson.dropbear.id.au>
13  *
14  * This work is licensed under the terms of the GNU GPL, version 2 or
15  * later.  See the COPYING file in the top-level directory.
16  *
17  */
18 #ifndef QEMU_CONFIDENTIAL_GUEST_SUPPORT_H
19 #define QEMU_CONFIDENTIAL_GUEST_SUPPORT_H
20 
21 #ifdef CONFIG_USER_ONLY
22 #error Cannot include system/confidential-guest-support.h from user emulation
23 #endif
24 
25 #include "qom/object.h"
26 
27 #define TYPE_CONFIDENTIAL_GUEST_SUPPORT "confidential-guest-support"
28 OBJECT_DECLARE_TYPE(ConfidentialGuestSupport,
29                     ConfidentialGuestSupportClass,
30                     CONFIDENTIAL_GUEST_SUPPORT)
31 
32 
33 struct ConfidentialGuestSupport {
34     Object parent;
35 
36     /*
37      * True if the machine should use guest_memfd for RAM.
38      */
39     bool require_guest_memfd;
40 
41     /*
42      * ready: flag set by CGS initialization code once it's ready to
43      *        start executing instructions in a potentially-secure
44      *        guest
45      *
46      * The definition here is a bit fuzzy, because this is essentially
47      * part of a self-sanity-check, rather than a strict mechanism.
48      *
49      * It's not feasible to have a single point in the common machine
50      * init path to configure confidential guest support, because
51      * different mechanisms have different interdependencies requiring
52      * initialization in different places, often in arch or machine
53      * type specific code.  It's also usually not possible to check
54      * for invalid configurations until that initialization code.
55      * That means it would be very easy to have a bug allowing CGS
56      * init to be bypassed entirely in certain configurations.
57      *
58      * Silently ignoring a requested security feature would be bad, so
59      * to avoid that we check late in init that this 'ready' flag is
60      * set if CGS was requested.  If the CGS init hasn't happened, and
61      * so 'ready' is not set, we'll abort.
62      */
63     bool ready;
64 };
65 
66 typedef struct ConfidentialGuestSupportClass {
67     ObjectClass parent;
68 
69     int (*kvm_init)(ConfidentialGuestSupport *cgs, Error **errp);
70     int (*kvm_reset)(ConfidentialGuestSupport *cgs, Error **errp);
71 } ConfidentialGuestSupportClass;
72 
73 static inline int confidential_guest_kvm_init(ConfidentialGuestSupport *cgs,
74                                               Error **errp)
75 {
76     ConfidentialGuestSupportClass *klass;
77 
78     klass = CONFIDENTIAL_GUEST_SUPPORT_GET_CLASS(cgs);
79     if (klass->kvm_init) {
80         return klass->kvm_init(cgs, errp);
81     }
82 
83     return 0;
84 }
85 
86 static inline int confidential_guest_kvm_reset(ConfidentialGuestSupport *cgs,
87                                                Error **errp)
88 {
89     ConfidentialGuestSupportClass *klass;
90 
91     klass = CONFIDENTIAL_GUEST_SUPPORT_GET_CLASS(cgs);
92     if (klass->kvm_reset) {
93         return klass->kvm_reset(cgs, errp);
94     }
95 
96     return 0;
97 }
98 
99 #endif /* QEMU_CONFIDENTIAL_GUEST_SUPPORT_H */
100