xref: /qemu/include/system/confidential-guest-support.h (revision cc944932ecef3b7a56ae62d89dd92fb9e56c5cc8) 
1 /*
2  * QEMU Confidential Guest support
3  *   This interface describes the common pieces between various
4  *   schemes for protecting guest memory or other state against a
5  *   compromised hypervisor.  This includes memory encryption (AMD's
6  *   SEV and Intel's MKTME) or special protection modes (PEF on POWER,
7  *   or PV on s390x).
8  *
9  * Copyright Red Hat.
10  *
11  * Authors:
12  *  David Gibson <david@gibson.dropbear.id.au>
13  *
14  * This work is licensed under the terms of the GNU GPL, version 2 or
15  * later.  See the COPYING file in the top-level directory.
16  *
17  */
18 #ifndef QEMU_CONFIDENTIAL_GUEST_SUPPORT_H
19 #define QEMU_CONFIDENTIAL_GUEST_SUPPORT_H
20 
21 #include "qom/object.h"
22 
23 #define TYPE_CONFIDENTIAL_GUEST_SUPPORT "confidential-guest-support"
24 OBJECT_DECLARE_TYPE(ConfidentialGuestSupport,
25                     ConfidentialGuestSupportClass,
26                     CONFIDENTIAL_GUEST_SUPPORT)
27 
28 
29 struct ConfidentialGuestSupport {
30     Object parent;
31 
32     /*
33      * True if the machine should use guest_memfd for RAM.
34      */
35     bool require_guest_memfd;
36 
37     /*
38      * ready: flag set by CGS initialization code once it's ready to
39      *        start executing instructions in a potentially-secure
40      *        guest
41      *
42      * The definition here is a bit fuzzy, because this is essentially
43      * part of a self-sanity-check, rather than a strict mechanism.
44      *
45      * It's not feasible to have a single point in the common machine
46      * init path to configure confidential guest support, because
47      * different mechanisms have different interdependencies requiring
48      * initialization in different places, often in arch or machine
49      * type specific code.  It's also usually not possible to check
50      * for invalid configurations until that initialization code.
51      * That means it would be very easy to have a bug allowing CGS
52      * init to be bypassed entirely in certain configurations.
53      *
54      * Silently ignoring a requested security feature would be bad, so
55      * to avoid that we check late in init that this 'ready' flag is
56      * set if CGS was requested.  If the CGS init hasn't happened, and
57      * so 'ready' is not set, we'll abort.
58      */
59     bool ready;
60 };
61 
62 typedef struct ConfidentialGuestSupportClass {
63     ObjectClass parent;
64 
65     int (*kvm_init)(ConfidentialGuestSupport *cgs, Error **errp);
66     int (*kvm_reset)(ConfidentialGuestSupport *cgs, Error **errp);
67 } ConfidentialGuestSupportClass;
68 
69 static inline int confidential_guest_kvm_init(ConfidentialGuestSupport *cgs,
70                                               Error **errp)
71 {
72     ConfidentialGuestSupportClass *klass;
73 
74     klass = CONFIDENTIAL_GUEST_SUPPORT_GET_CLASS(cgs);
75     if (klass->kvm_init) {
76         return klass->kvm_init(cgs, errp);
77     }
78 
79     return 0;
80 }
81 
82 static inline int confidential_guest_kvm_reset(ConfidentialGuestSupport *cgs,
83                                                Error **errp)
84 {
85     ConfidentialGuestSupportClass *klass;
86 
87     klass = CONFIDENTIAL_GUEST_SUPPORT_GET_CLASS(cgs);
88     if (klass->kvm_reset) {
89         return klass->kvm_reset(cgs, errp);
90     }
91 
92     return 0;
93 }
94 
95 #endif /* QEMU_CONFIDENTIAL_GUEST_SUPPORT_H */
96