[PATCH 2/2 V5] KVM, SEV: Add support for SEV-ES intra host migration
From: Peter Gonda <hidden>
Date: 2021-08-23 16:28:15
Also in:
lkml
Subsystem:
kernel virtual machine for x86 (kvm/x86), the rest, x86 architecture (32-bit and 64-bit) · Maintainers:
Sean Christopherson, Paolo Bonzini, Linus Torvalds, Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen
For SEV-ES to work with intra host migration the VMSAs, GHCB metadata, and other SEV-ES info needs to be preserved along with the guest's memory. Signed-off-by: Peter Gonda <redacted> Cc: Marc Orr <redacted> Cc: Paolo Bonzini <pbonzini@redhat.com> Cc: Sean Christopherson <seanjc@google.com> Cc: David Rientjes <rientjes@google.com> Cc: Dr. David Alan Gilbert <redacted> Cc: Brijesh Singh <redacted> Cc: Vitaly Kuznetsov <vkuznets@redhat.com> Cc: Wanpeng Li <redacted> Cc: Jim Mattson <redacted> Cc: Joerg Roedel <joro@8bytes.org> Cc: Thomas Gleixner <redacted> Cc: Ingo Molnar <mingo@redhat.com> Cc: Borislav Petkov <bp@alien8.de> Cc: "H. Peter Anvin" <hpa@zytor.com> Cc: kvm@vger.kernel.org Cc: linux-kernel@vger.kernel.org --- arch/x86/kvm/svm/sev.c | 62 ++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 60 insertions(+), 2 deletions(-)
diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
index 3467e18d63e0..f17bdf5ce723 100644
--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c@@ -1545,6 +1545,59 @@ static void migrate_info_from(struct kvm_sev_info *dst, list_replace_init(&src->regions_list, &dst->regions_list); } +static int migrate_vmsa_from(struct kvm *dst, struct kvm *src) +{ + int i, num_vcpus; + struct kvm_vcpu *dst_vcpu, *src_vcpu; + struct vcpu_svm *dst_svm, *src_svm; + + num_vcpus = atomic_read(&dst->online_vcpus); + if (num_vcpus != atomic_read(&src->online_vcpus)) { + pr_warn_ratelimited( + "Source and target VMs must have same number of vCPUs.\n"); + return -EINVAL; + } + + for (i = 0; i < num_vcpus; ++i) { + src_vcpu = src->vcpus[i]; + if (!src_vcpu->arch.guest_state_protected) { + pr_warn_ratelimited( + "Source ES VM vCPUs must have protected state.\n"); + return -EINVAL; + } + } + + for (i = 0; i < num_vcpus; ++i) { + src_vcpu = src->vcpus[i]; + src_svm = to_svm(src_vcpu); + dst_vcpu = dst->vcpus[i]; + dst_svm = to_svm(dst_vcpu); + + /* + * Copy VMSA and GHCB fields from the source to the destination. + * Clear them on the source to prevent the VM running and + * changing the state of the VMSA/GHCB unexpectedly. + */ + dst_vcpu->vcpu_id = src_vcpu->vcpu_id; + dst_svm->vmsa = src_svm->vmsa; + src_svm->vmsa = NULL; + dst_svm->ghcb = src_svm->ghcb; + src_svm->ghcb = NULL; + dst_svm->vmcb->control.ghcb_gpa = + src_svm->vmcb->control.ghcb_gpa; + src_svm->vmcb->control.ghcb_gpa = 0; + dst_svm->ghcb_sa = src_svm->ghcb_sa; + src_svm->ghcb_sa = NULL; + dst_svm->ghcb_sa_len = src_svm->ghcb_sa_len; + src_svm->ghcb_sa_len = 0; + dst_svm->ghcb_sa_sync = src_svm->ghcb_sa_sync; + src_svm->ghcb_sa_sync = false; + dst_svm->ghcb_sa_free = src_svm->ghcb_sa_free; + src_svm->ghcb_sa_free = false; + } + return 0; +} + int svm_vm_migrate_from(struct kvm *kvm, unsigned int source_fd) { struct kvm_sev_info *dst_sev = &to_kvm_svm(kvm)->sev_info;
@@ -1556,7 +1609,7 @@ int svm_vm_migrate_from(struct kvm *kvm, unsigned int source_fd) if (ret) return ret; - if (!sev_guest(kvm) || sev_es_guest(kvm)) { + if (!sev_guest(kvm)) { ret = -EINVAL; pr_warn_ratelimited("VM must be SEV enabled to migrate to.\n"); goto out_unlock;
@@ -1580,13 +1633,18 @@ int svm_vm_migrate_from(struct kvm *kvm, unsigned int source_fd) if (ret) goto out_fput; - if (!sev_guest(source_kvm) || sev_es_guest(source_kvm)) { + if (!sev_guest(source_kvm)) { ret = -EINVAL; pr_warn_ratelimited( "Source VM must be SEV enabled to migrate from.\n"); goto out_source; } + if (sev_es_guest(kvm)) { + ret = migrate_vmsa_from(kvm, source_kvm); + if (ret) + goto out_source; + } migrate_info_from(dst_sev, &to_kvm_svm(source_kvm)->sev_info); ret = 0;
--
2.33.0.rc2.250.ged5fa647cd-goog