

Merge pull request virtee#168 from its-luca/fb-deduplicate-guest-policy
Unify Duplicated GuestPolicy Definitions
larrydewey authored Apr 9, 2024
2 parents fb28b1d + 26e229c commit def1174
Showing 3 changed files with 30 additions and 77 deletions.
28 changes: 17 additions & 11 deletions src/firmware/guest/types/snp.rs
Expand Up @@ -414,32 +414,32 @@ bitfield! {
/// | 24 | CIPHERTEXT_HIDING | 0: Ciphertext hiding may be enabled or disabled.<br>1: Ciphertext hiding must be enabled. >
/// | 63:25 | - | Reserved. MBZ. >
///
#[derive(Default, Clone, Copy)]
#[derive(Default, Clone, Copy,Eq, PartialEq)]
#[derive(Deserialize, Serialize)]
#[repr(C)]
pub struct GuestPolicy(u64);
impl Debug;
/// ABI_MINOR field: Indicates the minor API version.
pub abi_minor, _: 7, 0;
pub abi_minor, set_abi_minor: 7, 0;
/// ABI_MAJOR field: Indicates the minor API version.
pub abi_major, _: 15, 8;
pub abi_major, set_abi_major: 15, 8;
/// SMT_ALLOWED field: Indicates the if SMT should be permitted.
pub smt_allowed, _: 16, 16;
pub smt_allowed, set_smt_allowed: 16, 16;
/// MIGRATE_MA_ALLOWED field: Indicates the if migration is permitted with
/// the migration agent.
pub migrate_ma_allowed, _: 18, 18;
pub migrate_ma_allowed, set_migrate_ma_allowed: 18, 18;
/// DEBUG_ALLOWED field: Indicates the if debugging should is permitted.
pub debug_allowed, _: 19, 19;
pub debug_allowed, set_debug_allowed: 19, 19;
/// SINGLE_SOCKET_REQUIRED field: Indicates the if a single socket is required.
pub single_socket_required, _: 20, 20;
pub single_socket_required, set_single_socket_required: 20, 20;
/// CXL_ALLOW field: (1) can populate CXL devices/memory, (0) cannot populate CXL devices/memory
pub cxl_allowed, _: 21, 21;
pub cxl_allowed, set_cxl_allowed: 21, 21;
/// MEM_AES_256_XTS field: (1) require AES 256 XTS encryption, (0) allows either AES 128 XEX or AES 256 XTS encryption
pub mem_aes_256_xts, _: 22, 22;
pub mem_aes_256_xts, set_mem_aes_256_xts: 22, 22;
/// RAPL_DIS field: (1) RAPL must be disabled, (0) allow RAPL
pub rapl_dis, _: 23, 23;
pub rapl_dis, set_rapl_dis: 23, 23;
/// CIPHERTEXT_HIDING field: (1) ciphertext hiding must be enabled, (0) ciphertext hiding may be enabled/disabled
pub ciphertext_hiding, _: 24, 24;
pub ciphertext_hiding, set_ciphertext_hiding: 24, 24;
}

impl Display for GuestPolicy {
Expand All @@ -465,6 +465,12 @@ impl Display for GuestPolicy {
}
}

impl From<GuestPolicy> for u64 {
fn from(value: GuestPolicy) -> Self {
value.0
}
}

bitfield! {
/// A structure with a bit-field unsigned 64 bit integer:
/// Bit 0 representing the status of SMT enablement.
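Review bot: `From<GuestPolicy> for u64` returns `value.0` unchanged, so the reserved bit that the removed `From<Policy> for u64` in src/launch/snp.rs always forced on (`policy.flags.bits | 0b10`, which lands on bit 17 after the 16-bit shift) is no longer guaranteed. With `#[derive(Default)]`, or with `GuestPolicy(0)` as tests/snp_launch.rs now builds it, that bit is zero, so the launch policy reaches the firmware without it unless the ioctl layer, which is outside this diff, sets it. Consider keeping the invariant in the conversion, `value.0 | (1 << 17)`, or in a hand-written `Default`. It is also worth deciding explicitly whether bits 63:25, documented above as reserved MBZ, should be checked here rather than passed through, since the old conversion masked the value and this one does not.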
65 changes: 8 additions & 57 deletions src/launch/snp.rs
Expand Up @@ -4,8 +4,7 @@
//! This ensures (at compile time) that the right steps are called in the
//! right order.
use crate::Version;

use crate::firmware::guest::GuestPolicy;
#[cfg(target_os = "linux")]
use crate::launch::linux::{ioctl::*, snp::*};

Expand Down Expand Up @@ -108,67 +107,14 @@ impl<U: AsRawFd, V: AsRawFd> Launcher<Started, U, V> {
}
}

bitflags! {
/// Configurable SNP Policy options.
#[derive(Default, Deserialize, Serialize)]
pub struct PolicyFlags: u16 {
/// Enable if SMT is enabled in the host machine.
const SMT = 1;

/// If enabled, association with a migration agent is allowed.
const MIGRATE_MA = 1 << 2;

/// If enabled, debugging is allowed.
const DEBUG = 1 << 3;
}
}

/// Describes a policy that the AMD Secure Processor will
/// enforce.
#[derive(Copy, Clone, Debug, Default, PartialEq, Eq, Deserialize, Serialize)]
pub struct Policy {
/// The various policy optons are encoded as bit flags.
pub flags: PolicyFlags,

/// The desired minimum platform firmware version.
pub minfw: Version,
}

impl From<Policy> for u64 {
fn from(policy: Policy) -> u64 {
let mut val: u64 = 0;

let minor_version = u64::from(policy.minfw.minor);
let mut major_version = u64::from(policy.minfw.major);

/*
* According to the SNP firmware spec, bit 1 of the policy flags is reserved and must
* always be set to 1. Rather than passing this responsibility off to callers, set this bit
* every time an ioctl is issued to the kernel.
*/
let flags = policy.flags.bits | 0b10;
let mut flags_64 = u64::from(flags);

major_version <<= 8;
flags_64 <<= 16;

val |= minor_version;
val |= major_version;
val |= flags_64;
val &= 0x00FFFFFF;

val
}
}

/// Encapsulates the various data needed to begin the launch process.
#[derive(Clone, Debug, Default, PartialEq, Eq, Deserialize, Serialize)]
pub struct Start<'a> {
/// The userspace address of the migration agent region to be encrypted.
pub(crate) ma_uaddr: Option<&'a [u8]>,

/// Describes a policy that the AMD Secure Processor will enforce.
pub(crate) policy: Policy,
pub(crate) policy: GuestPolicy,

/// Indicates that this launch flow is launching an IMI for the purpose of guest-assisted migration.
pub(crate) imi_en: bool,
Expand All @@ -179,7 +125,12 @@ pub struct Start<'a> {

impl<'a> Start<'a> {
/// Encapsulate all data needed for the SNP_LAUNCH_START ioctl.
pub fn new(ma_uaddr: Option<&'a [u8]>, policy: Policy, imi_en: bool, gosvw: [u8; 16]) -> Self {
pub fn new(
ma_uaddr: Option<&'a [u8]>,
policy: GuestPolicy,
imi_en: bool,
gosvw: [u8; 16],
) -> Self {
Self {
ma_uaddr,
policy,
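Review bot: The doc comments on `Start::new` and on the `policy` field do not tell callers what replaced the removed public `Policy` and `PolicyFlags` types. The old `minfw` version occupied bits 7:0 and 15:8, which are now `abi_minor` and `abi_major` on `GuestPolicy`, and the three old flags correspond to `smt_allowed`, `migrate_ma_allowed` and `debug_allowed`. A line on `Start::new` such as `/// policy: full SNP guest policy; the ABI version formerly given as Policy::minfw is set via set_abi_major/set_abi_minor.` would make the migration and the wider set of caller-controlled bits explicit. Removing the two `pub` types looks like a breaking change for downstream users, so it may deserve a changelog entry as well.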
14 changes: 5 additions & 9 deletions tests/snp_launch.rs
Expand Up @@ -25,6 +25,8 @@ const CODE: &[u8; 4096] = &[
#[cfg_attr(not(has_sev), ignore)]
#[test]
fn snp() {
use sev::firmware::guest::GuestPolicy;

let kvm_fd = Kvm::new().unwrap();
let vm_fd = kvm_fd.create_vm().unwrap();

Expand Down Expand Up @@ -59,15 +61,9 @@ fn snp() {
let sev = Firmware::open().unwrap();
let launcher = Launcher::new(vm_fd, sev).unwrap();

let start = Start::new(
None,
Policy {
flags: PolicyFlags::SMT,
..Default::default()
},
false,
[0; 16],
);
let mut policy = GuestPolicy(0);
policy.set_smt_allowed(1);
let start = Start::new(None, policy, false, [0; 16]);

let mut launcher = launcher.start(start).unwrap();

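Review bot: The visible coverage for the new policy type is this `snp()` test, which is ignored unless `has_sev` is set, so on a machine without SEV-SNP nothing checks the raw value that `GuestPolicy` converts to. `GuestPolicy(0)` followed by `set_smt_allowed(1)` also leaves every other bit at zero, including the ABI version and the reserved bits. A small hardware-independent test next to the type, for example `assert_eq!(u64::from(policy), 1 << 16);` adjusted to whatever reserved-bit handling the conversion ends up with, would pin the encoding passed to SNP_LAUNCH_START. The body of `snp()` continues outside the hunk.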
