You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
122 lines
4.6 KiB
122 lines
4.6 KiB
2 months ago
|
From 1fbfcb7d98c95e80e9332770b78613a803c15c20 Mon Sep 17 00:00:00 2001
|
||
|
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
|
||
|
Date: Tue, 30 Jul 2024 10:51:21 +0100
|
||
|
Subject: [PATCH] Fix detection of TDX confidential VM on Azure platform
|
||
|
MIME-Version: 1.0
|
||
|
Content-Type: text/plain; charset=UTF-8
|
||
|
Content-Transfer-Encoding: 8bit
|
||
|
|
||
|
The original CVM detection logic for TDX assumes that the guest can see
|
||
|
the standard TDX CPUID leaf. This was true in Azure when this code was
|
||
|
originally written, however, current Azure now blocks that leaf in the
|
||
|
paravisor. Instead it is required to use the same Azure specific CPUID
|
||
|
leaf that is used for SEV-SNP detection, which reports the VM isolation
|
||
|
type.
|
||
|
|
||
|
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
|
||
|
(cherry picked from commit 9d7be044cad1ae54e344daf8f2ec37da46faf0fd)
|
||
|
|
||
|
Related: RHEL-56144
|
||
|
---
|
||
|
src/basic/confidential-virt.c | 11 ++++++++---
|
||
|
src/boot/efi/vmm.c | 9 ++++++---
|
||
|
src/fundamental/confidential-virt-fundamental.h | 1 +
|
||
|
3 files changed, 15 insertions(+), 6 deletions(-)
|
||
|
|
||
|
diff --git a/src/basic/confidential-virt.c b/src/basic/confidential-virt.c
|
||
|
index b6521cf5bf..8a88a3eb83 100644
|
||
|
--- a/src/basic/confidential-virt.c
|
||
|
+++ b/src/basic/confidential-virt.c
|
||
|
@@ -76,7 +76,7 @@ static uint64_t msr(uint64_t index) {
|
||
|
return ret;
|
||
|
}
|
||
|
|
||
|
-static bool detect_hyperv_sev(void) {
|
||
|
+static bool detect_hyperv_cvm(uint32_t isoltype) {
|
||
|
uint32_t eax, ebx, ecx, edx, feat;
|
||
|
char sig[13] = {};
|
||
|
|
||
|
@@ -100,7 +100,7 @@ static bool detect_hyperv_sev(void) {
|
||
|
ebx = ecx = edx = 0;
|
||
|
cpuid(&eax, &ebx, &ecx, &edx);
|
||
|
|
||
|
- if ((ebx & CPUID_HYPERV_ISOLATION_TYPE_MASK) == CPUID_HYPERV_ISOLATION_TYPE_SNP)
|
||
|
+ if ((ebx & CPUID_HYPERV_ISOLATION_TYPE_MASK) == isoltype)
|
||
|
return true;
|
||
|
}
|
||
|
|
||
|
@@ -133,7 +133,7 @@ static ConfidentialVirtualization detect_sev(void) {
|
||
|
if (!(eax & EAX_SEV)) {
|
||
|
log_debug("No sev in CPUID, trying hyperv CPUID");
|
||
|
|
||
|
- if (detect_hyperv_sev())
|
||
|
+ if (detect_hyperv_cvm(CPUID_HYPERV_ISOLATION_TYPE_SNP))
|
||
|
return CONFIDENTIAL_VIRTUALIZATION_SEV_SNP;
|
||
|
|
||
|
log_debug("No hyperv CPUID");
|
||
|
@@ -171,6 +171,11 @@ static ConfidentialVirtualization detect_tdx(void) {
|
||
|
if (memcmp(sig, CPUID_SIG_INTEL_TDX, sizeof(sig)) == 0)
|
||
|
return CONFIDENTIAL_VIRTUALIZATION_TDX;
|
||
|
|
||
|
+ log_debug("No tdx in CPUID, trying hyperv CPUID");
|
||
|
+
|
||
|
+ if (detect_hyperv_cvm(CPUID_HYPERV_ISOLATION_TYPE_TDX))
|
||
|
+ return CONFIDENTIAL_VIRTUALIZATION_TDX;
|
||
|
+
|
||
|
return CONFIDENTIAL_VIRTUALIZATION_NONE;
|
||
|
}
|
||
|
|
||
|
diff --git a/src/boot/efi/vmm.c b/src/boot/efi/vmm.c
|
||
|
index 60e216d54c..3459461390 100644
|
||
|
--- a/src/boot/efi/vmm.c
|
||
|
+++ b/src/boot/efi/vmm.c
|
||
|
@@ -337,7 +337,7 @@ static uint64_t msr(uint32_t index) {
|
||
|
return val;
|
||
|
}
|
||
|
|
||
|
-static bool detect_hyperv_sev(void) {
|
||
|
+static bool detect_hyperv_cvm(uint32_t isoltype) {
|
||
|
uint32_t eax, ebx, ecx, edx, feat;
|
||
|
char sig[13] = {};
|
||
|
|
||
|
@@ -354,7 +354,7 @@ static bool detect_hyperv_sev(void) {
|
||
|
if (ebx & CPUID_HYPERV_ISOLATION && !(ebx & CPUID_HYPERV_CPU_MANAGEMENT)) {
|
||
|
__cpuid(CPUID_HYPERV_ISOLATION_CONFIG, eax, ebx, ecx, edx);
|
||
|
|
||
|
- if ((ebx & CPUID_HYPERV_ISOLATION_TYPE_MASK) == CPUID_HYPERV_ISOLATION_TYPE_SNP)
|
||
|
+ if ((ebx & CPUID_HYPERV_ISOLATION_TYPE_MASK) == isoltype)
|
||
|
return true;
|
||
|
}
|
||
|
|
||
|
@@ -379,7 +379,7 @@ static bool detect_sev(void) {
|
||
|
* specific CPUID checks.
|
||
|
*/
|
||
|
if (!(eax & EAX_SEV))
|
||
|
- return detect_hyperv_sev();
|
||
|
+ return detect_hyperv_cvm(CPUID_HYPERV_ISOLATION_TYPE_SNP);
|
||
|
|
||
|
msrval = msr(MSR_AMD64_SEV);
|
||
|
|
||
|
@@ -403,6 +403,9 @@ static bool detect_tdx(void) {
|
||
|
if (memcmp(sig, CPUID_SIG_INTEL_TDX, sizeof(sig)) == 0)
|
||
|
return true;
|
||
|
|
||
|
+ if (detect_hyperv_cvm(CPUID_HYPERV_ISOLATION_TYPE_TDX))
|
||
|
+ return true;
|
||
|
+
|
||
|
return false;
|
||
|
}
|
||
|
#endif /* ! __i386__ && ! __x86_64__ */
|
||
|
diff --git a/src/fundamental/confidential-virt-fundamental.h b/src/fundamental/confidential-virt-fundamental.h
|
||
|
index 986923e1c2..618b5800ea 100644
|
||
|
--- a/src/fundamental/confidential-virt-fundamental.h
|
||
|
+++ b/src/fundamental/confidential-virt-fundamental.h
|
||
|
@@ -65,6 +65,7 @@
|
||
|
|
||
|
#define CPUID_HYPERV_ISOLATION_TYPE_MASK UINT32_C(0xf)
|
||
|
#define CPUID_HYPERV_ISOLATION_TYPE_SNP 2
|
||
|
+#define CPUID_HYPERV_ISOLATION_TYPE_TDX 3
|
||
|
|
||
|
#define EAX_SEV (UINT32_C(1) << 1)
|
||
|
#define MSR_SEV (UINT64_C(1) << 0)
|