
Find out how SEV and TDX support virtio #15

Open
bokdeuk-jeong opened this issue Nov 16, 2022 · 3 comments
Comments

bokdeuk-jeong (Collaborator)

No description provided.

bokdeuk-jeong (Collaborator, Author) commented Nov 21, 2022

Guest Linux Kernel
The latest guest Linux kernel support for TDX is available here.

In order to run as a TD guest, the Linux kernel must support the following features:

  • TDX IO

    • Port IO is handled from the TD guest, by unrolling IO port #VE exceptions into TDVMCALLs. That will eventually translate into unmodified VMM PIO exit handlers.
      <-- On CCA: MMIO is not mapped in the S2 page table, so an S2 page-table fault traps the exception to the RMM,
      and that exception is forwarded to KVM, which handles it.
    • Virtio: Essentially, the TD guest kernel converts the private (TDX encrypted) virtio queue pages into shared ones in order to seamlessly use the guest virtio drivers and the VMM virtio compliant device implementations.
      <-- [todo] Find out how the conversion is done (was the virtio driver modified? was an alloc page API added? etc.).
      https://github.com/intel/tdx
    • Direct device assignment: DMA between MMIO device buffers and the TD guest must happen in the TD shared memory address space. Converting DMA buffers to shared memory is handled by the TDX guest kernel.
      <-- Same as above.
  • ACPI SKVL (Storage Volume Key Label) is an ACPI table for passing storage encryption keys from the TDVF to the guest kernel. Again, this should not have any impact on the VMM enablement path.

  • Remote attestation driver. This is a kernel interface for the guest to trigger the attestation process by requesting a TD quote from the TDX-module. Attestation is out of scope for our initial enablement effort.

Overall, in the context of our initial TDX enablement effort with Cloud Hypervisor, the TDX specific guest Linux kernel changes should be transparent to the VMM implementation.
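As an added illustration (not code from this issue, from Cloud Hypervisor, or from the Linux kernel), the following Python model shows the invariant the comment above relies on: a TD guest's virtqueue pages start out private, the guest must explicitly convert them to shared before the VMM can read them, and the shared alias the guest programs into the device is the GPA with the shared bit set. The facts encoded are the private-by-default rule, the TDVMCALL<MapGPA> conversion, and the shared bit being the top GPA bit (bit GPAW-1); the 52-bit GPAW, the class names `TdGuestMemory`/`VmmBackend`, the exception type and the sample addresses are assumptions of the model.

```python
"""Toy model of TDX private/shared page conversion for a virtqueue.

Added educational model, not Linux or Cloud Hypervisor code.  Facts it
encodes: TD guest memory is private by default; the guest converts the
pages it wants the VMM to access with TDVMCALL<MapGPA>; the shared
alias of a GPA is formed by setting the top GPA bit (bit GPAW-1).
The 52-bit GPAW, the class names and the error type are assumed.
"""

PAGE_SHIFT = 12
PAGE_SIZE = 1 << PAGE_SHIFT
GPAW = 52                       # assumed guest physical address width
SHARED_BIT = 1 << (GPAW - 1)    # bit 51 for GPAW=52 (bit 47 for GPAW=48)


class PrivateMemoryAccess(Exception):
    """Raised when the VMM tries to touch a page the guest never shared."""


class TdGuestMemory:
    """Tracks which guest-physical pages have been converted to shared."""

    def __init__(self):
        self._shared = set()        # page frame numbers (PFNs) that are shared

    @staticmethod
    def pfn(gpa):
        # Strip the shared bit so both aliases refer to the same frame.
        return (gpa & ~SHARED_BIT) >> PAGE_SHIFT

    def map_gpa(self, gpa, nr_pages, shared):
        """Models TDVMCALL<MapGPA>: flips nr_pages starting at gpa."""
        first = self.pfn(gpa)
        for p in range(first, first + nr_pages):
            if shared:
                self._shared.add(p)
            else:
                self._shared.discard(p)

    def is_shared(self, gpa):
        return self.pfn(gpa) in self._shared

    @staticmethod
    def shared_alias(gpa):
        """GPA the guest hands to the device/VMM for a shared page."""
        return gpa | SHARED_BIT


class VmmBackend:
    """The (untrusted) VMM side: may only read pages the guest shared."""

    def __init__(self, mem):
        self._mem = mem

    def read(self, gpa):
        if not self._mem.is_shared(gpa):
            raise PrivateMemoryAccess(hex(gpa))
        return "ok"


def setup_virtqueue(mem, vq_gpa, nr_pages):
    """What the guest transport must do before queue setup: convert the
    queue pages to shared and return the alias to program into the
    device (and hence expose to the VMM)."""
    mem.map_gpa(vq_gpa, nr_pages, shared=True)
    return mem.shared_alias(vq_gpa)


def demo():
    """Constructed scenario: a 4-page queue at GPA 0x10000."""
    mem = TdGuestMemory()
    vmm = VmmBackend(mem)
    vq_gpa = 0x10000
    try:
        vmm.read(vq_gpa)      # still private: VMM access must fail
        before = "accessible"
    except PrivateMemoryAccess:
        before = "private"
    alias = setup_virtqueue(mem, vq_gpa, nr_pages=4)
    after = vmm.read(alias)   # now shared: VMM access succeeds
    return before, after, alias


if __name__ == "__main__":
    print(demo())
```

The model deliberately makes the VMM side fail closed: the only way the backend ever reads a queue page is after the guest itself issued the conversion, which is the property that keeps the guest driver and the VMM device implementation unmodified while the TCB boundary stays at the guest's decision to share.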

bokdeuk-jeong (Collaborator, Author) commented Nov 21, 2022

Issue #74 of https://github.com/AMDESE/AMDSEV/issues/

What virtio drivers does the SEV VM definitely support?

.... feature support for VIRTIO_F_ACCESS_PLATFORM...
-device amd-iommu,intremap=on,device-iotlb=on -device vhost-vsock-pci,disable-legacy=on,guest-cid=1,iommu_platform=on,ats=on

It seems that the virtio backend accesses the guest confidential VM's memory through the IOMMU. (More information needs to be collected.)
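As an added check (not code from this issue or from the AMDSEV project), the following Python script reads the negotiated feature bitmap that the Linux virtio core exposes under /sys/bus/virtio/devices/<dev>/features and reports whether each device has VIRTIO_F_ACCESS_PLATFORM (feature bit 33, previously named VIRTIO_F_IOMMU_PLATFORM). That bit is what `iommu_platform=on` in the command line above advertises, and it is what makes the guest driver route queue and buffer DMA through the DMA API instead of handing the backend raw guest-physical addresses of encrypted memory. The sysfs path and the 64-character 0/1 format are real; the function names and the two sample feature strings are constructed for the example.

```python
"""Audit virtio devices for VIRTIO_F_ACCESS_PLATFORM.

Added example, not code from the issue or the AMDSEV project.  Linux
exposes each virtio device's negotiated features at
/sys/bus/virtio/devices/<dev>/features as 64 '0'/'1' characters,
character i being feature bit i.  The function names and the sample
strings below are constructed for this example.
"""
import glob
import os

VIRTIO_F_VERSION_1 = 32
VIRTIO_F_ACCESS_PLATFORM = 33   # formerly VIRTIO_F_IOMMU_PLATFORM


def parse_features(bitstring):
    """Turn the sysfs feature string into the set of feature bit numbers."""
    bits = bitstring.strip()
    if len(bits) != 64 or set(bits) - {"0", "1"}:
        raise ValueError("expected 64 characters of 0/1, got %r" % bits)
    return {i for i, c in enumerate(bits) if c == "1"}


def has_access_platform(bitstring):
    """True when the device negotiated VIRTIO_F_ACCESS_PLATFORM."""
    return VIRTIO_F_ACCESS_PLATFORM in parse_features(bitstring)


def audit(devices):
    """devices: {name: feature string}.  Returns {name: bool}.

    A False entry inside an SEV/TDX guest means the driver would bypass
    the DMA API and hand the backend guest-physical addresses of memory
    the host cannot decrypt, so the device would not work as intended."""
    return {name: has_access_platform(s) for name, s in devices.items()}


def read_sysfs():
    """Collect the feature strings of the real virtio devices, if any."""
    found = {}
    for path in glob.glob("/sys/bus/virtio/devices/*/features"):
        name = os.path.basename(os.path.dirname(path))
        with open(path) as f:
            found[name] = f.read()
    return found


def make_features(bits):
    """Build a 64-character feature string with the given bits set."""
    return "".join("1" if i in bits else "0" for i in range(64))


# Constructed sample: one device with ACCESS_PLATFORM, one without.
SAMPLE = {
    "virtio0": make_features({0, 1, 5, VIRTIO_F_VERSION_1,
                              VIRTIO_F_ACCESS_PLATFORM}),
    "virtio1": make_features({0, 1, 5, VIRTIO_F_VERSION_1}),
}


if __name__ == "__main__":
    devices = read_sysfs() or SAMPLE     # fall back to the sample offline
    for name, ok in sorted(audit(devices).items()):
        print("%s: VIRTIO_F_ACCESS_PLATFORM %s" % (name, "set" if ok else "NOT set"))
```

Run it inside the confidential guest; a device reporting the bit unset is one whose QEMU definition lacks `iommu_platform=on`, which is the first thing to check when a virtio device misbehaves under SEV.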

bokdeuk-jeong self-assigned this Nov 21, 2022
bitboom pushed a commit that referenced this issue Mar 23, 2023: "Added FIXME comments for code cleanup."