x86_64: add initial support for protected VMs

Add support for running protected VMs with pKVM on Intel x86 [1]. The --protected-vm option is not workable yet, since loading pvmfw into guest memory via pKVM is not implemented yet, but the developer options --protected-vm-without-firmware and --protected-vm-with-firmware are working. Following the approach used for pKVM on arm64, the KVM uAPI used for running protected VMs on x86 is a "stable temporary" uAPI: the KVM_X86_PKVM_PROTECTED_VM value shall be updated when upstreaming pKVM to the mainline kernel (see also [2]). [1] https://android-review.git.corp.google.com/c/kernel/common/+/3351287 [2] https://android-review.git.corp.google.com/c/kernel/common/+/3351286 BUG=b:349990461 TEST=On an Intel device with kernel compiled with pKVM-IA patches [1] and kvm-intel.pkvm=1 added to kernel command line, run a VM with --protected-vm-without-firmware or with --protected-vm-with-firmware with the same test pvmfw image as in TEST= in CL:5797353. Change-Id: I625f5eb9a38eaef9312ba62308739efb66f163b0 Reviewed-on: https://chromium-review.googlesource.com/c/crosvm/crosvm/+/6022852 Reviewed-by: Daniel Verkamp <dverkamp@chromium.org> Commit-Queue: Dmytro Maluka <dmaluka@chromium.org>
2024-11-24 12:34:31 +00:00 · 2024-11-15 18:05:15 +00:00 · 2024-11-15 18:05:15 +00:00 · b12e8c2cac
commit b12e8c2cac
parent 524e5eedb5
7 changed files with 8 additions and 7 deletions
--- a/hypervisor/src/kvm/x86_64.rs
+++ b/hypervisor/src/kvm/x86_64.rs
@ -156,11 +156,9 @@ impl Kvm {
        get_cpuid_with_initial_capacity(self, kind, KVM_MAX_ENTRIES)
    }

-    // The x86 machine type is always 0. Protected VMs are not supported.
    pub fn get_vm_type(&self, protection_type: ProtectionType) -> Result<u32> {
        if protection_type.isolates_memory() {
-            error!("Protected mode is not supported on x86_64.");
-            Err(Error::new(libc::EINVAL))
+            Ok(KVM_X86_PKVM_PROTECTED_VM)
        } else {
            Ok(0)
        }
--- a/kvm_sys/bindgen.sh
+++ b/kvm_sys/bindgen.sh
@ -24,6 +24,7 @@ pub const KVM_CAP_ARM_PROTECTED_VM: u32 = 0xffbadab1;
 pub const KVM_CAP_ARM_PROTECTED_VM_FLAGS_SET_FW_IPA: u32 = 0;
 pub const KVM_CAP_ARM_PROTECTED_VM_FLAGS_INFO: u32 = 1;
 pub const KVM_VM_TYPE_ARM_PROTECTED: u32 = 0x80000000;
+pub const KVM_X86_PKVM_PROTECTED_VM: u32 = 28;
 pub const KVM_DEV_VFIO_PVIOMMU: u32 = 2;
 pub const KVM_DEV_VFIO_PVIOMMU_ATTACH: u32 = 1;
 #[repr(C)]
--- a/kvm_sys/src/aarch64/bindings.rs
+++ b/kvm_sys/src/aarch64/bindings.rs
@ -22,6 +22,7 @@ pub const KVM_CAP_ARM_PROTECTED_VM: u32 = 0xffbadab1;
 pub const KVM_CAP_ARM_PROTECTED_VM_FLAGS_SET_FW_IPA: u32 = 0;
 pub const KVM_CAP_ARM_PROTECTED_VM_FLAGS_INFO: u32 = 1;
 pub const KVM_VM_TYPE_ARM_PROTECTED: u32 = 0x80000000;
+pub const KVM_X86_PKVM_PROTECTED_VM: u32 = 28;
 pub const KVM_DEV_VFIO_PVIOMMU: u32 = 2;
 pub const KVM_DEV_VFIO_PVIOMMU_ATTACH: u32 = 1;
 #[repr(C)]
--- a/kvm_sys/src/riscv64/bindings.rs
+++ b/kvm_sys/src/riscv64/bindings.rs
@ -22,6 +22,7 @@ pub const KVM_CAP_ARM_PROTECTED_VM: u32 = 0xffbadab1;
 pub const KVM_CAP_ARM_PROTECTED_VM_FLAGS_SET_FW_IPA: u32 = 0;
 pub const KVM_CAP_ARM_PROTECTED_VM_FLAGS_INFO: u32 = 1;
 pub const KVM_VM_TYPE_ARM_PROTECTED: u32 = 0x80000000;
+pub const KVM_X86_PKVM_PROTECTED_VM: u32 = 28;
 pub const KVM_DEV_VFIO_PVIOMMU: u32 = 2;
 pub const KVM_DEV_VFIO_PVIOMMU_ATTACH: u32 = 1;
 #[repr(C)]
--- a/kvm_sys/src/x86/bindings.rs
+++ b/kvm_sys/src/x86/bindings.rs
@ -22,6 +22,7 @@ pub const KVM_CAP_ARM_PROTECTED_VM: u32 = 0xffbadab1;
 pub const KVM_CAP_ARM_PROTECTED_VM_FLAGS_SET_FW_IPA: u32 = 0;
 pub const KVM_CAP_ARM_PROTECTED_VM_FLAGS_INFO: u32 = 1;
 pub const KVM_VM_TYPE_ARM_PROTECTED: u32 = 0x80000000;
+pub const KVM_X86_PKVM_PROTECTED_VM: u32 = 28;
 pub const KVM_DEV_VFIO_PVIOMMU: u32 = 2;
 pub const KVM_DEV_VFIO_PVIOMMU_ATTACH: u32 = 1;
 #[repr(C)]
--- a/src/crosvm/sys/linux.rs
+++ b/src/crosvm/sys/linux.rs
@ -1667,6 +1667,9 @@ fn run_kvm(device_path: Option<&Path>, cfg: Config, components: VmComponents) ->
    }

    // Check that the VM was actually created in protected mode as expected.
+    // This check is only needed on aarch64. On x86_64, protected VM creation will fail
+    // if protected mode is not supported.
+    #[cfg(not(target_arch = "x86_64"))]
    if cfg.protection_type.isolates_memory() && !vm.check_capability(VmCap::Protected) {
        bail!("Failed to create protected VM");
    }
--- a/x86_64/src/lib.rs
+++ b/x86_64/src/lib.rs
@ -822,10 +822,6 @@ impl arch::LinuxArch for X8664arch {
        V: VmX86_64,
        Vcpu: VcpuX86_64,
    {
-        if components.hv_cfg.protection_type.isolates_memory() {
-            return Err(Error::UnsupportedProtectionType);
-        }
-
        let mem = vm.get_memory().clone();

        let vcpu_count = components.vcpu_count;