microsoft.kata-kernel-uvm: 6.1.0.mshv16 -> 6.1.58-mshv4 #824

Merged
merged 2 commits into from
Aug 28, 2024
Merged
@@ -1,7 +1,7 @@
From e7980fa1acc9972073d394de86a48cee5410cd97 Mon Sep 17 00:00:00 2001
From b8bda1e691c08c18a6178eb5d603789b07176cdf Mon Sep 17 00:00:00 2001
From: Tom Dohrmann <erbse.13@gmx.de>
Date: Wed, 14 Aug 2024 16:02:39 +0200
Subject: [PATCH] snp: fix panic when rejecting extended guest report
Subject: [PATCH 1/2] snp: fix panic when rejecting extended guest report

swei2_rw_gpa_arg.data is an array of size 16 and value.to_le_bytes() is
only 8 bytes.
Expand All @@ -24,5 +24,5 @@ index f60d8ceb..b8fccf31 100644
.gpa_write(&mut swei2_rw_gpa_arg)
.map_err(|e| cpu::HypervisorCpuError::GpaWrite(e.into()))?;
--
2.45.1
2.45.2

@@ -0,0 +1,125 @@
From bab58d1e2e7a3758920bcff0bf330a5ce64a0b79 Mon Sep 17 00:00:00 2001
From: Tom Dohrmann <erbse.13@gmx.de>
Date: Mon, 26 Aug 2024 11:14:34 +0200
Subject: [PATCH 2/2] hypervisor: mshv: implement extended guest requests with
empty certs

Previously we didn't handle extended guest requests at all and always
returned an error. This lead to issues with some guests that expected
extended requests to succeed. Instead, handle extended requests like
normal requests and write zeros to the extended area to signal to the
guest that we don't want to supply any additional certificate data.

Signed-off-by: Tom Dohrmann <erbse.13@gmx.de>
---
hypervisor/src/mshv/mod.rs | 75 +++++++++++++++++++++-------
hypervisor/src/mshv/snp_constants.rs | 1 +
2 files changed, 57 insertions(+), 19 deletions(-)

diff --git a/hypervisor/src/mshv/mod.rs b/hypervisor/src/mshv/mod.rs
index b8fccf31..998570be 100644
--- a/hypervisor/src/mshv/mod.rs
+++ b/hypervisor/src/mshv/mod.rs
@@ -950,24 +950,6 @@ impl cpu::Vcpu for MshvVcpu {
}
}
}
- SVM_EXITCODE_SNP_EXTENDED_GUEST_REQUEST => {
- warn!("Fetching extended guest request is not supported");
- // Extended guest request is not supported by the Hypervisor
- // Returning the error to the guest
- // 0x6 means `The NAE event was not valid`
- // Reference: GHCB Spec, page 42
- let value: u64 = 0x6;
- let mut swei2_rw_gpa_arg = mshv_bindings::mshv_read_write_gpa {
- base_gpa: ghcb_gpa + GHCB_SW_EXITINFO2_OFFSET,
- byte_count: std::mem::size_of::<u64>() as u32,
- ..Default::default()
- };
- swei2_rw_gpa_arg.data[0..8]
- .copy_from_slice(&value.to_le_bytes());
- self.fd
- .gpa_write(&mut swei2_rw_gpa_arg)
- .map_err(|e| cpu::HypervisorCpuError::GpaWrite(e.into()))?;
- }
SVM_EXITCODE_IOIO_PROT => {
let exit_info1 =
info.__bindgen_anon_2.__bindgen_anon_1.sw_exit_info1 as u32;
@@ -1096,7 +1078,62 @@ impl cpu::Vcpu for MshvVcpu {
})?;
}
}
- SVM_EXITCODE_SNP_GUEST_REQUEST => {
+ SVM_EXITCODE_SNP_GUEST_REQUEST
+ | SVM_EXITCODE_SNP_EXTENDED_GUEST_REQUEST => {
+ if exit_code == SVM_EXITCODE_SNP_EXTENDED_GUEST_REQUEST {
+ warn!("Fetching extended guest request is not supported");
+ // We don't support extended guest request, so we just write empty data.
+ // This matches the behavior of KVM in Linux 6.11.
+
+ // Read RAX & RBX from the GHCB.
+ let mut rax_rw_gpa_arg: mshv_read_write_gpa =
+ mshv_bindings::mshv_read_write_gpa {
+ base_gpa: ghcb_gpa + GHCB_RAX_OFFSET,
+ byte_count: std::mem::size_of::<u64>() as u32,
+ ..Default::default()
+ };
+ self.fd.gpa_read(&mut rax_rw_gpa_arg).map_err(|e| {
+ cpu::HypervisorCpuError::GpaRead(e.into())
+ })?;
+ let data_gpa = u64::from_le_bytes(
+ <[u8; 8]>::try_from(&rax_rw_gpa_arg.data[..8]).unwrap(),
+ );
+ let mut rbx_rw_gpa_arg: mshv_read_write_gpa =
+ mshv_bindings::mshv_read_write_gpa {
+ base_gpa: ghcb_gpa + GHCB_RBX_OFFSET,
+ byte_count: std::mem::size_of::<u64>() as u32,
+ ..Default::default()
+ };
+ self.fd.gpa_read(&mut rbx_rw_gpa_arg).map_err(|e| {
+ cpu::HypervisorCpuError::GpaRead(e.into())
+ })?;
+ let data_npages = u64::from_le_bytes(
+ <[u8; 8]>::try_from(&rbx_rw_gpa_arg.data[..8]).unwrap(),
+ );
+
+ if data_npages > 0 {
+ // The certificates are terminated by 24 zero bytes.
+ let mut certs_rw_gpa_arg =
+ mshv_bindings::mshv_read_write_gpa {
+ base_gpa: data_gpa,
+ byte_count: 16,
+ ..Default::default()
+ };
+ self.fd.gpa_write(&mut certs_rw_gpa_arg).map_err(
+ |e| cpu::HypervisorCpuError::GpaWrite(e.into()),
+ )?;
+ let mut certs_rw_gpa_arg =
+ mshv_bindings::mshv_read_write_gpa {
+ base_gpa: data_gpa + 16,
+ byte_count: 8,
+ ..Default::default()
+ };
+ self.fd.gpa_write(&mut certs_rw_gpa_arg).map_err(
+ |e| cpu::HypervisorCpuError::GpaWrite(e.into()),
+ )?;
+ }
+ }
+
let req_gpa =
info.__bindgen_anon_2.__bindgen_anon_1.sw_exit_info1;
let rsp_gpa =
diff --git a/hypervisor/src/mshv/snp_constants.rs b/hypervisor/src/mshv/snp_constants.rs
index 307326dd..69b12364 100644
--- a/hypervisor/src/mshv/snp_constants.rs
+++ b/hypervisor/src/mshv/snp_constants.rs
@@ -20,5 +20,6 @@ pub const ECDSA_SIG_Y_COMPONENT_END: usize =
// These constants are derived from GHCB spec Sect. 2.6 Table 3 GHCB Layout
// Link: https://www.amd.com/content/dam/amd/en/documents/epyc-technical-docs/specifications/56421.pdf
pub const GHCB_RAX_OFFSET: u64 = 0x01F8;
+pub const GHCB_RBX_OFFSET: u64 = 0x0318;
pub const GHCB_SW_EXITINFO1_OFFSET: u64 = 0x398;
pub const GHCB_SW_EXITINFO2_OFFSET: u64 = 0x3A0;
--
2.45.2

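--- a/packages/by-name/microsoft/cloud-hypervisor/package.nix
+++ b/packages/by-name/microsoft/cloud-hypervisor/package.nix
@@ -39,7 +39,10 @@ rustPlatform.buildRustPackage rec {
 };
 };
 
-patches = [ ./0001-snp-fix-panic-when-rejecting-extended-guest-report.patch ];
+patches = [
+./0001-snp-fix-panic-when-rejecting-extended-guest-report.patch
+./0002-hypervisor-mshv-implement-extended-guest-requests-wi.patch
+];
 
 separateDebugInfo = true;
 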
12 changes: 6 additions & 6 deletions packages/by-name/microsoft/kata-kernel-uvm/package.nix
Expand Up @@ -9,8 +9,8 @@
}:

let
kver = "6.1.0";
modDirVersion = "${kver}.mshv16";
kver = "6.1.58";
modDirVersion = "${kver}.mshv4";
tarfs_make = ./src;
tarfs_patch = fetchurl {
name = "tarfs.patch";
Expand Down Expand Up @@ -40,8 +40,8 @@ linuxManualConfig {
src = fetchurl {
# Kernel source as defined in
# https://github.com/microsoft/azurelinux/blob/59ce246f224f282b3e199d9a2dacaa8011b75a06/SPECS/kernel-uvm/kernel-uvm.spec#L19
url = "https://cblmarinerstorage.blob.core.windows.net/sources/core/kernel-uvm-${modDirVersion}.tar.gz";
hash = "sha256-8EU8NmU4eiqHdDeCNH28y2wKLaHx6fNcBKzWupqf2Sw=";
url = "https://azurelinuxsrcstorage.blob.core.windows.net/sources/core/kernel-uvm-${modDirVersion}.tar.gz";
hash = "sha256-gayZqwbPffCEXwvVlrOUZY+z8YAdCtmF9bZP+j2Q6Ao=";
};
kernelPatches = [
# this patches the existing Makefile and Kconfig to know about CONFIG_TARFS_FS and fs/tarfs
Expand All @@ -56,7 +56,7 @@ linuxManualConfig {
}
];
configfile = fetchurl {
url = "https://raw.githubusercontent.com/microsoft/azurelinux/59ce246f224f282b3e199d9a2dacaa8011b75a06/SPECS/kernel-uvm/config";
url = "https://raw.githubusercontent.com/microsoft/azurelinux/4e90dd61c165a167d96987d1eb63c49d6ceae721/SPECS/kernel-uvm/config";
# Contrast additionally requires the following features:
# - erofs
#
Expand All @@ -74,7 +74,7 @@ linuxManualConfig {
CONFIG_EROFS_FS_ONDEMAND=y
EOF
'';
hash = "sha256-c1+FQzzJQbAvRhV2j0OqRYWcET5kMqvz3vNL7exkudg=";
hash = "sha256-+vOS82pZE0YuloIaOT3VthlQs7vr8QwmVJDpCvNyrKk=";
};
version = kver;
inherit modDirVersion;
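Review bot: The provenance comment above `src` still links `kernel-uvm.spec` at azurelinux commit `59ce246f224f282b3e199d9a2dacaa8011b75a06`, while this change fetches the kernel config from commit `4e90dd61c165a167d96987d1eb63c49d6ceae721` and moves the tarball to a different storage host. Both fetches stay pinned by `sha256` hashes, so integrity is covered, but a reader can no longer confirm from the linked spec that the new URL and version are the upstream-declared ones. Point the comment at the same commit as the config, `# https://github.com/microsoft/azurelinux/blob/4e90dd61c165a167d96987d1eb63c49d6ceae721/SPECS/kernel-uvm/kernel-uvm.spec`, re-checking the line anchor.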