
Find out how SEV and TDX support virtio

Open bokdeuk-jeong opened this issue 2 years ago • 3 comments

bokdeuk-jeong avatar Nov 16 '22 05:11 bokdeuk-jeong

Guest Linux Kernel The latest guest Linux kernel support for TDX is available here.

In order to run as a TD guest, the Linux kernel must support the following features:

  • TDX IO

    • Port IO is handled from the TD guest, by unrolling IO port #VE exceptions into TDVMCALLs. That will eventually translate into unmodified VMM PIO exit handlers. <-- On CCA: MMIO is not mapped in the stage-2 page table, so a stage-2 page-table fault traps the exception to the RMM, and the RMM forwards it to KVM, which handles it.
    • Virtio: Essentially, the TD guest kernel converts the private (TDX encrypted) virtio queue pages into shared ones in order to seamlessly use the guest virtio drivers and the VMM virtio compliant device implementations. <-- [todo] Find out how the conversion is done (was the virtio driver modified? was a page-allocation API added? etc.). https://github.com/intel/tdx
    • Direct device assignment: DMA between MMIO device buffers and the TD guest must happen in the TD shared memory address space. Converting DMA buffers to shared memory is handled by the TDX guest kernel. <-- same as above
  • ACPI SKVL (Storage Volume Key Label) is an ACPI table for passing storage encryption keys from the TDVF to the guest kernel. Again, this should not have any impact on the VMM enablement path.

  • Remote attestation driver. This is a kernel interface for the guest to trigger the attestation process by requesting a TD quote from the TDX-module. Attestation is out of scope for our initial enablement effort.

Overall, in the context of our initial TDX enablement effort with Cloud Hypervisor, the TDX specific guest Linux kernel changes should be transparent to the VMM implementation.

bokdeuk-jeong avatar Nov 21 '22 08:11 bokdeuk-jeong

Issue #74 at https://github.com/AMDESE/AMDSEV/issues/

What virtio drivers does the SEV VM definitely support?

.... feature support for VIRTIO_F_ACCESS_PLATFORM... -device amd-iommu,intremap=on,device-iotlb=on -device vhost-vsock-pci,disable-legacy=on,guest-cid=1,iommu_platform=on,ats=on

It looks like the virtio backend accesses the confidential guest VM's memory through the IOMMU. (More information needs to be gathered.)
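An added model of the two mechanisms the comments above describe (converting virtqueue pages from private to shared, bouncing private data buffers through a shared pool, and refusing a device that does not offer VIRTIO_F_ACCESS_PLATFORM in an encrypted guest). This is constructed for illustration and is not code from islet, Linux or the linked issues; the shared-bit position, the pool address and the page size are assumptions.

```python
# Constructed model (not islet's or Linux's code) of how a confidential guest
# exposes virtio memory to the host-side backend. Assumptions: 4 KiB pages, a
# TDX-style "shared" GPA bit at bit 47 (48-bit GPA width), and a one-page
# bounce pool at a made-up address that stands in for swiotlb.
from dataclasses import dataclass, field

PAGE = 4096
SHARED_BIT = 1 << 47                 # assumed shared-GPA bit for this model
VIRTIO_F_ACCESS_PLATFORM = 1 << 33   # virtio feature bit 33
BOUNCE_POOL_GPA = 0x0010_0000        # constructed swiotlb pool location

@dataclass
class Guest:
    shared_pfns: set = field(default_factory=set)

    def __post_init__(self) -> None:
        # Like Linux at boot: the swiotlb pool is converted to shared once,
        # so data buffers never have to be converted individually.
        self.set_memory_decrypted(BOUNCE_POOL_GPA, 1)

    def set_memory_decrypted(self, gpa: int, npages: int) -> None:
        # Models the guest asking the VMM (TDX: MapGPA TDVMCALL) to back the
        # range with shared memory; whatever lives here is visible to the host.
        first = gpa // PAGE
        self.shared_pfns.update(range(first, first + npages))

    def device_can_access(self, gpa: int) -> bool:
        # The virtio backend only sees shared pages; a private page is ciphertext.
        return (gpa & ~SHARED_BIT) // PAGE in self.shared_pfns

def negotiate(device_features: int, guest_mem_encrypted: bool) -> int:
    # Same rule Linux applies when finalizing features: an encrypted guest
    # refuses a device without VIRTIO_F_ACCESS_PLATFORM, since the driver would
    # otherwise skip the DMA API and hand private GPAs straight to the host.
    if guest_mem_encrypted and not device_features & VIRTIO_F_ACCESS_PLATFORM:
        raise ValueError("device must provide VIRTIO_F_ACCESS_PLATFORM")
    return device_features

def setup_virtqueue(guest: Guest, vring_gpa: int, npages: int) -> int:
    # Ring pages (desc/avail/used) are converted in place; the device gets
    # the shared alias of the address.
    guest.set_memory_decrypted(vring_gpa, npages)
    return vring_gpa | SHARED_BIT

def dma_map_buffer(guest: Guest, buf_gpa: int, data: bytes) -> tuple:
    # A private data buffer stays private: its contents are copied into the
    # shared pool, and the pool address is what the device is told to use.
    if guest.device_can_access(buf_gpa):
        return buf_gpa | SHARED_BIT, data
    return BOUNCE_POOL_GPA | SHARED_BIT, bytes(data)  # copy into shared pool
```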

bokdeuk-jeong avatar Nov 21 '22 08:11 bokdeuk-jeong

https://static.sched.com/hosted_files/kvmforum2021/a3/KVM_2021_sharing_TDP_IOMMU.pdf

https://intel.github.io/ccc-linux-guest-hardening-docs/security-spec.html#virtio-and-shared-memory

https://lwn.net/Articles/865216/

bokdeuk-jeong avatar Nov 21 '22 12:11 bokdeuk-jeong