Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for KVM_MEMORY_ENCRYPT_{OP,REG_REGION,UNREG_REGION} #178

Merged
merged 6 commits into from
Oct 26, 2021
Merged

Add support for KVM_MEMORY_ENCRYPT_{OP,REG_REGION,UNREG_REGION} #178

merged 6 commits into from
Oct 26, 2021

Conversation

rvolosatovs
Copy link
Contributor

@rvolosatovs rvolosatovs commented Oct 7, 2021
edited
Loading

Add support for 3 ioctls:

cc @haraldh

@rvolosatovs rvolosatovs marked this pull request as draft October 7, 2021 16:12
@rvolosatovs rvolosatovs marked this pull request as ready for review October 7, 2021 16:17
@rvolosatovs
Copy link
Contributor Author 

>           assert False, "Coverage drops by {:.2f}%. Please add unit tests for " \
                          "the uncovered lines.".format(diff)
E           AssertionError: Coverage drops by 2.00%. Please add unit tests for the uncovered lines.
E           assert False

This is tricky, since the functionality can only run on SEV-enabled hosts. I guess it would be possible to add a feature flag and guard this functionality and respective tests, although not sure if that's really necessary at this point.

@rvolosatovs
Copy link
Contributor Author

rvolosatovs commented Oct 7, 2021
edited
Loading

Encountered some issues while testing, marking as draft until I'm sure this works as expected. that turned out to be initialization issue, SEV has to be enabled first

@rvolosatovs rvolosatovs marked this pull request as draft October 7, 2021 18:03
@rvolosatovs
Copy link
Contributor Author

rvolosatovs commented Oct 8, 2021
edited
Loading

Made names shorter, while staying consistent with e.g. https://docs.rs/kvm-ioctls/0.10.0/kvm_ioctls/struct.VmFd.html#method.set_user_memory_region:

diff --git a/src/ioctls/vm.rs b/src/ioctls/vm.rs
index ea97cbc..d7faf6d 100644
--- a/src/ioctls/vm.rs
+++ b/src/ioctls/vm.rs
@@ -1283,11 +1283,11 @@ impl VmFd {
     ///     addr: 0x10000 as u64,
     ///     size: 0x10000 as u64,
     /// };
-    /// vm.register_encrypted_memory_region(&memory_region).unwrap();
+    /// vm.register_enc_memory_region(&memory_region).unwrap();
     /// ```
     ///
     #[cfg(any(target_arch = "x86", target_arch = "x86_64"))]
-    pub fn register_encrypted_memory_region(&self, memory_region: &kvm_enc_region) -> Result<()> {
+    pub fn register_enc_memory_region(&self, memory_region: &kvm_enc_region) -> Result<()> {
         // Safe because we know that our file is a VM fd, we know the kernel will only read the
         // correct amount of memory from our pointer, and we verify the return result.
         let ret = unsafe { ioctl_with_ref(self, KVM_MEMORY_ENCRYPT_REG_REGION(), memory_region) };
@@ -1321,11 +1321,11 @@ impl VmFd {
     ///     addr: 0x10000 as u64,
     ///     size: 0x10000 as u64,
     /// };
-    /// vm.unregister_encrypted_memory_region(&memory_region).unwrap();
+    /// vm.unregister_enc_memory_region(&memory_region).unwrap();
     /// ```
     ///
     #[cfg(any(target_arch = "x86", target_arch = "x86_64"))]
-    pub fn unregister_encrypted_memory_region(&self, memory_region: &kvm_enc_region) -> Result<()> {
+    pub fn unregister_enc_memory_region(&self, memory_region: &kvm_enc_region) -> Result<()> {
         // Safe because we know that our file is a VM fd, we know the kernel will only read the
         // correct amount of memory from our pointer, and we verify the return result.
         let ret = unsafe { ioctl_with_ref(self, KVM_MEMORY_ENCRYPT_UNREG_REGION(), memory_region) };

@rvolosatovs rvolosatovs marked this pull request as ready for review October 8, 2021 08:37
@rvolosatovs rvolosatovs mentioned this pull request Oct 8, 2021
Merged
lauralt
lauralt reviewed Oct 8, 2021
View reviewed changes
src/ioctls/vm.rs Outdated Show resolved Hide resolved
src/kvm_ioctls.rs Show resolved Hide resolved
@rvolosatovs rvolosatovs force-pushed the kvm-memory-encrypt-region branch 3 times, most recently from 0e51cb3 to 8786591 Compare October 12, 2021 17:47
rvolosatovs
rvolosatovs commented Oct 12, 2021
View reviewed changes
src/ioctls/vm.rs Outdated Show resolved Hide resolved
@rvolosatovs rvolosatovs force-pushed the kvm-memory-encrypt-region branch 3 times, most recently from 8d067f0 to 9bb0da9 Compare October 13, 2021 11:38
andreeaflorescu
andreeaflorescu reviewed Oct 13, 2021
View reviewed changes
src/ioctls/vm.rs Outdated Show resolved Hide resolved
src/ioctls/vm.rs Outdated Show resolved Hide resolved
src/ioctls/vm.rs Outdated Show resolved Hide resolved
@rvolosatovs rvolosatovs force-pushed the kvm-memory-encrypt-region branch 3 times, most recently from 1333183 to 272bfd7 Compare October 13, 2021 19:11
@lauralt
Copy link
Collaborator

lauralt commented Oct 20, 2021

You'll need to also update the coverage score so that the all the tests pass.

It looks like there's an issue with CI (perhaps due to the config attribute?), since all the added functionality should be covered with tests at this point and there are also examples for all functionality, which are tested on supported systems

kcov is counting the lines that are executed by tests on the platform on which it runs, the CI instance doesn't have sev enabled, so the sev functionality covered by your tests won't be executed when running kcov. We are not yet running the CI on AMD, so until that point we can decrease the coverage value :(.

@andreeaflorescu
Copy link
Member

andreeaflorescu commented Oct 20, 2021
edited
Loading

It looks like there's an issue with CI (perhaps due to the config attribute?), since all the added functionality should be covered with tests at this point and there are also examples for all functionality, which are tested on supported systems

The host on which the CI runs does not have SEV enabled. This means that the tests with #[cfg_attr(not(has_sev), ignore)] are ignored, so they do not contribute to the coverage score. You should just update the coverage score, and we can work on having a host with SEV so we can make sure that the tests are running in the CI as well.

LE: Laura already replied to this.

@jiangliu
Copy link
Member

Is there plan to add more for KVM sev commands such as KVM_SEV_LAUNCH_START, KVM_SEV_LAUNCH_UPDATE_DATA?
I'm thinking whether we should introduce submodules for sev/tdx etc.

@rvolosatovs
Copy link
Contributor Author

Is there plan to add more for KVM sev commands such as KVM_SEV_LAUNCH_START, KVM_SEV_LAUNCH_UPDATE_DATA? I'm thinking whether we should introduce submodules for sev/tdx etc.

AFAIK there was an (unsuccessful?) attempt to add SEV commands in #111.

We currently maintain most of SEV-specific functionality externally, but if there is interest here we may consider contributing those.

@jiangliu
Copy link
Member

#111

The enarx project also makes use of the kvm-bindings/kvm-ioctls crates, so is ti feasible to move some needed data structures from enarx into kvm-ioctls? But I do have some concern about openssl, which is always troublesome.

@rvolosatovs
Copy link
Contributor Author

#111

The enarx project also makes use of the kvm-bindings/kvm-ioctls crates, so is ti feasible to move some needed data structures from enarx into kvm-ioctls? But I do have some concern about openssl, which is always troublesome.

We are actually deprecating SEV crate at the moment, so it could be a good chance to salvage useful parts.
openssl is only necessary for certificate stuff, which not necessarily has to be added here, I believe
We could file an issue about this and discuss there?

@jiangliu
Copy link
Member

#111

The enarx project also makes use of the kvm-bindings/kvm-ioctls crates, so is ti feasible to move some needed data structures from enarx into kvm-ioctls? But I do have some concern about openssl, which is always troublesome.

We are actually deprecating SEV crate at the moment, so it could be a good chance to salvage useful parts. openssl is only necessary for certificate stuff, which not necessarily has to be added here, I believe We could file an issue about this and discuss there?

Yes, a good idea to open a new issue for discussion.

@rvolosatovs
Copy link
Contributor Author

Any update on this?

@rvolosatovs
Introduce has_sev attribute
4baf18f 
Signed-off-by: Roman Volosatovs <[email protected]>
lauralt
lauralt reviewed Oct 25, 2021
View reviewed changes
src/ioctls/vm.rs Outdated Show resolved Hide resolved
src/ioctls/vm.rs Outdated Show resolved Hide resolved
src/ioctls/vm.rs Show resolved Hide resolved
rvolosatovs and others added 5 commits October 25, 2021 17:47
@rvolosatovs
Add support for KVM_MEMORY_ENCRYPT_OP
a23c74d 
Signed-off-by: Roman Volosatovs <[email protected]>
@rvolosatovs @haraldh
Add support for KVM_MEMORY_ENCRYPT_REG_REGION
e1c8e92 
Co-authored-by: Harald Hoyer <[email protected]>
Signed-off-by: Roman Volosatovs <[email protected]>
@rvolosatovs @haraldh
Add support for KVM_MEMORY_ENCRYPT_UNREG_REGION
01d09cc 
Co-authored-by: Harald Hoyer <[email protected]>
Signed-off-by: Roman Volosatovs <[email protected]>
@rvolosatovs
Add KVM_MEMORY_ENCRYPT_{UN,}REG_REGION test
6ec90d3 
Signed-off-by: Roman Volosatovs <[email protected]>
@rvolosatovs
Decrease x86_64 coverage score
435b0a4 
Signed-off-by: Roman Volosatovs <[email protected]>
@rvolosatovs
Copy link
Contributor Author

rvolosatovs commented Oct 25, 2021
edited
Loading

  • Added documentation and license header to build.rs
  • Fixed outdated doc reference
  • Ensured the doc reference format is consistent with Rust stdlib and represents actual method references
  • Added test cases for invalid KVM_MEMORY_ENCRYPT_{,UN}REG_REGION usage (I suppose it does not make much sense to do that for encrypt_op, since it's platform-specific)
  • Made documentation more consistent with existing methods on VmFd

@lauralt
Copy link
Collaborator

lauralt commented Oct 26, 2021 

* Added documentation and license header to `build.rs`

* Fixed outdated doc reference

* Ensured the doc reference format is consistent with Rust stdlib and represents actual method references

* Added test cases for invalid `KVM_MEMORY_ENCRYPT_{,UN}REG_REGION` usage (I suppose it does not make much sense to do that for `encrypt_op`, since it's platform-specific)

* Made documentation more consistent with existing methods on `VmFd`

Thanks!

@andreeaflorescu andreeaflorescu merged commit c9bad6c into rust-vmm:main Oct 26, 2021
@rvolosatovs rvolosatovs deleted the kvm-memory-encrypt-region branch October 26, 2021 08:21
@andreeaflorescu andreeaflorescu mentioned this pull request Nov 17, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@haraldh haraldh haraldh left review comments

@lauralt lauralt lauralt approved these changes

@andreeaflorescu andreeaflorescu andreeaflorescu approved these changes

@acatangiu acatangiu Awaiting requested review from acatangiu acatangiu is a code owner

@alxiord alxiord Awaiting requested review from alxiord

@sameo sameo Awaiting requested review from sameo sameo is a code owner

@jiangliu jiangliu Awaiting requested review from jiangliu

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@rvolosatovs @andreeaflorescu @lauralt @jiangliu @haraldh