Code Monkey home page Code Monkey logo

Comments (3)

bokdeuk-jeong avatar bokdeuk-jeong commented on July 20, 2024

Guest Linux Kernel
The latest guest Linux kernel support for TDX is available here.

In order to run as a TD guest, the Linux kernel must support the following features:

  • TDX IO

    • Port IO is handled from the TD guest, by unrolling IO port #VE exceptions into TDVMCALLs. That will eventually translate into an unmodified VMM PIO exit handlers.
      <-- On CCA: MMIO는 S2 pgtlb에 매핑 되어 있지 않아서 S2 pgtlb fault로 RMM으로 exception이 trap되고,
      이 exception는 KVM으로 forward돼서 처리하고 있다.
    • Virtio: Essentially, the TD guest kernel converts the private (TDX encrypted) virtio queue pages into shared ones in order to seamlessly use the guest virtio drivers and the VMM virtio compliant device implementations.
      <-- [todo] 어떤 식으로 covert하는지(virtio 드라이버를 수정했는지?, alloc page API가 추가 됐는지? 등)을 알아보자.
      https://github.com/intel/tdx
    • Direct device assignment: DMA between MMIO device buffers and the TD guest must happen in the TD shared memory address space. Converting DMA buffers to shared memory is handled by the TDX guest kernel.
      <-- 상동

  • ACPI SKVL (Storage Volume Key Label) is an ACPI table for passing storage encryption keys from the TDVF to the guest kernel. Again, this should not have any impact on the VMM enablement path.

  • Remote attestation driver. This is a kernel interface for the guest to trigger the attestation process by requesting a TD quote from the TDX-module. Attestation is out of scope for our initial enablement effort.

Overall, in the context of our initial TDX enablement effort with Cloud Hypervisor, the TDX specific guest Linux kernel changes should be transparent to the VMM implementation.

from islet.

bokdeuk-jeong avatar bokdeuk-jeong commented on July 20, 2024

https://github.com/AMDESE/AMDSEV/ issues/ 이슈중 74 번

What virtio drivers does the SEV VM definitely support?

.... feature support for VIRTIO_F_ACCESS_PLATFORM...
-device amd-iommu,intremap=on,device-iotlb=on -device vhost-vsock-pci,disable-legacy=on,guest-cid=1,iommu_platform=on,ats=on

iommu를 통해서 virtio backend가 guest confidential VM의 메모리를 액세스 하는 것 같다. (추가 정보 수집 필요)

from islet.

bokdeuk-jeong avatar bokdeuk-jeong commented on July 20, 2024

https://static.sched.com/hosted_files/kvmforum2021/a3/KVM_2021_sharing_TDP_IOMMU.pdf

https://intel.github.io/ccc-linux-guest-hardening-docs/security-spec.html#virtio-and-shared-memory

https://lwn.net/Articles/865216/

from islet.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.