eb39e37d5c
Add to confidential guests the necessary memory integrity protection against malicious hypervisor-based attacks like data replay, memory remapping and others, thus achieving a stronger isolation from the hypervisor. At the core of the functionality is a new structure called a reverse map table (RMP) with which the guest has a say in which pages get assigned to it and gets notified when a page which it owns, gets accessed/modified under the covers so that the guest can take an appropriate action. In addition, add support for the whole machinery needed to launch a SNP guest, details of which is properly explained in each patch. And last but not least, the series refactors and improves parts of the previous SEV support so that the new code is accomodated properly and not just bolted on. -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEzv7L6UO9uDPlPSfHEsHwGGHeVUoFAmKLU2AACgkQEsHwGGHe VUpb/Q//f4LGiJf4nw1flzpe90uIsHNwAafng3NOjeXmhI/EcOlqPf23WHPCgg3Z 2umfa4sRZyj4aZubDd7tYAoq4qWrQ7pO7viWCNTh0InxBAILOoMPMuq2jSAbq0zV ASUJXeQ2bqjYxX4JV4N5f3HT2l+k68M0mpGLN0H+O+LV9pFS7dz7Jnsg+gW4ZP25 PMPLf6FNzO/1tU1aoYu80YDP1ne4eReLrNzA7Y/rx+S2NAetNwPn21AALVgoD4Nu vFdKh4MHgtVbwaQuh0csb/+4vD+tDXAhc8lbIl+Abl9ZxJaDWtAJW5D9e2CnsHk1 NOkHwnrzizzhtGK1g56YPUVRFAWhZYMOI1hR0zGPLQaVqBnN4b+iahPeRiV0XnGE PSbIHSfJdeiCkvLMCdIAmpE5mRshhRSUfl1CXTCdetMn8xV/qz/vG6bXssf8yhTV cfLGPHU7gfVmsbR9nk5a8KZ78PaytxOxfIDXvCy8JfQwlIWtieaCcjncrj+sdMJy 0fdOuwvi4jma0cyYuPolKiS1Hn4ldeibvxXT7CZQlIx6jZShMbpfpTTJs11XdtHm PdDAc1TY3AqI33mpy9DhDQmx/+EhOGxY3HNLT7evRhv4CfdQeK3cPVUWgo4bGNVv ZnFz7nvmwpyufltW9K8mhEZV267174jXGl6/idxybnlVE7ESr2Y= =Y8kW -----END PGP SIGNATURE----- Merge tag 'x86_sev_for_v5.19_rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull AMD SEV-SNP support from Borislav Petkov: "The third AMD confidential computing feature called Secure Nested Paging. Add to confidential guests the necessary memory integrity protection against malicious hypervisor-based attacks like data replay, memory remapping and others, thus achieving a stronger isolation from the hypervisor. At the core of the functionality is a new structure called a reverse map table (RMP) with which the guest has a say in which pages get assigned to it and gets notified when a page which it owns, gets accessed/modified under the covers so that the guest can take an appropriate action. In addition, add support for the whole machinery needed to launch a SNP guest, details of which is properly explained in each patch. And last but not least, the series refactors and improves parts of the previous SEV support so that the new code is accomodated properly and not just bolted on" * tag 'x86_sev_for_v5.19_rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: (60 commits) x86/entry: Fixup objtool/ibt validation x86/sev: Mark the code returning to user space as syscall gap x86/sev: Annotate stack change in the #VC handler x86/sev: Remove duplicated assignment to variable info x86/sev: Fix address space sparse warning x86/sev: Get the AP jump table address from secrets page x86/sev: Add missing __init annotations to SEV init routines virt: sevguest: Rename the sevguest dir and files to sev-guest virt: sevguest: Change driver name to reflect generic SEV support x86/boot: Put globals that are accessed early into the .data section x86/boot: Add an efi.h header for the decompressor virt: sevguest: Fix bool function returning negative value virt: sevguest: Fix return value check in alloc_shared_pages() x86/sev-es: Replace open-coded hlt-loop with sev_es_terminate() virt: sevguest: Add documentation for SEV-SNP CPUID Enforcement virt: sevguest: Add support to get extended report virt: sevguest: Add support to derive key virt: Add SEV-SNP guest driver x86/sev: Register SEV-SNP guest request platform device x86/sev: Provide support for SNP guest request NAEs ...
56 lines
1.5 KiB
Plaintext
56 lines
1.5 KiB
Plaintext
# SPDX-License-Identifier: GPL-2.0-only
|
|
#
|
|
# Virtualization support drivers
|
|
#
|
|
|
|
menuconfig VIRT_DRIVERS
|
|
bool "Virtualization drivers"
|
|
help
|
|
Say Y here to get to see options for device drivers that support
|
|
virtualization environments.
|
|
|
|
If you say N, all options in this submenu will be skipped and disabled.
|
|
|
|
if VIRT_DRIVERS
|
|
|
|
config VMGENID
|
|
tristate "Virtual Machine Generation ID driver"
|
|
default y
|
|
depends on ACPI
|
|
help
|
|
Say Y here to use the hypervisor-provided Virtual Machine Generation ID
|
|
to reseed the RNG when the VM is cloned. This is highly recommended if
|
|
you intend to do any rollback / cloning / snapshotting of VMs.
|
|
|
|
Prefer Y to M so that this protection is activated very early.
|
|
|
|
config FSL_HV_MANAGER
|
|
tristate "Freescale hypervisor management driver"
|
|
depends on FSL_SOC
|
|
select EPAPR_PARAVIRT
|
|
help
|
|
The Freescale hypervisor management driver provides several services
|
|
to drivers and applications related to the Freescale hypervisor:
|
|
|
|
1) An ioctl interface for querying and managing partitions.
|
|
|
|
2) A file interface to reading incoming doorbells.
|
|
|
|
3) An interrupt handler for shutting down the partition upon
|
|
receiving the shutdown doorbell from a manager partition.
|
|
|
|
4) A kernel interface for receiving callbacks when a managed
|
|
partition shuts down.
|
|
|
|
source "drivers/virt/vboxguest/Kconfig"
|
|
|
|
source "drivers/virt/nitro_enclaves/Kconfig"
|
|
|
|
source "drivers/virt/acrn/Kconfig"
|
|
|
|
source "drivers/virt/coco/efi_secret/Kconfig"
|
|
|
|
source "drivers/virt/coco/sev-guest/Kconfig"
|
|
|
|
endif
|