@@ -117,9 +117,6 @@ struct KVMState
KVMMemoryListener memory_listener;
QLIST_HEAD(, KVMParkedVcpu) kvm_parked_vcpus;
- /* host trust limitation (e.g. by guest memory encryption) */
- HostTrustLimitation *htl;
-
/* For "info mtree -f" to tell if an MR is registered in KVM */
int nr_as;
struct KVMAs {
@@ -218,28 +215,6 @@ int kvm_get_max_memslots(void)
return s->nr_slots;
}
-bool kvm_memcrypt_enabled(void)
-{
- if (kvm_state && kvm_state->htl) {
- return true;
- }
-
- return false;
-}
-
-int kvm_memcrypt_encrypt_data(uint8_t *ptr, uint64_t len)
-{
- HostTrustLimitation *htl = kvm_state->htl;
-
- if (htl) {
- HostTrustLimitationClass *htlc = HOST_TRUST_LIMITATION_GET_CLASS(htl);
-
- return htlc->encrypt_data(htl, ptr, len);
- }
-
- return 1;
-}
-
/* Called with KVMMemoryListener.slots_lock held */
static KVMSlot *kvm_get_free_slot(KVMMemoryListener *kml)
{
@@ -2194,8 +2169,6 @@ static int kvm_init(MachineState *ms)
if (ret < 0) {
goto err;
}
-
- kvm_state->htl = ms->htl;
}
ret = kvm_arch_init(ms, s);
@@ -104,16 +104,6 @@ int kvm_on_sigbus(int code, void *addr)
return 1;
}
-bool kvm_memcrypt_enabled(void)
-{
- return false;
-}
-
-int kvm_memcrypt_encrypt_data(uint8_t *ptr, uint64_t len)
-{
- return 1;
-}
-
#ifndef CONFIG_USER_ONLY
int kvm_irqchip_add_msi_route(KVMState *s, int vector, PCIDevice *dev)
{
@@ -38,6 +38,7 @@
#include "sysemu/sysemu.h"
#include "hw/block/flash.h"
#include "sysemu/kvm.h"
+#include "exec/host-trust-limitation.h"
/*
* We don't have a theoretically justifiable exact lower bound on the base
@@ -201,10 +202,11 @@ static void pc_system_flash_map(PCMachineState *pcms,
pc_isa_bios_init(rom_memory, flash_mem, size);
/* Encrypt the pflash boot ROM */
- if (kvm_memcrypt_enabled()) {
+ if (host_trust_limitation_enabled(MACHINE(pcms))) {
flash_ptr = memory_region_get_ram_ptr(flash_mem);
flash_size = memory_region_size(flash_mem);
- ret = kvm_memcrypt_encrypt_data(flash_ptr, flash_size);
+ ret = host_trust_limitation_encrypt(MACHINE(pcms),
+ flash_ptr, flash_size);
if (ret) {
error_report("failed to encrypt pflash rom");
exit(1);
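Review bot: The `if (ret)` check after `host_trust_limitation_encrypt()` now also fires when the HTL class has no `encrypt_data` hook, because the new helper returns 1 in that case while `host_trust_limitation_enabled()` is true for any attached HTL object. Failing closed is the safe direction here, since the guest never starts from a flash image that was left unencrypted, but "failed to encrypt pflash rom" would then report a missing capability as an encryption failure. A comment above the call such as `/* Fails closed: an HTL without an encrypt_data hook also ends up here */`, plus the return code in the message, `error_report("failed to encrypt pflash rom (ret=%d)", ret);`, would make the two cases distinguishable in logs. The body of pc_system_flash_map starts and ends outside this hunk.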
@@ -14,6 +14,7 @@
#define QEMU_HOST_TRUST_LIMITATION_H
#include "qom/object.h"
+#include "hw/boards.h"
#define TYPE_HOST_TRUST_LIMITATION "host-trust-limitation"
#define HOST_TRUST_LIMITATION(obj) \
@@ -33,4 +34,39 @@ typedef struct HostTrustLimitationClass {
int (*encrypt_data)(HostTrustLimitation *, uint8_t *, uint64_t);
} HostTrustLimitationClass;
+/**
+ * host_trust_limitation_enabled - return whether guest memory is protected
+ * from hypervisor access (with memory
+ * encryption or otherwise)
+ * Returns: true guest memory is not directly accessible to qemu
+ * false guest memory is directly accessible to qemu
+ */
+static inline bool host_trust_limitation_enabled(MachineState *machine)
+{
+ return !!machine->htl;
+}
+
+/**
+ * host_trust_limitation_encrypt: encrypt the memory range to make
+ * it guest accessible
+ *
+ * Return: 1 failed to encrypt the range
+ * 0 succesfully encrypted memory region
+ */
+static inline int host_trust_limitation_encrypt(MachineState *machine,
+ uint8_t *ptr, uint64_t len)
+{
+ HostTrustLimitation *htl = machine->htl;
+
+ if (htl) {
+ HostTrustLimitationClass *htlc = HOST_TRUST_LIMITATION_GET_CLASS(htl);
+
+ if (htlc->encrypt_data) {
+ return htlc->encrypt_data(htl, ptr, len);
+ }
+ }
+
+ return 1;
+}
+
#endif /* QEMU_HOST_TRUST_LIMITATION_H */
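Review bot: The doc comment on `host_trust_limitation_enabled()` promises more than `return !!machine->htl;` checks: the function reports that an HTL object is attached to the machine, not that guest memory protection has actually been established. Callers that gate security decisions on it rely on `machine->htl` being set only after the mechanism initialized successfully, which is not visible in this hunk. I would reword the return description to `true: an HTL object is configured for @machine` and `false: no HTL object is configured`, and name the place where the object is validated. The comment on `host_trust_limitation_encrypt()` should likewise state that 1 is returned when there is no HTL object or no `encrypt_data` hook, and that any other value is passed through unchanged from the hook.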
@@ -231,23 +231,6 @@ int kvm_destroy_vcpu(CPUState *cpu);
*/
bool kvm_arm_supports_user_irq(void);
-/**
- * kvm_memcrypt_enabled - return boolean indicating whether memory encryption
- * is enabled
- * Returns: 1 memory encryption is enabled
- * 0 memory encryption is disabled
- */
-bool kvm_memcrypt_enabled(void);
-
-/**
- * kvm_memcrypt_encrypt_data: encrypt the memory range
- *
- * Return: 1 failed to encrypt the range
- * 0 succesfully encrypted memory region
- */
-int kvm_memcrypt_encrypt_data(uint8_t *ptr, uint64_t len);
-
-
#ifdef NEED_CPU_H
#include "cpu.h"