[mirror_qemu.git] / include / exec / confidential-guest-support.h

/*
 * QEMU Confidential Guest support
 *   This interface describes the common pieces between various
 *   schemes for protecting guest memory or other state against a
 *   compromised hypervisor.  This includes memory encryption (AMD's
 *   SEV and Intel's MKTME) or special protection modes (PEF on POWER,
 *   or PV on s390x).
 *
 * Copyright Red Hat.
 *
 * Authors:
 *  David Gibson <david@gibson.dropbear.id.au>
 *
 * This work is licensed under the terms of the GNU GPL, version 2 or
 * later.  See the COPYING file in the top-level directory.
 *
 */
#ifndef QEMU_CONFIDENTIAL_GUEST_SUPPORT_H
#define QEMU_CONFIDENTIAL_GUEST_SUPPORT_H

#ifndef CONFIG_USER_ONLY

#include "qom/object.h"

#define TYPE_CONFIDENTIAL_GUEST_SUPPORT "confidential-guest-support"
OBJECT_DECLARE_SIMPLE_TYPE(ConfidentialGuestSupport, CONFIDENTIAL_GUEST_SUPPORT)

struct ConfidentialGuestSupport {
    Object parent;

    /*
     * ready: flag set by CGS initialization code once it's ready to
     *        start executing instructions in a potentially-secure
     *        guest
     *
     * The definition here is a bit fuzzy, because this is essentially
     * part of a self-sanity-check, rather than a strict mechanism.
     *
     * It's not feasible to have a single point in the common machine
     * init path to configure confidential guest support, because
     * different mechanisms have different interdependencies requiring
     * initialization in different places, often in arch or machine
     * type specific code.  It's also usually not possible to check
     * for invalid configurations until that initialization code.
     * That means it would be very easy to have a bug allowing CGS
     * init to be bypassed entirely in certain configurations.
     *
     * Silently ignoring a requested security feature would be bad, so
     * to avoid that we check late in init that this 'ready' flag is
     * set if CGS was requested.  If the CGS init hasn't happened, and
     * so 'ready' is not set, we'll abort.
     */
    bool ready;
};

typedef struct ConfidentialGuestSupportClass {
    ObjectClass parent;
} ConfidentialGuestSupportClass;

#endif /* !CONFIG_USER_ONLY */

#endif /* QEMU_CONFIDENTIAL_GUEST_SUPPORT_H */
Commit	Line	Data
f91f9f25 DG	1	/*
	2	* QEMU Confidential Guest support
	3	* This interface describes the common pieces between various
	4	* schemes for protecting guest memory or other state against a
	5	* compromised hypervisor. This includes memory encryption (AMD's
	6	* SEV and Intel's MKTME) or special protection modes (PEF on POWER,
	7	* or PV on s390x).
	8	*
	9	* Copyright Red Hat.
	10	*
	11	* Authors:
	12	* David Gibson <david@gibson.dropbear.id.au>
	13	*
	14	* This work is licensed under the terms of the GNU GPL, version 2 or
	15	* later. See the COPYING file in the top-level directory.
	16	*
	17	*/
	18	#ifndef QEMU_CONFIDENTIAL_GUEST_SUPPORT_H
	19	#define QEMU_CONFIDENTIAL_GUEST_SUPPORT_H
	20
	21	#ifndef CONFIG_USER_ONLY
	22
	23	#include "qom/object.h"
	24
	25	#define TYPE_CONFIDENTIAL_GUEST_SUPPORT "confidential-guest-support"
	26	OBJECT_DECLARE_SIMPLE_TYPE(ConfidentialGuestSupport, CONFIDENTIAL_GUEST_SUPPORT)
	27
	28	struct ConfidentialGuestSupport {
	29	Object parent;
abc27d42 DG	30
	31	/*
	32	* ready: flag set by CGS initialization code once it's ready to
	33	* start executing instructions in a potentially-secure
	34	* guest
	35	*
	36	* The definition here is a bit fuzzy, because this is essentially
	37	* part of a self-sanity-check, rather than a strict mechanism.
	38	*
	39	* It's not feasible to have a single point in the common machine
	40	* init path to configure confidential guest support, because
	41	* different mechanisms have different interdependencies requiring
	42	* initialization in different places, often in arch or machine
	43	* type specific code. It's also usually not possible to check
	44	* for invalid configurations until that initialization code.
	45	* That means it would be very easy to have a bug allowing CGS
	46	* init to be bypassed entirely in certain configurations.
	47	*
	48	* Silently ignoring a requested security feature would be bad, so
	49	* to avoid that we check late in init that this 'ready' flag is
	50	* set if CGS was requested. If the CGS init hasn't happened, and
	51	* so 'ready' is not set, we'll abort.
	52	*/
	53	bool ready;
f91f9f25 DG	54	};
	55
	56	typedef struct ConfidentialGuestSupportClass {
	57	ObjectClass parent;
	58	} ConfidentialGuestSupportClass;
	59
	60	#endif /* !CONFIG_USER_ONLY */
	61
	62	#endif /* QEMU_CONFIDENTIAL_GUEST_SUPPORT_H */