diff options
| author | David Gibson <david@gibson.dropbear.id.au> | 2020-10-20 17:01:19 +1100 |
|---|---|---|
| committer | David Gibson <david@gibson.dropbear.id.au> | 2021-02-08 16:57:38 +1100 |
| commit | abc27d4241f99bfaebb0b843b9a967d557ac10e8 (patch) | |
| tree | da384090a8bcbcd5476b1f2bc58f11dc0033f0f9 /include | |
| parent | c9f5aaa6bce819c1863c2a56b187cb9eb521fc92 (diff) | |
confidential guest support: Introduce cgs "ready" flag
The platform specific details of mechanisms for implementing
confidential guest support may require setup at various points during
initialization. Thus, it's not really feasible to have a single cgs
initialization hook, but instead each mechanism needs its own
initialization calls in arch or machine specific code.
However, to make it harder to have a bug where a mechanism isn't
properly initialized under some circumstances, we want to have a
common place, late in boot, where we verify that cgs has been
initialized if it was requested.
This patch introduces a ready flag to the ConfidentialGuestSupport
base type to accomplish this, which we verify in
qemu_machine_creation_done().
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Greg Kurz <groug@kaod.org>
Diffstat (limited to 'include')
| -rw-r--r-- | include/exec/confidential-guest-support.h | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/include/exec/confidential-guest-support.h b/include/exec/confidential-guest-support.h index 3db6380e63..ba2dd4b5df 100644 --- a/include/exec/confidential-guest-support.h +++ b/include/exec/confidential-guest-support.h @@ -27,6 +27,30 @@ OBJECT_DECLARE_SIMPLE_TYPE(ConfidentialGuestSupport, CONFIDENTIAL_GUEST_SUPPORT) struct ConfidentialGuestSupport { Object parent; + + /* + * ready: flag set by CGS initialization code once it's ready to + * start executing instructions in a potentially-secure + * guest + * + * The definition here is a bit fuzzy, because this is essentially + * part of a self-sanity-check, rather than a strict mechanism. + * + * It's not feasible to have a single point in the common machine + * init path to configure confidential guest support, because + * different mechanisms have different interdependencies requiring + * initialization in different places, often in arch or machine + * type specific code. It's also usually not possible to check + * for invalid configurations until that initialization code. + * That means it would be very easy to have a bug allowing CGS + * init to be bypassed entirely in certain configurations. + * + * Silently ignoring a requested security feature would be bad, so + * to avoid that we check late in init that this 'ready' flag is + * set if CGS was requested. If the CGS init hasn't happened, and + * so 'ready' is not set, we'll abort. + */ + bool ready; }; typedef struct ConfidentialGuestSupportClass { |