Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Added additional SNP checks on the host and guest via verification of SNP bit status from instruction set #12

Open
wants to merge 2 commits into
base: main
Choose a base branch
from

Conversation

LakshmiSaiHarika
Copy link
Contributor

  1. Added check on the host for all host SEV features in CPU via cpuid 0x8000001f instruction set
  2. Added additional check on the guest to see if guest sev, sev-es, and snp bits are active from MSR 0xc0010131 (MSR_AMD64_SEV)

Copy link
Collaborator

@larrydewey larrydewey left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will you please run these through shellcheck? There are a number of changes which I would like to see applied for this PR before we approve it.

@LakshmiSaiHarika
Copy link
Contributor Author

Hi @larrydewey, I made few changes and did shellcheck... Please let me know if any further changes are required.

tools/snp.sh Outdated Show resolved Hide resolved
tools/snp.sh Outdated Show resolved Hide resolved
tools/snp.sh Outdated Show resolved Hide resolved
tools/snp.sh Outdated Show resolved Hide resolved
tools/snp.sh Outdated Show resolved Hide resolved
tools/snp.sh Outdated Show resolved Hide resolved
tools/snp.sh Outdated Show resolved Hide resolved
tools/snp.sh Outdated Show resolved Hide resolved
@LakshmiSaiHarika LakshmiSaiHarika force-pushed the add-snp-check-via-instruction-set branch from 4ba7408 to 4ff4dcd Compare September 28, 2024 00:58
@LakshmiSaiHarika
Copy link
Contributor Author

Hi @larrydewey I addressed the changes as per the conversation above, please let me know if any additional changes are required

Copy link
Contributor

@DGonzalezVillal DGonzalezVillal left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just some nits and some overall functionality questions. But overall it lgtm.

docs/snp.md Outdated
Comment on lines 55 to 60
Read the dedicated host cpuid Fn8000_001F[EAX] instruction set to verify if the SNP is on and supported on the host:
```
./snp.sh check-host-snp-cpuid
```


Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we want this to be it's own individual command? I see that it is being called when people are setting up the host and launching the guest. Is there additional functionality to be it's own individual command?

tools/snp.sh Outdated
Comment on lines 178 to 171
local host_cpuid_eax
host_cpuid_eax=$(cpuid -1 -r -l 0x8000001f | grep -oE "eax=[[:alnum:]]+ " | cut -c5- | tr -d '[:space:]')

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I had created a function that does this for you called get_cpuid if you want to use that instead.

get_cpuid() {

tools/snp.sh Outdated
Comment on lines 182 to 195
declare -A actual_sev_snp_bit_status=(
[SME]=$((${host_cpuid_eax} & 1))
[SEV]=$((${host_cpuid_eax} & 2))
[SEV-ES]=$((${host_cpuid_eax} & 8))
[SNP]=$((${host_cpuid_eax} & 16))
)

# Map all the expected host sev/snp bit values in a single associative array
declare -A expected_sev_snp_bit_value=(
[SME]=1
[SEV]=2
[SEV-ES]=8
[SNP]=16
)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You could just grab the specific bit for each of the features and that way you don't have to create two different arrays.

tools/snp.sh Outdated
Comment on lines 214 to 224
declare -A actual_sev_snp_bit_status=(
[SEV]=$((${guest_msr_read} & 1))
[SEV-ES]=$((${guest_msr_read} & 2))
[SNP]=$((${guest_msr_read} & 4))
)

declare -A expected_sev_snp_bit_value=(
[SEV]=1
[SEV-ES]=2
[SNP]=4
)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same thing as above. You can just get the specific bit for each feature and that way you don't need 2 different arrays.

@@ -1228,6 +1325,7 @@ main() {

setup_and_launch_guest
wait_and_retry_command verify_snp_guest
wait_and_retry_command verify_platform_snp_bit_status guest
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should maybe replace verify_snp_guest. They are essentially doing the same thing, the only difference is that the original function is checking dmesg, while the bit_status is looking at the guest MSR to verify enablement. No need to run both of them if the MSR check is working correctly.

…able

Read the dedicated host cpuid 0x8000001f instruction set to check if SNP is on and supported

Signed-off-by: Harika <[email protected]>

Add shift operator for SNP host check

Signed-off-by: Harika Nittala <[email protected]>
This check reads the dedicated guest MSR(MSR_AMD64_SEV, MSR 0xc0010131) to determine if SNP is on and supported.

Signed-off-by: Harika Nittala <[email protected]>
@LakshmiSaiHarika LakshmiSaiHarika force-pushed the add-snp-check-via-instruction-set branch from 4ff4dcd to 699d8b1 Compare October 22, 2024 21:48
[SEV-ES]=$(( (${host_cpuid_eax} >> 3) & 1))
[SNP]=$(( (${host_cpuid_eax} >> 4) & 1))
)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Additionally to the CPUID (which checks if the feature is supported by the CPU) there is also an MSR that you can use to check if SME and SNP are enabled.

MSR 0xC0010010 bit 23 checks SME
MSR 0xC0010010 bit 24 checks SNP

Comment on lines +188 to +190
# Install guest rdmsr package dependencies to insert & insert guest msr module
ssh_guest_command "sudo DEBIAN_FRONTEND=noninteractive sudo apt install -y msr-tools > /dev/null 2>&1" > /dev/null 2>&1
ssh_guest_command "sudo modprobe msr" > /dev/null 2>&1
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will this only work on Debian?

Comment on lines +194 to +195
guest_msr_read=$(ssh_guest_command "sudo rdmsr -p 0 0xc0010131")
guest_msr_read=$(echo "${guest_msr_read}" | tr -d '\r' | bc)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In one of my tools that I built out to do this, I had an issue with padding. If I had a bit number that looked like 0000001, my msr read would return 1 not the full number. So when I tried to reach a bit that was a 0 I'd get a an issue trying to reach a digit that was not there. Have you checked for this issue? Try running this command in a guest with no SEV enabled and see if the fail case doesn't cause an error.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants