Lines Matching +full:secure +full:- +full:only

1 .. SPDX-License-Identifier: GPL-2.0
15 POWER 9 that enables Secure Virtual Machines (SVMs). DD2.3 chips
16 (PVR=0x004e1203) or greater will be PEF-capable. A new ISA release
25 +------------------+
29 +------------------+
31 +------------------+
33 +------------------+
35 +------------------+
38 VMs in the system. SVMs are protected while at rest and can only be
56 process is running in secure mode, MSR(S) bit 41. MSR(S)=1, process
57 is in secure mode, MSR(S)=0 process is in normal mode.
59 * The MSR(S) bit can only be set by the Ultravisor.
63 the VM it is returning to is secure.
73 **Secure Mode MSR Settings**
75 +---+---+---+---------------+
79 +---+---+---+---------------+
81 +---+---+---+---------------+
83 +---+---+---+---------------+
85 +---+---+---+---------------+
89 +---+---+---+---------------+
93 +---+---+---+---------------+
95 +---+---+---+---------------+
97 +---+---+---+---------------+
99 +---+---+---+---------------+
101 * Memory is partitioned into secure and normal memory. Only processes
102 that are running in secure mode can access secure memory.
104 * The hardware does not allow anything that is not running secure to
105 access secure memory. This means that the Hypervisor cannot access
107 Ultravisor). The Ultravisor will only allow the hypervisor to see
110 * I/O systems are not allowed to directly address secure memory. This
111 limits the SVMs to virtual I/O only.
117 * When a process is running in secure mode all hypercalls
120 * When a process is in secure mode all interrupts go to the
131 If SMFCTRL(D) is not set they do not work in secure mode. When set,
135 * PTCR and partition table entries (partition table is in secure
139 * LDBAR (LD Base Address Register) and IMC (In-Memory Collection)
140 non-architected registers. An attempt to write to them will cause a
156 (Enter Secure Mode), to make the transition.
159 secure memory, decrypts the verification information, and checks the
161 passes control in secure mode.
182 * The movement of data between normal and secure pages is coordinated
183 with the Ultravisor by a new HMM plug-in in the Hypervisor.
203 * Secure memory: Memory that is accessible only to Ultravisor and
206 * Secure page: Page backed by secure memory and only available to
209 * SVM: Secure Virtual Machine.
219 support Secure Virtual Machines (SVM)s and Paravirtualized KVM. The
221 Ultravisor such as accessing a register or memory region that can only
222 be accessed when running in Ultravisor-privileged mode.
230 The only exception to this register usage is the ``UV_RETURN``
237 parameter-position based code. i.e U_PARAMETER, U_P2, U_P3 etc
241 and Hypervisor. Secure pages that are transferred from secure memory
243 When the secure pages are transferred back to secure memory, they may
247 For now this only covers ultracalls currently implemented and being
267 -----------
269 Encrypt and move the contents of a page from secure memory to normal
275 .. code-block:: c
280 uint64_t src_gpa, /* source guest-physical-address */
296 * U_BUSY if page cannot be currently paged-out.
301 Encrypt the contents of a secure-page and make it available to
304 By default, the source page is unmapped from the SVM's partition-
321 #. When Ultravisor runs low on secure memory and it needs to page-out
325 and the Ultravisor will encrypt and move the contents of the secure
334 ----------
336 Move the contents of a page from normal memory to secure memory.
341 .. code-block:: c
356 * U_BUSY if page cannot be currently paged-in.
368 memory to secure memory and map it to the guest physical address
372 partition-scoped page-table of the SVM. If `dest_gpa` is not shared,
373 copy the contents of the page into the corresponding secure page.
389 #. When a normal VM switches to secure mode, all its pages residing
390 in normal memory are moved into secure memory.
395 #. When an SVM accesses a secure page that has been paged-out,
401 -------------
408 .. code-block:: c
412 uint64_t guest_pa, /* destination guest-physical-address */
422 * U_P2 if ``guest_pa`` is invalid (or corresponds to a secure
434 ``guest_pa`` corresponds to a secure page, Ultravisor will ignore the
441 because it is paged-out to disk, Ultravisor needs to know that the
446 -------------
454 .. code-block:: c
473 of a secure virtual machine or if called from a
479 Validate and write a LPID and its partition-table-entry for the given
486 #. The Partition table resides in Secure memory and its entries,
487 called PATE (Partition Table Entries), point to the partition-
489 virtual machines (both secure and normal). The Hypervisor
490 operates in partition 0 and its partition-scoped page tables
493 #. This ultracall allows the Hypervisor to register the partition-
494 scoped and process-scoped page table entries for the Hypervisor
507 ---------
516 .. code-block:: c
536 * Non-volatile registers are restored to their original values.
556 --------------------
558 Register an SVM address-range with specified properties.
563 .. code-block:: c
597 #. When a virtual machine goes secure, all the memory slots managed by
598 the Hypervisor move into secure memory. The Hypervisor iterates
603 #. When new memory is hot-plugged, a new memory slot gets registered.
607 ----------------------
609 Unregister an SVM address-range that was previously registered using
615 .. code-block:: c
641 #. Memory hot-remove.
645 ----------------
652 .. code-block:: c
665 * U_INVALID if VM is not secure.
683 -------------
690 .. code-block:: c
703 * U_INVALID if the VM is not secure.
714 If the address is already backed by a secure page, unmap the page and
724 secure pages. Hence an SVM must explicitly request Ultravisor for
732 ---------------
739 .. code-block:: c
752 * U_INVALID if VM is not secure.
764 and back it with a secure page. Inform the Hypervisor to release
766 yet, mark the PTE as secure and back it with a secure page when that
767 address is accessed. If it is already backed by a secure page zero
777 --------------------
784 .. code-block:: c
795 * U_INVAL if VM is not secure.
801 zeroed on return. Only pages explicitly shared by the SVM with the
814 ------
816 Secure the virtual machine (*enter secure mode*).
821 .. code-block:: c
832 * U_SUCCESS on success (including if VM is already secure).
834 * U_INVALID if VM is not secure.
844 Secure the virtual machine. On successful completion, return
851 #. A normal virtual machine can choose to switch to a secure mode.
868 This document only covers hypercalls currently implemented/planned
881 ----------------
888 .. code-block:: c
898 * H_STATE if the VM is not in a position to switch to secure.
906 pages from normal to secure memory etc. When the process is
913 has initiated the process of switching to secure mode.
917 ---------------
924 .. code-block:: c
938 transition the VM to Secure VM.
955 ----------------
962 .. code-block:: c
976 * H_STATE if called after a VM has gone secure (i.e
989 On entry into this hypercall the non-volatile GPRs and FPRs are
997 out pages that were paged-into secure memory, and issue the
1015 -------------
1017 Move the contents of a page from normal memory to secure memory.
1022 .. code-block:: c
1025 uint64_t guest_pa, /* guest-physical-address */
1045 Only valid value(s) in ``flags`` are:
1058 #. When a normal VM becomes a secure VM (using the UV_ESM ultracall),
1060 the VM from normal memory to secure memory.
1065 #. Ultravisor uses this hypercall to page-in a paged-out page. This
1066 can happen when the SVM touches a paged-out page.
1074 ---------------
1081 .. code-block:: c
1084 uint64_t guest_pa, /* guest-physical-address */
1110 #. If Ultravisor is running low on secure pages, it can move the
1111 contents of some secure pages into normal pages using this
1117 - `Supporting Protected Computing on IBM Power Architecture <https://developer.ibm.com/articles/l-s…