hv: keylocker: Simulate CPUID of keylocker caps for guest VM

KeyLocker is a new security feature available in new Intel CPUs that
protects data-encryption keys for the Advanced Encryption Standard (AES)
algorithm.

This patch emulates Keylocker CPUID leaf 19H to support the Keylocker
feature for guest VMs.

To make the hypervisor able to manage the IWKey correctly, this
patch doesn't expose the hardware random IWKey capability
(CPUID.0x19.ECX[1]) to the guest VM.

Tracked-On: #5695
Signed-off-by: Shuo A Liu <shuo.a.liu@intel.com>
Acked-by: Eddie Dong <eddie.dong@Intel.com>
Shuo A Liu
2020-08-24 19:31:49 +08:00
committed by wenlingz
parent 15c967ad34
commit e9247dbca0
4 changed files with 48 additions and 2 deletions


@@ -78,6 +78,9 @@
#define X86_FEATURE_SMAP ((FEAT_7_0_EBX << 5U) + 20U)
#define X86_FEATURE_CLFLUSHOPT ((FEAT_7_0_EBX << 5U) + 23U)
/* Intel-defined CPU features, CPUID level 0x00000007 (ECX)*/
#define X86_FEATURE_KEYLOCKER ((FEAT_7_0_ECX << 5U) + 23U)
/* Intel-defined CPU features, CPUID level 0x00000007 (EDX)*/
#define X86_FEATURE_MDS_CLEAR ((FEAT_7_0_EDX << 5U) + 10U)
#define X86_FEATURE_IBRS_IBPB ((FEAT_7_0_EDX << 5U) + 26U)
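
Review bot: X86_FEATURE_KEYLOCKER sits at bit 23 of FEAT_7_0_ECX, but nothing in this hunk shows that the guest-visible CPUID.07H.ECX[23] is tied to the leaf 19H emulation the commit message describes; a guest that sees one without the other gets an inconsistent view of the feature. Please confirm both are gated by the same condition. Minor style point: the `(ECX)*/` section comment above the define has no space before the closing `*/`.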


@@ -126,6 +126,14 @@
#define CPUID_EAX_SGX1 (1U<<0U)
/* CPUID.12H.EAX.SGX2 */
#define CPUID_EAX_SGX2 (1U<<1U)
/* CPUID.19H.EBX.KL_AES_ENABLED */
#define CPUID_EBX_KL_AES_EN (1U<<0U)
/* CPUID.19H.EBX.KL_BACKUP_MSR */
#define CPUID_EBX_KL_BACKUP_MSR (1U<<4U)
/* CPUID.19H.ECX.KL_NOBACKUP */
#define CPUID_ECX_KL_NOBACKUP (1U<<0U)
/* CPUID.19H.ECX.KL_RANDOM_KS */
#define CPUID_ECX_KL_RANDOM_KS (1U<<1U)
/* CPUID.80000001H.EDX.XD_BIT_AVAILABLE */
#define CPUID_EDX_XD_BIT_AVIL (1U<<20U)
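
Review bot: CPUID_ECX_KL_RANDOM_KS is defined with no indication that it is the bit the commit message says must stay hidden from guests (CPUID.0x19.ECX[1]); a short comment on the define stating that it is masked in the guest's leaf 19H would keep a later change from exposing it by accident. Also, the comment names the field KL_AES_ENABLED while the macro is CPUID_EBX_KL_AES_EN; the other three defines match their field names, so consider aligning this one.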