[PATCH hyperv-next v2 1/4] Documentation: hyperv: Confidential VMBus
Roman Kisel
romank at linux.microsoft.com
Tue May 13 09:24:43 PDT 2025
On 5/11/2025 10:22 PM, ALOK TIWARI wrote:
>
>
> On 12-05-2025 04:37, Roman Kisel wrote:
>> Define what the confidential VMBus is and describe what advantages
>> it offers on the capable hardware.
>>
>> Signed-off-by: Roman Kisel <romank at linux.microsoft.com>
>> ---
>> Documentation/virt/hyperv/vmbus.rst | 41 +++++++++++++++++++++++++++++
>> 1 file changed, 41 insertions(+)
>>
>> diff --git a/Documentation/virt/hyperv/vmbus.rst b/Documentation/virt/
>> hyperv/vmbus.rst
>> index 1dcef6a7fda3..ca2b948e5070 100644
>> --- a/Documentation/virt/hyperv/vmbus.rst
>> +++ b/Documentation/virt/hyperv/vmbus.rst
>> @@ -324,3 +324,44 @@ rescinded, neither Hyper-V nor Linux retains any
>> state about
>> its previous existence. Such a device might be re-added later,
>> in which case it is treated as an entirely new device. See
>> vmbus_onoffer_rescind().
>> +
>> +Confidential VMBus
>> +------------------
>> +
>
> The purpose and benefits of the Confidential VMBus are not clearly stated.
> for example:
> "Confidential VMBus provides a secure communication channel between
> guest and paravisor, ensuring that sensitive data is protected from
> hypervisor-level access through memory encryption and register state
> isolation."
>
>> +The confidential VMBus provides the control and data planes where
>> +the guest doesn't talk to either the hypervisor or the host. Instead,
>> +it relies on the trusted paravisor. The hardware (SNP or TDX) encrypts
>> +the guest memory and the register state also measuring the paravisor
>
> s/alos/while and s/via using/using
> "register state while measuring the paravisor image using the platform
> security"
>
>> +image via using the platform security processor to ensure trusted and
>> +confidential computing.
>> +
>> +To support confidential communication with the paravisor, a VMBus client
>> +will first attempt to use regular, non-isolated mechanisms for
>> communication.
>> +To do this, it must:
>> +
>> +* Configure the paravisor SIMP with an encrypted page. The paravisor
>> SIMP is
>> + configured by setting the relevant MSR directly, without using GHCB
>> or tdcall.
>> +
>> +* Enable SINT 2 on both the paravisor and hypervisor, without setting
>> the proxy
>> + flag on the paravisor SINT. Enable interrupts on the paravisor SynIC.
>> +
>> +* Configure both the paravisor and hypervisor event flags page.
>> + Both pages will need to be scanned when VMBus receives a channel
>> interrupt.
>> +
>> +* Send messages to the paravisor by calling HvPostMessage directly,
>> without using
>> + GHCB or tdcall.
>> +
>> +* Set the EOM MSR directly in the paravisor, without using GHCB or
>> tdcall.
>> +
>> +If sending the InitiateContact message using non-isolated
>> HvPostMessage fails,
>> +the client must fall back to using the hypervisor synic, by using the
>> GHCB/tdcall
>> +as appropriate.
>> +
>> +To fall back, the client will have to reconfigure the following:
>> +
>> +* Configure the hypervisor SIMP with a host-visible page.
>> + Since the hypervisor SIMP is not used when in confidential mode,
>> + this can be done up front, or only when needed, whichever makes
>> sense for
>> + the particular implementation.
>
> "SIMP is not used in confidential mode,
> this can be done either upfront or only when needed, depending on the
> specific implementation."
>
>> +
>> +* Set the proxy flag on SINT 2 for the paravisor.
>
Alok, thanks for you continued interest and support! I'll incorporate
your suggestions in the next version of the patchset, great points!
>
> Thanks,
> Alok
>
--
Thank you,
Roman
More information about the linux-arm-kernel
mailing list