mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-10-02 04:15:46 +00:00
tools: fix VMSA construction with explicit CPU family/model/stepping
If the CPU family/model/stepping are provided on the command line, but the firmware is being automatically extracted from the libvirt guest, we try to build the VMSA too early. This leads to an exception trying to parse the firmware that has not been loaded yet. We must delay building the VMSA in that scenario. Reviewed-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Erik Skultety <eskultet@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
parent
6b95437c17
commit
120724bc6d
@ -940,7 +940,7 @@ class LibvirtConfidentialVM(ConfidentialVM):
|
|||||||
"kernel/initrd/cmdline not provided but kernel "
|
"kernel/initrd/cmdline not provided but kernel "
|
||||||
"measurement is enabled")
|
"measurement is enabled")
|
||||||
|
|
||||||
def load_domain(self, uri, id_name_uuid, secure, ignore_config):
|
def load_domain(self, uri, id_name_uuid, build_vmsa, secure, ignore_config):
|
||||||
self.conn = libvirt.open(uri)
|
self.conn = libvirt.open(uri)
|
||||||
|
|
||||||
remote = socket.getfqdn() != self.conn.getHostname()
|
remote = socket.getfqdn() != self.conn.getHostname()
|
||||||
@ -1049,7 +1049,7 @@ class LibvirtConfidentialVM(ConfidentialVM):
|
|||||||
capsxml = self.conn.getCapabilities()
|
capsxml = self.conn.getCapabilities()
|
||||||
capsdoc = etree.fromstring(capsxml)
|
capsdoc = etree.fromstring(capsxml)
|
||||||
|
|
||||||
if self.is_sev_es() and self.vmsa_cpu0 is None:
|
if self.is_sev_es() and build_vmsa:
|
||||||
if secure:
|
if secure:
|
||||||
raise InsecureUsageException(
|
raise InsecureUsageException(
|
||||||
"Using CPU SKU from capabilities is not secure")
|
"Using CPU SKU from capabilities is not secure")
|
||||||
@ -1263,17 +1263,19 @@ def attest(args):
|
|||||||
if args.vmsa_cpu1 is not None:
|
if args.vmsa_cpu1 is not None:
|
||||||
cvm.load_vmsa_cpu1(args.vmsa_cpu1)
|
cvm.load_vmsa_cpu1(args.vmsa_cpu1)
|
||||||
|
|
||||||
|
if args.domain is not None:
|
||||||
|
build_vmsa = args.vmsa_cpu0 is None and args.cpu_family is None
|
||||||
|
cvm.load_domain(args.connect,
|
||||||
|
args.domain,
|
||||||
|
build_vmsa,
|
||||||
|
not args.insecure,
|
||||||
|
args.ignore_config)
|
||||||
|
|
||||||
if args.cpu_family is not None:
|
if args.cpu_family is not None:
|
||||||
cvm.build_vmsas(args.cpu_family,
|
cvm.build_vmsas(args.cpu_family,
|
||||||
args.cpu_model,
|
args.cpu_model,
|
||||||
args.cpu_stepping)
|
args.cpu_stepping)
|
||||||
|
|
||||||
if args.domain is not None:
|
|
||||||
cvm.load_domain(args.connect,
|
|
||||||
args.domain,
|
|
||||||
not args.insecure,
|
|
||||||
args.ignore_config)
|
|
||||||
|
|
||||||
cvm.attest()
|
cvm.attest()
|
||||||
if not args.quiet:
|
if not args.quiet:
|
||||||
print("OK: Looks good to me")
|
print("OK: Looks good to me")
|
||||||
|
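Review bot: The new `build_vmsa` parameter sits positionally right before `secure` in `load_domain(self, uri, id_name_uuid, build_vmsa, secure, ignore_config)`, so the call in `attest()` now passes three adjacent booleans by position. Transposing the first two would silently change when `InsecureUsageException` is raised for a CPU SKU taken from host capabilities. Passing them by keyword makes the binding explicit: `cvm.load_domain(args.connect, args.domain, build_vmsa=build_vmsa, secure=not args.insecure, ignore_config=args.ignore_config)`. The `build_vmsa = ...` line in `attest()` would also benefit from a comment giving the ordering reason from the commit message, e.g. `# Explicit CPU family/model/stepping: defer to build_vmsas() below, after load_domain() has loaded the firmware`. The body of `load_domain` continues outside the visible hunks, so any other use of `self.vmsa_cpu0` there is not reviewed here.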