virt-host-validate: Detect SEV-ES and SEV-SNP

With a simple cpuid (Section "E.4.17 Function
8000_001Fh—Encrypted Memory Capabilities" in "AMD64 Architecture
Programmer’s Manual Vol. 3") we can detect whether the CPU is capable
of running SEV-ES and/or SEV-SNP guests. Report these in the
virt-host-validate tool.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Michal Privoznik 2024-06-24 09:31:09 +02:00
parent 30c01e535d
commit 1a8f646f29


@ -34,6 +34,7 @@
#include "virstring.h"
#include "virarch.h"
#include "virutil.h"
#include "virhostcpu.h"
#define VIR_FROM_THIS VIR_FROM_NONE
@ -380,9 +381,11 @@ bool virHostKernelModuleIsLoaded(const char *module)
static int
virHostValidateAMDSev(virValidateLevel level)
virHostValidateAMDSev(const char *hvname,
virValidateLevel level)
{
g_autofree char *mod_value = NULL;
uint32_t eax, ebx;
if (virFileReadValueString(&mod_value, "/sys/module/kvm_amd/parameters/sev") < 0) {
virValidateFail(level, "AMD Secure Encrypted Virtualization not "
@ -405,6 +408,32 @@ virHostValidateAMDSev(virValidateLevel level)
return VIR_VALIDATE_FAILURE(level);
}
virValidatePass();
virValidateCheck(hvname, "%s",
_("Checking for AMD Secure Encrypted Virtualization-Encrypted State (SEV-ES)"));
virHostCPUX86GetCPUID(0x8000001F, 0, &eax, &ebx, NULL, NULL);
if (eax & (1U << 3)) {
virValidatePass();
} else {
virValidateFail(level,
"AMD SEV-ES is not supported");
return VIR_VALIDATE_FAILURE(level);
}
virValidateCheck(hvname, "%s",
_("Checking for AMD Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP)"));
if (eax & (1U << 4)) {
virValidatePass();
} else {
virValidateFail(level,
"AMD SEV-SNP is not supported");
return VIR_VALIDATE_FAILURE(level);
}
return 1;
}
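Review bot: The return value of virHostCPUX86GetCPUID() in the first added line after virValidatePass() is ignored, and `eax` is declared without an initializer in the preceding hunk (`uint32_t eax, ebx;`), so if the helper fails (it can return -1 where CPUID is not available) both `eax & (1U << 3)` and `eax & (1U << 4)` test an indeterminate value and the SEV-ES/SEV-SNP verdicts become arbitrary. Guarding the call makes the failure explicit: `if (virHostCPUX86GetCPUID(0x8000001F, 0, &eax, NULL, NULL, NULL) < 0) { virValidateFail(level, "Unable to query CPUID for SEV features"); return VIR_VALIDATE_FAILURE(level); }`. `ebx` is fetched but never read in this function, so passing NULL for it (and dropping it from the declaration) avoids a dead variable. The two bit masks deserve a short comment tying them to the reference the description cites, e.g. `/* CPUID Fn8000_001F EAX: bit 3 = SEV-ES, bit 4 = SEV-SNP (AMD APM Vol. 3, E.4.17) */`, or named constants. The head of virHostValidateAMDSev, including the `eax` declaration, is in the previous hunk.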
@ -459,7 +488,7 @@ int virHostValidateSecureGuests(const char *hvname,
return VIR_VALIDATE_FAILURE(level);
}
} else if (hasAMDSev) {
int rc = virHostValidateAMDSev(level);
int rc = virHostValidateAMDSev(hvname, level);
if (rc > 0)
virValidatePass();