conf: Add s390-pv as launch security type

Add launch security type 's390-pv' as well as some tests.

Signed-off-by: Boris Fiuczynski <fiuczy@linux.ibm.com>
Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
This commit is contained in:
Boris Fiuczynski 2021-07-21 13:17:40 +02:00 committed by Pavel Hrdina
parent 13f4860c61
commit 9568a4d410
14 changed files with 158 additions and 0 deletions

View File

@ -486,6 +486,11 @@
<group> <group>
<ref name="launchSecuritySEV"/> <ref name="launchSecuritySEV"/>
</group> </group>
<group>
<attribute name="type">
<value>s390-pv</value>
</attribute>
</group>
</choice> </choice>
</element> </element>
</define> </define>

View File

@ -1401,6 +1401,7 @@ VIR_ENUM_IMPL(virDomainLaunchSecurity,
VIR_DOMAIN_LAUNCH_SECURITY_LAST, VIR_DOMAIN_LAUNCH_SECURITY_LAST,
"", "",
"sev", "sev",
"s390-pv",
); );
static virClass *virDomainObjClass; static virClass *virDomainObjClass;
@ -3501,6 +3502,7 @@ virDomainSecDefFree(virDomainSecDef *def)
g_free(def->data.sev.dh_cert); g_free(def->data.sev.dh_cert);
g_free(def->data.sev.session); g_free(def->data.sev.session);
break; break;
case VIR_DOMAIN_LAUNCH_SECURITY_PV:
case VIR_DOMAIN_LAUNCH_SECURITY_NONE: case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
case VIR_DOMAIN_LAUNCH_SECURITY_LAST: case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
break; break;
@ -14784,6 +14786,8 @@ virDomainSecDefParseXML(xmlNodePtr lsecNode,
if (virDomainSEVDefParseXML(&sec->data.sev, ctxt) < 0) if (virDomainSEVDefParseXML(&sec->data.sev, ctxt) < 0)
return NULL; return NULL;
break; break;
case VIR_DOMAIN_LAUNCH_SECURITY_PV:
break;
case VIR_DOMAIN_LAUNCH_SECURITY_NONE: case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
case VIR_DOMAIN_LAUNCH_SECURITY_LAST: case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
default: default:
@ -26912,6 +26916,10 @@ virDomainSecDefFormat(virBuffer *buf, virDomainSecDef *sec)
break; break;
} }
case VIR_DOMAIN_LAUNCH_SECURITY_PV:
break;
case VIR_DOMAIN_LAUNCH_SECURITY_NONE: case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
case VIR_DOMAIN_LAUNCH_SECURITY_LAST: case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
return; return;

View File

@ -2645,6 +2645,7 @@ struct _virDomainKeyWrapDef {
typedef enum { typedef enum {
VIR_DOMAIN_LAUNCH_SECURITY_NONE, VIR_DOMAIN_LAUNCH_SECURITY_NONE,
VIR_DOMAIN_LAUNCH_SECURITY_SEV, VIR_DOMAIN_LAUNCH_SECURITY_SEV,
VIR_DOMAIN_LAUNCH_SECURITY_PV,
VIR_DOMAIN_LAUNCH_SECURITY_LAST, VIR_DOMAIN_LAUNCH_SECURITY_LAST,
} virDomainLaunchSecurity; } virDomainLaunchSecurity;

View File

@ -6976,6 +6976,9 @@ qemuBuildMachineCommandLine(virCommand *cmd,
virBufferAddLit(&buf, ",memory-encryption=sev0"); virBufferAddLit(&buf, ",memory-encryption=sev0");
} }
break; break;
case VIR_DOMAIN_LAUNCH_SECURITY_PV:
virBufferAddLit(&buf, ",confidential-guest-support=pv0");
break;
case VIR_DOMAIN_LAUNCH_SECURITY_NONE: case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
case VIR_DOMAIN_LAUNCH_SECURITY_LAST: case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
virReportEnumRangeError(virDomainLaunchSecurity, def->sec->sectype); virReportEnumRangeError(virDomainLaunchSecurity, def->sec->sectype);
@ -9873,6 +9876,26 @@ qemuBuildSEVCommandLine(virDomainObj *vm, virCommand *cmd,
} }
static int
qemuBuildPVCommandLine(virDomainObj *vm, virCommand *cmd)
{
g_autoptr(virJSONValue) props = NULL;
g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
qemuDomainObjPrivate *priv = vm->privateData;
if (qemuMonitorCreateObjectProps(&props, "s390-pv-guest", "pv0",
NULL) < 0)
return -1;
if (qemuBuildObjectCommandlineFromJSON(&buf, props, priv->qemuCaps) < 0)
return -1;
virCommandAddArg(cmd, "-object");
virCommandAddArgBuffer(cmd, &buf);
return 0;
}
static int static int
qemuBuildSecCommandLine(virDomainObj *vm, virCommand *cmd, qemuBuildSecCommandLine(virDomainObj *vm, virCommand *cmd,
virDomainSecDef *sec) virDomainSecDef *sec)
@ -9884,6 +9907,9 @@ qemuBuildSecCommandLine(virDomainObj *vm, virCommand *cmd,
case VIR_DOMAIN_LAUNCH_SECURITY_SEV: case VIR_DOMAIN_LAUNCH_SECURITY_SEV:
return qemuBuildSEVCommandLine(vm, cmd, &sec->data.sev); return qemuBuildSEVCommandLine(vm, cmd, &sec->data.sev);
break; break;
case VIR_DOMAIN_LAUNCH_SECURITY_PV:
return qemuBuildPVCommandLine(vm, cmd);
break;
case VIR_DOMAIN_LAUNCH_SECURITY_NONE: case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
case VIR_DOMAIN_LAUNCH_SECURITY_LAST: case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
virReportEnumRangeError(virDomainLaunchSecurity, sec->sectype); virReportEnumRangeError(virDomainLaunchSecurity, sec->sectype);

View File

@ -1069,6 +1069,8 @@ qemuFirmwareMatchDomain(const virDomainDef *def,
return false; return false;
} }
break; break;
case VIR_DOMAIN_LAUNCH_SECURITY_PV:
break;
case VIR_DOMAIN_LAUNCH_SECURITY_NONE: case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
case VIR_DOMAIN_LAUNCH_SECURITY_LAST: case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
virReportEnumRangeError(virDomainLaunchSecurity, def->sec->sectype); virReportEnumRangeError(virDomainLaunchSecurity, def->sec->sectype);

View File

@ -607,6 +607,8 @@ qemuDomainSetupLaunchSecurity(virDomainObj *vm,
VIR_DEBUG("Set up launch security for SEV"); VIR_DEBUG("Set up launch security for SEV");
break; break;
case VIR_DOMAIN_LAUNCH_SECURITY_PV:
break;
case VIR_DOMAIN_LAUNCH_SECURITY_NONE: case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
case VIR_DOMAIN_LAUNCH_SECURITY_LAST: case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
virReportEnumRangeError(virDomainLaunchSecurity, sec->sectype); virReportEnumRangeError(virDomainLaunchSecurity, sec->sectype);

View File

@ -6705,6 +6705,8 @@ qemuProcessPrepareLaunchSecurityGuestInput(virDomainObj *vm)
switch ((virDomainLaunchSecurity) sec->sectype) { switch ((virDomainLaunchSecurity) sec->sectype) {
case VIR_DOMAIN_LAUNCH_SECURITY_SEV: case VIR_DOMAIN_LAUNCH_SECURITY_SEV:
return qemuProcessPrepareSEVGuestInput(vm); return qemuProcessPrepareSEVGuestInput(vm);
case VIR_DOMAIN_LAUNCH_SECURITY_PV:
return 0;
case VIR_DOMAIN_LAUNCH_SECURITY_NONE: case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
case VIR_DOMAIN_LAUNCH_SECURITY_LAST: case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
virReportEnumRangeError(virDomainLaunchSecurity, sec->sectype); virReportEnumRangeError(virDomainLaunchSecurity, sec->sectype);

View File

@ -1224,6 +1224,16 @@ qemuValidateDomainDef(const virDomainDef *def,
return -1; return -1;
} }
break; break;
case VIR_DOMAIN_LAUNCH_SECURITY_PV:
if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_MACHINE_CONFIDENTAL_GUEST_SUPPORT) ||
!virQEMUCapsGet(qemuCaps, QEMU_CAPS_S390_PV_GUEST) ||
!virQEMUCapsGetKVMSupportsSecureGuest(qemuCaps)) {
virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
_("S390 PV launch security is not supported with "
"this QEMU binary"));
return -1;
}
break;
case VIR_DOMAIN_LAUNCH_SECURITY_NONE: case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
case VIR_DOMAIN_LAUNCH_SECURITY_LAST: case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
virReportEnumRangeError(virDomainLaunchSecurity, def->sec->sectype); virReportEnumRangeError(virDomainLaunchSecurity, def->sec->sectype);

View File

@ -0,0 +1,18 @@
<domain type='kvm'>
<name>QEMUGuest1</name>
<uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
<memory unit='KiB'>219100</memory>
<currentMemory unit='KiB'>219100</currentMemory>
<vcpu placement='static'>1</vcpu>
<os>
<type arch='s390x' machine='s390-ccw-virtio'>hvm</type>
<boot dev='hd'/>
</os>
<clock offset='utc'/>
<on_poweroff>destroy</on_poweroff>
<on_reboot>restart</on_reboot>
<on_crash>destroy</on_crash>
<devices>
</devices>
<launchSecurity type='s390-pv'/>
</domain>

View File

@ -233,6 +233,7 @@ mymain(void)
DO_TEST("tseg"); DO_TEST("tseg");
DO_TEST("launch-security-sev"); DO_TEST("launch-security-sev");
DO_TEST("launch-security-s390-pv");
DO_TEST_DIFFERENT("cputune"); DO_TEST_DIFFERENT("cputune");
DO_TEST("device-backenddomain"); DO_TEST("device-backenddomain");

View File

@ -0,0 +1,35 @@
LC_ALL=C \
PATH=/bin \
HOME=/tmp/lib/domain--1-QEMUGuest1 \
USER=test \
LOGNAME=test \
XDG_DATA_HOME=/tmp/lib/domain--1-QEMUGuest1/.local/share \
XDG_CACHE_HOME=/tmp/lib/domain--1-QEMUGuest1/.cache \
XDG_CONFIG_HOME=/tmp/lib/domain--1-QEMUGuest1/.config \
/usr/bin/qemu-system-s390x \
-name guest=QEMUGuest1,debug-threads=on \
-S \
-object '{"qom-type":"secret","id":"masterKey0","format":"raw","file":"/tmp/lib/domain--1-QEMUGuest1/master-key.aes"}' \
-machine s390-ccw-virtio,accel=kvm,usb=off,dump-guest-core=off,confidential-guest-support=pv0,memory-backend=s390.ram \
-cpu gen15a-base,aen=on,cmmnt=on,vxpdeh=on,aefsi=on,diag318=on,csske=on,mepoch=on,msa9=on,msa8=on,msa7=on,msa6=on,msa5=on,msa4=on,msa3=on,msa2=on,msa1=on,sthyi=on,edat=on,ri=on,deflate=on,edat2=on,etoken=on,vx=on,ipter=on,mepochptff=on,ap=on,vxeh=on,vxpd=on,esop=on,msa9_pckmo=on,vxeh2=on,esort=on,apqi=on,apft=on,els=on,iep=on,apqci=on,cte=on,ais=on,bpb=on,gs=on,ppa15=on,zpci=on,sea_esop2=on,te=on,cmm=on \
-m 214 \
-object '{"qom-type":"memory-backend-ram","id":"s390.ram","size":224395264}' \
-overcommit mem-lock=off \
-smp 1,sockets=1,cores=1,threads=1 \
-uuid c7a5fdbd-edaf-9455-926a-d65c16db1809 \
-display none \
-no-user-config \
-nodefaults \
-chardev socket,id=charmonitor,fd=1729,server=on,wait=off \
-mon chardev=charmonitor,id=monitor,mode=control \
-rtc base=utc \
-no-shutdown \
-boot strict=on \
-blockdev '{"driver":"host_device","filename":"/dev/HostVG/QEMUGuest1","node-name":"libvirt-1-storage","auto-read-only":true,"discard":"unmap"}' \
-blockdev '{"node-name":"libvirt-1-format","read-only":false,"driver":"raw","file":"libvirt-1-storage"}' \
-device virtio-blk-ccw,devno=fe.0.0000,drive=libvirt-1-format,id=virtio-disk0,bootindex=1 \
-audiodev id=audio1,driver=none \
-device virtio-balloon-ccw,id=balloon0,devno=fe.0.0001 \
-object '{"qom-type":"s390-pv-guest","id":"pv0"}' \
-sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \
-msg timestamp=on

View File

@ -0,0 +1,30 @@
<domain type='kvm'>
<name>QEMUGuest1</name>
<uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
<memory unit='KiB'>219100</memory>
<currentMemory unit='KiB'>219100</currentMemory>
<vcpu placement='static'>1</vcpu>
<os>
<type arch='s390x' machine='s390-ccw-virtio'>hvm</type>
<boot dev='hd'/>
</os>
<clock offset='utc'/>
<on_poweroff>destroy</on_poweroff>
<on_reboot>restart</on_reboot>
<on_crash>destroy</on_crash>
<devices>
<emulator>/usr/bin/qemu-system-s390x</emulator>
<disk type='block' device='disk'>
<driver name='qemu' type='raw'/>
<source dev='/dev/HostVG/QEMUGuest1'/>
<target dev='hda' bus='virtio'/>
<address type='ccw' cssid='0xfe' ssid='0x0' devno='0x0000'/>
</disk>
<controller type='pci' index='0' model='pci-root'/>
<memballoon model='virtio'>
<address type='ccw' cssid='0xfe' ssid='0x0' devno='0x0001'/>
</memballoon>
<panic model='s390'/>
</devices>
<launchSecurity type='s390-pv'/>
</domain>

View File

@ -41,6 +41,7 @@
#include "virutil.h" #include "virutil.h"
#include "qemu/qemu_interface.h" #include "qemu/qemu_interface.h"
#include "qemu/qemu_command.h" #include "qemu/qemu_command.h"
#include "qemu/qemu_capabilities.h"
#include <time.h> #include <time.h>
#include <unistd.h> #include <unistd.h>
#include <fcntl.h> #include <fcntl.h>
@ -301,3 +302,18 @@ virIdentityEnsureSystemToken(void)
{ {
return g_strdup("3de80bcbf22d4833897f1638e01be9b2"); return g_strdup("3de80bcbf22d4833897f1638e01be9b2");
} }
static bool (*real_virQEMUCapsGetKVMSupportsSecureGuest)(virQEMUCaps *qemuCaps);
bool
virQEMUCapsGetKVMSupportsSecureGuest(virQEMUCaps *qemuCaps)
{
if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_MACHINE_CONFIDENTAL_GUEST_SUPPORT) &&
virQEMUCapsGet(qemuCaps, QEMU_CAPS_S390_PV_GUEST))
return true;
if (!real_virQEMUCapsGetKVMSupportsSecureGuest)
VIR_MOCK_REAL_INIT(virQEMUCapsGetKVMSupportsSecureGuest);
return real_virQEMUCapsGetKVMSupportsSecureGuest(qemuCaps);
}

View File

@ -3469,6 +3469,8 @@ mymain(void)
DO_TEST_CAPS_VER("launch-security-sev", "6.0.0"); DO_TEST_CAPS_VER("launch-security-sev", "6.0.0");
DO_TEST_CAPS_VER("launch-security-sev-missing-platform-info", "2.12.0"); DO_TEST_CAPS_VER("launch-security-sev-missing-platform-info", "2.12.0");
DO_TEST_CAPS_ARCH_LATEST("launch-security-s390-pv", "s390x");
DO_TEST_CAPS_LATEST("vhost-user-fs-fd-memory"); DO_TEST_CAPS_LATEST("vhost-user-fs-fd-memory");
DO_TEST_CAPS_LATEST("vhost-user-fs-hugepages"); DO_TEST_CAPS_LATEST("vhost-user-fs-hugepages");
DO_TEST_CAPS_LATEST_PARSE_ERROR("vhost-user-fs-readonly"); DO_TEST_CAPS_LATEST_PARSE_ERROR("vhost-user-fs-readonly");