conf: Add s390-pv as launch security type
Add launch security type 's390-pv' as well as some tests. Signed-off-by: Boris Fiuczynski <fiuczy@linux.ibm.com> Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com> Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
This commit is contained in:
parent
13f4860c61
commit
9568a4d410
@ -486,6 +486,11 @@
|
|||||||
<group>
|
<group>
|
||||||
<ref name="launchSecuritySEV"/>
|
<ref name="launchSecuritySEV"/>
|
||||||
</group>
|
</group>
|
||||||
|
<group>
|
||||||
|
<attribute name="type">
|
||||||
|
<value>s390-pv</value>
|
||||||
|
</attribute>
|
||||||
|
</group>
|
||||||
</choice>
|
</choice>
|
||||||
</element>
|
</element>
|
||||||
</define>
|
</define>
|
||||||
|
@ -1401,6 +1401,7 @@ VIR_ENUM_IMPL(virDomainLaunchSecurity,
|
|||||||
VIR_DOMAIN_LAUNCH_SECURITY_LAST,
|
VIR_DOMAIN_LAUNCH_SECURITY_LAST,
|
||||||
"",
|
"",
|
||||||
"sev",
|
"sev",
|
||||||
|
"s390-pv",
|
||||||
);
|
);
|
||||||
|
|
||||||
static virClass *virDomainObjClass;
|
static virClass *virDomainObjClass;
|
||||||
@ -3501,6 +3502,7 @@ virDomainSecDefFree(virDomainSecDef *def)
|
|||||||
g_free(def->data.sev.dh_cert);
|
g_free(def->data.sev.dh_cert);
|
||||||
g_free(def->data.sev.session);
|
g_free(def->data.sev.session);
|
||||||
break;
|
break;
|
||||||
|
case VIR_DOMAIN_LAUNCH_SECURITY_PV:
|
||||||
case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
|
case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
|
||||||
case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
|
case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
|
||||||
break;
|
break;
|
||||||
@ -14784,6 +14786,8 @@ virDomainSecDefParseXML(xmlNodePtr lsecNode,
|
|||||||
if (virDomainSEVDefParseXML(&sec->data.sev, ctxt) < 0)
|
if (virDomainSEVDefParseXML(&sec->data.sev, ctxt) < 0)
|
||||||
return NULL;
|
return NULL;
|
||||||
break;
|
break;
|
||||||
|
case VIR_DOMAIN_LAUNCH_SECURITY_PV:
|
||||||
|
break;
|
||||||
case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
|
case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
|
||||||
case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
|
case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
|
||||||
default:
|
default:
|
||||||
@ -26912,6 +26916,10 @@ virDomainSecDefFormat(virBuffer *buf, virDomainSecDef *sec)
|
|||||||
|
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
case VIR_DOMAIN_LAUNCH_SECURITY_PV:
|
||||||
|
break;
|
||||||
|
|
||||||
case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
|
case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
|
||||||
case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
|
case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
|
||||||
return;
|
return;
|
||||||
|
@ -2645,6 +2645,7 @@ struct _virDomainKeyWrapDef {
|
|||||||
typedef enum {
|
typedef enum {
|
||||||
VIR_DOMAIN_LAUNCH_SECURITY_NONE,
|
VIR_DOMAIN_LAUNCH_SECURITY_NONE,
|
||||||
VIR_DOMAIN_LAUNCH_SECURITY_SEV,
|
VIR_DOMAIN_LAUNCH_SECURITY_SEV,
|
||||||
|
VIR_DOMAIN_LAUNCH_SECURITY_PV,
|
||||||
|
|
||||||
VIR_DOMAIN_LAUNCH_SECURITY_LAST,
|
VIR_DOMAIN_LAUNCH_SECURITY_LAST,
|
||||||
} virDomainLaunchSecurity;
|
} virDomainLaunchSecurity;
|
||||||
|
@ -6976,6 +6976,9 @@ qemuBuildMachineCommandLine(virCommand *cmd,
|
|||||||
virBufferAddLit(&buf, ",memory-encryption=sev0");
|
virBufferAddLit(&buf, ",memory-encryption=sev0");
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
|
case VIR_DOMAIN_LAUNCH_SECURITY_PV:
|
||||||
|
virBufferAddLit(&buf, ",confidential-guest-support=pv0");
|
||||||
|
break;
|
||||||
case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
|
case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
|
||||||
case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
|
case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
|
||||||
virReportEnumRangeError(virDomainLaunchSecurity, def->sec->sectype);
|
virReportEnumRangeError(virDomainLaunchSecurity, def->sec->sectype);
|
||||||
@ -9873,6 +9876,26 @@ qemuBuildSEVCommandLine(virDomainObj *vm, virCommand *cmd,
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
static int
|
||||||
|
qemuBuildPVCommandLine(virDomainObj *vm, virCommand *cmd)
|
||||||
|
{
|
||||||
|
g_autoptr(virJSONValue) props = NULL;
|
||||||
|
g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
|
||||||
|
qemuDomainObjPrivate *priv = vm->privateData;
|
||||||
|
|
||||||
|
if (qemuMonitorCreateObjectProps(&props, "s390-pv-guest", "pv0",
|
||||||
|
NULL) < 0)
|
||||||
|
return -1;
|
||||||
|
|
||||||
|
if (qemuBuildObjectCommandlineFromJSON(&buf, props, priv->qemuCaps) < 0)
|
||||||
|
return -1;
|
||||||
|
|
||||||
|
virCommandAddArg(cmd, "-object");
|
||||||
|
virCommandAddArgBuffer(cmd, &buf);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
static int
|
static int
|
||||||
qemuBuildSecCommandLine(virDomainObj *vm, virCommand *cmd,
|
qemuBuildSecCommandLine(virDomainObj *vm, virCommand *cmd,
|
||||||
virDomainSecDef *sec)
|
virDomainSecDef *sec)
|
||||||
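Review bot: qemuBuildPVCommandLine is added without a header comment, and the object id `"pv0"` it passes to qemuMonitorCreateObjectProps must stay in sync with the `,confidential-guest-support=pv0` literal emitted in the qemuBuildMachineCommandLine hunk above — nothing in either place records that coupling. Suggest a comment above the new function: `/* Emit the s390-pv-guest object; its id must match the confidential-guest-support=pv0 reference written by qemuBuildMachineCommandLine */`. The `vm` parameter is used only to reach `priv->qemuCaps`, which mirrors the SEV helper's signature, so keeping it is fine; a shared macro for the "pv0"/"sev0" ids would be a reasonable follow-up rather than a blocker for this commit.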
@ -9884,6 +9907,9 @@ qemuBuildSecCommandLine(virDomainObj *vm, virCommand *cmd,
|
|||||||
case VIR_DOMAIN_LAUNCH_SECURITY_SEV:
|
case VIR_DOMAIN_LAUNCH_SECURITY_SEV:
|
||||||
return qemuBuildSEVCommandLine(vm, cmd, &sec->data.sev);
|
return qemuBuildSEVCommandLine(vm, cmd, &sec->data.sev);
|
||||||
break;
|
break;
|
||||||
|
case VIR_DOMAIN_LAUNCH_SECURITY_PV:
|
||||||
|
return qemuBuildPVCommandLine(vm, cmd);
|
||||||
|
break;
|
||||||
case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
|
case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
|
||||||
case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
|
case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
|
||||||
virReportEnumRangeError(virDomainLaunchSecurity, sec->sectype);
|
virReportEnumRangeError(virDomainLaunchSecurity, sec->sectype);
|
||||||
|
@ -1069,6 +1069,8 @@ qemuFirmwareMatchDomain(const virDomainDef *def,
|
|||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
|
case VIR_DOMAIN_LAUNCH_SECURITY_PV:
|
||||||
|
break;
|
||||||
case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
|
case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
|
||||||
case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
|
case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
|
||||||
virReportEnumRangeError(virDomainLaunchSecurity, def->sec->sectype);
|
virReportEnumRangeError(virDomainLaunchSecurity, def->sec->sectype);
|
||||||
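Review bot: The new `case VIR_DOMAIN_LAUNCH_SECURITY_PV:` in qemuFirmwareMatchDomain goes straight to `break` while the SEV case directly above it visibly enforces a condition (`return false`), so a reader cannot tell whether s390-pv genuinely places no constraint on firmware selection or whether the check is still to be written. The same unexplained empty cases appear in qemuDomainSetupLaunchSecurity (`break`) and qemuProcessPrepareLaunchSecurityGuestInput (`return 0`) in the two following hunks. Suggest a one-line why-comment in each, e.g. `/* s390-pv places no restriction on firmware selection */`, `/* s390-pv needs no extra namespace setup (unlike SEV) — confirm */`, and `/* s390-pv has no guest input to prepare */`. All three enclosing functions start and end outside their hunks.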
|
@ -607,6 +607,8 @@ qemuDomainSetupLaunchSecurity(virDomainObj *vm,
|
|||||||
|
|
||||||
VIR_DEBUG("Set up launch security for SEV");
|
VIR_DEBUG("Set up launch security for SEV");
|
||||||
break;
|
break;
|
||||||
|
case VIR_DOMAIN_LAUNCH_SECURITY_PV:
|
||||||
|
break;
|
||||||
case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
|
case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
|
||||||
case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
|
case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
|
||||||
virReportEnumRangeError(virDomainLaunchSecurity, sec->sectype);
|
virReportEnumRangeError(virDomainLaunchSecurity, sec->sectype);
|
||||||
|
@ -6705,6 +6705,8 @@ qemuProcessPrepareLaunchSecurityGuestInput(virDomainObj *vm)
|
|||||||
switch ((virDomainLaunchSecurity) sec->sectype) {
|
switch ((virDomainLaunchSecurity) sec->sectype) {
|
||||||
case VIR_DOMAIN_LAUNCH_SECURITY_SEV:
|
case VIR_DOMAIN_LAUNCH_SECURITY_SEV:
|
||||||
return qemuProcessPrepareSEVGuestInput(vm);
|
return qemuProcessPrepareSEVGuestInput(vm);
|
||||||
|
case VIR_DOMAIN_LAUNCH_SECURITY_PV:
|
||||||
|
return 0;
|
||||||
case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
|
case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
|
||||||
case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
|
case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
|
||||||
virReportEnumRangeError(virDomainLaunchSecurity, sec->sectype);
|
virReportEnumRangeError(virDomainLaunchSecurity, sec->sectype);
|
||||||
|
@ -1224,6 +1224,16 @@ qemuValidateDomainDef(const virDomainDef *def,
|
|||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
|
case VIR_DOMAIN_LAUNCH_SECURITY_PV:
|
||||||
|
if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_MACHINE_CONFIDENTAL_GUEST_SUPPORT) ||
|
||||||
|
!virQEMUCapsGet(qemuCaps, QEMU_CAPS_S390_PV_GUEST) ||
|
||||||
|
!virQEMUCapsGetKVMSupportsSecureGuest(qemuCaps)) {
|
||||||
|
virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
|
||||||
|
_("S390 PV launch security is not supported with "
|
||||||
|
"this QEMU binary"));
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
break;
|
||||||
case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
|
case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
|
||||||
case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
|
case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
|
||||||
virReportEnumRangeError(virDomainLaunchSecurity, def->sec->sectype);
|
virReportEnumRangeError(virDomainLaunchSecurity, def->sec->sectype);
|
||||||
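Review bot: The new PV branch in qemuValidateDomainDef folds three different failure causes into the single message "S390 PV launch security is not supported with this QEMU binary", but the third condition, `virQEMUCapsGetKVMSupportsSecureGuest(qemuCaps)`, appears to probe host/KVM support rather than the QEMU binary, so an operator whose QEMU is capable but whose host lacks secure-guest support is told to look at the wrong component. Splitting the condition so the host-side failure gets its own message makes the error actionable; the change is sketched below. The enclosing function starts and ends outside the hunk.

```c
    case VIR_DOMAIN_LAUNCH_SECURITY_PV:
        if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_MACHINE_CONFIDENTAL_GUEST_SUPPORT) ||
            !virQEMUCapsGet(qemuCaps, QEMU_CAPS_S390_PV_GUEST)) {
            virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
                           _("S390 PV launch security is not supported with "
                             "this QEMU binary"));
            return -1;
        }
        /* Host/KVM capability is a distinct failure from the QEMU binary. */
        if (!virQEMUCapsGetKVMSupportsSecureGuest(qemuCaps)) {
            virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
                           _("S390 PV launch security is not supported by "
                             "this host"));
            return -1;
        }
        break;
```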
|
18
tests/genericxml2xmlindata/launch-security-s390-pv.xml
Normal file
18
tests/genericxml2xmlindata/launch-security-s390-pv.xml
Normal file
@ -0,0 +1,18 @@
|
|||||||
|
<domain type='kvm'>
|
||||||
|
<name>QEMUGuest1</name>
|
||||||
|
<uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
|
||||||
|
<memory unit='KiB'>219100</memory>
|
||||||
|
<currentMemory unit='KiB'>219100</currentMemory>
|
||||||
|
<vcpu placement='static'>1</vcpu>
|
||||||
|
<os>
|
||||||
|
<type arch='s390x' machine='s390-ccw-virtio'>hvm</type>
|
||||||
|
<boot dev='hd'/>
|
||||||
|
</os>
|
||||||
|
<clock offset='utc'/>
|
||||||
|
<on_poweroff>destroy</on_poweroff>
|
||||||
|
<on_reboot>restart</on_reboot>
|
||||||
|
<on_crash>destroy</on_crash>
|
||||||
|
<devices>
|
||||||
|
</devices>
|
||||||
|
<launchSecurity type='s390-pv'/>
|
||||||
|
</domain>
|
@ -233,6 +233,7 @@ mymain(void)
|
|||||||
DO_TEST("tseg");
|
DO_TEST("tseg");
|
||||||
|
|
||||||
DO_TEST("launch-security-sev");
|
DO_TEST("launch-security-sev");
|
||||||
|
DO_TEST("launch-security-s390-pv");
|
||||||
|
|
||||||
DO_TEST_DIFFERENT("cputune");
|
DO_TEST_DIFFERENT("cputune");
|
||||||
DO_TEST("device-backenddomain");
|
DO_TEST("device-backenddomain");
|
||||||
|
@ -0,0 +1,35 @@
|
|||||||
|
LC_ALL=C \
|
||||||
|
PATH=/bin \
|
||||||
|
HOME=/tmp/lib/domain--1-QEMUGuest1 \
|
||||||
|
USER=test \
|
||||||
|
LOGNAME=test \
|
||||||
|
XDG_DATA_HOME=/tmp/lib/domain--1-QEMUGuest1/.local/share \
|
||||||
|
XDG_CACHE_HOME=/tmp/lib/domain--1-QEMUGuest1/.cache \
|
||||||
|
XDG_CONFIG_HOME=/tmp/lib/domain--1-QEMUGuest1/.config \
|
||||||
|
/usr/bin/qemu-system-s390x \
|
||||||
|
-name guest=QEMUGuest1,debug-threads=on \
|
||||||
|
-S \
|
||||||
|
-object '{"qom-type":"secret","id":"masterKey0","format":"raw","file":"/tmp/lib/domain--1-QEMUGuest1/master-key.aes"}' \
|
||||||
|
-machine s390-ccw-virtio,accel=kvm,usb=off,dump-guest-core=off,confidential-guest-support=pv0,memory-backend=s390.ram \
|
||||||
|
-cpu gen15a-base,aen=on,cmmnt=on,vxpdeh=on,aefsi=on,diag318=on,csske=on,mepoch=on,msa9=on,msa8=on,msa7=on,msa6=on,msa5=on,msa4=on,msa3=on,msa2=on,msa1=on,sthyi=on,edat=on,ri=on,deflate=on,edat2=on,etoken=on,vx=on,ipter=on,mepochptff=on,ap=on,vxeh=on,vxpd=on,esop=on,msa9_pckmo=on,vxeh2=on,esort=on,apqi=on,apft=on,els=on,iep=on,apqci=on,cte=on,ais=on,bpb=on,gs=on,ppa15=on,zpci=on,sea_esop2=on,te=on,cmm=on \
|
||||||
|
-m 214 \
|
||||||
|
-object '{"qom-type":"memory-backend-ram","id":"s390.ram","size":224395264}' \
|
||||||
|
-overcommit mem-lock=off \
|
||||||
|
-smp 1,sockets=1,cores=1,threads=1 \
|
||||||
|
-uuid c7a5fdbd-edaf-9455-926a-d65c16db1809 \
|
||||||
|
-display none \
|
||||||
|
-no-user-config \
|
||||||
|
-nodefaults \
|
||||||
|
-chardev socket,id=charmonitor,fd=1729,server=on,wait=off \
|
||||||
|
-mon chardev=charmonitor,id=monitor,mode=control \
|
||||||
|
-rtc base=utc \
|
||||||
|
-no-shutdown \
|
||||||
|
-boot strict=on \
|
||||||
|
-blockdev '{"driver":"host_device","filename":"/dev/HostVG/QEMUGuest1","node-name":"libvirt-1-storage","auto-read-only":true,"discard":"unmap"}' \
|
||||||
|
-blockdev '{"node-name":"libvirt-1-format","read-only":false,"driver":"raw","file":"libvirt-1-storage"}' \
|
||||||
|
-device virtio-blk-ccw,devno=fe.0.0000,drive=libvirt-1-format,id=virtio-disk0,bootindex=1 \
|
||||||
|
-audiodev id=audio1,driver=none \
|
||||||
|
-device virtio-balloon-ccw,id=balloon0,devno=fe.0.0001 \
|
||||||
|
-object '{"qom-type":"s390-pv-guest","id":"pv0"}' \
|
||||||
|
-sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \
|
||||||
|
-msg timestamp=on
|
30
tests/qemuxml2argvdata/launch-security-s390-pv.xml
Normal file
30
tests/qemuxml2argvdata/launch-security-s390-pv.xml
Normal file
@ -0,0 +1,30 @@
|
|||||||
|
<domain type='kvm'>
|
||||||
|
<name>QEMUGuest1</name>
|
||||||
|
<uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
|
||||||
|
<memory unit='KiB'>219100</memory>
|
||||||
|
<currentMemory unit='KiB'>219100</currentMemory>
|
||||||
|
<vcpu placement='static'>1</vcpu>
|
||||||
|
<os>
|
||||||
|
<type arch='s390x' machine='s390-ccw-virtio'>hvm</type>
|
||||||
|
<boot dev='hd'/>
|
||||||
|
</os>
|
||||||
|
<clock offset='utc'/>
|
||||||
|
<on_poweroff>destroy</on_poweroff>
|
||||||
|
<on_reboot>restart</on_reboot>
|
||||||
|
<on_crash>destroy</on_crash>
|
||||||
|
<devices>
|
||||||
|
<emulator>/usr/bin/qemu-system-s390x</emulator>
|
||||||
|
<disk type='block' device='disk'>
|
||||||
|
<driver name='qemu' type='raw'/>
|
||||||
|
<source dev='/dev/HostVG/QEMUGuest1'/>
|
||||||
|
<target dev='hda' bus='virtio'/>
|
||||||
|
<address type='ccw' cssid='0xfe' ssid='0x0' devno='0x0000'/>
|
||||||
|
</disk>
|
||||||
|
<controller type='pci' index='0' model='pci-root'/>
|
||||||
|
<memballoon model='virtio'>
|
||||||
|
<address type='ccw' cssid='0xfe' ssid='0x0' devno='0x0001'/>
|
||||||
|
</memballoon>
|
||||||
|
<panic model='s390'/>
|
||||||
|
</devices>
|
||||||
|
<launchSecurity type='s390-pv'/>
|
||||||
|
</domain>
|
@ -41,6 +41,7 @@
|
|||||||
#include "virutil.h"
|
#include "virutil.h"
|
||||||
#include "qemu/qemu_interface.h"
|
#include "qemu/qemu_interface.h"
|
||||||
#include "qemu/qemu_command.h"
|
#include "qemu/qemu_command.h"
|
||||||
|
#include "qemu/qemu_capabilities.h"
|
||||||
#include <time.h>
|
#include <time.h>
|
||||||
#include <unistd.h>
|
#include <unistd.h>
|
||||||
#include <fcntl.h>
|
#include <fcntl.h>
|
||||||
@ -301,3 +302,18 @@ virIdentityEnsureSystemToken(void)
|
|||||||
{
|
{
|
||||||
return g_strdup("3de80bcbf22d4833897f1638e01be9b2");
|
return g_strdup("3de80bcbf22d4833897f1638e01be9b2");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static bool (*real_virQEMUCapsGetKVMSupportsSecureGuest)(virQEMUCaps *qemuCaps);
|
||||||
|
|
||||||
|
bool
|
||||||
|
virQEMUCapsGetKVMSupportsSecureGuest(virQEMUCaps *qemuCaps)
|
||||||
|
{
|
||||||
|
if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_MACHINE_CONFIDENTAL_GUEST_SUPPORT) &&
|
||||||
|
virQEMUCapsGet(qemuCaps, QEMU_CAPS_S390_PV_GUEST))
|
||||||
|
return true;
|
||||||
|
|
||||||
|
if (!real_virQEMUCapsGetKVMSupportsSecureGuest)
|
||||||
|
VIR_MOCK_REAL_INIT(virQEMUCapsGetKVMSupportsSecureGuest);
|
||||||
|
|
||||||
|
return real_virQEMUCapsGetKVMSupportsSecureGuest(qemuCaps);
|
||||||
|
}
|
||||||
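Review bot: The mock of virQEMUCapsGetKVMSupportsSecureGuest carries no comment explaining why it answers true whenever the two QEMU capability flags are set; the intent — keeping the s390-pv qemuxml2argv test independent of whether the test host actually supports secure guests — is only inferable from the test it enables. Suggest above the function: `/* Pretend the host supports secure guests whenever the capability data advertises PV support, so test results do not depend on the host running the suite */`. Note that when the flags are absent the mock falls through to the real implementation via VIR_MOCK_REAL_INIT, so any future test exercising that path would still be host-dependent — if full host-independence is the goal, consider whether `return false;` is the better fallback, or document why the real probe is wanted there.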
|
@ -3469,6 +3469,8 @@ mymain(void)
|
|||||||
DO_TEST_CAPS_VER("launch-security-sev", "6.0.0");
|
DO_TEST_CAPS_VER("launch-security-sev", "6.0.0");
|
||||||
DO_TEST_CAPS_VER("launch-security-sev-missing-platform-info", "2.12.0");
|
DO_TEST_CAPS_VER("launch-security-sev-missing-platform-info", "2.12.0");
|
||||||
|
|
||||||
|
DO_TEST_CAPS_ARCH_LATEST("launch-security-s390-pv", "s390x");
|
||||||
|
|
||||||
DO_TEST_CAPS_LATEST("vhost-user-fs-fd-memory");
|
DO_TEST_CAPS_LATEST("vhost-user-fs-fd-memory");
|
||||||
DO_TEST_CAPS_LATEST("vhost-user-fs-hugepages");
|
DO_TEST_CAPS_LATEST("vhost-user-fs-hugepages");
|
||||||
DO_TEST_CAPS_LATEST_PARSE_ERROR("vhost-user-fs-readonly");
|
DO_TEST_CAPS_LATEST_PARSE_ERROR("vhost-user-fs-readonly");
|
||||||
|