qemu: Build cmd line for SEV-SNP

Pretty straightforward as qemu has a 'sev-snp-guest' object whose
attributes map pretty much 1:1 to our XML model. The exception is
@vcek, where QEMU has 'vcek-disabled', an inverted boolean, while
we model it as virTristateBool. But that's easy to map too.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Michal Privoznik 2024-06-12 15:22:00 +02:00
parent c65eba1f57
commit a1d850b300
2 changed files with 44 additions and 3 deletions


@ -7056,14 +7056,13 @@ qemuBuildMachineCommandLine(virCommand *cmd,
if (def->sec) { if (def->sec) {
switch (def->sec->sectype) { switch (def->sec->sectype) {
case VIR_DOMAIN_LAUNCH_SECURITY_SEV: case VIR_DOMAIN_LAUNCH_SECURITY_SEV:
case VIR_DOMAIN_LAUNCH_SECURITY_SEV_SNP:
if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_MACHINE_CONFIDENTAL_GUEST_SUPPORT)) { if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_MACHINE_CONFIDENTAL_GUEST_SUPPORT)) {
virBufferAddLit(&buf, ",confidential-guest-support=lsec0"); virBufferAddLit(&buf, ",confidential-guest-support=lsec0");
} else { } else {
virBufferAddLit(&buf, ",memory-encryption=lsec0"); virBufferAddLit(&buf, ",memory-encryption=lsec0");
} }
break; break;
case VIR_DOMAIN_LAUNCH_SECURITY_SEV_SNP:
break;
case VIR_DOMAIN_LAUNCH_SECURITY_PV: case VIR_DOMAIN_LAUNCH_SECURITY_PV:
virBufferAddLit(&buf, ",confidential-guest-support=lsec0"); virBufferAddLit(&buf, ",confidential-guest-support=lsec0");
break; break;
@ -9755,6 +9754,46 @@ qemuBuildSEVCommandLine(virDomainObj *vm, virCommand *cmd,
} }
static int
qemuBuildSEVSNPCommandLine(virDomainObj *vm,
virCommand *cmd,
virDomainSEVSNPDef *def)
{
g_autoptr(virJSONValue) props = NULL;
qemuDomainObjPrivate *priv = vm->privateData;
virTristateBool vcek_disabled = VIR_TRISTATE_BOOL_ABSENT;
VIR_DEBUG("policy=0x%llx cbitpos=%d reduced_phys_bits=%d",
def->policy, def->common.cbitpos, def->common.reduced_phys_bits);
/* On QEMU cmd line, there's vcek-disabled which is an inverted boolean. */
if (def->vcek == VIR_TRISTATE_BOOL_YES) {
vcek_disabled = VIR_TRISTATE_BOOL_NO;
} else if (def->vcek == VIR_TRISTATE_BOOL_NO) {
vcek_disabled = VIR_TRISTATE_BOOL_YES;
}
if (qemuMonitorCreateObjectProps(&props, "sev-snp-guest", "lsec0",
"u:cbitpos", def->common.cbitpos,
"u:reduced-phys-bits", def->common.reduced_phys_bits,
"T:kernel-hashes", def->common.kernel_hashes,
"U:policy", def->policy,
"S:guest-visible-workarounds", def->guest_visible_workarounds,
"S:id-block", def->id_block,
"S:id-auth", def->id_auth,
"S:host-data", def->host_data,
"T:author-key-enabled", def->author_key,
"T:vcek-disabled", vcek_disabled,
NULL) < 0)
return -1;
if (qemuBuildObjectCommandlineFromJSON(cmd, props, priv->qemuCaps) < 0)
return -1;
return 0;
}
static int static int
qemuBuildPVCommandLine(virDomainObj *vm, virCommand *cmd) qemuBuildPVCommandLine(virDomainObj *vm, virCommand *cmd)
{ {
@ -9784,6 +9823,7 @@ qemuBuildSecCommandLine(virDomainObj *vm, virCommand *cmd,
return qemuBuildSEVCommandLine(vm, cmd, &sec->data.sev); return qemuBuildSEVCommandLine(vm, cmd, &sec->data.sev);
break; break;
case VIR_DOMAIN_LAUNCH_SECURITY_SEV_SNP: case VIR_DOMAIN_LAUNCH_SECURITY_SEV_SNP:
return qemuBuildSEVSNPCommandLine(vm, cmd, &sec->data.sev_snp);
break; break;
case VIR_DOMAIN_LAUNCH_SECURITY_PV: case VIR_DOMAIN_LAUNCH_SECURITY_PV:
return qemuBuildPVCommandLine(vm, cmd); return qemuBuildPVCommandLine(vm, cmd);
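Review bot: qemuBuildSEVSNPCommandLine (second hunk) emits the `sev-snp-guest` object without any virQEMUCapsGet() check on priv->qemuCaps, while the machine-line hunk above does gate its output on QEMU_CAPS_MACHINE_CONFIDENTAL_GUEST_SUPPORT. Presumably availability of `sev-snp-guest` is enforced in the domain validate step outside this diff; if it is not, an older QEMU is handed an `-object sev-snp-guest` it cannot parse and the user sees a generic launch failure instead of an unsupported-configuration error. A one-line comment above the qemuMonitorCreateObjectProps() call recording where that check lives, e.g. `/* QEMU support for sev-snp-guest is checked at validate time in <VALIDATE_FUNCTION> */`, would make the contract explicit. Separately, the VIR_DEBUG line logs policy, cbitpos and reduced_phys_bits but not vcek_disabled or author_key, both of which influence the guest's attestation report; extending it to `VIR_DEBUG("policy=0x%llx cbitpos=%d reduced_phys_bits=%d author_key=%d vcek_disabled=%d", ...)` would help when a measurement does not match expectations.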
