diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index 2f1e99865b..9179cc18bb 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -13621,8 +13621,8 @@ virDomainMemoryTargetDefParseXML(xmlNodePtr node,
static int
-virDomainSEVDefParseXML(virDomainSEVDef *def,
- xmlXPathContextPtr ctxt)
+virDomainSEVCommonDefParseXML(virDomainSEVCommonDef *def,
+ xmlXPathContextPtr ctxt)
{
int rc;
@@ -13630,12 +13630,6 @@ virDomainSEVDefParseXML(virDomainSEVDef *def,
&def->kernel_hashes) < 0)
return -1;
- if (virXPathUIntBase("string(./policy)", ctxt, 16, &def->policy) < 0) {
- virReportError(VIR_ERR_XML_ERROR, "%s",
- _("failed to get launch security policy"));
- return -1;
- }
-
/* the following attributes are platform dependent and if missing, we can
* autofill them from domain capabilities later
*/
@@ -13658,6 +13652,23 @@ virDomainSEVDefParseXML(virDomainSEVDef *def,
return -1;
}
+ return 0;
+}
+
+
+static int
+virDomainSEVDefParseXML(virDomainSEVDef *def,
+ xmlXPathContextPtr ctxt)
+{
+ if (virDomainSEVCommonDefParseXML(&def->common, ctxt) < 0)
+ return -1;
+
+ if (virXPathUIntBase("string(./policy)", ctxt, 16, &def->policy) < 0) {
+ virReportError(VIR_ERR_XML_ERROR, "%s",
+ _("failed to get launch security policy"));
+ return -1;
+ }
+
def->dh_cert = virXPathString("string(./dhCert)", ctxt);
def->session = virXPathString("string(./session)", ctxt);
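Review bot: Neither virDomainSEVCommonDefParseXML nor the new virDomainSEVDefParseXML wrapper has a comment saying which elements each one owns, so a reader has to compare the two to see that `policy`, `dhCert` and `session` are deliberately kept out of the common parser. I would add above the common parser something like `/* Parses the launch-security fields stored in virDomainSEVCommonDef (kernelHashes, cbitpos, reducedPhysBits); type-specific elements such as policy are parsed by the caller. */`. A one-line comment on the wrapper could also say that `policy` remains mandatory here, since any negative return from `virXPathUIntBase` is reported as an error. The wrapper's body continues past the end of this hunk.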
@@ -26641,6 +26652,24 @@ virDomainKeyWrapDefFormat(virBuffer *buf, virDomainKeyWrapDef *keywrap)
}
+static void
+virDomainSEVCommonDefFormat(virBuffer *attrBuf,
+ virBuffer *childBuf,
+ virDomainSEVCommonDef *def)
+{
+ if (def->kernel_hashes != VIR_TRISTATE_BOOL_ABSENT)
+ virBufferAsprintf(attrBuf, " kernelHashes='%s'",
+ virTristateBoolTypeToString(def->kernel_hashes));
+
+ if (def->haveCbitpos)
+ virBufferAsprintf(childBuf, "%d\n", def->cbitpos);
+
+ if (def->haveReducedPhysBits)
+ virBufferAsprintf(childBuf, "%d\n",
+ def->reduced_phys_bits);
+}
+
+
static void
virDomainSecDefFormat(virBuffer *buf, virDomainSecDef *sec)
{
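Review bot: virDomainSEVCommonDefFormat prints `def->cbitpos` with `%d`, but the header hunk in this same commit declares it as `unsigned int cbitpos;`, so the conversion should be `%u`. `def->reduced_phys_bits` is also printed with `%d` and is presumably unsigned as well, though its declaration falls outside the visible hunks. The mismatch is carried over from the removed inline code, and the `VIR_DEBUG("policy=0x%x cbitpos=%d reduced_phys_bits=%d", ...)` call touched in qemuBuildSEVCommandLine repeats it. Since the formatter only reads through `def`, the parameter could also be declared `const virDomainSEVCommonDef *def`.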
@@ -26657,16 +26686,8 @@ virDomainSecDefFormat(virBuffer *buf, virDomainSecDef *sec)
case VIR_DOMAIN_LAUNCH_SECURITY_SEV: {
virDomainSEVDef *sev = &sec->data.sev;
- if (sev->kernel_hashes != VIR_TRISTATE_BOOL_ABSENT)
- virBufferAsprintf(&attrBuf, " kernelHashes='%s'",
- virTristateBoolTypeToString(sev->kernel_hashes));
+ virDomainSEVCommonDefFormat(&attrBuf, &childBuf, &sev->common);
- if (sev->haveCbitpos)
- virBufferAsprintf(&childBuf, "%d\n", sev->cbitpos);
-
- if (sev->haveReducedPhysBits)
- virBufferAsprintf(&childBuf, "%d\n",
- sev->reduced_phys_bits);
virBufferAsprintf(&childBuf, "0x%04x\n", sev->policy);
virBufferEscapeString(&childBuf, "%s\n", sev->dh_cert);
diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
index cdab6ef2da..c6c3c2e2a5 100644
--- a/src/conf/domain_conf.h
+++ b/src/conf/domain_conf.h
@@ -2866,10 +2866,7 @@ typedef enum {
} virDomainLaunchSecurity;
-struct _virDomainSEVDef {
- char *dh_cert;
- char *session;
- unsigned int policy;
+struct _virDomainSEVCommonDef {
bool haveCbitpos;
unsigned int cbitpos;
bool haveReducedPhysBits;
@@ -2877,6 +2874,14 @@ struct _virDomainSEVDef {
virTristateBool kernel_hashes;
};
+
+struct _virDomainSEVDef {
+ virDomainSEVCommonDef common;
+ char *dh_cert;
+ char *session;
+ unsigned int policy;
+};
+
struct _virDomainSecDef {
virDomainLaunchSecurity sectype;
union {
diff --git a/src/conf/schemas/domaincommon.rng b/src/conf/schemas/domaincommon.rng
index a46a824f88..9a7649df1c 100644
--- a/src/conf/schemas/domaincommon.rng
+++ b/src/conf/schemas/domaincommon.rng
@@ -524,6 +524,19 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
sev
@@ -534,16 +547,7 @@
-
-
-
-
-
-
-
-
-
-
+
diff --git a/src/conf/virconftypes.h b/src/conf/virconftypes.h
index 0779bc224b..34bb1e262f 100644
--- a/src/conf/virconftypes.h
+++ b/src/conf/virconftypes.h
@@ -210,6 +210,8 @@ typedef struct _virDomainResctrlMonDef virDomainResctrlMonDef;
typedef struct _virDomainResourceDef virDomainResourceDef;
+typedef struct _virDomainSEVCommonDef virDomainSEVCommonDef;
+
typedef struct _virDomainSEVDef virDomainSEVDef;
typedef struct _virDomainSecDef virDomainSecDef;
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index 2d0eddc79e..a32cb8f8e9 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -9728,7 +9728,7 @@ qemuBuildSEVCommandLine(virDomainObj *vm, virCommand *cmd,
g_autofree char *sessionpath = NULL;
VIR_DEBUG("policy=0x%x cbitpos=%d reduced_phys_bits=%d",
- sev->policy, sev->cbitpos, sev->reduced_phys_bits);
+ sev->policy, sev->common.cbitpos, sev->common.reduced_phys_bits);
if (sev->dh_cert)
dhpath = g_strdup_printf("%s/dh_cert.base64", priv->libDir);
@@ -9737,12 +9737,12 @@ qemuBuildSEVCommandLine(virDomainObj *vm, virCommand *cmd,
sessionpath = g_strdup_printf("%s/session.base64", priv->libDir);
if (qemuMonitorCreateObjectProps(&props, "sev-guest", "lsec0",
- "u:cbitpos", sev->cbitpos,
- "u:reduced-phys-bits", sev->reduced_phys_bits,
+ "u:cbitpos", sev->common.cbitpos,
+ "u:reduced-phys-bits", sev->common.reduced_phys_bits,
"u:policy", sev->policy,
"S:dh-cert-file", dhpath,
"S:session-file", sessionpath,
- "T:kernel-hashes", sev->kernel_hashes,
+ "T:kernel-hashes", sev->common.kernel_hashes,
NULL) < 0)
return -1;
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index ae6594e10e..9886a11245 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -6569,14 +6569,14 @@ qemuProcessUpdateSEVInfo(virDomainObj *vm)
* mandatory on QEMU cmdline
*/
sevCaps = virQEMUCapsGetSEVCapabilities(qemuCaps);
- if (!sev->haveCbitpos) {
- sev->cbitpos = sevCaps->cbitpos;
- sev->haveCbitpos = true;
+ if (!sev->common.haveCbitpos) {
+ sev->common.cbitpos = sevCaps->cbitpos;
+ sev->common.haveCbitpos = true;
}
- if (!sev->haveReducedPhysBits) {
- sev->reduced_phys_bits = sevCaps->reduced_phys_bits;
- sev->haveReducedPhysBits = true;
+ if (!sev->common.haveReducedPhysBits) {
+ sev->common.reduced_phys_bits = sevCaps->reduced_phys_bits;
+ sev->common.haveReducedPhysBits = true;
}
return 0;
diff --git a/src/qemu/qemu_validate.c b/src/qemu/qemu_validate.c
index b82d937a0d..a00ec8e940 100644
--- a/src/qemu/qemu_validate.c
+++ b/src/qemu/qemu_validate.c
@@ -1318,7 +1318,7 @@ qemuValidateDomainDef(const virDomainDef *def,
return -1;
}
- if (def->sec->data.sev.kernel_hashes != VIR_TRISTATE_BOOL_ABSENT &&
+ if (def->sec->data.sev.common.kernel_hashes != VIR_TRISTATE_BOOL_ABSENT &&
!virQEMUCapsGet(qemuCaps, QEMU_CAPS_SEV_GUEST_KERNEL_HASHES)) {
virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
_("SEV measured direct kernel boot is not supported with this QEMU binary"));