External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2024-12-22 13:45:38 +00:00
Code Issues Packages Projects Releases Wiki Activity

qemu: format sev-guest.kernel-hashes property

Browse Source 
Set the kernel-hashes property on the sev-guest object if the config
asked for it explicitly. While QEMU machine types currently default to
having this setting off, it is not guaranteed to remain this way.

We can't assume that the QEMU capabilities were generated on an AMD host
with SEV, so we must force set the QEMU_CAPS_SEV_GUEST. This also means
that the 'sev' info in the qemuCaps struct might be NULL, but this is
harmless from POV of testing the CLI generator.

Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
This commit is contained in:
Daniel P. Berrangé 2021-12-09 09:57:05 -05:00
parent a4efca7695
commit e4e873e9b6
6 changed files with 97 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/qemu/qemu_capabilities.c
View File

@ -1892,6 +1892,11 @@ virQEMUCapsSEVInfoCopy(virSEVCapability **dst,
{
g_autoptr(virSEVCapability) tmp = NULL;
if (!src) {
*dst = NULL;
return 0;
}
tmp = g_new0(virSEVCapability, 1);
tmp->pdh = g_strdup(src->pdh);

1
src/qemu/qemu_command.c
View File

@ -9918,6 +9918,7 @@ qemuBuildSEVCommandLine(virDomainObj *vm, virCommand *cmd,
"u:policy", sev->policy,
"S:dh-cert-file", dhpath,
"S:session-file", sessionpath,
"T:kernel-hashes", sev->kernel_hashes,
NULL) < 0)
return -1;

7
src/qemu/qemu_validate.c
View File

@ -1217,6 +1217,13 @@ qemuValidateDomainDef(const virDomainDef *def,
"this QEMU binary"));
return -1;
}
if (def->sec->data.sev.kernel_hashes != VIR_TRISTATE_BOOL_ABSENT &&
!virQEMUCapsGet(qemuCaps, QEMU_CAPS_SEV_GUEST_KERNEL_HASHES)) {
virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
_("SEV measured direct kernel boot is not supported with this QEMU binary"));
return -1;
}
break;
case VIR_DOMAIN_LAUNCH_SECURITY_PV:
if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_MACHINE_CONFIDENTAL_GUEST_SUPPORT) ||

40
tests/qemuxml2argvdata/launch-security-sev-direct.x86_64-latest.args Normal file
View File

@ -0,0 +1,40 @@
LC_ALL=C \
PATH=/bin \
HOME=/tmp/lib/domain--1-QEMUGuest1 \
USER=test \
LOGNAME=test \
XDG_DATA_HOME=/tmp/lib/domain--1-QEMUGuest1/.local/share \
XDG_CACHE_HOME=/tmp/lib/domain--1-QEMUGuest1/.cache \
XDG_CONFIG_HOME=/tmp/lib/domain--1-QEMUGuest1/.config \
/usr/bin/qemu-system-x86_64 \
-name guest=QEMUGuest1,debug-threads=on \
-S \
-object '{"qom-type":"secret","id":"masterKey0","format":"raw","file":"/tmp/lib/domain--1-QEMUGuest1/master-key.aes"}' \
-machine pc,usb=off,dump-guest-core=off,confidential-guest-support=lsec0,memory-backend=pc.ram \
-accel kvm \
-cpu qemu64 \
-m 214 \
-object '{"qom-type":"memory-backend-ram","id":"pc.ram","size":224395264}' \
-overcommit mem-lock=off \
-smp 1,sockets=1,cores=1,threads=1 \
-uuid c7a5fdbd-edaf-9455-926a-d65c16db1809 \
-display none \
-no-user-config \
-nodefaults \
-chardev socket,id=charmonitor,fd=1729,server=on,wait=off \
-mon chardev=charmonitor,id=monitor,mode=control \
-rtc base=utc \
-no-shutdown \
-no-acpi \
-boot strict=on \
-kernel /vmlinuz \
-initrd /initrd \
-append runme \
-device '{"driver":"piix3-usb-uhci","id":"usb","bus":"pci.0","addr":"0x1.0x2"}' \
-blockdev '{"driver":"host_device","filename":"/dev/HostVG/QEMUGuest1","node-name":"libvirt-1-storage","auto-read-only":true,"discard":"unmap"}' \
-blockdev '{"node-name":"libvirt-1-format","read-only":false,"driver":"raw","file":"libvirt-1-storage"}' \
-device '{"driver":"ide-hd","bus":"ide.0","unit":0,"drive":"libvirt-1-format","id":"ide0-0-0","bootindex":1}' \
-audiodev '{"id":"audio1","driver":"none"}' \
-object '{"qom-type":"sev-guest","id":"lsec0","cbitpos":47,"reduced-phys-bits":1,"policy":1,"dh-cert-file":"/tmp/lib/domain--1-QEMUGuest1/dh_cert.base64","session-file":"/tmp/lib/domain--1-QEMUGuest1/session.base64","kernel-hashes":true}' \
-sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \
-msg timestamp=on

39
tests/qemuxml2argvdata/launch-security-sev-direct.xml Normal file
View File

@ -0,0 +1,39 @@
<domain type='kvm'>
<name>QEMUGuest1</name>
<uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
<memory unit='KiB'>219100</memory>
<currentMemory unit='KiB'>219100</currentMemory>
<vcpu placement='static'>1</vcpu>
<os>
<type arch='x86_64' machine='pc'>hvm</type>
<kernel>/vmlinuz</kernel>
<initrd>/initrd</initrd>
<cmdline>runme</cmdline>
</os>
<clock offset='utc'/>
<on_poweroff>destroy</on_poweroff>
<on_reboot>restart</on_reboot>
<on_crash>destroy</on_crash>
<devices>
<emulator>/usr/bin/qemu-system-x86_64</emulator>
<disk type='block' device='disk'>
<driver name='qemu' type='raw'/>
<source dev='/dev/HostVG/QEMUGuest1'/>
<target dev='hda' bus='ide'/>
<address type='drive' controller='0' bus='0' target='0' unit='0'/>
</disk>
<controller type='usb' index='0'/>
<controller type='ide' index='0'/>
<controller type='pci' index='0' model='pci-root'/>
<input type='mouse' bus='ps2'/>
<input type='keyboard' bus='ps2'/>
<memballoon model='none'/>
</devices>
<launchSecurity type='sev' kernelHashes='yes'>
<cbitpos>47</cbitpos>
<reducedPhysBits>1</reducedPhysBits>
<policy>0x0001</policy>
<dhCert>AQAAAAAOAAAAQAAAAAOAAAAQAAAAAOAAAAQAAAAAOAAAAQAAAAAOAAA</dhCert>
<session>IHAVENOIDEABUTJUSTPROVIDINGASTRING</session>
</launchSecurity>
</domain>

5
tests/qemuxml2argvtest.c
View File

@ -3425,6 +3425,11 @@ mymain(void)
DO_TEST_CAPS_VER("launch-security-sev", "2.12.0");
DO_TEST_CAPS_VER("launch-security-sev", "6.0.0");
DO_TEST_CAPS_VER("launch-security-sev-missing-platform-info", "2.12.0");
DO_TEST_CAPS_ARCH_LATEST_FULL("launch-security-sev-direct",
"x86_64",
ARG_QEMU_CAPS,
QEMU_CAPS_SEV_GUEST,
QEMU_CAPS_LAST);
DO_TEST_CAPS_ARCH_LATEST("launch-security-s390-pv", "s390x");