From e4e873e9b653f4b8aa8c2ed64ce2d607e619e93d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Thu, 9 Dec 2021 09:57:05 -0500 Subject: [PATCH] qemu: format sev-guest.kernel-hashes property MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Set the kernel-hashes property on the sev-guest object if the config asked for it explicitly. While QEMU machine types currently default to having this setting off, it is not guaranteed to remain this way. We can't assume that the QEMU capabilities were generated on an AMD host with SEV, so we must force set the QEMU_CAPS_SEV_GUEST. This also means that the 'sev' info in the qemuCaps struct might be NULL, but this is harmless from POV of testing the CLI generator. Reviewed-by: Peter Krempa Signed-off-by: Daniel P. Berrangé --- src/qemu/qemu_capabilities.c | 5 +++ src/qemu/qemu_command.c | 1 + src/qemu/qemu_validate.c | 7 ++++ ...nch-security-sev-direct.x86_64-latest.args | 40 +++++++++++++++++++ .../launch-security-sev-direct.xml | 39 ++++++++++++++++++ tests/qemuxml2argvtest.c | 5 +++ 6 files changed, 97 insertions(+) create mode 100644 tests/qemuxml2argvdata/launch-security-sev-direct.x86_64-latest.args create mode 100644 tests/qemuxml2argvdata/launch-security-sev-direct.xml diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c index c1b06998af..4f63322a9e 100644 --- a/src/qemu/qemu_capabilities.c +++ b/src/qemu/qemu_capabilities.c @@ -1892,6 +1892,11 @@ virQEMUCapsSEVInfoCopy(virSEVCapability **dst, { g_autoptr(virSEVCapability) tmp = NULL; + if (!src) { + *dst = NULL; + return 0; + } + tmp = g_new0(virSEVCapability, 1); tmp->pdh = g_strdup(src->pdh); diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c index b9105aa10b..964960cfaa 100644 --- a/src/qemu/qemu_command.c +++ b/src/qemu/qemu_command.c @@ -9918,6 +9918,7 @@ qemuBuildSEVCommandLine(virDomainObj *vm, virCommand *cmd, "u:policy", sev->policy, "S:dh-cert-file", dhpath, "S:session-file", sessionpath, + "T:kernel-hashes", sev->kernel_hashes, NULL) < 0) return -1; diff --git a/src/qemu/qemu_validate.c b/src/qemu/qemu_validate.c index 46b40303f6..3a69733f81 100644 --- a/src/qemu/qemu_validate.c +++ b/src/qemu/qemu_validate.c @@ -1217,6 +1217,13 @@ qemuValidateDomainDef(const virDomainDef *def, "this QEMU binary")); return -1; } + + if (def->sec->data.sev.kernel_hashes != VIR_TRISTATE_BOOL_ABSENT && + !virQEMUCapsGet(qemuCaps, QEMU_CAPS_SEV_GUEST_KERNEL_HASHES)) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", + _("SEV measured direct kernel boot is not supported with this QEMU binary")); + return -1; + } break; case VIR_DOMAIN_LAUNCH_SECURITY_PV: if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_MACHINE_CONFIDENTAL_GUEST_SUPPORT) || diff --git a/tests/qemuxml2argvdata/launch-security-sev-direct.x86_64-latest.args b/tests/qemuxml2argvdata/launch-security-sev-direct.x86_64-latest.args new file mode 100644 index 0000000000..dac312e301 --- /dev/null +++ b/tests/qemuxml2argvdata/launch-security-sev-direct.x86_64-latest.args @@ -0,0 +1,40 @@ +LC_ALL=C \ +PATH=/bin \ +HOME=/tmp/lib/domain--1-QEMUGuest1 \ +USER=test \ +LOGNAME=test \ +XDG_DATA_HOME=/tmp/lib/domain--1-QEMUGuest1/.local/share \ +XDG_CACHE_HOME=/tmp/lib/domain--1-QEMUGuest1/.cache \ +XDG_CONFIG_HOME=/tmp/lib/domain--1-QEMUGuest1/.config \ +/usr/bin/qemu-system-x86_64 \ +-name guest=QEMUGuest1,debug-threads=on \ +-S \ +-object '{"qom-type":"secret","id":"masterKey0","format":"raw","file":"/tmp/lib/domain--1-QEMUGuest1/master-key.aes"}' \ +-machine pc,usb=off,dump-guest-core=off,confidential-guest-support=lsec0,memory-backend=pc.ram \ +-accel kvm \ +-cpu qemu64 \ +-m 214 \ +-object '{"qom-type":"memory-backend-ram","id":"pc.ram","size":224395264}' \ +-overcommit mem-lock=off \ +-smp 1,sockets=1,cores=1,threads=1 \ +-uuid c7a5fdbd-edaf-9455-926a-d65c16db1809 \ +-display none \ +-no-user-config \ +-nodefaults \ +-chardev socket,id=charmonitor,fd=1729,server=on,wait=off \ +-mon chardev=charmonitor,id=monitor,mode=control \ +-rtc base=utc \ +-no-shutdown \ +-no-acpi \ +-boot strict=on \ +-kernel /vmlinuz \ +-initrd /initrd \ +-append runme \ +-device '{"driver":"piix3-usb-uhci","id":"usb","bus":"pci.0","addr":"0x1.0x2"}' \ +-blockdev '{"driver":"host_device","filename":"/dev/HostVG/QEMUGuest1","node-name":"libvirt-1-storage","auto-read-only":true,"discard":"unmap"}' \ +-blockdev '{"node-name":"libvirt-1-format","read-only":false,"driver":"raw","file":"libvirt-1-storage"}' \ +-device '{"driver":"ide-hd","bus":"ide.0","unit":0,"drive":"libvirt-1-format","id":"ide0-0-0","bootindex":1}' \ +-audiodev '{"id":"audio1","driver":"none"}' \ +-object '{"qom-type":"sev-guest","id":"lsec0","cbitpos":47,"reduced-phys-bits":1,"policy":1,"dh-cert-file":"/tmp/lib/domain--1-QEMUGuest1/dh_cert.base64","session-file":"/tmp/lib/domain--1-QEMUGuest1/session.base64","kernel-hashes":true}' \ +-sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \ +-msg timestamp=on diff --git a/tests/qemuxml2argvdata/launch-security-sev-direct.xml b/tests/qemuxml2argvdata/launch-security-sev-direct.xml new file mode 100644 index 0000000000..80ce6412dd --- /dev/null +++ b/tests/qemuxml2argvdata/launch-security-sev-direct.xml @@ -0,0 +1,39 @@ + + QEMUGuest1 + c7a5fdbd-edaf-9455-926a-d65c16db1809 + 219100 + 219100 + 1 + + hvm + /vmlinuz + /initrd + runme + + + destroy + restart + destroy + + /usr/bin/qemu-system-x86_64 + + + + +
+ + + + + + + + + + 47 + 1 + 0x0001 + AQAAAAAOAAAAQAAAAAOAAAAQAAAAAOAAAAQAAAAAOAAAAQAAAAAOAAA + IHAVENOIDEABUTJUSTPROVIDINGASTRING + + diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c index 0b88b580c5..6c67b36d5c 100644 --- a/tests/qemuxml2argvtest.c +++ b/tests/qemuxml2argvtest.c @@ -3425,6 +3425,11 @@ mymain(void) DO_TEST_CAPS_VER("launch-security-sev", "2.12.0"); DO_TEST_CAPS_VER("launch-security-sev", "6.0.0"); DO_TEST_CAPS_VER("launch-security-sev-missing-platform-info", "2.12.0"); + DO_TEST_CAPS_ARCH_LATEST_FULL("launch-security-sev-direct", + "x86_64", + ARG_QEMU_CAPS, + QEMU_CAPS_SEV_GUEST, + QEMU_CAPS_LAST); DO_TEST_CAPS_ARCH_LATEST("launch-security-s390-pv", "s390x");