mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2025-01-27 23:15:18 +00:00
qemu_firmware: select correct firmware for AMD SEV-ES
When using firmware auto-selection and user enables AMD SEV-ES we need to pick correct firmware that actually supports it. This can be detected by having `amd-sev-es` in the firmware JSON description. Signed-off-by: Pavel Hrdina <phrdina@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
This commit is contained in:
parent
2b20f3e0fa
commit
f14ca48ef4
@ -129,6 +129,7 @@ typedef enum {
|
|||||||
QEMU_FIRMWARE_FEATURE_ACPI_S3,
|
QEMU_FIRMWARE_FEATURE_ACPI_S3,
|
||||||
QEMU_FIRMWARE_FEATURE_ACPI_S4,
|
QEMU_FIRMWARE_FEATURE_ACPI_S4,
|
||||||
QEMU_FIRMWARE_FEATURE_AMD_SEV,
|
QEMU_FIRMWARE_FEATURE_AMD_SEV,
|
||||||
|
QEMU_FIRMWARE_FEATURE_AMD_SEV_ES,
|
||||||
QEMU_FIRMWARE_FEATURE_ENROLLED_KEYS,
|
QEMU_FIRMWARE_FEATURE_ENROLLED_KEYS,
|
||||||
QEMU_FIRMWARE_FEATURE_REQUIRES_SMM,
|
QEMU_FIRMWARE_FEATURE_REQUIRES_SMM,
|
||||||
QEMU_FIRMWARE_FEATURE_SECURE_BOOT,
|
QEMU_FIRMWARE_FEATURE_SECURE_BOOT,
|
||||||
@ -145,6 +146,7 @@ VIR_ENUM_IMPL(qemuFirmwareFeature,
|
|||||||
"acpi-s3",
|
"acpi-s3",
|
||||||
"acpi-s4",
|
"acpi-s4",
|
||||||
"amd-sev",
|
"amd-sev",
|
||||||
|
"amd-sev-es",
|
||||||
"enrolled-keys",
|
"enrolled-keys",
|
||||||
"requires-smm",
|
"requires-smm",
|
||||||
"secure-boot",
|
"secure-boot",
|
||||||
@ -913,6 +915,9 @@ qemuFirmwareOSInterfaceTypeFromOsDefFirmware(int fw)
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
#define VIR_QEMU_FIRMWARE_AMD_SEV_ES_POLICY (1 << 2)
|
||||||
|
|
||||||
|
|
||||||
static bool
|
static bool
|
||||||
qemuFirmwareMatchDomain(const virDomainDef *def,
|
qemuFirmwareMatchDomain(const virDomainDef *def,
|
||||||
const qemuFirmware *fw,
|
const qemuFirmware *fw,
|
||||||
@ -924,6 +929,7 @@ qemuFirmwareMatchDomain(const virDomainDef *def,
|
|||||||
bool supportsS4 = false;
|
bool supportsS4 = false;
|
||||||
bool requiresSMM = false;
|
bool requiresSMM = false;
|
||||||
bool supportsSEV = false;
|
bool supportsSEV = false;
|
||||||
|
bool supportsSEVES = false;
|
||||||
bool supportsSecureBoot = false;
|
bool supportsSecureBoot = false;
|
||||||
bool hasEnrolledKeys = false;
|
bool hasEnrolledKeys = false;
|
||||||
int reqSecureBoot;
|
int reqSecureBoot;
|
||||||
@ -972,6 +978,11 @@ qemuFirmwareMatchDomain(const virDomainDef *def,
|
|||||||
case QEMU_FIRMWARE_FEATURE_AMD_SEV:
|
case QEMU_FIRMWARE_FEATURE_AMD_SEV:
|
||||||
supportsSEV = true;
|
supportsSEV = true;
|
||||||
break;
|
break;
|
||||||
|
|
||||||
|
case QEMU_FIRMWARE_FEATURE_AMD_SEV_ES:
|
||||||
|
supportsSEVES = true;
|
||||||
|
break;
|
||||||
|
|
||||||
case QEMU_FIRMWARE_FEATURE_REQUIRES_SMM:
|
case QEMU_FIRMWARE_FEATURE_REQUIRES_SMM:
|
||||||
requiresSMM = true;
|
requiresSMM = true;
|
||||||
break;
|
break;
|
||||||
@ -1043,10 +1054,19 @@ qemuFirmwareMatchDomain(const virDomainDef *def,
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (def->sev &&
|
if (def->sev &&
|
||||||
def->sev->sectype == VIR_DOMAIN_LAUNCH_SECURITY_SEV &&
|
def->sev->sectype == VIR_DOMAIN_LAUNCH_SECURITY_SEV) {
|
||||||
!supportsSEV) {
|
if (!supportsSEV) {
|
||||||
VIR_DEBUG("Domain requires SEV, firmware '%s' doesn't support it", path);
|
VIR_DEBUG("Domain requires SEV, firmware '%s' doesn't support it",
|
||||||
return false;
|
path);
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (def->sev->policy & VIR_QEMU_FIRMWARE_AMD_SEV_ES_POLICY &&
|
||||||
|
!supportsSEVES) {
|
||||||
|
VIR_DEBUG("Domain requires SEV-ES, firmware '%s' doesn't support it",
|
||||||
|
path);
|
||||||
|
return false;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
VIR_DEBUG("Firmware '%s' matches domain requirements", path);
|
VIR_DEBUG("Firmware '%s' matches domain requirements", path);
|
||||||
@ -1148,6 +1168,7 @@ qemuFirmwareEnableFeatures(virQEMUDriver *driver,
|
|||||||
case QEMU_FIRMWARE_FEATURE_ACPI_S3:
|
case QEMU_FIRMWARE_FEATURE_ACPI_S3:
|
||||||
case QEMU_FIRMWARE_FEATURE_ACPI_S4:
|
case QEMU_FIRMWARE_FEATURE_ACPI_S4:
|
||||||
case QEMU_FIRMWARE_FEATURE_AMD_SEV:
|
case QEMU_FIRMWARE_FEATURE_AMD_SEV:
|
||||||
|
case QEMU_FIRMWARE_FEATURE_AMD_SEV_ES:
|
||||||
case QEMU_FIRMWARE_FEATURE_ENROLLED_KEYS:
|
case QEMU_FIRMWARE_FEATURE_ENROLLED_KEYS:
|
||||||
case QEMU_FIRMWARE_FEATURE_SECURE_BOOT:
|
case QEMU_FIRMWARE_FEATURE_SECURE_BOOT:
|
||||||
case QEMU_FIRMWARE_FEATURE_VERBOSE_DYNAMIC:
|
case QEMU_FIRMWARE_FEATURE_VERBOSE_DYNAMIC:
|
||||||
@ -1181,6 +1202,7 @@ qemuFirmwareSanityCheck(const qemuFirmware *fw,
|
|||||||
case QEMU_FIRMWARE_FEATURE_ACPI_S3:
|
case QEMU_FIRMWARE_FEATURE_ACPI_S3:
|
||||||
case QEMU_FIRMWARE_FEATURE_ACPI_S4:
|
case QEMU_FIRMWARE_FEATURE_ACPI_S4:
|
||||||
case QEMU_FIRMWARE_FEATURE_AMD_SEV:
|
case QEMU_FIRMWARE_FEATURE_AMD_SEV:
|
||||||
|
case QEMU_FIRMWARE_FEATURE_AMD_SEV_ES:
|
||||||
case QEMU_FIRMWARE_FEATURE_ENROLLED_KEYS:
|
case QEMU_FIRMWARE_FEATURE_ENROLLED_KEYS:
|
||||||
case QEMU_FIRMWARE_FEATURE_VERBOSE_DYNAMIC:
|
case QEMU_FIRMWARE_FEATURE_VERBOSE_DYNAMIC:
|
||||||
case QEMU_FIRMWARE_FEATURE_VERBOSE_STATIC:
|
case QEMU_FIRMWARE_FEATURE_VERBOSE_STATIC:
|
||||||
@ -1412,6 +1434,7 @@ qemuFirmwareGetSupported(const char *machine,
|
|||||||
case QEMU_FIRMWARE_FEATURE_ACPI_S3:
|
case QEMU_FIRMWARE_FEATURE_ACPI_S3:
|
||||||
case QEMU_FIRMWARE_FEATURE_ACPI_S4:
|
case QEMU_FIRMWARE_FEATURE_ACPI_S4:
|
||||||
case QEMU_FIRMWARE_FEATURE_AMD_SEV:
|
case QEMU_FIRMWARE_FEATURE_AMD_SEV:
|
||||||
|
case QEMU_FIRMWARE_FEATURE_AMD_SEV_ES:
|
||||||
case QEMU_FIRMWARE_FEATURE_ENROLLED_KEYS:
|
case QEMU_FIRMWARE_FEATURE_ENROLLED_KEYS:
|
||||||
case QEMU_FIRMWARE_FEATURE_SECURE_BOOT:
|
case QEMU_FIRMWARE_FEATURE_SECURE_BOOT:
|
||||||
case QEMU_FIRMWARE_FEATURE_VERBOSE_DYNAMIC:
|
case QEMU_FIRMWARE_FEATURE_VERBOSE_DYNAMIC:
|
||||||
|
Loading…
x
Reference in New Issue
Block a user