qemu_validate: Use domaincaps to validate supported launchSecurity type

Now that the logic for detecting supported launchSecurity types has been moved to domain capabilities generation, we can just use it when validating launchSecurity type. Just like we do for device models and so on. Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Jiri Denemark <jdenemar@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2025-02-06 20:00:05 +00:00 · 2024-06-25 10:51:55 +02:00 · 2024-06-25 10:51:55 +02:00 · fbe97ee17d
commit fbe97ee17d
parent 66df7992d8
1 changed files with 12 additions and 17 deletions
--- a/src/qemu/qemu_validate.c
+++ b/src/qemu/qemu_validate.c
@ -1310,14 +1310,20 @@ qemuValidateDomainDef(const virDomainDef *def,
        return -1;

    if (def->sec) {
+        virDomainCapsLaunchSecurity launchSecurity = { };
+
+        virQEMUCapsFillDomainLaunchSecurity(qemuCaps, &launchSecurity);
+
+        if (!VIR_DOMAIN_CAPS_ENUM_IS_SET(launchSecurity.sectype,
+                                         def->sec->sectype)) {
+            virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
+                           _("'%1$s' launch security is not supported with this QEMU binary"),
+                           virDomainLaunchSecurityTypeToString(def->sec->sectype));
+            return -1;
+        }
+
        switch (def->sec->sectype) {
        case VIR_DOMAIN_LAUNCH_SECURITY_SEV:
-            if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_SEV_GUEST)) {
-                virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
-                               _("SEV launch security is not supported with this QEMU binary"));
-                return -1;
-            }
-
            if (def->sec->data.sev.common.kernel_hashes != VIR_TRISTATE_BOOL_ABSENT &&
                !virQEMUCapsGet(qemuCaps, QEMU_CAPS_SEV_GUEST_KERNEL_HASHES)) {
                virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
@ -1327,20 +1333,9 @@ qemuValidateDomainDef(const virDomainDef *def,
            break;

        case VIR_DOMAIN_LAUNCH_SECURITY_SEV_SNP:
-            if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_SEV_SNP_GUEST)) {
-                virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
-                               _("SEV SNP launch security is not supported with this QEMU binary"));
-                return -1;
-            }
            break;

        case VIR_DOMAIN_LAUNCH_SECURITY_PV:
-            if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_MACHINE_CONFIDENTAL_GUEST_SUPPORT) ||
-                !virQEMUCapsGet(qemuCaps, QEMU_CAPS_S390_PV_GUEST)) {
-                virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
-                               _("S390 PV launch security is not supported with this QEMU binary"));
-                return -1;
-            }
            if (!virQEMUCapsGetKVMSupportsSecureGuest(qemuCaps)) {
                virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
                               _("S390 PV launch security is not supported by this host or kernel"));