On Tue, Jan 29, 2019 at 01:26:46PM +0100, Michal Privoznik wrote: > On 1/23/19 1:57 PM, Erik Skultety wrote: > > Instead of exposing /dev/sev to every domain, do it selectively. > > > > Signed-off-by: Erik Skultety <eskultet@xxxxxxxxxx> > > --- > > src/qemu/qemu_domain.c | 23 +++++++++++++++++++++++ > > 1 file changed, 23 insertions(+) > > > > diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c > > index 32a43f2064..a4cdb8d355 100644 > > --- a/src/qemu/qemu_domain.c > > +++ b/src/qemu/qemu_domain.c > > @@ -12112,6 +12112,26 @@ qemuDomainSetupLoader(virQEMUDriverConfigPtr cfg ATTRIBUTE_UNUSED, > > } > > +static int > > +qemuDomainSetupLaunchSecurity(virQEMUDriverConfigPtr cfg ATTRIBUTE_UNUSED, > > + virDomainObjPtr vm, > > + const struct qemuDomainCreateDeviceData *data) > > +{ > > + virDomainSEVDefPtr sev = vm->def->sev; > > + > > + if (!sev || sev->sectype != VIR_DOMAIN_LAUNCH_SECURITY_SEV) > > + return 0; > > + > > + VIR_DEBUG("Setting up launch security"); > > + > > + if (qemuDomainCreateDevice("/dev/sev", data, false) < 0) > > nitpick - I'd rather see this as a macro: > #define SEV_PATH "/dev/sev" > ... > qemuDomainCreateDevice(SEV_PATH, ..) Fixed, although I didn't push the patches, as the SEV probing discussion upstream concluded in libvirt using DAC_OVERRIDE capability, so I did that and applied it on top of this series. Also, I forgot to make sure DAC relabels the device within namespace so I fixed that in the new series as well. Thanks, Erik
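Review bot: in qemuDomainSetupLaunchSecurity(), the call qemuDomainCreateDevice("/dev/sev", data, false) passes a bare `false` whose meaning is not evident at the call site; a one-line comment stating how a missing /dev/sev is handled for a domain that requested SEV would make the failure behaviour reviewable. The VIR_DEBUG("Setting up launch security") message could also name the device path so the namespace setup can be traced in the logs. The quoted hunk stops at the `if` condition, so the error path and the call site that invokes this helper are not visible here and should be checked against the full patch.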