Re: [PATCH 3/6] qemu: check if AMD secure guest support is enabled

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 5/11/20 9:40 PM, Brijesh Singh wrote:
Thanks for the patch Paulo, Few comments.

On 5/11/20 11:41 AM, Boris Fiuczynski wrote:
From: Paulo de Rezende Pinatti <ppinatti@xxxxxxxxxxxxx>

Implement secure guest check for AMD SEV (Secure Encrypted
Virtualization) in order to invalidate the qemu capabilities
cache in case the availability of the feature changed.

For AMD SEV the verification consists of:
- checking if /sys/module/kvm_amd/parameters/sev contains the
value '1': meaning SEV is enabled in the host kernel;
- checking if the kernel cmdline contains 'mem_encrypt=on': meaning
SME memory encryption feature on the host is enabled


In addition to the kernel module parameter, we probably also need to
check whether QEMU supports the feature. e.g, what if user has newer
kernel but older qemu. e.g kernel > 4.18 but Qemu < 2.12.  To check the
SEV feature support, we should verify the following conditions:

1) check kernel module parameter is set
Paulo implemented the checks following the documentation in docs/kbase/launch_security_sev.rst. The check for the module parameter sev is included. Is the check for the kernel cmdline parameter "mem_encrypt" not necessary? Or would that be covered by your suggested check in 2)?


2) check if /dev/sev device exist (aka firmware is detected)
This seems reasonable. Shouldn't it have been documented in docs/kbase/launch_security_sev.rst?


3) Check if Qemu supports SEV feature (maybe we can detect the existence
of the query-sev QMP command or detect Qemu version >= 2.12)
The idea is to check the host capabilities to detect if qemus capabilities need to be reprobed. Therefore this would be a result if checks 1+2 change but it would not be a cache invalidation trigger.


thanks

Signed-off-by: Paulo de Rezende Pinatti <ppinatti@xxxxxxxxxxxxx>
Reviewed-by: Bjoern Walk <bwalk@xxxxxxxxxxxxx>
Reviewed-by: Boris Fiuczynski <fiuczy@xxxxxxxxxxxxx>
---
  docs/kbase/launch_security_sev.rst |  2 +-
  src/qemu/qemu_capabilities.c       | 27 +++++++++++++++++++++++++++
  2 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/docs/kbase/launch_security_sev.rst b/docs/kbase/launch_security_sev.rst
index 65f258587d..fa602c7432 100644
--- a/docs/kbase/launch_security_sev.rst
+++ b/docs/kbase/launch_security_sev.rst
@@ -109,7 +109,7 @@ following:
       </features>
     </domainCapabilities>
-Note that if libvirt was already installed and libvirtd running before
+Note that if libvirt (<6.4.0) was already installed and libvirtd running before
  enabling SEV in the kernel followed by the host reboot you need to force
  libvirtd to re-probe both the host and QEMU capabilities. First stop
  libvirtd:
diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
index 2874bb1e7c..6cf926d52d 100644
--- a/src/qemu/qemu_capabilities.c
+++ b/src/qemu/qemu_capabilities.c
@@ -4604,6 +4604,31 @@ virQEMUCapsKVMSupportsSecureGuestS390(void)
  }
+/*
+ * Check whether AMD Secure Encrypted Virtualization (x86) is enabled
+ */
+static bool
+virQEMUCapsKVMSupportsSecureGuestAMD(void)
+{
+    g_autofree char *cmdline = NULL;
+    g_autofree char *modValue = NULL;
+    static const char *kValues[] = {"on"};
+
+    if (virFileReadValueString(&modValue, "/sys/module/kvm_amd/parameters/sev") < 0)
+        return false;
+    if (modValue[0] != '1')
+        return false;
+    if (virFileReadValueString(&cmdline, "/proc/cmdline") < 0)
+        return false;
+    if (virKernelCmdlineMatchParam(cmdline, "mem_encrypt", kValues,
+                                   G_N_ELEMENTS(kValues),
+                                   VIR_KERNEL_CMDLINE_FLAGS_SEARCH_LAST |
+                                   VIR_KERNEL_CMDLINE_FLAGS_CMP_EQ))
+        return true;
+    return false;
+}
+
+
  /*
   * Check whether the secure guest functionality is enabled.
   * See the specific architecture function for details on the verifications made.
@@ -4615,6 +4640,8 @@ virQEMUCapsKVMSupportsSecureGuest(void)
if (ARCH_IS_S390(arch))
          return virQEMUCapsKVMSupportsSecureGuestS390();
+    if (ARCH_IS_X86(arch))
+        return virQEMUCapsKVMSupportsSecureGuestAMD();
      return false;
  }


--
Mit freundlichen Grüßen/Kind regards
   Boris Fiuczynski

IBM Deutschland Research & Development GmbH
Vorsitzender des Aufsichtsrats: Gregor Pillen
Geschäftsführung: Dirk Wittkopp
Sitz der Gesellschaft: Böblingen
Registergericht: Amtsgericht Stuttgart, HRB 243294





[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]

  Powered by Linux