On Mon, May 11, 2020 at 06:41:58PM +0200, Boris Fiuczynski wrote:
> From: Paulo de Rezende Pinatti <ppinatti@xxxxxxxxxxxxx>
>
> Implement secure guest check for AMD SEV (Secure Encrypted
> Virtualization) in order to invalidate the qemu capabilities
> cache in case the availability of the feature changed.
>
> For AMD SEV the verification consists of:
> - checking if /sys/module/kvm_amd/parameters/sev contains the
> value '1': meaning SEV is enabled in the host kernel;
> - checking if the kernel cmdline contains 'mem_encrypt=on': meaning
> SME memory encryption feature on the host is enabled
>
> Signed-off-by: Paulo de Rezende Pinatti <ppinatti@xxxxxxxxxxxxx>
> Reviewed-by: Bjoern Walk <bwalk@xxxxxxxxxxxxx>
> Reviewed-by: Boris Fiuczynski <fiuczy@xxxxxxxxxxxxx>
> ---
> docs/kbase/launch_security_sev.rst | 2 +-
> src/qemu/qemu_capabilities.c | 27 +++++++++++++++++++++++++++
> 2 files changed, 28 insertions(+), 1 deletion(-)
>
> diff --git a/docs/kbase/launch_security_sev.rst b/docs/kbase/launch_security_sev.rst
> index 65f258587d..fa602c7432 100644
> --- a/docs/kbase/launch_security_sev.rst
> +++ b/docs/kbase/launch_security_sev.rst
> @@ -109,7 +109,7 @@ following:
> </features>
> </domainCapabilities>
>
> -Note that if libvirt was already installed and libvirtd running before
> +Note that if libvirt (<6.4.0) was already installed and libvirtd running before
> enabling SEV in the kernel followed by the host reboot you need to force
> libvirtd to re-probe both the host and QEMU capabilities. First stop
> libvirtd:
Docs updates tend to go to a separate patch.
> diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
> index 2874bb1e7c..6cf926d52d 100644
> --- a/src/qemu/qemu_capabilities.c
> +++ b/src/qemu/qemu_capabilities.c
> @@ -4604,6 +4604,31 @@ virQEMUCapsKVMSupportsSecureGuestS390(void)
> }
>
>
> +/*
> + * Check whether AMD Secure Encrypted Virtualization (x86) is enabled
> + */
> +static bool
> +virQEMUCapsKVMSupportsSecureGuestAMD(void)
> +{
> + g_autofree char *cmdline = NULL;
> + g_autofree char *modValue = NULL;
> + static const char *kValues[] = {"on"};
> +
> + if (virFileReadValueString(&modValue, "/sys/module/kvm_amd/parameters/sev") < 0)
> + return false;
> + if (modValue[0] != '1')
> + return false;
> + if (virFileReadValueString(&cmdline, "/proc/cmdline") < 0)
> + return false;
> + if (virKernelCmdlineMatchParam(cmdline, "mem_encrypt", kValues,
> + G_N_ELEMENTS(kValues),
> + VIR_KERNEL_CMDLINE_FLAGS_SEARCH_LAST |
> + VIR_KERNEL_CMDLINE_FLAGS_CMP_EQ))
As discussed already, the last 2 checks will not be necessary.
> + return true;
> + return false;
> +}
> +
> +
> /*
> * Check whether the secure guest functionality is enabled.
> * See the specific architecture function for details on the verifications made.
> @@ -4615,6 +4640,8 @@ virQEMUCapsKVMSupportsSecureGuest(void)
>
> if (ARCH_IS_S390(arch))
> return virQEMUCapsKVMSupportsSecureGuestS390();
> + if (ARCH_IS_X86(arch))
> + return virQEMUCapsKVMSupportsSecureGuestAMD();
For s390 the check will most likely suffice, but for x86, there isn't just SEV,
there's also MKTME from Intel. However, given there's no support for that in
libvirt, we can figure out later how to propagate host caps in here so that
CPU vendor can be extracted. I just wanted to make it clear, that we'll need
to differentiate the x86 callbacks according to the CPU vendor at some point.
--
Erik Skultety
