Checks such as this one should be done at domain def validation time, not before starting the QEMU process. As for this change, existing domains will see some QEMU error when starting as opposed to a libvirt error that this QEMU binary doesn't support SEV, but that's okay, we never guaranteed error messages to remain the same. Signed-off-by: Erik Skultety <eskultet@xxxxxxxxxx> --- src/qemu/qemu_process.c | 9 --------- src/qemu/qemu_validate.c | 8 ++++++++ 2 files changed, 8 insertions(+), 9 deletions(-) diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c index f71bb21f09..16d6f54f66 100644 --- a/src/qemu/qemu_process.c +++ b/src/qemu/qemu_process.c @@ -6393,8 +6393,6 @@ qemuProcessSEVCreateFile(virDomainObjPtr vm, static int qemuProcessPrepareSEVGuestInput(virDomainObjPtr vm) { - qemuDomainObjPrivatePtr priv = vm->privateData; - virQEMUCapsPtr qemuCaps = priv->qemuCaps; virDomainSEVDefPtr sev = vm->def->sev; if (!sev) @@ -6402,13 +6400,6 @@ qemuProcessPrepareSEVGuestInput(virDomainObjPtr vm) VIR_DEBUG("Preparing SEV guest"); - if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_SEV_GUEST)) { - virReportError(VIR_ERR_INTERNAL_ERROR, - _("Domain %s asked for 'sev' launch but this " - "QEMU does not support SEV feature"), vm->def->name); - return -1; - } - if (sev->dh_cert) { if (qemuProcessSEVCreateFile(vm, "dh_cert", sev->dh_cert) < 0) return -1; diff --git a/src/qemu/qemu_validate.c b/src/qemu/qemu_validate.c index 28eae76cca..949a5a59b7 100644 --- a/src/qemu/qemu_validate.c +++ b/src/qemu/qemu_validate.c @@ -1034,6 +1034,14 @@ qemuValidateDomainDef(const virDomainDef *def, return -1; } + if (def->sev && + !virQEMUCapsGet(qemuCaps, QEMU_CAPS_SEV_GUEST)) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("SEV launch security is not supported with " + "this QEMU binary")); + return -1; + } + return 0; } -- 2.26.2