Re: [PATCH 3/4] conf: add s390-pv as launch security type

Daniel Henrique Barboza <danielhb413@xxxxxxxxx> · Wed, 19 May 2021 17:05:00 -0300

On 5/19/21 4:34 PM, Daniel Henrique Barboza wrote:


On 5/19/21 2:40 PM, Boris Fiuczynski wrote:
Add launch security type 's390-pv' as well as some tests.

Signed-off-by: Boris Fiuczynski <fiuczy@xxxxxxxxxxxxx>
---
  docs/schemas/domaincommon.rng                 |  1 +
  src/conf/domain_conf.c                        |  8 +++++
  src/conf/domain_conf.h                        |  1 +
  src/qemu/qemu_command.c                       | 26 ++++++++++++++
  src/qemu/qemu_namespace.c                     |  1 +
  src/qemu/qemu_process.c                       |  1 +
  src/qemu/qemu_validate.c                      |  8 +++++
  .../launch-security-s390-pv-ignore-policy.xml | 24 +++++++++++++
  .../launch-security-s390-pv.xml               | 18 ++++++++++
  .../launch-security-s390-pv-ignore-policy.xml |  1 +
  tests/genericxml2xmltest.c                    |  2 ++
  ...ty-s390-pv-ignore-policy.s390x-latest.args | 35 +++++++++++++++++++
  .../launch-security-s390-pv-ignore-policy.xml | 33 +++++++++++++++++
  .../launch-security-s390-pv.s390x-latest.args | 35 +++++++++++++++++++
  .../launch-security-s390-pv.xml               | 30 ++++++++++++++++
  tests/qemuxml2argvtest.c                      |  3 ++
  16 files changed, 227 insertions(+)
  create mode 100644 tests/genericxml2xmlindata/launch-security-s390-pv-ignore-policy.xml
  create mode 100644 tests/genericxml2xmlindata/launch-security-s390-pv.xml
  create mode 120000 tests/genericxml2xmloutdata/launch-security-s390-pv-ignore-policy.xml
  create mode 100644 tests/qemuxml2argvdata/launch-security-s390-pv-ignore-policy.s390x-latest.args
  create mode 100644 tests/qemuxml2argvdata/launch-security-s390-pv-ignore-policy.xml
  create mode 100644 tests/qemuxml2argvdata/launch-security-s390-pv.s390x-latest.args
  create mode 100644 tests/qemuxml2argvdata/launch-security-s390-pv.xml

diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
index 3df13a0cf1..7c92e4c812 100644
--- a/docs/schemas/domaincommon.rng
+++ b/docs/schemas/domaincommon.rng
@@ -485,6 +485,7 @@
        <attribute name="type">
          <choice>
            <value>sev</value>
+          <value>s390-pv</value>
          </choice>
        </attribute>
        <interleave>

You added a new 's390-pv' security type, but down there you're using
the new confidential-guest-support feature from QEMU 6.0 which is also
valid for AMD and pSeries. I think you can do a little change in the idea
of these patches while keeping most of it. Instead of calling this new
support 's390-pv', call it 'confidential-guest-support' or 'CGS'.

My reasoning is that the QEMU community (namely David Gibson, qemu-ppc
maintainer) went into a lot of discussions back and forth to develop the
confidential-guest-support machine option, based on what was at first AMD-SEV
specific code, with the intention of make it easier for users to enable
secure guests across machine types. I believe Libvirt should follow suit
and do the same - a single option to enable secure guest supports for
all guests, with any differences in the support being handled by each arch
deep down in the driver.

Otherwise, what will end up happening is that when someone (probably myself)
come along with the secure guest support for pSeries (PEF), I will need to
create yet another launch type 'ppc64-pef' to do basically the same thing you're
already doing for s390x, which is adding '-machine confidential-guest-support=<>'
in the QEMU command line. Same thing with AMD SEV, and with any other
arch that QEMU might support with the confidential-guest-support option. We're
going to add extra XML parsing code and docs to handle the same thing.

Note that I'm not asking you to go ahead and implement the Libvirt support for
all the 3 archs. What I'm asking is to change the name of the launch security
type in the domain XML and docs to reflect that this will be the same type
that all other archs that has confidential-guest-support will end up using.



Just remembered that there's an open bug related to the generic
confidential-guest-support implementation in Libvirt like I mentioned
above:


https://bugzilla.redhat.com/show_bug.cgi?id=1961032



Pavel, CCing you since you're the current assignee of the bug.




Daniel





Thanks,


Daniel





diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index 228de5d715..11ec8c8b0c 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -1393,6 +1393,7 @@ VIR_ENUM_IMPL(virDomainLaunchSecurity,
                VIR_DOMAIN_LAUNCH_SECURITY_LAST,
                "",
                "sev",
+              "s390-pv",
  );
  static virClass *virDomainObjClass;
@@ -14762,6 +14763,8 @@ virDomainSecDefParseXML(xmlNodePtr lsecNode,
          if (!sec->sev)
              return NULL;
          break;
+    case VIR_DOMAIN_LAUNCH_SECURITY_PV:
+        break;
      case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
      case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
      default:
@@ -26896,6 +26899,11 @@ virDomainSecDefFormat(virBuffer *buf, virDomainSecDef *sec)
          break;
      }
+    case VIR_DOMAIN_LAUNCH_SECURITY_PV:
+        virBufferAsprintf(buf, "<launchSecurity type='%s'/>\n",
+                          virDomainLaunchSecurityTypeToString(sec->sectype));
+        break;
+
      case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
      case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
          break;
diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
index dd78f30ace..1d92065c7b 100644
--- a/src/conf/domain_conf.h
+++ b/src/conf/domain_conf.h
@@ -2631,6 +2631,7 @@ struct _virDomainKeyWrapDef {
  typedef enum {
      VIR_DOMAIN_LAUNCH_SECURITY_NONE,
      VIR_DOMAIN_LAUNCH_SECURITY_SEV,
+    VIR_DOMAIN_LAUNCH_SECURITY_PV,
      VIR_DOMAIN_LAUNCH_SECURITY_LAST,
  } virDomainLaunchSecurity;
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index 10dcf11d5b..67024f99b9 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -6992,6 +6992,9 @@ qemuBuildMachineCommandLine(virCommand *cmd,
          case VIR_DOMAIN_LAUNCH_SECURITY_SEV:
              virBufferAddLit(&buf, ",memory-encryption=sev0");
              break;
+        case VIR_DOMAIN_LAUNCH_SECURITY_PV:
+            virBufferAddLit(&buf, ",confidential-guest-support=pv0");
+            break;
          case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
              break;
          case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
@@ -9879,6 +9882,26 @@ qemuBuildSEVCommandLine(virDomainObj *vm, virCommand *cmd,
  }
+static int
+qemuBuildPVCommandLine(virDomainObj *vm, virCommand *cmd)
+{
+    g_autoptr(virJSONValue) props = NULL;
+    g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
+    qemuDomainObjPrivate *priv = vm->privateData;
+
+    if (qemuMonitorCreateObjectProps(&props, "s390-pv-guest", "pv0",
+                                     NULL) < 0)
+        return -1;
+
+    if (qemuBuildObjectCommandlineFromJSON(&buf, props, priv->qemuCaps) < 0)
+        return -1;
+
+    virCommandAddArg(cmd, "-object");
+    virCommandAddArgBuffer(cmd, &buf);
+    return 0;
+}
+
+
  static int
  qemuBuildSecCommandLine(virDomainObj *vm, virCommand *cmd,
                          virDomainSecDef *sec)
@@ -9890,6 +9913,9 @@ qemuBuildSecCommandLine(virDomainObj *vm, virCommand *cmd,
      case VIR_DOMAIN_LAUNCH_SECURITY_SEV:
          return qemuBuildSEVCommandLine(vm, cmd, sec->sev);
          break;
+    case VIR_DOMAIN_LAUNCH_SECURITY_PV:
+        return qemuBuildPVCommandLine(vm, cmd);
+        break;
      case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
          break;
      case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
diff --git a/src/qemu/qemu_namespace.c b/src/qemu/qemu_namespace.c
index 0dd1291c5d..7cc35986da 100644
--- a/src/qemu/qemu_namespace.c
+++ b/src/qemu/qemu_namespace.c
@@ -607,6 +607,7 @@ qemuDomainSetupLaunchSecurity(virDomainObj *vm,
          VIR_DEBUG("Set up launch security for SEV");
          break;
+    case VIR_DOMAIN_LAUNCH_SECURITY_PV:
      case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
          break;
      case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index a7d88015ba..cb94979b26 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -6637,6 +6637,7 @@ qemuProcessPrepareLaunchSecurityGuestInput(virDomainObj *vm)
      switch ((virDomainLaunchSecurity) sec->sectype) {
      case VIR_DOMAIN_LAUNCH_SECURITY_SEV:
          return qemuProcessPrepareSEVGuestInput(vm, sec);
+    case VIR_DOMAIN_LAUNCH_SECURITY_PV:
      case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
          break;
      case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
diff --git a/src/qemu/qemu_validate.c b/src/qemu/qemu_validate.c
index 78582a7c2a..0dea33d08c 100644
--- a/src/qemu/qemu_validate.c
+++ b/src/qemu/qemu_validate.c
@@ -1224,6 +1224,14 @@ qemuValidateDomainDef(const virDomainDef *def,
                  return -1;
              }
              break;
+        case VIR_DOMAIN_LAUNCH_SECURITY_PV:
+            if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_S390_PV_GUEST)) {
+                virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+                               _("S390 PV launch security is not supported with "
+                                 "this QEMU binary"));
+                return -1;
+            }
+            break;
          case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
              break;
          case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
diff --git a/tests/genericxml2xmlindata/launch-security-s390-pv-ignore-policy.xml b/tests/genericxml2xmlindata/launch-security-s390-pv-ignore-policy.xml
new file mode 100644
index 0000000000..0c398cced8
--- /dev/null
+++ b/tests/genericxml2xmlindata/launch-security-s390-pv-ignore-policy.xml
@@ -0,0 +1,24 @@
+<domain type='kvm'>
+  <name>QEMUGuest1</name>
+  <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+  <memory unit='KiB'>219100</memory>
+  <currentMemory unit='KiB'>219100</currentMemory>
+  <vcpu placement='static'>1</vcpu>
+  <os>
+    <type arch='s390x' machine='s390-ccw-virtio'>hvm</type>
+    <boot dev='hd'/>
+  </os>
+  <clock offset='utc'/>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>destroy</on_crash>
+  <devices>
+  </devices>
+  <launchSecurity type='s390-pv'>
+    <cbitpos>47</cbitpos>
+    <reducedPhysBits>1</reducedPhysBits>
+    <policy>0x0001</policy>
+    <dhCert>AQAAAAAOAAAAQAAAAAOAAAAQAAAAAOAAAAQAAAAAOAAAAQAAAAAOAAA</dhCert>
+    <session>IHAVENOIDEABUTJUSTPROVIDINGASTRING</session>
+  </launchSecurity>
+</domain>
diff --git a/tests/genericxml2xmlindata/launch-security-s390-pv.xml b/tests/genericxml2xmlindata/launch-security-s390-pv.xml
new file mode 100644
index 0000000000..29c7fc152d
--- /dev/null
+++ b/tests/genericxml2xmlindata/launch-security-s390-pv.xml
@@ -0,0 +1,18 @@
+<domain type='kvm'>
+  <name>QEMUGuest1</name>
+  <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+  <memory unit='KiB'>219100</memory>
+  <currentMemory unit='KiB'>219100</currentMemory>
+  <vcpu placement='static'>1</vcpu>
+  <os>
+    <type arch='s390x' machine='s390-ccw-virtio'>hvm</type>
+    <boot dev='hd'/>
+  </os>
+  <clock offset='utc'/>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>destroy</on_crash>
+  <devices>
+  </devices>
+  <launchSecurity type='s390-pv'/>
+</domain>
diff --git a/tests/genericxml2xmloutdata/launch-security-s390-pv-ignore-policy.xml b/tests/genericxml2xmloutdata/launch-security-s390-pv-ignore-policy.xml
new file mode 120000
index 0000000000..075c72603d
--- /dev/null
+++ b/tests/genericxml2xmloutdata/launch-security-s390-pv-ignore-policy.xml
@@ -0,0 +1 @@
+../genericxml2xmlindata/launch-security-s390-pv.xml
\ No newline at end of file
diff --git a/tests/genericxml2xmltest.c b/tests/genericxml2xmltest.c
index ac89422a32..eb15f66c3c 100644
--- a/tests/genericxml2xmltest.c
+++ b/tests/genericxml2xmltest.c
@@ -233,6 +233,8 @@ mymain(void)
      DO_TEST("tseg");
      DO_TEST("launch-security-sev");
+    DO_TEST("launch-security-s390-pv");
+    DO_TEST_DIFFERENT("launch-security-s390-pv-ignore-policy");
      DO_TEST_DIFFERENT("cputune");
      DO_TEST("device-backenddomain");
diff --git a/tests/qemuxml2argvdata/launch-security-s390-pv-ignore-policy.s390x-latest.args b/tests/qemuxml2argvdata/launch-security-s390-pv-ignore-policy.s390x-latest.args
new file mode 100644
index 0000000000..c9d9b84dd3
--- /dev/null
+++ b/tests/qemuxml2argvdata/launch-security-s390-pv-ignore-policy.s390x-latest.args
@@ -0,0 +1,35 @@
+LC_ALL=C \
+PATH=/bin \
+HOME=/tmp/lib/domain--1-QEMUGuest1 \
+USER=test \
+LOGNAME=test \
+XDG_DATA_HOME=/tmp/lib/domain--1-QEMUGuest1/.local/share \
+XDG_CACHE_HOME=/tmp/lib/domain--1-QEMUGuest1/.cache \
+XDG_CONFIG_HOME=/tmp/lib/domain--1-QEMUGuest1/.config \
+/usr/bin/qemu-system-s390x \
+-name guest=QEMUGuest1,debug-threads=on \
+-S \
+-object '{"qom-type":"secret","id":"masterKey0","format":"raw","file":"/tmp/lib/domain--1-QEMUGuest1/master-key.aes"}' \
+-machine s390-ccw-virtio,accel=kvm,usb=off,dump-guest-core=off,confidential-guest-support=pv0,memory-backend=s390.ram \
+-cpu gen15a-base,aen=on,cmmnt=on,vxpdeh=on,aefsi=on,diag318=on,csske=on,mepoch=on,msa9=on,msa8=on,msa7=on,msa6=on,msa5=on,msa4=on,msa3=on,msa2=on,msa1=on,sthyi=on,edat=on,ri=on,deflate=on,edat2=on,etoken=on,vx=on,ipter=on,mepochptff=on,ap=on,vxeh=on,vxpd=on,esop=on,msa9_pckmo=on,vxeh2=on,esort=on,apqi=on,apft=on,els=on,iep=on,apqci=on,cte=on,ais=on,bpb=on,gs=on,ppa15=on,zpci=on,sea_esop2=on,te=on,cmm=on \
+-m 214 \
+-object '{"qom-type":"memory-backend-ram","id":"s390.ram","size":224395264}' \
+-overcommit mem-lock=off \
+-smp 1,sockets=1,cores=1,threads=1 \
+-uuid c7a5fdbd-edaf-9455-926a-d65c16db1809 \
+-display none \
+-no-user-config \
+-nodefaults \
+-chardev socket,id=charmonitor,fd=1729,server=on,wait=off \
+-mon chardev=charmonitor,id=monitor,mode=control \
+-rtc base=utc \
+-no-shutdown \
+-boot strict=on \
+-blockdev '{"driver":"host_device","filename":"/dev/HostVG/QEMUGuest1","node-name":"libvirt-1-storage","auto-read-only":true,"discard":"unmap"}' \
+-blockdev '{"node-name":"libvirt-1-format","read-only":false,"driver":"raw","file":"libvirt-1-storage"}' \
+-device virtio-blk-ccw,devno=fe.0.0000,drive=libvirt-1-format,id=virtio-disk0,bootindex=1 \
+-audiodev id=audio1,driver=none \
+-device virtio-balloon-ccw,id=balloon0,devno=fe.0.0001 \
+-object '{"qom-type":"s390-pv-guest","id":"pv0"}' \
+-sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \
+-msg timestamp=on
diff --git a/tests/qemuxml2argvdata/launch-security-s390-pv-ignore-policy.xml b/tests/qemuxml2argvdata/launch-security-s390-pv-ignore-policy.xml
new file mode 100644
index 0000000000..052d96dedb
--- /dev/null
+++ b/tests/qemuxml2argvdata/launch-security-s390-pv-ignore-policy.xml
@@ -0,0 +1,33 @@
+<domain type='kvm'>
+  <name>QEMUGuest1</name>
+  <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+  <memory unit='KiB'>219100</memory>
+  <currentMemory unit='KiB'>219100</currentMemory>
+  <vcpu placement='static'>1</vcpu>
+  <os>
+    <type arch='s390x' machine='s390-ccw-virtio'>hvm</type>
+    <boot dev='hd'/>
+  </os>
+  <clock offset='utc'/>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>destroy</on_crash>
+  <devices>
+    <emulator>/usr/bin/qemu-system-s390x</emulator>
+    <disk type='block' device='disk'>
+      <driver name='qemu' type='raw'/>
+      <source dev='/dev/HostVG/QEMUGuest1'/>
+      <target dev='hda' bus='virtio'/>
+      <address type='ccw' cssid='0xfe' ssid='0x0' devno='0x0000'/>
+    </disk>
+    <controller type='pci' index='0' model='pci-root'/>
+    <memballoon model='virtio'>
+      <address type='ccw' cssid='0xfe' ssid='0x0' devno='0x0001'/>
+    </memballoon>
+    <panic model='s390'/>
+  </devices>
+  <launchSecurity type='s390-pv'>
+    <dhCert>AQAAAAAOAAAAQAAAAAOAAAAQAAAAAOAAAAQAAAAAOAAAAQAAAAAOAAA</dhCert>
+    <session>IHAVENOIDEABUTJUSTPROVIDINGASTRING</session>
+  </launchSecurity>
+</domain>
diff --git a/tests/qemuxml2argvdata/launch-security-s390-pv.s390x-latest.args b/tests/qemuxml2argvdata/launch-security-s390-pv.s390x-latest.args
new file mode 100644
index 0000000000..c9d9b84dd3
--- /dev/null
+++ b/tests/qemuxml2argvdata/launch-security-s390-pv.s390x-latest.args
@@ -0,0 +1,35 @@
+LC_ALL=C \
+PATH=/bin \
+HOME=/tmp/lib/domain--1-QEMUGuest1 \
+USER=test \
+LOGNAME=test \
+XDG_DATA_HOME=/tmp/lib/domain--1-QEMUGuest1/.local/share \
+XDG_CACHE_HOME=/tmp/lib/domain--1-QEMUGuest1/.cache \
+XDG_CONFIG_HOME=/tmp/lib/domain--1-QEMUGuest1/.config \
+/usr/bin/qemu-system-s390x \
+-name guest=QEMUGuest1,debug-threads=on \
+-S \
+-object '{"qom-type":"secret","id":"masterKey0","format":"raw","file":"/tmp/lib/domain--1-QEMUGuest1/master-key.aes"}' \
+-machine s390-ccw-virtio,accel=kvm,usb=off,dump-guest-core=off,confidential-guest-support=pv0,memory-backend=s390.ram \
+-cpu gen15a-base,aen=on,cmmnt=on,vxpdeh=on,aefsi=on,diag318=on,csske=on,mepoch=on,msa9=on,msa8=on,msa7=on,msa6=on,msa5=on,msa4=on,msa3=on,msa2=on,msa1=on,sthyi=on,edat=on,ri=on,deflate=on,edat2=on,etoken=on,vx=on,ipter=on,mepochptff=on,ap=on,vxeh=on,vxpd=on,esop=on,msa9_pckmo=on,vxeh2=on,esort=on,apqi=on,apft=on,els=on,iep=on,apqci=on,cte=on,ais=on,bpb=on,gs=on,ppa15=on,zpci=on,sea_esop2=on,te=on,cmm=on \
+-m 214 \
+-object '{"qom-type":"memory-backend-ram","id":"s390.ram","size":224395264}' \
+-overcommit mem-lock=off \
+-smp 1,sockets=1,cores=1,threads=1 \
+-uuid c7a5fdbd-edaf-9455-926a-d65c16db1809 \
+-display none \
+-no-user-config \
+-nodefaults \
+-chardev socket,id=charmonitor,fd=1729,server=on,wait=off \
+-mon chardev=charmonitor,id=monitor,mode=control \
+-rtc base=utc \
+-no-shutdown \
+-boot strict=on \
+-blockdev '{"driver":"host_device","filename":"/dev/HostVG/QEMUGuest1","node-name":"libvirt-1-storage","auto-read-only":true,"discard":"unmap"}' \
+-blockdev '{"node-name":"libvirt-1-format","read-only":false,"driver":"raw","file":"libvirt-1-storage"}' \
+-device virtio-blk-ccw,devno=fe.0.0000,drive=libvirt-1-format,id=virtio-disk0,bootindex=1 \
+-audiodev id=audio1,driver=none \
+-device virtio-balloon-ccw,id=balloon0,devno=fe.0.0001 \
+-object '{"qom-type":"s390-pv-guest","id":"pv0"}' \
+-sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \
+-msg timestamp=on
diff --git a/tests/qemuxml2argvdata/launch-security-s390-pv.xml b/tests/qemuxml2argvdata/launch-security-s390-pv.xml
new file mode 100644
index 0000000000..c40c2b4bf2
--- /dev/null
+++ b/tests/qemuxml2argvdata/launch-security-s390-pv.xml
@@ -0,0 +1,30 @@
+<domain type='kvm'>
+  <name>QEMUGuest1</name>
+  <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+  <memory unit='KiB'>219100</memory>
+  <currentMemory unit='KiB'>219100</currentMemory>
+  <vcpu placement='static'>1</vcpu>
+  <os>
+    <type arch='s390x' machine='s390-ccw-virtio'>hvm</type>
+    <boot dev='hd'/>
+  </os>
+  <clock offset='utc'/>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>destroy</on_crash>
+  <devices>
+    <emulator>/usr/bin/qemu-system-s390x</emulator>
+    <disk type='block' device='disk'>
+      <driver name='qemu' type='raw'/>
+      <source dev='/dev/HostVG/QEMUGuest1'/>
+      <target dev='hda' bus='virtio'/>
+      <address type='ccw' cssid='0xfe' ssid='0x0' devno='0x0000'/>
+    </disk>
+    <controller type='pci' index='0' model='pci-root'/>
+    <memballoon model='virtio'>
+      <address type='ccw' cssid='0xfe' ssid='0x0' devno='0x0001'/>
+    </memballoon>
+    <panic model='s390'/>
+  </devices>
+  <launchSecurity type='s390-pv'/>
+</domain>
diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c
index 594a01de45..f1475dc700 100644
--- a/tests/qemuxml2argvtest.c
+++ b/tests/qemuxml2argvtest.c
@@ -3498,6 +3498,9 @@ mymain(void)
      DO_TEST_CAPS_VER("launch-security-sev-missing-platform-info", "2.12.0");
      DO_TEST_CAPS_VER_PARSE_ERROR("launch-security-sev-missing-policy", "2.12.0");
+    DO_TEST_CAPS_ARCH_LATEST("launch-security-s390-pv", "s390x");
+    DO_TEST_CAPS_ARCH_LATEST("launch-security-s390-pv-ignore-policy", "s390x");
+
      DO_TEST_CAPS_LATEST("vhost-user-fs-fd-memory");
      DO_TEST_CAPS_LATEST("vhost-user-fs-hugepages");
      DO_TEST_CAPS_LATEST_PARSE_ERROR("vhost-user-fs-readonly");








