Re: [libvirt PATCH v3 13/13] qemu: format sev-guest.kernel-hashes property

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Dec 14, 2021 at 12:08:37PM +0100, Peter Krempa wrote:
> On Fri, Dec 10, 2021 at 16:47:13 +0000, Daniel P. Berrangé wrote:
> > Set the kernel-hashes property on the sev-guest object if
> > the config asked for it explicitly. While QEMU machine
> > types currently default to having this setting off, it
> > is not guaranteed to remain this way.
> > 
> > Signed-off-by: Daniel P. Berrangé <berrange@xxxxxxxxxx>
> > ---
> >  src/qemu/qemu_command.c                       |  1 +
> >  src/qemu/qemu_validate.c                      |  7 ++++
> >  ...unch-security-sev-direct.x86_64-6.2.0.args | 40 +++++++++++++++++++
> >  .../launch-security-sev-direct.xml            | 39 ++++++++++++++++++
> >  tests/qemuxml2argvtest.c                      |  1 +
> >  5 files changed, 88 insertions(+)
> >  create mode 100644 tests/qemuxml2argvdata/launch-security-sev-direct.x86_64-6.2.0.args
> >  create mode 100644 tests/qemuxml2argvdata/launch-security-sev-direct.xml
> > 
> > diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
> > index 613f7a5d2a..dfbf4973f5 100644
> > --- a/src/qemu/qemu_command.c
> > +++ b/src/qemu/qemu_command.c
> > @@ -9894,6 +9894,7 @@ qemuBuildSEVCommandLine(virDomainObj *vm, virCommand *cmd,
> >                                       "u:policy", sev->policy,
> >                                       "S:dh-cert-file", dhpath,
> >                                       "S:session-file", sessionpath,
> > +                                     "T:kernel-hashes", sev->kernel_hashes,
> 
> Since this is an '-object' ...
> 
> >                                       NULL) < 0)
> >          return -1;
> >  
> > diff --git a/src/qemu/qemu_validate.c b/src/qemu/qemu_validate.c
> > index 29b01495ad..c0dc1f7b53 100644
> > --- a/src/qemu/qemu_validate.c
> > +++ b/src/qemu/qemu_validate.c
> > @@ -1200,6 +1200,13 @@ qemuValidateDomainDef(const virDomainDef *def,
> >                                   "this QEMU binary"));
> >                  return -1;
> >              }
> > +
> > +            if (def->sec->data.sev.kernel_hashes == VIR_TRISTATE_BOOL_YES &&
> > +                !virQEMUCapsGet(qemuCaps, QEMU_CAPS_SEV_GUEST_KERNEL_HASHES)) {
> 
> ... and this flag means that the 'sev-guest' actually has the
> 'kernel-hashes' property, the above check should be
> 
> if (def->sec->data.sev.kernel_hashes != VIR_TRISTATE_BOOL_ABSENT && ...

Lets do this, since if the user gave an explicit disable we want
to pass that through to the CLI, in case qemu changes the future
default for machine types to be enabled

> as an explicit disable will also cause a qemu error when the property is
> not defined inside sev-guest.
> 
> Other option is to use 'B:kernel-hashes' above and extract the value of
> sev->kernel_hashes into a temporary bool initialized to false via
> virTristateBoolToBool which preserves the default. In such case it will
> be always omitted when not enabled.
> 
> 
> 
> Reviewed-by: Peter Krempa <pkrempa@xxxxxxxxxx>
> 

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|




[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]

  Powered by Linux