This introduces the new "model" field in sev elements, returned by domain capabilities API, so that client can ensure SEV-ES is available in this hypervisor.

Signed-off-by: Takashi Kajinami <kajinamit@xxxxxxxxxxxxxxx>
---
 src/conf/domain_capabilities.c |  2 +
 src/conf/domain_capabilities.h |  1 +
 src/conf/domain_conf.c         |  7 +++
 src/conf/domain_conf.h         |  8 ++++
 src/qemu/qemu_capabilities.c   | 78 ++++++++++++++++++++++++----------
 5 files changed, 74 insertions(+), 22 deletions(-)

diff --git a/src/conf/domain_capabilities.c b/src/conf/domain_capabilities.c
index 68eb3c9797..26d9b0a21c 100644
--- a/src/conf/domain_capabilities.c
+++ b/src/conf/domain_capabilities.c
@@ -654,6 +654,8 @@ virDomainCapsFeatureSEVFormat(virBuffer *buf,
     if (sev->cpu0_id != NULL)
         virBufferAsprintf(buf, "<cpu0Id>%s</cpu0Id>\n", sev->cpu0_id);
 
+    ENUM_PROCESS(sev, model, virDomainSevModelTypeToString);
+
     virBufferAdjustIndent(buf, -2);
     virBufferAddLit(buf, "</sev>\n");
 }
diff --git a/src/conf/domain_capabilities.h b/src/conf/domain_capabilities.h
index fadc30cdd7..1a84ea6101 100644
--- a/src/conf/domain_capabilities.h
+++ b/src/conf/domain_capabilities.h
@@ -213,6 +213,7 @@ struct _virSEVCapability {
     unsigned int reduced_phys_bits;
     unsigned int max_guests;
     unsigned int max_es_guests;
+    virDomainCapsEnum model;
 };
 
 typedef struct _virSGXSection virSGXSection;
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index 3597959e33..cf0077d584 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -1509,6 +1509,13 @@ VIR_ENUM_IMPL(virDomainLaunchSecurity,
               "s390-pv",
 );
 
+VIR_ENUM_IMPL(virDomainSevModel,
+              VIR_DOMAIN_SEV_MODEL_LAST,
+              "",
+              "sev",
+              "sev-es",
+);
+
 typedef enum {
     VIR_DOMAIN_NET_VHOSTUSER_MODE_NONE,
     VIR_DOMAIN_NET_VHOSTUSER_MODE_CLIENT,
diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
index c7e5005b3b..a06fde1032 100644
--- a/src/conf/domain_conf.h
+++ b/src/conf/domain_conf.h
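Review bot: The `<enum name='model'>` element that `ENUM_PROCESS` now emits inside `<sev>` is not accompanied by a schema, documentation or test-data update — the diffstat lists only the five source files — so the domain capabilities schema, its format documentation and the domain capabilities test fixtures will be out of step with the XML the daemon produces. Those should be extended in the same series, otherwise clients validating against the shipped schema see an unknown element. The empty string for `VIR_DOMAIN_SEV_MODEL_NONE` is harmless here because value 0 is never set into the bitmask, but a one-line comment saying so next to the `VIR_ENUM_IMPL` in domain_conf.c would prevent someone "fixing" it to `none` later and changing the public XML.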
@@ -2854,6 +2854,13 @@ typedef enum {
     VIR_DOMAIN_LAUNCH_SECURITY_LAST,
 } virDomainLaunchSecurity;
 
+typedef enum {
+    VIR_DOMAIN_SEV_MODEL_NONE,
+    VIR_DOMAIN_SEV_MODEL_SEV,
+    VIR_DOMAIN_SEV_MODEL_SEV_ES,
+
+    VIR_DOMAIN_SEV_MODEL_LAST,
+} virDomainSevModel;
 
 struct _virDomainSEVDef {
     char *dh_cert;
@@ -4237,6 +4244,7 @@ VIR_ENUM_DECL(virDomainCryptoType);
 VIR_ENUM_DECL(virDomainCryptoBackend);
 VIR_ENUM_DECL(virDomainShmemModel);
 VIR_ENUM_DECL(virDomainShmemRole);
+VIR_ENUM_DECL(virDomainSevModel);
 VIR_ENUM_DECL(virDomainLaunchSecurity);
 /* from libvirt.h */
 VIR_ENUM_DECL(virDomainState);
diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
index e383d85920..22c9fcae6a 100644
--- a/src/qemu/qemu_capabilities.c
+++ b/src/qemu/qemu_capabilities.c
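Review bot: `virDomainSevModel` is declared among the domain XML enums, but as far as this patch shows it is only ever populated from host state for domain capabilities reporting and is never parsed from or formatted into domain XML; a short comment above the typedef would save the next reader from looking for a parser, e.g. `/* SEV guest models the host can launch; reported in domain capabilities only, not a domain XML setting */`. The `model` name in the emitted XML appears to be derived from the struct field name, so renaming the field later would silently change the public element name — worth stating in the same comment.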
@@ -3402,6 +3402,60 @@ virQEMUCapsGetSEVMaxGuests(virSEVCapability *caps)
     }
 }
 
+
+/*
+ * Check whether AMD Secure Encrypted Virtualization (x86) is enabled
+ */
+static bool
+virQEMUCapsKVMSupportsSecureGuestSEV(void)
+{
+    g_autofree char *modValue = NULL;
+
+    if (virFileReadValueString(&modValue, "/sys/module/kvm_amd/parameters/sev") < 0)
+        return false;
+
+    if (modValue[0] != '1' && modValue[0] != 'Y' && modValue[0] != 'y')
+        return false;
+
+    if (virFileExists(QEMU_DEV_SEV))
+        return true;
+
+    return false;
+}
+
+
+/*
+ * Check whether AMD Secure Encrypted Virtualization-Encrypted State (x86) is enabled
+ */
+static bool
+virQEMUCapsKVMSupportsSecureGuestSEVES(void)
+{
+    g_autofree char *modValue = NULL;
+
+    if (virFileReadValueString(&modValue, "/sys/module/kvm_amd/parameters/sev_es") < 0)
+        return false;
+
+    if (modValue[0] != '1' && modValue[0] != 'Y' && modValue[0] != 'y')
+        return false;
+
+    if (virFileExists(QEMU_DEV_SEV))
+        return true;
+
+    return false;
+}
+
+
+static void
+virQEMUCapsGetSEVModels(virSEVCapability *caps)
+{
+    if (virQEMUCapsKVMSupportsSecureGuestSEV())
+        VIR_DOMAIN_CAPS_ENUM_SET(caps->model, VIR_DOMAIN_SEV_MODEL_SEV);
+
+    if (virQEMUCapsKVMSupportsSecureGuestSEVES())
+        VIR_DOMAIN_CAPS_ENUM_SET(caps->model, VIR_DOMAIN_SEV_MODEL_SEV_ES);
+}
+
+
 static int
 virQEMUCapsProbeQMPSEVCapabilities(virQEMUCaps *qemuCaps,
                                    qemuMonitor *mon)
@@ -3422,6 +3476,7 @@ virQEMUCapsProbeQMPSEVCapabilities(virQEMUCaps *qemuCaps,
     }
 
     virQEMUCapsGetSEVMaxGuests(caps);
+    virQEMUCapsGetSEVModels(caps);
 
     virSEVCapabilitiesFree(qemuCaps->sevCapabilities);
     qemuCaps->sevCapabilities = caps;
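Review bot: `caps->model` is populated here only on the QMP probe path, but the other `virSEVCapability` fields appear to be copied and serialized to the capabilities cache elsewhere in this file; if those copy/format/parse routines are not extended for `model` in this series, a daemon that loads cached capabilities will report an empty model set until the cache is rebuilt. Likewise the cache validity check seems to key on the boolean `virQEMUCapsKVMSupportsSecureGuest` (now SEV-only on x86, see the last hunk), so toggling `sev_es` alone would not invalidate a cache that still advertises, or omits, `sev-es`. Both should be confirmed against the cache code, which is outside this hunk; `virQEMUCapsProbeQMPSEVCapabilities` itself begins and ends outside it.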
@@ -5038,27 +5093,6 @@ virQEMUCapsKVMSupportsSecureGuestS390(void)
 }
 
 
-/*
- * Check whether AMD Secure Encrypted Virtualization (x86) is enabled
- */
-static bool
-virQEMUCapsKVMSupportsSecureGuestAMD(void)
-{
-    g_autofree char *modValue = NULL;
-
-    if (virFileReadValueString(&modValue, "/sys/module/kvm_amd/parameters/sev") < 0)
-        return false;
-
-    if (modValue[0] != '1' && modValue[0] != 'Y' && modValue[0] != 'y')
-        return false;
-
-    if (virFileExists(QEMU_DEV_SEV))
-        return true;
-
-    return false;
-}
-
-
 /*
  * Check whether the secure guest functionality is enabled.
  * See the specific architecture function for details on the verifications made.
@@ -5072,7 +5106,7 @@ virQEMUCapsKVMSupportsSecureGuest(void)
         return virQEMUCapsKVMSupportsSecureGuestS390();
 
     if (ARCH_IS_X86(arch))
-        return virQEMUCapsKVMSupportsSecureGuestAMD();
+        return virQEMUCapsKVMSupportsSecureGuestSEV();
 
     return false;
 }
-- 
2.43.0

_______________________________________________
Devel mailing list -- devel@xxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxx