Re: [PATCH 5/8] qemu: Fill launchSecurity in domaincaps

On Tue, Jun 25, 2024 at 11:48:50 +0200, Michal Privoznik wrote:
> The inspiration for these rules comes from
> qemuValidateDomainDef().
> 
> Signed-off-by: Michal Privoznik <mprivozn@xxxxxxxxxx>
> ---
...
> diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
> index adaf5f9c26..4f9895ba9c 100644
> --- a/src/qemu/qemu_capabilities.c
> +++ b/src/qemu/qemu_capabilities.c
> @@ -6514,6 +6514,24 @@ virQEMUCapsFillDomainDeviceCryptoCaps(virQEMUCaps *qemuCaps,
>  }
>  
>  
> +void
> +virQEMUCapsFillDomainLaunchSecurity(virQEMUCaps *qemuCaps,
> +                                    virDomainCapsLaunchSecurity *launchSecurity)
> +{
> +    launchSecurity->supported = VIR_TRISTATE_BOOL_YES;
> +    launchSecurity->sectype.report = true;
> +
> +    if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_SEV_GUEST))
> +        VIR_DOMAIN_CAPS_ENUM_SET(launchSecurity->sectype, VIR_DOMAIN_LAUNCH_SECURITY_SEV);
> +    if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_SEV_SNP_GUEST))
> +        VIR_DOMAIN_CAPS_ENUM_SET(launchSecurity->sectype, VIR_DOMAIN_LAUNCH_SECURITY_SEV_SNP);
> +    if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_S390_PV_GUEST) &&
> +        virQEMUCapsGet(qemuCaps, QEMU_CAPS_MACHINE_CONFIDENTAL_GUEST_SUPPORT))
> +        VIR_DOMAIN_CAPS_ENUM_SET(launchSecurity->sectype, VIR_DOMAIN_LAUNCH_SECURITY_PV);
> +}
> +
> +
> +

Two empty lines would have been enough :-)

>  /**
>   * virQEMUCapsSupportsGICVersion:
>   * @qemuCaps: QEMU capabilities
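
Review bot: `launchSecurity->supported = VIR_TRISTATE_BOOL_YES;` at the top of virQEMUCapsFillDomainLaunchSecurity() is unconditional, so a QEMU binary with none of QEMU_CAPS_SEV_GUEST, QEMU_CAPS_SEV_SNP_GUEST or the S390 PV capability pair is still reported as supporting launch security, only with an empty sectype enum. Management code that keys on the `supported` attribute alone to decide whether a confidential guest can be placed on a host would get the wrong answer. Consider setting `supported` to VIR_TRISTATE_BOOL_YES only when at least one VIR_DOMAIN_CAPS_ENUM_SET() was reached, and to VIR_TRISTATE_BOOL_NO otherwise. A short comment on why PV needs both QEMU_CAPS_S390_PV_GUEST and QEMU_CAPS_MACHINE_CONFIDENTAL_GUEST_SUPPORT while each SEV type needs a single capability would also help, since the rule is otherwise explained only in the commit message by reference to qemuValidateDomainDef().
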
> @@ -6678,6 +6696,7 @@ virQEMUCapsFillDomainCaps(virQEMUCaps *qemuCaps,
>      virDomainCapsDeviceChannel *channel = &domCaps->channel;
>      virDomainCapsMemoryBacking *memoryBacking = &domCaps->memoryBacking;
>      virDomainCapsDeviceCrypto *crypto = &domCaps->crypto;
> +    virDomainCapsLaunchSecurity *launchSecurity = &domCaps->launchSecurity;
>  
>      virQEMUCapsFillDomainFeaturesFromQEMUCaps(qemuCaps, domCaps);
>  
> @@ -6717,6 +6736,7 @@ virQEMUCapsFillDomainCaps(virQEMUCaps *qemuCaps,
>      virQEMUCapsFillDomainFeatureSGXCaps(qemuCaps, domCaps);
>      virQEMUCapsFillDomainFeatureHypervCaps(qemuCaps, domCaps);
>      virQEMUCapsFillDomainDeviceCryptoCaps(qemuCaps, crypto);
> +    virQEMUCapsFillDomainLaunchSecurity(qemuCaps, launchSecurity);
>  
>      return 0;
>  }
> diff --git a/src/qemu/qemu_capabilities.h b/src/qemu/qemu_capabilities.h
> index a98da8c2eb..ef71e8511e 100644
> --- a/src/qemu/qemu_capabilities.h
> +++ b/src/qemu/qemu_capabilities.h
> @@ -867,6 +867,9 @@ void virQEMUCapsFillDomainDeviceChannelCaps(virQEMUCaps *qemuCaps,
>  void virQEMUCapsFillDomainDeviceCryptoCaps(virQEMUCaps *qemuCaps,
>                                             virDomainCapsDeviceCrypto *crypto);
>  
> +void virQEMUCapsFillDomainLaunchSecurity(virQEMUCaps *qemuCaps,
> +                                         virDomainCapsLaunchSecurity *launchSecurity);
> +
>  bool virQEMUCapsGuestIsNative(virArch host,
>                                virArch guest);
>  
> diff --git a/tests/domaincapsdata/qemu_4.2.0-q35.x86_64.xml b/tests/domaincapsdata/qemu_4.2.0-q35.x86_64.xml
> index c42a20763f..f9aacbfbf9 100644
> --- a/tests/domaincapsdata/qemu_4.2.0-q35.x86_64.xml
> +++ b/tests/domaincapsdata/qemu_4.2.0-q35.x86_64.xml
> @@ -319,5 +319,8 @@
>      <async-teardown supported='no'/>
>      <sev supported='no'/>
>      <sgx supported='no'/>
> +    <launchSecurity supported='yes'>
> +      <enum name='sectype'/>
> +    </launchSecurity>

I think reporting launchSecurity as unsupported when no sectype is
available would make more sense.

>    </features>
>  </domainCapabilities>
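
Review bot: the expected output for QEMU 4.2.0 now carries `<launchSecurity supported='yes'>` with an empty `<enum name='sectype'/>` directly below `<sev supported='no'/>`, which reads as contradictory and pins the unconditional 'yes' into the test data. If the fill function is changed to report 'no' when no sectype is set, this file needs regenerating. This is also the only expected-output file visible here, so it is worth confirming that some data file exercises a non-empty sectype enum, so that the positive path is covered as well.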

Jirka


