On Tue, Jun 25, 2024 at 11:48:50 +0200, Michal Privoznik wrote:
> The inspiration for these rules comes from
> qemuValidateDomainDef().
>
> Signed-off-by: Michal Privoznik <mprivozn@xxxxxxxxxx>
> ---
...
> diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
> index adaf5f9c26..4f9895ba9c 100644
> --- a/src/qemu/qemu_capabilities.c
> +++ b/src/qemu/qemu_capabilities.c
> @@ -6514,6 +6514,24 @@ virQEMUCapsFillDomainDeviceCryptoCaps(virQEMUCaps *qemuCaps,
> }
>
>
> +void
> +virQEMUCapsFillDomainLaunchSecurity(virQEMUCaps *qemuCaps,
> + virDomainCapsLaunchSecurity *launchSecurity)
> +{
> + launchSecurity->supported = VIR_TRISTATE_BOOL_YES;
> + launchSecurity->sectype.report = true;
> +
> + if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_SEV_GUEST))
> + VIR_DOMAIN_CAPS_ENUM_SET(launchSecurity->sectype, VIR_DOMAIN_LAUNCH_SECURITY_SEV);
> + if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_SEV_SNP_GUEST))
> + VIR_DOMAIN_CAPS_ENUM_SET(launchSecurity->sectype, VIR_DOMAIN_LAUNCH_SECURITY_SEV_SNP);
> + if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_S390_PV_GUEST) &&
> + virQEMUCapsGet(qemuCaps, QEMU_CAPS_MACHINE_CONFIDENTAL_GUEST_SUPPORT))
> + VIR_DOMAIN_CAPS_ENUM_SET(launchSecurity->sectype, VIR_DOMAIN_LAUNCH_SECURITY_PV);
> +}
> +
> +
> +
Two empty lines would have been enough :-)
> /**
> * virQEMUCapsSupportsGICVersion:
> * @qemuCaps: QEMU capabilities
> @@ -6678,6 +6696,7 @@ virQEMUCapsFillDomainCaps(virQEMUCaps *qemuCaps,
> virDomainCapsDeviceChannel *channel = &domCaps->channel;
> virDomainCapsMemoryBacking *memoryBacking = &domCaps->memoryBacking;
> virDomainCapsDeviceCrypto *crypto = &domCaps->crypto;
> + virDomainCapsLaunchSecurity *launchSecurity = &domCaps->launchSecurity;
>
> virQEMUCapsFillDomainFeaturesFromQEMUCaps(qemuCaps, domCaps);
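Review bot: virQEMUCapsFillDomainLaunchSecurity() in the first qemu_capabilities.c hunk has no header comment, although the following function in the file (virQEMUCapsSupportsGICVersion) opens with a gtk-doc block and the commit message says the rules were taken from qemuValidateDomainDef(). Management tools are likely to read this element when deciding whether a confidential guest can be started, so the link to the validation code belongs in the source, where it keeps the two lists from drifting apart when a sectype is added. I would add a short block naming @qemuCaps and @launchSecurity plus `/* Keep the sectype conditions in sync with the launch security checks in qemuValidateDomainDef(). */`. The PV branch is the only one that tests two capability flags, and a one-line comment such as `/* s390 PV additionally needs confidential-guest-support on the machine */` would explain why; that reading is inferred from the flag names and should be confirmed.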
>
> @@ -6717,6 +6736,7 @@ virQEMUCapsFillDomainCaps(virQEMUCaps *qemuCaps,
> virQEMUCapsFillDomainFeatureSGXCaps(qemuCaps, domCaps);
> virQEMUCapsFillDomainFeatureHypervCaps(qemuCaps, domCaps);
> virQEMUCapsFillDomainDeviceCryptoCaps(qemuCaps, crypto);
> + virQEMUCapsFillDomainLaunchSecurity(qemuCaps, launchSecurity);
>
> return 0;
> }
> diff --git a/src/qemu/qemu_capabilities.h b/src/qemu/qemu_capabilities.h
> index a98da8c2eb..ef71e8511e 100644
> --- a/src/qemu/qemu_capabilities.h
> +++ b/src/qemu/qemu_capabilities.h
> @@ -867,6 +867,9 @@ void virQEMUCapsFillDomainDeviceChannelCaps(virQEMUCaps *qemuCaps,
> void virQEMUCapsFillDomainDeviceCryptoCaps(virQEMUCaps *qemuCaps,
> virDomainCapsDeviceCrypto *crypto);
>
> +void virQEMUCapsFillDomainLaunchSecurity(virQEMUCaps *qemuCaps,
> + virDomainCapsLaunchSecurity *launchSecurity);
> +
> bool virQEMUCapsGuestIsNative(virArch host,
> virArch guest);
>
> diff --git a/tests/domaincapsdata/qemu_4.2.0-q35.x86_64.xml b/tests/domaincapsdata/qemu_4.2.0-q35.x86_64.xml
> index c42a20763f..f9aacbfbf9 100644
> --- a/tests/domaincapsdata/qemu_4.2.0-q35.x86_64.xml
> +++ b/tests/domaincapsdata/qemu_4.2.0-q35.x86_64.xml
> @@ -319,5 +319,8 @@
> <async-teardown supported='no'/>
> <sev supported='no'/>
> <sgx supported='no'/>
> + <launchSecurity supported='yes'>
> + <enum name='sectype'/>
> + </launchSecurity>
I think reporting launchSecurity as unsupported when no sectype is available would make more sense.
> </features>
> </domainCapabilities>
Jirka