[virt-install PATCH 0/7] Introduce initial support for AMD SEV launch security

This series introduces a new cmdline parameter --launch-security. All of the
options the argument takes are either completely optional or there is a
reasonable default provided. More details are available in the individual
patches.

One thing that this series doesn't address is handling virtio devices with SEV.
See, to successfully use SEV with virtio devices, there are basically 2
conditions:
1) the boot disk cannot be virtio-blk, as that doesn't work with SEV, but
virtio-scsi is fine (which means handling the virtio-scsi controller)

2) for the rest of the virtio devices, driver.iommu needs to be turned on as
the IOMMU flag enables usage of encrypted DMA.

So rather than spend more time on figuring out how to properly handle that, I
decided to start with the basic support first and continue from there.

Resolves:
https://bugzilla.redhat.com/show_bug.cgi?id=1501608

Erik Skultety (7):
  Introduce real-world AMD SEV domain capabilities
  virtinst: cli: Introduce parser support for SEV launch security
  virtinst: cli: Provide a default value for the 'policy' argument
  virtinst: guest: Fill in SEV platform specific data automatically
  virtins: guest: Provide further SEV support checks
  man: Provide a documentation for the SEV feature
  DO NOT MERGE: showcase a functional SEV cmdline in a simple script

 man/virt-install.pod                          |  75 ++++++++-
 .../kvm-x86_64-amd-domcaps-q35.xml            | 146 ++++++++++++++++++
 ...nstall-x86_64-launch-security-sev-full.xml |  63 ++++++++
 ...irt-install-x86_64-launch-security-sev.xml |  61 ++++++++
 tests/clitest.py                              |  10 ++
 tests/utils.py                                |   2 +
 virt-install-sev.sh                           |  19 +++
 virtinst/cli.py                               |  62 ++++++++
 virtinst/domain/__init__.py                   |   1 +
 virtinst/domain/launch_security.py            |  37 +++++
 virtinst/domcapabilities.py                   |  22 +++
 virtinst/guest.py                             |  25 ++-
 12 files changed, 521 insertions(+), 2 deletions(-)
 create mode 100644 tests/capabilities-xml/kvm-x86_64-amd-domcaps-q35.xml
 create mode 100644 tests/cli-test-xml/compare/virt-install-x86_64-launch-security-sev-full.xml
 create mode 100644 tests/cli-test-xml/compare/virt-install-x86_64-launch-security-sev.xml
 create mode 100644 virt-install-sev.sh
 create mode 100644 virtinst/domain/launch_security.py

--
2.20.1

_______________________________________________
virt-tools-list mailing list
virt-tools-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/virt-tools-list
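
The two virtio conditions listed in the cover letter can be checked against a libvirt domain XML before a guest is defined. The following is an added example, not part of the original post or the patch series; the function names, the boot-disk heuristic and the sample XML are assumptions made here, and it only covers disks, interfaces and devices that carry a model attribute (controller, memballoon, rng).

```python
import xml.etree.ElementTree as ET

# Constructed sample domain XML (not taken from the patch series).
SAMPLE_XML = """<domain type='kvm'>
  <launchSecurity type='sev'/>
  <devices>
    <disk type='file' device='disk'><target dev='vda' bus='virtio'/></disk>
    <controller type='scsi' model='virtio-scsi'><driver iommu='on'/></controller>
    <interface type='network'><model type='virtio'/></interface>
    <memballoon model='virtio'><driver iommu='on'/></memballoon>
  </devices>
</domain>"""

def is_virtio(dev):
    """True for the virtio device shapes this sketch covers."""
    if dev.tag == "disk":
        return dev.find("target[@bus='virtio']") is not None
    if dev.tag == "interface":
        return dev.find("model[@type='virtio']") is not None
    return (dev.get("model") or "").startswith("virtio")

def boot_disk(devices):
    """Assumption: lowest <boot order='N'/>, else the first <disk> listed."""
    disks = devices.findall("disk")
    ordered = [d for d in disks if d.find("boot") is not None]
    if ordered:
        return min(ordered, key=lambda d: int(d.find("boot").get("order", "0")))
    return disks[0] if disks else None

def check_sev_virtio(xml_text):
    """Return findings for the two conditions; an empty list means none."""
    root = ET.fromstring(xml_text)
    devices = root.find("devices")
    if root.find("launchSecurity[@type='sev']") is None or devices is None:
        return []
    boot, findings = boot_disk(devices), []
    for dev in devices:
        if not is_virtio(dev):
            continue
        if dev is boot:
            # Condition 1: a virtio-blk boot disk does not work with SEV.
            findings.append("boot disk is virtio-blk; use virtio-scsi")
            continue
        # Condition 2: every other virtio device needs driver iommu='on'.
        driver = dev.find("driver")
        if driver is None or driver.get("iommu") != "on":
            findings.append(f"{dev.tag}: driver iommu is not 'on'")
    return findings

if __name__ == "__main__":
    print("\n".join(check_sev_virtio(SAMPLE_XML)))
```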
