Policy is a 4-byte bitfield used to turn on/off certain behaviour within the SEV firmware. For a detailed table of supported flags, see https://libvirt.org/formatdomain.html#launchSecurity. Most of the flags are related to advanced features (some of them don't even exist at the moment), except for the first 2 bits which determine whether debug mode should be turned on and whether the same key should be used to encrypt memory of multiple guests respectively. >From security POV, most users will probably want separate keys for individual guests, thus the value 0x03 was selected as the policy default.
Signed-off-by: Erik Skultety <eskultet@xxxxxxxxxx>
---
 tests/clitest.py | 1 +
 virtinst/domain/launch_security.py | 13 +++++++++++++
 virtinst/guest.py | 1 +
 3 files changed, 15 insertions(+)
diff --git a/tests/clitest.py b/tests/clitest.py
index e41607eb..03a1da90 100644
--- a/tests/clitest.py
+++ b/tests/clitest.py
@@ -898,6 +898,7 @@ c.add_invalid("--disk none --location nfs:example.com/fake --nonetworks") # Usi
 c = vinst.add_category("kvm-x86_64-launch-security", "--disk none --noautoconsole")
 c.add_compare("--boot uefi --machine q35 --launchSecurity type=sev,reducedPhysBits=1,policy=0x0001,cbitpos=47,dhCert=BASE64CERT,session=BASE64SESSION --connect " + utils.URIs.kvm_amd_sev, "x86_64-launch-security-sev-full") # Full cmdline
+c.add_valid("--boot uefi --machine q35 --launchSecurity sev,reducedPhysBits=1,cbitpos=47 --connect " + utils.URIs.kvm_amd_sev) # Default policy == 0x0003 will be used
 c.add_invalid("--launchSecurity policy=0x0001 --connect " + utils.URIs.kvm_amd_sev) # Missing launchSecurity 'type'
diff --git a/virtinst/domain/launch_security.py b/virtinst/domain/launch_security.py
index d371f6fb..e99faa95 100644
--- a/virtinst/domain/launch_security.py
+++ b/virtinst/domain/launch_security.py
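Review bot: The added `c.add_valid(...)` line only asserts that the command line is accepted, so the trailing comment `# Default policy == 0x0003 will be used` describes behaviour this test never checks; nothing here compares the generated XML against an expected file that carries the defaulted policy value. Turning it into `c.add_compare(..., "<constructed: x86_64-launch-security-sev-default>")` with a matching expected-output file would actually pin the default, which is the point of the commit. The comment also writes the value as `0x0003` while launch_security.py stores the literal `"0x03"`; the two are numerically equal, but using one spelling across code, test and commit message avoids a reader wondering whether they differ. The hunk header advertises six old context lines and fewer are visible, so some context was probably lost in transit rather than in the patch itself.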
@@ -26,3 +26,16 @@ class DomainLaunchSecurity(XMLBuilder):
 def validate(self):
 if not self.type:
 raise RuntimeError(_("Missing mandatory attribute 'type'"))
+
+ def _set_defaults_sev(self):
+ # 'policy' is a mandatory 4-byte argument for the SEV firmware,
+ # if missing, let's use 0x03 which, according to the table at
+ # https://libvirt.org/formatdomain.html#launchSecurity:
+ # (bit 0) - disables the debugging mode
+ # (bit 1) - disables encryption key sharing across multiple guests
+ if self.policy is None:
+ self.policy = "0x03"
+
+ def set_defaults(self, guest):
+ if self.is_sev():
+ return self._set_defaults_sev()
diff --git a/virtinst/guest.py b/virtinst/guest.py
index b0c66b81..f11da459 100644
--- a/virtinst/guest.py
+++ b/virtinst/guest.py
@@ -684,6 +684,7 @@ class Guest(XMLBuilder):
 seclabel.set_defaults(self)
 self.pm.set_defaults(self)
 self.os.set_defaults(self)
+ self.launchSecurity.set_defaults(self)
 for dev in self.devices.get_all():
 dev.set_defaults(self)
--
2.21.0
_______________________________________________
virt-tools-list mailing list
virt-tools-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/virt-tools-list
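Review bot: `return self._set_defaults_sev()` in the new `set_defaults` hands back `None` on every path, so the `return` advertises a result that does not exist and reads differently from the sibling `set_defaults` calls in guest.py, which are plain statements; `self._set_defaults_sev()` on its own is clearer. The default is stored as the string `"0x03"` while the commit message and the clitest comment write `0x0003`; the values are equal, but whether the `policy` property expects a string or an int is decided outside this hunk, so a short comment stating the intended representation, and a single spelling across code, test and message, would spare the next reader a check. Both new methods lack docstrings; `set_defaults` could carry `"""Apply SEV-only defaults; a no-op for other launch-security types."""`, and `_set_defaults_sev` should state that the conservative default (debug off, no key sharing) is applied only when the user did not supply a policy, so an explicit weaker policy is honoured as written. `is_sev()` and the `policy` attribute are defined outside the hunk, so the class body continues beyond what is shown here.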