These include platform checks - libvirt & QEMU - as well as configuration - SEV is only supported with UEFI. Another configuration requirement made in this patch is Q35 machine, since ADM recommends Q35 in their setups even though SEV can work with the legacy PC machine type, but we'd have to turn on virtio-non-transitional for all virtio devices with some other potential pitfalls along the way.

Signed-off-by: Erik Skultety <eskultet@xxxxxxxxxx>
---
 tests/clitest.py | 3 +++
 virtinst/domain/launch_security.py | 11 +++++++++++
 virtinst/domcapabilities.py | 8 ++++++++
 3 files changed, 22 insertions(+)

diff --git a/tests/clitest.py b/tests/clitest.py
index 4fb939dd..809280c8 100644
--- a/tests/clitest.py
+++ b/tests/clitest.py
@@ -901,6 +901,9 @@ c.add_compare("--boot uefi --machine q35 --launchSecurity type=sev,reducedPhysBi
 c.add_compare("--boot uefi --machine q35 --launchSecurity sev,policy=0x0001 --connect " + utils.URIs.kvm_amd_sev, "x86_64-launch-security-sev") # Fill in platform data from domcaps
 c.add_valid("--boot uefi --machine q35 --launchSecurity sev,reducedPhysBits=1,cbitpos=47 --connect " + utils.URIs.kvm_amd_sev) # Default policy == 0x0003 will be used
 c.add_invalid("--launchSecurity policy=0x0001 --connect " + utils.URIs.kvm_amd_sev) # Missing launchSecurity 'type'
+c.add_invalid("--launchSecurity sev --connect " + utils.URIs.kvm_amd_sev) # Fail if loader isn't UEFI
+c.add_invalid("--boot uefi --launchSecurity sev --connect " + utils.URIs.kvm_amd_sev) # Fail if machine type isn't Q35
+c.add_invalid("--boot uefi --machine q35 --launchSecurity sev,policy=0x0001 --connect " + utils.URIs.kvm_q35) # Fail with no SEV capabilities
 
 c = vinst.add_category("kvm-q35", "--noautoconsole --connect " + utils.URIs.kvm_q35)
diff --git a/virtinst/domain/launch_security.py b/virtinst/domain/launch_security.py
index a91ee752..cb210b28 100644
--- a/virtinst/domain/launch_security.py
+++ b/virtinst/domain/launch_security.py
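Review bot: The first new add_invalid case, commented "Fail if loader isn't UEFI", omits both `--boot uefi` and `--machine q35`, so it is rejected by whichever half of the combined machine/loader guard fires first, and add_invalid only asserts that the command fails. Pin it to the loader condition alone: `c.add_invalid("--machine q35 --launchSecurity sev --connect " + utils.URIs.kvm_amd_sev)  # Fail if loader isn't UEFI`. The second case already supplies `--boot uefi` and omits only the machine type, and the third supplies a valid Q35 UEFI configuration against kvm_q35, so those two do isolate their conditions. If test data for both shapes exists, it would be worth a fourth case distinguishing domcaps with no `<sev/>` element at all from one advertising `supported='no'`, since those are the two situations the new supports_sev_launch_security() docstring describes.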
@@ -28,7 +28,18 @@ class DomainLaunchSecurity(XMLBuilder):
             raise RuntimeError(_("Missing mandatory attribute 'type'"))
 
     def _set_defaults_sev(self, guest):
+        # SeaBIOS doesn't have support for SEV. Q35 defaults to virtio 1.0,
+        # which we need so let's not go through the 'virtio-transitional'
+        # exercise for pc-i440fx to make SEV work, AMD recommends Q35 anyway
+        # NOTE: at some point both of these platform checks should be put in
+        # validate(), once that accepts the 'guest' instance
+        if guest.os.machine != "q35" or guest.os.loader_type != "pflash":
+            raise RuntimeError(_("SEV launch security requires a Q35 UEFI machine"))
+
+        # libvirt or QEMU might not support SEV
         domcaps = guest.lookup_domcaps()
+        if not domcaps.supports_sev_launch_security():
+            raise RuntimeError(_("SEV launch security is not supported on this platform"))
 
         # 'policy' is a mandatory 4-byte argument for the SEV firmware,
         # if missing, let's use 0x03 which, according to the table at
diff --git a/virtinst/domcapabilities.py b/virtinst/domcapabilities.py
index fcad3646..302ed8c7 100644
--- a/virtinst/domcapabilities.py
+++ b/virtinst/domcapabilities.py
@@ -77,6 +77,7 @@ def _make_capsblock(xml_root_name):
 
 class _SEV(XMLBuilder):
     XML_NAME = "sev"
+    supported = XMLProperty("./@supported", is_yesno=True)
     cbitpos = XMLProperty("./cbitpos", is_int=True)
     reducedPhysBits = XMLProperty("./reducedPhysBits", is_int=True)
 
@@ -315,6 +316,13 @@ class DomainCapabilities(XMLBuilder):
         return self._features
+    def supports_sev_launch_security(self):
+        """
+        Returns False if either libvirt doesn't advertise support for SEV at
+        all (< libvirt-4.5.0) or if it explicitly advertises it as unsupported
+        on the platform
+        """
+        return bool(self.features.sev.supported)
     XML_NAME = "domainCapabilities"
     os = XMLChildProperty(_OS, is_single=True)
-- 
2.21.0

_______________________________________________
virt-tools-list mailing list
virt-tools-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/virt-tools-list
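Review bot: The new guard `guest.os.machine != "q35"` accepts only the bare alias; if guest.os.machine can hold a versioned name of the form `pc-q35-<version>` at this point (the hunk does not show whether alias expansion has already happened), a genuine Q35 guest is rejected with the misleading "requires a Q35 UEFI machine" error. virtinst's DomainOs has an `is_q35()` helper for exactly this test, so `if not guest.os.is_q35() or guest.os.loader_type != "pflash":` keeps the intent without depending on the exact string. Separately, the domcaps check runs after the configuration check, so on a host whose libvirt or QEMU lacks SEV the user is first told to switch to Q35/UEFI and only then that the platform cannot do SEV at all; moving the `supports_sev_launch_security()` check ahead of the machine/loader guard gives the actionable error first. _set_defaults_sev continues past the end of the hunk.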