On 6/11/19 11:41 AM, Erik Skultety wrote: > * Since v1: > - dropped all validation checks from the parser and moved them into the > DomainLaunchSecurity object, either into validate() or set_defaults() > - shortened the man page to contain only virt-install relevant bits with the > promise that I'll use the stripped bits in a dedicated libvirt SEV docs page. > - dropped a couple of checks in order to let libvirt/QEMU fail and not bloat > virt-install with such code > > Please give it a try if you can, I'm looking at you Brijesh ;) > > This series introduces a new cmdline parameter --launch-security. All of the > options the argument takes are either completely optional or there is a > reasonable default provided. More details are available in the individual > patches. > > One thing that this series doesn't address is handling virtio devices with SEV. > See, to successfully use SEV with virtio devices, there are basically 2 > conditions: > 1) the boot disk cannot be virtio-blk, as that doesn't work with SEV, but > virtio-scsi is fine (which means handling the virtio-scsi controller) but as > Brijesh pointed out, this will be fixed in kernel 5.1.0 > > 2) for the rest of the virtio devices, driver.iommu needs to be turned on as > the IOMMU flag enables usage of encrypted DMA. > > So rather then spend more time on figuring out how to properly handle that, I > decided to start with the basic support first and continue from there. > > Resolves: > https://bugzilla.redhat.com/show_bug.cgi?id=1501608 > > Erik Skultety (6): > Introduce real-world AMD SEV domain capabilities > virtinst: cli: Introduce parser support for SEV launch security > virtinst: cli: Provide a default value for the 'policy' argument > virtinst: guest: Fill in SEV platform specific data automatically > virtins: guest: Provide further SEV support checks > man: Provide a documentation for the SEV feature Nice work! Reviewed-by: Cole Robinson <crobinso@xxxxxxxxxx> I pushed with the following small tweaks - enabled() was unused, so I removed it - s/--launch-security/--launchSecurity/ in cli.py comment - there wasn't a test case covering plain --launchSecurity sev, so I adjusted one of the existing ones to cover it Thanks, Cole _______________________________________________ virt-tools-list mailing list virt-tools-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/virt-tools-list
