Hi Erik,

On 6/11/19 10:41 AM, Erik Skultety wrote:
> * Since v1:
> - dropped all validation checks from the parser and moved them into the
>   DomainLaunchSecurity object, either into validate() or set_defaults()
> - shortened the man page to contain only virt-install relevant bits with the
>   promise that I'll use the stripped bits in a dedicated libvirt SEV docs page.
> - dropped a couple of checks in order to let libvirt/QEMU fail and not bloat
>   virt-install with such code
>
> Please give it a try if you can, I'm looking at you Brijesh ;)

I will give this a try soon. Admittedly I am not familiar with virt-install.
Do you have some instructions which I can follow to verify it?

>
> This series introduces a new cmdline parameter --launch-security. All of the
> options the argument takes are either completely optional or there is a
> reasonable default provided. More details are available in the individual
> patches.
>
> One thing that this series doesn't address is handling virtio devices with SEV.
> See, to successfully use SEV with virtio devices, there are basically 2
> conditions:
> 1) the boot disk cannot be virtio-blk, as that doesn't work with SEV, but
> virtio-scsi is fine (which means handling the virtio-scsi controller) but as
> Brijesh pointed out, this will be fixed in kernel 5.1.0
>
> 2) for the rest of the virtio devices, driver.iommu needs to be turned on as
> the IOMMU flag enables usage of encrypted DMA.
>
> So rather than spend more time on figuring out how to properly handle that, I
> decided to start with the basic support first and continue from there.
>
> Resolves:
> https://bugzilla.redhat.com/show_bug.cgi?id=1501608
>
> Erik Skultety (6):
>   Introduce real-world AMD SEV domain capabilities
>   virtinst: cli: Introduce parser support for SEV launch security
>   virtinst: cli: Provide a default value for the 'policy' argument
>   virtinst: guest: Fill in SEV platform specific data automatically
>   virtins: guest: Provide further SEV support checks
>   man: Provide a documentation for the SEV feature
>
>  man/virt-install.pod | 41 +++++
>  .../kvm-x86_64-domcaps-amd-sev.xml | 144 ++++++++++++++++++
>  ...nstall-x86_64-launch-security-sev-full.xml | 63 ++++++++
>  ...irt-install-x86_64-launch-security-sev.xml | 61 ++++++++
>  tests/clitest.py | 11 ++
>  tests/utils.py | 2 +
>  virtinst/cli.py | 26 ++++
>  virtinst/domain/__init__.py | 1 +
>  virtinst/domain/launch_security.py | 59 +++++++
>  virtinst/domcapabilities.py | 19 +++
>  virtinst/guest.py | 4 +-
>  11 files changed, 430 insertions(+), 1 deletion(-)
>  create mode 100644 tests/capabilities-xml/kvm-x86_64-domcaps-amd-sev.xml
>  create mode 100644 tests/cli-test-xml/compare/virt-install-x86_64-launch-security-sev-full.xml
>  create mode 100644 tests/cli-test-xml/compare/virt-install-x86_64-launch-security-sev.xml
>  create mode 100644 virtinst/domain/launch_security.py
>
> --
> 2.21.0
>

_______________________________________________
virt-tools-list mailing list
virt-tools-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/virt-tools-list
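
The two virtio conditions named in the cover letter can be checked against a libvirt domain XML before a guest is started. The following is an added example, not code from this series or from virt-install; the function names and the sample XML are constructed, and it assumes the first `<disk>` in document order is the boot disk.

```python
import xml.etree.ElementTree as ET

# Constructed sample domain XML (not taken from the series' test files).
SAMPLE_XML = """
<domain type='kvm'>
  <launchSecurity type='sev'><policy>0x0003</policy></launchSecurity>
  <devices>
    <disk type='file' device='disk'><target dev='vda' bus='virtio'/></disk>
    <controller type='scsi' model='virtio-scsi'><driver iommu='on'/></controller>
    <interface type='network'><model type='virtio'/></interface>
    <memballoon model='virtio'><driver iommu='on'/></memballoon>
  </devices>
</domain>
"""

def is_virtio(dev):
    """True if the device's model or disk bus names a virtio variant."""
    model, target = dev.find("model"), dev.find("target")
    names = [dev.get("model"),
             model.get("type") if model is not None else None,
             target.get("bus") if target is not None else None]
    return any(n and n.startswith("virtio") for n in names)

def check_sev_virtio(xml_text):
    """Return (device tag, finding) pairs for an SEV guest's virtio devices."""
    root = ET.fromstring(xml_text)
    sec = root.find("launchSecurity")
    if sec is None or sec.get("type") != "sev":
        return []  # not an SEV guest, nothing to check
    findings = []
    # Assumption: the first <disk> in document order is the boot disk.
    boot = root.find("devices/disk")
    target = boot.find("target") if boot is not None else None
    if target is not None and target.get("bus") == "virtio":
        findings.append(("disk", "boot disk is virtio-blk"))
    # Condition 2: every virtio device needs <driver iommu='on'/>.
    for dev in root.findall("devices/*"):
        drv = dev.find("driver")
        if is_virtio(dev) and (drv is None or drv.get("iommu") != "on"):
            findings.append((dev.tag, "virtio device lacks driver iommu='on'"))
    return findings

if __name__ == "__main__":
    for tag, msg in check_sev_virtio(SAMPLE_XML):
        print(f"{tag}: {msg}")
```

The boot-disk finding reflects condition 1 as stated in the cover letter, which also notes that the virtio-blk limitation is expected to be fixed in kernel 5.1.0.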