[virt-tools-list] [virt-install PATCH v2 0/6] Introduce initial support for AMD SEV launch security
Erik Skultety
eskultet at redhat.com
Tue Jun 11 15:41:55 UTC 2019
* Since v1:
    - dropped all validation checks from the parser and moved them into the
      DomainLaunchSecurity object, either into validate() or set_defaults()
    - shortened the man page to contain only virt-install relevant bits with the
      promise that I'll use the stripped bits in a dedicated libvirt SEV docs page.
    - dropped a couple of checks in order to let libvirt/QEMU fail and not bloat
      virt-install with such code

Please give it a try if you can, I'm looking at you Brijesh ;)

This series introduces a new cmdline parameter --launch-security. All of the
options the argument takes are either completely optional or there is a
reasonable default provided. More details are available in the individual
patches.

One thing that this series doesn't address is handling virtio devices with SEV.
See, to successfully use SEV with virtio devices, there are basically 2
conditions:
    1) the boot disk cannot be virtio-blk, as that doesn't work with SEV, but
       virtio-scsi is fine (which means handling the virtio-scsi controller) but as
       Brijesh pointed out, this will be fixed in kernel 5.1.0
    2) for the rest of the virtio devices, driver.iommu needs to be turned on as
       the IOMMU flag enables usage of encrypted DMA.

So rather than spend more time on figuring out how to properly handle that, I
decided to start with the basic support first and continue from there.

Resolves:
https://bugzilla.redhat.com/show_bug.cgi?id=1501608
Erik Skultety (6):
Introduce real-world AMD SEV domain capabilities
virtinst: cli: Introduce parser support for SEV launch security
virtinst: cli: Provide a default value for the 'policy' argument
virtinst: guest: Fill in SEV platform specific data automatically
virtins: guest: Provide further SEV support checks
man: Provide a documentation for the SEV feature
man/virt-install.pod | 41 +++++
.../kvm-x86_64-domcaps-amd-sev.xml | 144 ++++++++++++++++++
...nstall-x86_64-launch-security-sev-full.xml | 63 ++++++++
...irt-install-x86_64-launch-security-sev.xml | 61 ++++++++
tests/clitest.py | 11 ++
tests/utils.py | 2 +
virtinst/cli.py | 26 ++++
virtinst/domain/__init__.py | 1 +
virtinst/domain/launch_security.py | 59 +++++++
virtinst/domcapabilities.py | 19 +++
virtinst/guest.py | 4 +-
11 files changed, 430 insertions(+), 1 deletion(-)
create mode 100644 tests/capabilities-xml/kvm-x86_64-domcaps-amd-sev.xml
create mode 100644 tests/cli-test-xml/compare/virt-install-x86_64-launch-security-sev-full.xml
create mode 100644 tests/cli-test-xml/compare/virt-install-x86_64-launch-security-sev.xml
create mode 100644 virtinst/domain/launch_security.py
--
2.21.0
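
The two virtio conditions described in the cover letter can be checked against a libvirt domain XML before a guest is defined. The following is an added example, not code from this patch series or from virt-install; the function names, the constructed sample XML, the choice of device types (a subset) and the assumption that the first listed disk is the boot disk are all illustrative.

```python
import xml.etree.ElementTree as ET

# Constructed sample domain XML, trimmed to the elements the check reads.
SAMPLE_XML = """<domain type='kvm'>
  <launchSecurity type='sev'/>
  <devices>
    <disk type='file' device='disk'><target dev='vda' bus='virtio'/></disk>
    <controller type='scsi' model='virtio-scsi'><driver iommu='on'/></controller>
    <interface type='network'><model type='virtio'/></interface>
    <memballoon model='virtio'><driver iommu='on'/></memballoon>
  </devices>
</domain>"""

def _is_virtio(dev):
    """True if the device model (attribute or <model type=...>) is virtio."""
    model = dev.get("model") or ""
    child = dev.find("model")
    if child is not None:
        model = child.get("type") or model
    return model.startswith("virtio")

def sev_virtio_findings(domain_xml):
    """Report violations of the two SEV/virtio conditions (hypothetical helper)."""
    root = ET.fromstring(domain_xml)
    sec = root.find("launchSecurity")
    if sec is None or sec.get("type") != "sev":
        return []  # not an SEV guest, nothing to check
    findings = []
    disks = [d for d in root.findall("devices/disk")
             if d.get("device", "disk") == "disk"]
    # Assumption: the first listed disk is the boot disk.
    if disks:
        tgt = disks[0].find("target")
        if tgt is not None and tgt.get("bus") == "virtio":
            findings.append("boot disk %s is virtio-blk" % tgt.get("dev"))
    # Condition 2: every other virtio device needs <driver iommu='on'/>.
    for tag in ("controller", "interface", "memballoon", "rng"):
        for dev in root.findall("devices/" + tag):
            drv = dev.find("driver")
            if _is_virtio(dev) and (drv is None or drv.get("iommu") != "on"):
                findings.append("%s: virtio device without driver iommu='on'" % tag)
    return findings

if __name__ == "__main__":
    for line in sev_virtio_findings(SAMPLE_XML):
        print(line)
```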