[virt-tools-list] [virt-install PATCH v2 2/6] virtinst: cli: Introduce parser support for SEV launch security
Erik Skultety
eskultet at redhat.com
Tue Jun 11 15:41:57 UTC 2019
Introduce both the launchSecurity XML and parser classes. While at it,
add launchSecurity as a property instance to the Guest class too.
The parser treats the 'type' argument as mandatory, since in the future it
will determine different code paths; therefore '--launchSecurity foo=bar'
is incorrect.
Signed-off-by: Erik Skultety <eskultet at redhat.com>
---
...nstall-x86_64-launch-security-sev-full.xml | 63 +++++++++++++++++++
tests/clitest.py | 6 ++
virtinst/cli.py | 26 ++++++++
virtinst/domain/__init__.py | 1 +
virtinst/domain/launch_security.py | 28 +++++++++
virtinst/guest.py | 3 +-
6 files changed, 126 insertions(+), 1 deletion(-)
create mode 100644 tests/cli-test-xml/compare/virt-install-x86_64-launch-security-sev-full.xml
create mode 100644 virtinst/domain/launch_security.py
diff --git a/tests/cli-test-xml/compare/virt-install-x86_64-launch-security-sev-full.xml b/tests/cli-test-xml/compare/virt-install-x86_64-launch-security-sev-full.xml
new file mode 100644
index 00000000..1ed28af7
--- /dev/null
+++ b/tests/cli-test-xml/compare/virt-install-x86_64-launch-security-sev-full.xml
@@ -0,0 +1,63 @@
+<domain type="kvm">
+ <name>foobar</name>
+ <uuid>00000000-1111-2222-3333-444444444444</uuid>
+ <memory>65536</memory>
+ <currentMemory>65536</currentMemory>
+ <vcpu>1</vcpu>
+ <os>
+ <type arch="x86_64" machine="q35">hvm</type>
+ <loader readonly="yes" type="pflash">/usr/share/edk2/ovmf/OVMF_CODE.fd</loader>
+ <boot dev="hd"/>
+ </os>
+ <features>
+ <acpi/>
+ <apic/>
+ <vmport state="off"/>
+ </features>
+ <cpu mode="host-model"/>
+ <clock offset="utc">
+ <timer name="rtc" tickpolicy="catchup"/>
+ <timer name="pit" tickpolicy="delay"/>
+ <timer name="hpet" present="no"/>
+ </clock>
+ <pm>
+ <suspend-to-mem enabled="no"/>
+ <suspend-to-disk enabled="no"/>
+ </pm>
+ <devices>
+ <emulator>/usr/bin/qemu-kvm</emulator>
+ <controller type="usb" index="0" model="ich9-ehci1"/>
+ <controller type="usb" index="0" model="ich9-uhci1">
+ <master startport="0"/>
+ </controller>
+ <controller type="usb" index="0" model="ich9-uhci2">
+ <master startport="2"/>
+ </controller>
+ <controller type="usb" index="0" model="ich9-uhci3">
+ <master startport="4"/>
+ </controller>
+ <interface type="bridge">
+ <source bridge="testsuitebr0"/>
+ <mac address="00:11:22:33:44:55"/>
+ <model type="e1000e"/>
+ </interface>
+ <console type="pty"/>
+ <input type="tablet" bus="usb"/>
+ <graphics type="spice" port="-1" tlsPort="-1" autoport="yes">
+ <image compression="off"/>
+ </graphics>
+ <sound model="ich9"/>
+ <video>
+ <model type="qxl"/>
+ </video>
+ <redirdev bus="usb" type="spicevmc"/>
+ <redirdev bus="usb" type="spicevmc"/>
+ </devices>
+ <launchSecurity type="sev">
+ <cbitpos>47</cbitpos>
+ <reducedPhysBits>1</reducedPhysBits>
+ <policy>0x0001</policy>
+ <session>BASE64SESSION</session>
+ <dhCert>BASE64CERT</dhCert>
+ </launchSecurity>
+</domain>
diff --git a/tests/clitest.py b/tests/clitest.py
index 8b316174..e41607eb 100644
--- a/tests/clitest.py
+++ b/tests/clitest.py
@@ -895,6 +895,12 @@ c.add_invalid("--nodisks --boot network --arch mips --virt-type kvm") # Invalid
c.add_invalid("--nodisks --boot network --paravirt --arch mips") # Invalid arch/virt combo
c.add_invalid("--disk none --location nfs:example.com/fake --nonetworks") # Using --location nfs, no longer supported
+
+c = vinst.add_category("kvm-x86_64-launch-security", "--disk none --noautoconsole")
+c.add_compare("--boot uefi --machine q35 --launchSecurity type=sev,reducedPhysBits=1,policy=0x0001,cbitpos=47,dhCert=BASE64CERT,session=BASE64SESSION --connect " + utils.URIs.kvm_amd_sev, "x86_64-launch-security-sev-full") # Full cmdline
+c.add_invalid("--launchSecurity policy=0x0001 --connect " + utils.URIs.kvm_amd_sev) # Missing launchSecurity 'type'
+
+
c = vinst.add_category("kvm-q35", "--noautoconsole --connect " + utils.URIs.kvm_q35)
c.add_compare("--boot uefi --disk none", "boot-uefi")
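Review bot: The new category exercises the full key=value form and the missing-type error, but not the bare `--launchSecurity sev` shorthand advertised in the cli.py help text, which relies on ParserLaunchSecurity's `remove_first = "type"`; an `add_valid("--launchSecurity sev --connect " + utils.URIs.kvm_amd_sev)` in this category would pin the spelling the help promises. The compare test also fixes `<policy>` as the literal string `0x0001`, which is worth a trailing comment such as `# policy is passed through verbatim, libvirt validates it` so nobody later "fixes" the expected XML to a decimal value.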
diff --git a/virtinst/cli.py b/virtinst/cli.py
index 2efee5ef..ff242536 100644
--- a/virtinst/cli.py
+++ b/virtinst/cli.py
@@ -825,6 +825,12 @@ def add_guest_xml_options(geng):
"--qemu-commandline='-display gtk,gl=on'\n"
"--qemu-commandline env=DISPLAY=:0.1"))
+ ParserLaunchSecurity.register()
+ geng.add_argument("--launchSecurity", "--launchsecurity", action="append",
+ help=_("Configure VM launch security (e.g. SEV memory encryption). Ex:\n"
+ "--launchSecurity type=sev,cbitpos=47,reducedPhysBits=1,policy=0x0001,dhCert=BASE64CERT\n"
+ "--launchSecurity sev"))
+
def add_boot_options(insg):
ParserBoot.register()
@@ -3828,6 +3834,26 @@ class ParserHostdev(VirtCLIParser):
cls.add_arg("rom.bar", "rom_bar", is_onoff=True)
+#############################
+# --launch-security parsing #
+#############################
+
+class ParserLaunchSecurity(VirtCLIParser):
+ cli_arg_name = "launchSecurity"
+ guest_propname = "launchSecurity"
+ remove_first = "type"
+
+ @classmethod
+ def _init_class(cls, **kwargs):
+ VirtCLIParser._init_class(**kwargs)
+ cls.add_arg("type", "type")
+ cls.add_arg("cbitpos", "cbitpos")
+ cls.add_arg("reducedPhysBits", "reducedPhysBits")
+ cls.add_arg("policy", "policy")
+ cls.add_arg("session", "session")
+ cls.add_arg("dhCert", "dhCert")
+
+
###########################
# Public virt parser APIs #
###########################
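Review bot: The banner above the new parser class reads `# --launch-security parsing #` while the option it registers is `--launchSecurity` (see `cli_arg_name` two lines below), so the header names a flag that does not exist; it should read `# --launchSecurity parsing #` like the other section banners that name the real option. Every argument here (cbitpos, reducedPhysBits, policy, session, dhCert) is accepted as an opaque string and nothing in this hunk checks that session/dhCert are base64 or that policy is a sane SEV policy value, so malformed input only surfaces when libvirt rejects the generated XML; a one-line class docstring such as `"""--launchSecurity parser; values are passed through untouched and validated by libvirt."""` would make that delegation explicit for the next maintainer.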
diff --git a/virtinst/domain/__init__.py b/virtinst/domain/__init__.py
index f942ee59..b7157c9c 100644
--- a/virtinst/domain/__init__.py
+++ b/virtinst/domain/__init__.py
@@ -19,5 +19,6 @@ from .seclabel import DomainSeclabel
from .sysinfo import DomainSysinfo
from .vcpus import DomainVCPUs
from .xmlnsqemu import DomainXMLNSQemu
+from .launch_security import DomainLaunchSecurity
__all__ = [l for l in locals() if l.startswith("Domain")]
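Review bot: The new `from .launch_security import DomainLaunchSecurity` is appended after `.xmlnsqemu`, while the visible neighbours (`.seclabel`, `.sysinfo`, `.vcpus`, `.xmlnsqemu`) are in alphabetical order, so `.launch_security` belongs before `.seclabel`; the earlier imports are outside the hunk, so the ordering of the whole list cannot be confirmed here. Since `__all__` is derived from `locals()`, the position has no effect on the exported names, this is purely a style point.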
diff --git a/virtinst/domain/launch_security.py b/virtinst/domain/launch_security.py
new file mode 100644
index 00000000..d371f6fb
--- /dev/null
+++ b/virtinst/domain/launch_security.py
@@ -0,0 +1,28 @@
+from ..xmlbuilder import XMLBuilder, XMLProperty
+
+
+class DomainLaunchSecurity(XMLBuilder):
+ """
+ Class for generating <launchSecurity> XML element
+ """
+
+ XML_NAME = "launchSecurity"
+ _XML_PROP_ORDER = ["type", "cbitpos", "reducedPhysBits", "policy",
+ "session", "dhCert"]
+
+ type = XMLProperty("./@type")
+ cbitpos = XMLProperty("./cbitpos", is_int=True)
+ reducedPhysBits = XMLProperty("./reducedPhysBits", is_int=True)
+ policy = XMLProperty("./policy")
+ session = XMLProperty("./session")
+ dhCert = XMLProperty("./dhCert")
+
+ def enabled(self):
+ return self.type is not None
+
+ def is_sev(self):
+ return self.type == "sev"
+
+ def validate(self):
+ if not self.type:
+ raise RuntimeError(_("Missing mandatory attribute 'type'"))
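Review bot: `validate()` calls `_()` for its message, but this new module imports only XMLBuilder and XMLProperty; unless virtinst installs `_` as a builtin elsewhere in the package (not shown in the diff), the failing path raises NameError instead of the intended RuntimeError. It is also not visible here where `validate()` is invoked, so if XMLBuilder does not walk child validators automatically the `add_invalid` test in clitest.py could pass for an unrelated reason. The three methods have no docstrings; `enabled()` could carry `"""Return True when a <launchSecurity> element with a type is present."""`, `is_sev()` `"""Return True when the launch security type is "sev"."""`, and `validate()` a docstring stating that only the mandatory 'type' attribute is checked here and that cbitpos, reducedPhysBits, policy, session and dhCert are emitted as given for libvirt to validate.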
diff --git a/virtinst/guest.py b/virtinst/guest.py
index a65b2a0b..b0c66b81 100644
--- a/virtinst/guest.py
+++ b/virtinst/guest.py
@@ -181,7 +181,7 @@ class Guest(XMLBuilder):
"vcpu_cpuset", "vcpulist", "numatune", "resource", "sysinfo",
"bootloader", "os", "idmap", "features", "cpu", "clock",
"on_poweroff", "on_reboot", "on_crash",
- "pm", "emulator", "devices", "seclabels"]
+ "pm", "emulator", "devices", "launchSecurity", "seclabels"]
def __init__(self, *args, **kwargs):
XMLBuilder.__init__(self, *args, **kwargs)
@@ -272,6 +272,7 @@ class Guest(XMLBuilder):
idmap = XMLChildProperty(DomainIdmap, is_single=True)
resource = XMLChildProperty(DomainResource, is_single=True)
sysinfo = XMLChildProperty(DomainSysinfo, is_single=True)
+ launchSecurity = XMLChildProperty(DomainLaunchSecurity, is_single=True)
_metadata = XMLChildProperty(DomainMetadata, is_single=True)
xmlns_qemu = XMLChildProperty(DomainXMLNSQemu, is_single=True)
--
2.21.0