[virt-tools-list] [virt-install PATCH v2 4/6] virtinst: guest: Fill in SEV platform specific data automatically
Erik Skultety
eskultet at redhat.com
Tue Jun 11 15:41:59 UTC 2019
The data in question are 'cbitpos', denoting which addressing bit is the
encryption bit, and 'reduced_phys_bits', denoting how much physical
address space we lose by turning on the encryption. Both of these are
hypervisor dependent and thus will be the same for all the guests
residing on the same host, but need to be specified for future migration
purposes.
But given we can probe them from domain capabilities, we don't need the
user to provide them and thus enhancing cli user experience. This
requires a new _SEV domaincapabilities XML class to be created so that
we can query the specific properties.
Signed-off-by: Erik Skultety <eskultet at redhat.com>
---
...irt-install-x86_64-launch-security-sev.xml | 61 +++++++++++++++++++
tests/clitest.py | 1 +
virtinst/domain/launch_security.py | 11 +++-
virtinst/domcapabilities.py | 11 ++++
4 files changed, 82 insertions(+), 2 deletions(-)
create mode 100644 tests/cli-test-xml/compare/virt-install-x86_64-launch-security-sev.xml
diff --git a/tests/cli-test-xml/compare/virt-install-x86_64-launch-security-sev.xml b/tests/cli-test-xml/compare/virt-install-x86_64-launch-security-sev.xml
new file mode 100644
index 00000000..aff37975
--- /dev/null
+++ b/tests/cli-test-xml/compare/virt-install-x86_64-launch-security-sev.xml
@@ -0,0 +1,61 @@
+<domain type="kvm">
+ <name>foobar</name>
+ <uuid>00000000-1111-2222-3333-444444444444</uuid>
+ <memory>65536</memory>
+ <currentMemory>65536</currentMemory>
+ <vcpu>1</vcpu>
+ <os>
+ <type arch="x86_64" machine="q35">hvm</type>
+ <loader readonly="yes" type="pflash">/usr/share/edk2/ovmf/OVMF_CODE.fd</loader>
+ <boot dev="hd"/>
+ </os>
+ <features>
+ <acpi/>
+ <apic/>
+ <vmport state="off"/>
+ </features>
+ <cpu mode="host-model"/>
+ <clock offset="utc">
+ <timer name="rtc" tickpolicy="catchup"/>
+ <timer name="pit" tickpolicy="delay"/>
+ <timer name="hpet" present="no"/>
+ </clock>
+ <pm>
+ <suspend-to-mem enabled="no"/>
+ <suspend-to-disk enabled="no"/>
+ </pm>
+ <devices>
+ <emulator>/usr/bin/qemu-kvm</emulator>
+ <controller type="usb" index="0" model="ich9-ehci1"/>
+ <controller type="usb" index="0" model="ich9-uhci1">
+ <master startport="0"/>
+ </controller>
+ <controller type="usb" index="0" model="ich9-uhci2">
+ <master startport="2"/>
+ </controller>
+ <controller type="usb" index="0" model="ich9-uhci3">
+ <master startport="4"/>
+ </controller>
+ <interface type="bridge">
+ <source bridge="testsuitebr0"/>
+ <mac address="00:11:22:33:44:55"/>
+ <model type="e1000e"/>
+ </interface>
+ <console type="pty"/>
+ <input type="tablet" bus="usb"/>
+ <graphics type="spice" port="-1" tlsPort="-1" autoport="yes">
+ <image compression="off"/>
+ </graphics>
+ <sound model="ich9"/>
+ <video>
+ <model type="qxl"/>
+ </video>
+ <redirdev bus="usb" type="spicevmc"/>
+ <redirdev bus="usb" type="spicevmc"/>
+ </devices>
+ <launchSecurity type="sev">
+ <cbitpos>47</cbitpos>
+ <reducedPhysBits>1</reducedPhysBits>
+ <policy>0x0001</policy>
+ </launchSecurity>
+</domain>
diff --git a/tests/clitest.py b/tests/clitest.py
index 03a1da90..4fb939dd 100644
--- a/tests/clitest.py
+++ b/tests/clitest.py
@@ -898,6 +898,7 @@ c.add_invalid("--disk none --location nfs:example.com/fake --nonetworks") # Usi
c = vinst.add_category("kvm-x86_64-launch-security", "--disk none --noautoconsole")
c.add_compare("--boot uefi --machine q35 --launchSecurity type=sev,reducedPhysBits=1,policy=0x0001,cbitpos=47,dhCert=BASE64CERT,session=BASE64SESSION --connect " + utils.URIs.kvm_amd_sev, "x86_64-launch-security-sev-full") # Full cmdline
+c.add_compare("--boot uefi --machine q35 --launchSecurity sev,policy=0x0001 --connect " + utils.URIs.kvm_amd_sev, "x86_64-launch-security-sev") # Fill in platform data from domcaps
c.add_valid("--boot uefi --machine q35 --launchSecurity sev,reducedPhysBits=1,cbitpos=47 --connect " + utils.URIs.kvm_amd_sev) # Default policy == 0x0003 will be used
c.add_invalid("--launchSecurity policy=0x0001 --connect " + utils.URIs.kvm_amd_sev) # Missing launchSecurity 'type'
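Review bot: The new compare line only exercises the path where the connection's domain capabilities carry SEV values; there is no counterpart for a connection whose domcaps do not advertise SEV, which is the case that reaches the new `domcaps.features.sev` lookups in launch_security.py with nothing to fill in. If the test driver offers such a URI, an `add_invalid` line along the lines of `c.add_invalid("--launchSecurity sev,policy=0x0001 --connect " + <URI whose domcaps lack SEV>)  # Platform data not available` would pin the expected failure instead of leaving it to libvirt at define time. The URI in that line is a constructed placeholder, not a name on this page.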
diff --git a/virtinst/domain/launch_security.py b/virtinst/domain/launch_security.py
index e99faa95..a91ee752 100644
--- a/virtinst/domain/launch_security.py
+++ b/virtinst/domain/launch_security.py
@@ -27,7 +27,9 @@ class DomainLaunchSecurity(XMLBuilder):
if not self.type:
raise RuntimeError(_("Missing mandatory attribute 'type'"))
- def _set_defaults_sev(self):
+ def _set_defaults_sev(self, guest):
+ domcaps = guest.lookup_domcaps()
+
# 'policy' is a mandatory 4-byte argument for the SEV firmware,
# if missing, let's use 0x03 which, according to the table at
# https://libvirt.org/formatdomain.html#launchSecurity:
@@ -36,6 +38,11 @@ class DomainLaunchSecurity(XMLBuilder):
if self.policy is None:
self.policy = "0x03"
+ if self.cbitpos is None:
+ self.cbitpos = domcaps.features.sev.cbitpos
+ if self.reducedPhysBits is None:
+ self.reducedPhysBits = domcaps.features.sev.reducedPhysBits
+
def set_defaults(self, guest):
if self.is_sev():
- return self._set_defaults_sev()
+ return self._set_defaults_sev(guest)
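Review bot: `domcaps.features.sev.cbitpos` and `domcaps.features.sev.reducedPhysBits` on the new `if self.cbitpos is None` / `if self.reducedPhysBits is None` branches are read without checking that the domain capabilities advertise SEV at all; `sev` is declared `is_single=True` in domcapabilities.py, so on a host without SEV it is presumably None (or its children are), and the user gets an AttributeError or a `<launchSecurity>` missing its mandatory values instead of a clear message. Resolve the block once and fail explicitly, e.g. `sev = domcaps.features.sev`, `if sev is None or sev.cbitpos is None or sev.reducedPhysBits is None:`, `raise RuntimeError(_("SEV launch security is not supported by the host's domain capabilities"))`. The `domcaps = guest.lookup_domcaps()` call added in the previous hunk could also be deferred until one of the two values is actually missing, so a command line that spells out both cbitpos and reducedPhysBits does not depend on a domcaps query. `_set_defaults_sev` begins in the previous hunk.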
diff --git a/virtinst/domcapabilities.py b/virtinst/domcapabilities.py
index 7295d68a..fcad3646 100644
--- a/virtinst/domcapabilities.py
+++ b/virtinst/domcapabilities.py
@@ -71,6 +71,16 @@ def _make_capsblock(xml_root_name):
return TmpClass
+################################
+# SEV launch security handling #
+################################
+
+class _SEV(XMLBuilder):
+ XML_NAME = "sev"
+ cbitpos = XMLProperty("./cbitpos", is_int=True)
+ reducedPhysBits = XMLProperty("./reducedPhysBits", is_int=True)
+
+
#############################
# Misc toplevel XML classes #
#############################
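Review bot: `_SEV` exposes only the two integer children, so a consumer cannot distinguish a host where libvirt reports the block as unsupported from one where the values are simply absent; in both cases `cbitpos` and `reducedPhysBits` read as None, and the `is_single=True` `sev` property added in the next hunk presumably yields None when the block is missing entirely. Parsing the block's `supported` attribute, `supported = XMLProperty("./@supported", is_yesno=True)`, would let callers such as `_set_defaults_sev` test for support before reading the values. The class also lacks a docstring; a one-liner such as `"""Parses the <sev> block under domain capabilities <features>; cbitpos and reducedPhysBits are the host values a SEV guest's <launchSecurity> must carry."""` would make its role clear next to the `_make_capsblock` helpers.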
@@ -89,6 +99,7 @@ class _Devices(_CapsBlock):
class _Features(_CapsBlock):
XML_NAME = "features"
gic = XMLChildProperty(_make_capsblock("gic"), is_single=True)
+ sev = XMLChildProperty(_SEV, is_single=True)
###############
--
2.21.0