[virt-tools-list] [virt-install PATCH v2 0/6] Introduce initial support for AMD SEV launch security
Cole Robinson
crobinso at redhat.com
Tue Jun 11 17:08:39 UTC 2019
On 6/11/19 11:41 AM, Erik Skultety wrote:
> * Since v1:
> - dropped all validation checks from the parser and moved them into the
> DomainLaunchSecurity object, either into validate() or set_defaults()
> - shortened the man page to contain only virt-install relevant bits with the
> promise that I'll use the stripped bits in a dedicated libvirt SEV docs page.
> - dropped a couple of checks in order to let libvirt/QEMU fail and not bloat
> virt-install with such code
>
> Please give it a try if you can, I'm looking at you Brijesh ;)
>
> This series introduces a new cmdline parameter --launch-security. All of the
> options the argument takes are either completely optional or there is a
> reasonable default provided. More details are available in the individual
> patches.
>
> One thing that this series doesn't address is handling virtio devices with SEV.
> See, to successfully use SEV with virtio devices, there are basically 2
> conditions:
> 1) the boot disk cannot be virtio-blk, as that doesn't work with SEV, but
> virtio-scsi is fine (which means handling the virtio-scsi controller) but as
> Brijesh pointed out, this will be fixed in kernel 5.1.0
>
> 2) for the rest of the virtio devices, driver.iommu needs to be turned on as
> the IOMMU flag enables usage of encrypted DMA.
>
> So rather than spend more time on figuring out how to properly handle that, I
> decided to start with the basic support first and continue from there.
>
> Resolves:
> https://bugzilla.redhat.com/show_bug.cgi?id=1501608
>
> Erik Skultety (6):
> Introduce real-world AMD SEV domain capabilities
> virtinst: cli: Introduce parser support for SEV launch security
> virtinst: cli: Provide a default value for the 'policy' argument
> virtinst: guest: Fill in SEV platform specific data automatically
> virtins: guest: Provide further SEV support checks
> man: Provide a documentation for the SEV feature
Nice work!
Reviewed-by: Cole Robinson <crobinso at redhat.com>
I pushed with the following small tweaks
- enabled() was unused, so I removed it
- s/--launch-security/--launchSecurity/ in cli.py comment
- there wasn't a test case covering plain --launchSecurity sev, so I
adjusted one of the existing ones to cover it
Thanks,
Cole
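The two virtio conditions Erik lists in the quoted cover letter (no virtio-blk boot disk; driver.iommu turned on for the remaining virtio devices) are easy to check mechanically against a guest's libvirt XML before trying to launch it. The script below is an added example, not part of virt-install or this patch series: it parses a domain XML, and when `<launchSecurity type='sev'>` is present it reports a boot disk on bus='virtio' and any virtio device (disk, interface, virtio-scsi controller) lacking `<driver iommu='on'/>`. The sample domain XML is constructed for the example; the boot-disk heuristic (per-device `<boot order='1'/>`, else first `device='disk'` when `<os><boot dev='hd'/>` is set) is an assumption of this script, not libvirt's rule.

```python
"""Check a libvirt domain XML for the SEV/virtio conditions from the thread:
(1) the boot disk must not be virtio-blk, (2) other virtio devices need
driver iommu='on'.  Added example, not virt-install code."""
import xml.etree.ElementTree as ET

# Constructed sample: SEV enabled, boot disk on virtio-blk, one virtio NIC
# with iommu='on' and one without.
SAMPLE_XML = """<domain type='kvm'>
  <name>sev-guest</name>
  <os><type arch='x86_64' machine='q35'>hvm</type><boot dev='hd'/></os>
  <launchSecurity type='sev'>
    <cbitpos>47</cbitpos>
    <reducedPhysBits>1</reducedPhysBits>
    <policy>0x0003</policy>
  </launchSecurity>
  <devices>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/var/lib/libvirt/images/sev-guest.qcow2'/>
      <target dev='vda' bus='virtio'/>
      <boot order='1'/>
    </disk>
    <interface type='network'>
      <source network='default'/>
      <model type='virtio'/>
      <driver name='vhost' iommu='on'/>
    </interface>
    <interface type='network'>
      <source network='default'/>
      <model type='virtio'/>
    </interface>
  </devices>
</domain>"""


def sev_enabled(root):
    ls = root.find('launchSecurity')
    return ls is not None and ls.get('type') == 'sev'


def boot_disk(root):
    """Heuristic (assumption): explicit <boot order='1'/> wins, otherwise the
    first device='disk' entry when the OS boots from 'hd'."""
    disks = root.findall('devices/disk')
    for d in disks:
        b = d.find('boot')
        if b is not None and b.get('order') == '1':
            return d
    os_boot = root.find('os/boot')
    if os_boot is not None and os_boot.get('dev') == 'hd':
        for d in disks:
            if d.get('device') == 'disk':
                return d
    return None


def is_virtio(dev):
    """virtio-blk disks (target bus='virtio'), devices with <model type='virtio'/>,
    and virtio-scsi controllers."""
    tgt = dev.find('target')
    if tgt is not None and tgt.get('bus') == 'virtio':
        return True
    model = dev.find('model')
    if model is not None and model.get('type') == 'virtio':
        return True
    return dev.tag == 'controller' and dev.get('model') == 'virtio-scsi'


def iommu_on(dev):
    drv = dev.find('driver')
    return drv is not None and drv.get('iommu') == 'on'


def check_sev_virtio(xml_text):
    """Return a list of human-readable findings; empty means no issue found."""
    root = ET.fromstring(xml_text)
    findings = []
    if not sev_enabled(root):
        return findings  # the conditions only apply to SEV guests
    bd = boot_disk(root)
    if bd is not None:
        tgt = bd.find('target')
        if tgt is not None and tgt.get('bus') == 'virtio':
            findings.append(
                f"boot disk {tgt.get('dev')} uses virtio-blk (bus='virtio'); "
                "use virtio-scsi instead")
    for i, dev in enumerate(root.find('devices')):
        if dev is bd:
            continue  # the boot disk is covered by the check above
        if is_virtio(dev) and not iommu_on(dev):
            findings.append(
                f"{dev.tag} #{i} is virtio but has no driver iommu='on'")
    return findings


if __name__ == '__main__':
    for line in check_sev_virtio(SAMPLE_XML):
        print(line)
```

Running it against the sample prints the virtio-blk boot disk and the second interface; the first interface passes because its `<driver>` carries `iommu='on'`. Point it at `virsh dumpxml <domain>` output to check a real guest.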