[virt-tools-list] [virt-install PATCH v2 0/6] Introduce initial support for AMD SEV launch security

Singh, Brijesh brijesh.singh at amd.com
Wed Jun 12 15:43:44 UTC 2019


Hi Erik,

On 6/11/19 10:41 AM, Erik Skultety wrote:
> * Since v1:
> - dropped all validation checks from the parser and moved them into the
>    DomainLaunchSecurity object, either into validate() or set_defaults()
> - shortened the man page to contain only virt-install relevant bits with the
>    promise that I'll use the stripped bits in a dedicated libvirt SEV docs page.
> - dropped a couple of checks in order to let libvirt/QEMU fail and not bloat
>    virt-install with such code
> 
> Please give it a try if you can, I'm looking at you Brijesh ;)

I will give this a try soon. Admittedly I am not familiar with
virt-install. Do you have some instructions I can follow to
verify it?

> 
> This series introduces a new cmdline parameter --launch-security. All of the
> options the argument takes are either completely optional or there is a
> reasonable default provided. More details are available in the individual
> patches.
> 
> One thing that this series doesn't address is handling virtio devices with SEV.
> See, to successfully use SEV with virtio devices, there are basically 2
> conditions:
> 1) the boot disk cannot be virtio-blk, as that doesn't work with SEV, but
> virtio-scsi is fine (which means handling the virtio-scsi controller) but as
> Brijesh pointed out, this will be fixed in kernel 5.1.0
> 
> 2) for the rest of the virtio devices, driver.iommu needs to be turned on as
> the IOMMU flag enables usage of encrypted DMA.
> 
> So rather than spend more time on figuring out how to properly handle that, I
> decided to start with the basic support first and continue from there.
> 
> Resolves:
> https://bugzilla.redhat.com/show_bug.cgi?id=1501608
> 
> Erik Skultety (6):
>    Introduce real-world AMD SEV domain capabilities
>    virtinst: cli: Introduce parser support for SEV launch security
>    virtinst: cli: Provide a default value for the 'policy' argument
>    virtinst: guest: Fill in SEV platform specific data automatically
>    virtinst: guest: Provide further SEV support checks
>    man: Provide a documentation for the SEV feature
> 
>   man/virt-install.pod                          |  41 +++++
>   .../kvm-x86_64-domcaps-amd-sev.xml            | 144 ++++++++++++++++++
>   ...nstall-x86_64-launch-security-sev-full.xml |  63 ++++++++
>   ...irt-install-x86_64-launch-security-sev.xml |  61 ++++++++
>   tests/clitest.py                              |  11 ++
>   tests/utils.py                                |   2 +
>   virtinst/cli.py                               |  26 ++++
>   virtinst/domain/__init__.py                   |   1 +
>   virtinst/domain/launch_security.py            |  59 +++++++
>   virtinst/domcapabilities.py                   |  19 +++
>   virtinst/guest.py                             |   4 +-
>   11 files changed, 430 insertions(+), 1 deletion(-)
>   create mode 100644 tests/capabilities-xml/kvm-x86_64-domcaps-amd-sev.xml
>   create mode 100644 tests/cli-test-xml/compare/virt-install-x86_64-launch-security-sev-full.xml
>   create mode 100644 tests/cli-test-xml/compare/virt-install-x86_64-launch-security-sev.xml
>   create mode 100644 virtinst/domain/launch_security.py
> 
> --
> 2.21.0
> 
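The two virtio conditions Erik lists in the cover letter (no virtio-blk boot disk, and driver.iommu turned on for the remaining virtio devices) are exactly the kind of thing a pre-flight check can catch in the domain XML before libvirt or QEMU fails at launch. The script below is an added example, not part of the series or of virt-install; it is a static check over libvirt domain XML with the standard library only. The element and attribute names (`<launchSecurity type='sev'>`, `<driver iommu='on'/>`, `<target bus='virtio'/>`, `<model type='virtio'/>`) follow libvirt's domain schema as I know it and are assumptions here, as is the boot-disk heuristic (the disk carrying a `<boot>` element, else the first disk). Both XML documents are constructed samples.

```python
import xml.etree.ElementTree as ET

# Constructed sample (assumption: libvirt domain XML layout). Boot disk is
# virtio-blk, the <rng> has no driver.iommu, the interface is already correct.
BEFORE_XML = """<domain type='kvm'>
  <name>sev-guest</name>
  <launchSecurity type='sev'>
    <policy>0x0003</policy>
    <cbitpos>47</cbitpos>
    <reducedPhysBits>1</reducedPhysBits>
  </launchSecurity>
  <devices>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <target dev='vda' bus='virtio'/>
      <boot order='1'/>
    </disk>
    <interface type='network'>
      <source network='default'/>
      <model type='virtio'/>
      <driver iommu='on'/>
    </interface>
    <rng model='virtio'>
      <backend model='random'>/dev/urandom</backend>
    </rng>
  </devices>
</domain>"""

# Same guest with both conditions satisfied: boot disk behind a virtio-scsi
# controller, and driver iommu='on' on every virtio device (constructed).
AFTER_XML = """<domain type='kvm'>
  <name>sev-guest</name>
  <launchSecurity type='sev'>
    <policy>0x0003</policy>
    <cbitpos>47</cbitpos>
    <reducedPhysBits>1</reducedPhysBits>
  </launchSecurity>
  <devices>
    <controller type='scsi' model='virtio-scsi'>
      <driver iommu='on'/>
    </controller>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <target dev='sda' bus='scsi'/>
      <boot order='1'/>
    </disk>
    <interface type='network'>
      <source network='default'/>
      <model type='virtio'/>
      <driver iommu='on'/>
    </interface>
    <rng model='virtio'>
      <backend model='random'>/dev/urandom</backend>
      <driver iommu='on'/>
    </rng>
  </devices>
</domain>"""


def _is_virtio(dev):
    """Virtio-ness is expressed differently per device type in libvirt XML."""
    if dev.tag == 'disk':
        target = dev.find('target')
        return target is not None and target.get('bus') == 'virtio'
    if dev.tag == 'interface':
        model = dev.find('model')
        return model is not None and (model.get('type') or '').startswith('virtio')
    # rng, memballoon, controller, ... carry model='virtio...' as an attribute
    return (dev.get('model') or '').startswith('virtio')


def _label(dev):
    target = dev.find('target')
    if dev.tag == 'disk' and target is not None:
        return f"disk {target.get('dev', '?')}"
    return dev.tag


def check_sev_virtio(domain_xml):
    """Return a list of (device, issue) tuples; an empty list means both hold."""
    root = ET.fromstring(domain_xml)
    ls = root.find('launchSecurity')
    if ls is None or ls.get('type') != 'sev':
        return [('domain', 'not-sev')]
    devices = root.find('devices')
    if devices is None:
        return []
    findings = []
    disks = devices.findall('disk')
    # Boot-disk heuristic (assumption): disks with <boot>, else the first disk.
    boot_disks = [d for d in disks if d.find('boot') is not None] or disks[:1]
    for disk in boot_disks:
        if _is_virtio(disk):
            # Condition 1: a virtio-blk boot disk does not work with SEV
            # (per the cover letter this is fixed in kernel 5.1.0, so it only
            # matters for older guest kernels; the check is still cheap).
            findings.append((_label(disk), 'virtio-blk-boot'))
    for dev in devices:
        if _is_virtio(dev):
            drv = dev.find('driver')
            if drv is None or drv.get('iommu') != 'on':
                # Condition 2: encrypted DMA requires driver.iommu to be on.
                findings.append((_label(dev), 'iommu-off'))
    return findings


if __name__ == '__main__':
    print('before:', check_sev_virtio(BEFORE_XML))
    print('after: ', check_sev_virtio(AFTER_XML))
```

Run it against `virsh dumpxml <domain>` output to see which devices would trip the two conditions; the "after" document shows the shape a guest needs to take to pass cleanly.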
