[virt-manager RFC PATCH 3/3] Add GUI support for enabling Secure Encrypted Virtualization
Charles Arnold
carnold at suse.com
Tue May 5 15:25:11 UTC 2020
Wire up the GUI changes for enabling launch security (SEV). The
checkbox remains desensitized unless the underlying hardware and
guest supports SEV.
---
virtManager/details/details.py | 31 +++++++++++++++++++++++++++++++
virtManager/object/domain.py | 29 ++++++++++++++++++++++++++++-
virtinst/domain/memorybacking.py | 3 +++
3 files changed, 62 insertions(+), 1 deletion(-)
diff --git a/virtManager/details/details.py b/virtManager/details/details.py
index e6ca45b9..2603f296 100644
--- a/virtManager/details/details.py
+++ b/virtManager/details/details.py
@@ -465,6 +465,7 @@ class vmmDetails(vmmGObjectUI):
"on_cpu_topology_enable_toggled": self.config_cpu_topology_enable,
"on_mem_memory_changed": self.config_memory_changed,
+ "on_enable_launch_security_changed": self.config_launch_security_changed,
"on_boot_list_changed": self.config_bootdev_selected,
@@ -733,6 +734,24 @@ class vmmDetails(vmmGObjectUI):
uiutil.set_grid_row_visible(
self.widget("overview-firmware-title"), show_firmware)
+ # Launch Security
+ warn_icon = self.widget("sev-warn")
+ warn_icon.set_visible(True)
+ if (domcaps.supports_sev_launch_security() and
+ self.vm.get_xmlobj().is_uefi() and self.vm.get_xmlobj().os.is_q35()):
+ self.widget("enable-launch-security").set_sensitive(True)
+ self.widget("enable-launch-security-label").set_sensitive(True)
+ warn_icon.set_tooltip_text(
+ _("Enabling launch security also enables iommu for all virtio devices. "
+ "It is recommended you backup your guest definition before enabling "
+ "this feature. See 'virsh dumpxml <guest>'"))
+ else:
+ self.widget("enable-launch-security").set_sensitive(False)
+ self.widget("enable-launch-security-label").set_sensitive(False)
+ warn_icon.set_tooltip_text(
+ _("Enable Launch Security requires SEV compatible hardware "
+ "and a guest created with OVMF (UEFI) boot."))
+
# Chipset
combo = self.widget("overview-chipset")
model = Gtk.ListStore(str, str)
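Review bot: The condition on the two lines starting with `if (domcaps.supports_sev_launch_security() and` calls `self.vm.get_xmlobj()` twice in one expression; bind it once above the `if`, `xmlobj = self.vm.get_xmlobj()`, and test `xmlobj.is_uefi() and xmlobj.os.is_q35()`. The warning tooltip set in the sensitive branch mentions only the iommu change, but the matching `define_memory` path in domain.py also calls `guest.memoryBacking.set_locked(True)`, so the guest's memory will be pinned in host RAM; consider adding a sentence such as "Guest memory will also be locked into host memory." so the user sees the full effect before enabling it. The enclosing method starts before this hunk.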
@@ -1204,6 +1223,8 @@ class vmmDetails(vmmGObjectUI):
def config_memory_changed(self, src_ignore):
self.enable_apply(EDIT_MEM)
+ def config_launch_security_changed(self, src_ignore):
+ self.enable_apply(EDIT_MEM)
# VCPUS
def config_get_vcpus(self):
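Review bot: `config_launch_security_changed` signals `EDIT_MEM`, which is not obvious from the name of the handler and will puzzle a reader who expects a dedicated edit flag; a one-line comment makes the coupling explicit, e.g. `# Launch security is applied through define_memory(), so it shares EDIT_MEM`. If this is meant to stay tied to the memory page, the same comment belongs next to the `kwargs["sevmem"]` line in the later `EDIT_MEM` hunk.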
@@ -1542,6 +1563,7 @@ class vmmDetails(vmmGObjectUI):
if self.edited(EDIT_MEM):
memory = uiutil.spin_get_helper(self.widget("mem-memory"))
kwargs["memory"] = int(memory) * 1024
+ kwargs["sevmem"] = self.widget("enable-launch-security").get_active()
return vmmAddHardware.change_config_helper(self.vm.define_memory,
kwargs, self.vm, self.err)
@@ -2068,6 +2090,15 @@ class vmmDetails(vmmGObjectUI):
curmem = self.widget("mem-memory")
curmem.set_value(int(round(vm_cur_mem)))
+ domcaps = self.vm.get_domain_capabilities()
+ show_sev = domcaps.supports_sev_launch_security()
+ self.widget("enable-launch-security").set_sensitive(show_sev)
+ self.widget("enable-launch-security-label").set_sensitive(show_sev)
+ if self.vm.get_launch_security_type():
+ self.widget("enable-launch-security").set_active(True)
+ else:
+ self.widget("enable-launch-security").set_active(False)
+
def refresh_disk_page(self, disk):
path = disk.path
devtype = disk.device
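Review bot: The added `show_sev` lines in refresh_memory_page make the checkbox sensitive on hardware support alone, whereas the overview hunk earlier in this file also requires `is_uefi()` and `os.is_q35()`, and the commit message says the checkbox stays insensitive unless both hardware and guest support SEV; this page can therefore offer the option on a BIOS or i440fx guest. Suggest `xmlobj = self.vm.get_xmlobj()` followed by `show_sev = (domcaps.supports_sev_launch_security() and xmlobj.is_uefi() and xmlobj.os.is_q35())`, or factoring the test into one helper shared by both pages. The `if/else` pair on `set_active` can also collapse to `self.widget("enable-launch-security").set_active(bool(self.vm.get_launch_security_type()))`. refresh_memory_page starts before this hunk.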
diff --git a/virtManager/object/domain.py b/virtManager/object/domain.py
index 9621eb97..8d6f6250 100644
--- a/virtManager/object/domain.py
+++ b/virtManager/object/domain.py
@@ -562,12 +562,36 @@ class vmmDomain(vmmLibvirtObject):
guest.cpu.set_model(guest, model)
self._redefine_xmlobj(guest)
- def define_memory(self, memory=_SENTINEL):
+ def define_memory(self, memory=_SENTINEL, sevmem=_SENTINEL):
guest = self._make_xmlobj_to_define()
if memory != _SENTINEL:
guest.currentMemory = int(memory)
guest.memory = int(memory)
+ if sevmem != _SENTINEL:
+ if sevmem is True:
+ guest.launchSecurity.type = "sev"
+ guest.launchSecurity.set_defaults(guest)
+ guest.memoryBacking.set_locked(True)
+ devtypes = guest.devices._XML_PROP_ORDER
+ # Enable iommu for all virtio devices
+ for devtype in devtypes:
+ devices = getattr(guest.devices, devtype)
+ if not devices:
+ continue
+ for dev in devices:
+ if hasattr(dev, 'virtio_driver') is True:
+ if ((hasattr(dev, 'bus') is True and 'virtio' in dev.bus) or
+ (hasattr(dev, 'model') is True and dev.model and 'virtio' in dev.model) or
+ (hasattr(dev, 'type') is True and dev.type and 'virtio' in dev.type) or
+ (hasattr(dev, 'target_type') is True and dev.target_type and 'virtio' in dev.target_type)):
+ dev.virtio_driver.iommu = True
+ else:
+ guest.launchSecurity.type = None
+ guest.launchSecurity.cbitpos = None
+ guest.launchSecurity.reducedPhysBits = None
+ guest.launchSecurity.policy = None
+ guest.memoryBacking.set_locked(False)
self._redefine_xmlobj(guest)
def define_overview(self, machine=_SENTINEL, description=_SENTINEL,
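Review bot: In the virtio-device loop of `define_memory`, the `bus` test is the only branch without a None guard: `hasattr(dev, 'bus') is True and 'virtio' in dev.bus` raises TypeError when the attribute exists but is None, while the `model`, `type` and `target_type` branches each check the value first; change it to `(hasattr(dev, 'bus') is True and dev.bus and 'virtio' in dev.bus) or`, and the `is True` comparisons on `hasattr()` results can be dropped since it already returns a bool. The disable branch clears the launchSecurity fields and calls `set_locked(False)` but leaves `virtio_driver.iommu = True` on every device, so the guest definition is not restored to what it was before enabling SEV, and `set_locked(False)` would also drop a locked-memory setting the user had configured independently; if that is intended, a comment stating that the iommu and locked settings are deliberately left or reset would help, otherwise the branch should record and restore them. A short docstring on `define_memory` describing the `sevmem` tri-state (`_SENTINEL` untouched, True enables SEV with iommu and locked memory, False clears it) would make the side effects visible to callers.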
@@ -1239,6 +1263,9 @@ class vmmDomain(vmmLibvirtObject):
def get_description(self):
return self.get_xmlobj().description
+ def get_launch_security_type(self):
+ return self.get_xmlobj().launchSecurity.type
+
def get_cpu_config(self):
return self.get_xmlobj().cpu
diff --git a/virtinst/domain/memorybacking.py b/virtinst/domain/memorybacking.py
index c883c57d..e2ee1c66 100644
--- a/virtinst/domain/memorybacking.py
+++ b/virtinst/domain/memorybacking.py
@@ -36,3 +36,6 @@ class DomainMemoryBacking(XMLBuilder):
allocation_mode = XMLProperty("./allocation/@mode")
pages = XMLChildProperty(_HugepagesPage, relative_xpath="./hugepages")
+
+ def set_locked(self, value):
+ self.locked = value
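Review bot: `set_locked` only assigns `self.locked`, which from its use in domain.py looks like an existing property on DomainMemoryBacking (its declaration is outside this hunk); callers can write `guest.memoryBacking.locked = True` directly, so the method adds a second spelling without adding behaviour. If the wrapper is kept because a later change will add validation, a one-line docstring such as `"""Set the <locked/> element; SEV guests require their memory to be pinned."""` would justify its existence.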
--
2.26.1