author | Charles Arnold <carnold@suse.com> | 2022-08-03 08:47:02 -0400 |
---|---|---|
committer | Cole Robinson <crobinso@redhat.com> | 2022-08-03 08:47:35 -0400 |
commit | 424283ad1db9c4da519fac698486967e6b6557b0 (patch) | |
tree | b59ced42c1166e06045a6ad0707295b1d71b365e /virtinst | |
parent | 2984c13cffd39cd2fd607d66ce6acfe9709b494c (diff) | |
download | virt-manager-424283ad1db9c4da519fac698486967e6b6557b0.tar.gz |
launch_security: Use SEV-ES policy=0x07 if host supports it
Diffstat (limited to 'virtinst')
-rw-r--r-- | virtinst/domain/launch_security.py | 12 | ||||
-rw-r--r-- | virtinst/domcapabilities.py | 6 |
2 files changed, 12 insertions, 6 deletions
diff --git a/virtinst/domain/launch_security.py b/virtinst/domain/launch_security.py
index 7af71811..9d2998d9 100644
--- a/virtinst/domain/launch_security.py
+++ b/virtinst/domain/launch_security.py
@@ -22,13 +22,15 @@ class DomainLaunchSecurity(XMLBuilder):
 if not guest.os.is_q35() or not guest.is_uefi():
 raise RuntimeError(_("SEV launch security requires a Q35 UEFI machine"))
- # 'policy' is a mandatory 4-byte argument for the SEV firmware,
- # if missing, let's use 0x03 which, according to the table at
- # https://libvirt.org/formatdomain.html#launchSecurity:
- # (bit 0) - disables the debugging mode
- # (bit 1) - disables encryption key sharing across multiple guests
+ # The 'policy' is a mandatory 4-byte argument for the SEV firmware.
+ # If missing, we use 0x03 for the original SEV implementation and
+ # 0x07 for SEV-ES.
+ # Reference: https://libvirt.org/formatdomain.html#launchSecurity
 if self.policy is None:
+ domcaps = guest.lookup_domcaps()
 self.policy = "0x03"
+ if domcaps.supports_sev_launch_security(check_es=True):
+ self.policy = "0x07"
 def set_defaults(self, guest):
 if self.type == "sev":
diff --git a/virtinst/domcapabilities.py b/virtinst/domcapabilities.py
index 6ba3e71c..d22ce6a2 100644
--- a/virtinst/domcapabilities.py
+++ b/virtinst/domcapabilities.py
@@ -93,6 +93,7 @@ def _make_capsblock(xml_root_name):
 class _SEV(XMLBuilder):
 XML_NAME = "sev"
 supported = XMLProperty("./@supported", is_yesno=True)
+ maxESGuests = XMLProperty("./maxESGuests")
 #############################
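Review bot: The rewritten comment above `if self.policy is None:` drops the explanation of what the policy bits mean, so a reader can no longer tell why 0x07 is the SEV-ES value rather than just "a bigger number"; I would keep the bit breakdown, e.g. `# 0x03 = bit 0 (no debug) | bit 1 (no key sharing); 0x07 adds bit 2 (SEV-ES required)`. The default is now derived from host domcapabilities instead of being a fixed value, so an unset policy yields different guest XML on different hosts; a short comment stating that the default is host-dependent would help whoever later wonders why two otherwise identical guests differ in their launchSecurity policy. The enclosing method starts before this hunk.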
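Review bot: `maxESGuests = XMLProperty("./maxESGuests")` parses the element as a string, and the check added in the later hunk of this file (`supports_sev_launch_security(check_es=True)`) relies on its truthiness; if libvirt reports `<maxESGuests>0</maxESGuests>` on a host without SEV-ES, the string "0" is truthy, ES support is reported as present, and the launch_security.py hunk then selects policy 0x07 on a host that cannot honour it. Declaring the property numeric, `maxESGuests = XMLProperty("./maxESGuests", is_int=True)`, makes the truthiness check mean "at least one ES guest allowed". Whether libvirt emits 0 or omits the element on such hosts should be confirmed against real domcapabilities output, but the integer form is correct in both cases.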
@@ -392,12 +393,15 @@ class DomainCapabilities(XMLBuilder): # Misc support methods # ######################## - def supports_sev_launch_security(self): + def supports_sev_launch_security(self, check_es=False): """ Returns False if either libvirt doesn't advertise support for SEV at all (< libvirt-4.5.0) or if it explicitly advertises it as unsupported on the platform """ + if check_es: + return bool(self.features.sev.supported and + self.features.sev.maxESGuests) return bool(self.features.sev.supported) def supports_video_bochs(self): |
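Review bot: The docstring of `supports_sev_launch_security` was not updated for the new `check_es` parameter, so callers get no description of what the stricter check requires; I would add a line such as `If check_es is True, additionally require that the host advertises at least one SEV-ES guest (maxESGuests); plain SEV support is not enough.` Since the parameter only toggles behaviour, making it keyword-only, `def supports_sev_launch_security(self, *, check_es=False):`, would prevent a stray positional True from enabling the stricter check, and the only caller in this commit already passes it by keyword.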