-rw-r--r-- | tests/data/cli/compare/virt-install-amd-sev.xml | 89 | ||||
-rw-r--r-- | tests/test_cli.py | 1 | ||||
-rw-r--r-- | virtinst/domain/launch_security.py | 12 | ||||
-rw-r--r-- | virtinst/domcapabilities.py | 6 |
4 files changed, 102 insertions, 6 deletions
diff --git a/tests/data/cli/compare/virt-install-amd-sev.xml b/tests/data/cli/compare/virt-install-amd-sev.xml
new file mode 100644
index 00000000..68b236dd
--- /dev/null
+++ b/tests/data/cli/compare/virt-install-amd-sev.xml
@@ -0,0 +1,89 @@
+<domain type="kvm">
+ <name>linux2020</name>
+ <uuid>00000000-1111-2222-3333-444444444444</uuid>
+ <metadata>
+ <libosinfo:libosinfo xmlns:libosinfo="http://libosinfo.org/xmlns/libvirt/domain/1.0">
+ <libosinfo:os id="http://libosinfo.org/linux/2020"/>
+ </libosinfo:libosinfo>
+ </metadata>
+ <memory>65536</memory>
+ <currentMemory>65536</currentMemory>
+ <vcpu>2</vcpu>
+ <os>
+ <type arch="x86_64" machine="q35">hvm</type>
+ <loader readonly="yes" type="pflash">/usr/share/OVMF/OVMF_CODE.fd</loader>
+ <boot dev="hd"/>
+ </os>
+ <features>
+ <acpi/>
+ <apic/>
+ <vmport state="off"/>
+ </features>
+ <cpu mode="host-passthrough"/>
+ <clock offset="utc">
+ <timer name="rtc" tickpolicy="catchup"/>
+ <timer name="pit" tickpolicy="delay"/>
+ <timer name="hpet" present="no"/>
+ </clock>
+ <pm>
+ <suspend-to-mem enabled="no"/>
+ <suspend-to-disk enabled="no"/>
+ </pm>
+ <devices>
+ <emulator>/usr/bin/qemu-system-x86_64</emulator>
+ <disk type="file" device="disk">
+ <driver name="qemu" type="qcow2" discard="unmap"/>
+ <source file="/var/lib/libvirt/images/linux2020.qcow2"/>
+ <target dev="vda" bus="virtio"/>
+ </disk>
+ <controller type="usb" model="qemu-xhci" ports="15"/>
+ <controller type="pci" model="pcie-root"/>
+ <controller type="pci" model="pcie-root-port"/>
+ <controller type="pci" model="pcie-root-port"/>
+ <controller type="pci" model="pcie-root-port"/>
+ <controller type="pci" model="pcie-root-port"/>
+ <controller type="pci" model="pcie-root-port"/>
+ <controller type="pci" model="pcie-root-port"/>
+ <controller type="pci" model="pcie-root-port"/>
+ <controller type="pci" model="pcie-root-port"/>
+ <controller type="pci" model="pcie-root-port"/>
+ <controller type="pci" model="pcie-root-port"/>
+ <controller type="pci" model="pcie-root-port"/>
+ <controller type="pci" model="pcie-root-port"/>
+ <controller type="pci" model="pcie-root-port"/>
+ <controller type="pci" model="pcie-root-port"/>
+ <interface type="bridge">
+ <source 
bridge="testsuitebr0"/>
+ <mac address="00:11:22:33:44:55"/>
+ <model type="virtio"/>
+ </interface>
+ <console type="pty"/>
+ <channel type="unix">
+ <source mode="bind"/>
+ <target type="virtio" name="org.qemu.guest_agent.0"/>
+ </channel>
+ <channel type="spicevmc">
+ <target type="virtio" name="com.redhat.spice.0"/>
+ </channel>
+ <input type="tablet" bus="usb"/>
+ <tpm model="tpm-crb">
+ <backend type="emulator"/>
+ </tpm>
+ <graphics type="spice" port="-1" tlsPort="-1" autoport="yes">
+ <image compression="off"/>
+ </graphics>
+ <sound model="ich9"/>
+ <video>
+ <model type="virtio"/>
+ </video>
+ <redirdev bus="usb" type="spicevmc"/>
+ <redirdev bus="usb" type="spicevmc"/>
+ <memballoon model="virtio"/>
+ <rng model="virtio">
+ <backend model="random">/dev/urandom</backend>
+ </rng>
+ </devices>
+ <launchSecurity type="sev">
+ <policy>0x07</policy>
+ </launchSecurity>
+</domain>
diff --git a/tests/test_cli.py b/tests/test_cli.py
index 47b59055..7d7b5a9b 100644
--- a/tests/test_cli.py
+++ b/tests/test_cli.py
@@ -1108,6 +1108,7 @@ c.add_compare("--connect " + utils.URIs.kvm_x86_remote + " --import --disk %(EXI
 c.add_compare("--connect %(URI-KVM-X86)s --os-variant fedora26 --graphics spice --controller usb,model=none", "graphics-usb-disable")
 c.add_compare("--osinfo generic --boot uefi --disk size=1", "boot-uefi")
 c.add_compare("--osinfo generic --boot uefi --disk size=1 --tpm none --connect " + utils.URIs.kvm_x86_oldfirmware, "boot-uefi-oldcaps")
+c.add_compare("--osinfo linux2020 --boot uefi --launchSecurity sev --connect " + utils.URIs.kvm_amd_sev, "amd-sev")
 c.add_invalid("--disk none --location nfs:example.com/fake --nonetworks", grep="NFS URL installs are no longer supported")
 c.add_invalid("--disk none --boot network --machine foobar", grep="domain type None with machine 'foobar'")
diff --git a/virtinst/domain/launch_security.py b/virtinst/domain/launch_security.py
index 7af71811..9d2998d9 100644
--- a/virtinst/domain/launch_security.py 
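Review bot: The new `add_compare` case only pins the SEV-ES branch of the default-policy logic: its expected XML carries `<policy>0x07</policy>`, which presumably means the `kvm_amd_sev` capabilities fixture advertises a non-zero `maxESGuests`, so the `0x03` fallback for a host that supports SEV but not SEV-ES is left with no compare test. I would add a second `add_compare` with the same command line whose `--connect` points at a capabilities fixture that advertises `<sev supported="yes">` without `maxESGuests` (or with it set to 0) and expect `<policy>0x03</policy>`, so a regression in that branch is caught. Whether such a fixture already exists under tests/data is not visible from this hunk.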
+++ b/virtinst/domain/launch_security.py
@@ -22,13 +22,15 @@ class DomainLaunchSecurity(XMLBuilder):
 if not guest.os.is_q35() or not guest.is_uefi():
 raise RuntimeError(_("SEV launch security requires a Q35 UEFI machine"))
- # 'policy' is a mandatory 4-byte argument for the SEV firmware,
- # if missing, let's use 0x03 which, according to the table at
- # https://libvirt.org/formatdomain.html#launchSecurity:
- # (bit 0) - disables the debugging mode
- # (bit 1) - disables encryption key sharing across multiple guests
+ # The 'policy' is a mandatory 4-byte argument for the SEV firmware.
+ # If missing, we use 0x03 for the original SEV implementation and
+ # 0x07 for SEV-ES.
+ # Reference: https://libvirt.org/formatdomain.html#launchSecurity
 if self.policy is None:
+ domcaps = guest.lookup_domcaps()
 self.policy = "0x03"
+ if domcaps.supports_sev_launch_security(check_es=True):
+ self.policy = "0x07"
 def set_defaults(self, guest):
 if self.type == "sev":
diff --git a/virtinst/domcapabilities.py b/virtinst/domcapabilities.py
index 6ba3e71c..d22ce6a2 100644
--- a/virtinst/domcapabilities.py
+++ b/virtinst/domcapabilities.py
@@ -93,6 +93,7 @@ def _make_capsblock(xml_root_name):
 class _SEV(XMLBuilder):
 XML_NAME = "sev"
 supported = XMLProperty("./@supported", is_yesno=True)
+ maxESGuests = XMLProperty("./maxESGuests")
 #############################
@@ -392,12 +393,15 @@ class DomainCapabilities(XMLBuilder):
 # Misc support methods #
 ########################
- def supports_sev_launch_security(self):
+ def supports_sev_launch_security(self, check_es=False):
 """ Returns False if either libvirt doesn't advertise support for SEV at all (< libvirt-4.5.0) or if it explicitly advertises it as unsupported on the platform """
+ if check_es:
+ return bool(self.features.sev.supported and
+ self.features.sev.maxESGuests)
 return bool(self.features.sev.supported)
 def supports_video_bochs(self): |
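Review bot: The new default at `self.policy = "0x07"` escalates the policy on any host whose domain capabilities advertise SEV-ES, and 0x07 sets policy bit 2 (ES), which per the referenced libvirt table means the guest must be launched as SEV-ES; every default `--launchSecurity sev` guest on such a host therefore becomes an SEV-ES guest, which additionally needs SEV-ES-capable firmware and a guest kernel with SEV-ES support, and nothing in the hunk checks or tells the user about that. The rewritten comment also drops the bit meanings the old one spelled out and leaves only a URL; I would keep them inline, e.g. `# 0x03 = bit 0 (no debug) | bit 1 (no key sharing); 0x07 adds bit 2 (ES): the firmware then refuses a non-SEV-ES launch`. Consider documenting the escalation in the user-facing option help, or tying it to an explicit request rather than to host capability alone. `guest.lookup_domcaps()` is not visible here, so I am assuming it returns the same DomainCapabilities object the rest of virtinst uses. The enclosing method begins before this hunk.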
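Review bot: `maxESGuests = XMLProperty("./maxESGuests")` declares no value type, so, assuming XMLProperty's default is the element's raw text (the sibling `supported` needed `is_yesno=True` to become a bool), the attribute holds a string such as `"0"`, and any truthiness test on it is True whenever the element is present at all. libvirt documents `maxESGuests` as a count of launchable SEV-ES guests, so a SEV-capable host with no SEV-ES ASIDs can plausibly report `<maxESGuests>0</maxESGuests>`, and callers deciding on SEV-ES from this property would be misled. I would declare it numerically, `maxESGuests = XMLProperty("./maxESGuests", is_int=True)`, presuming XMLProperty supports that flag as other virtinst properties appear to; if not, the conversion belongs at the call site.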
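Review bot: The docstring was not updated for the new `check_es` parameter, and the `check_es` branch relies on bare truthiness of `maxESGuests`: if that property is read as element text, a host reporting `<maxESGuests>0</maxESGuests>` is reported as SEV-ES capable because `bool("0")` is True, and the caller in launch_security would then emit a policy the firmware cannot honour. I would add `check_es: also require that the host advertises SEV-ES capacity (a non-zero maxESGuests)` to the docstring and make the comparison explicit: `return bool(self.features.sev.supported) and int(self.features.sev.maxESGuests or 0) > 0`. The `or 0` keeps the result False on older libvirt that does not emit the element at all, which this hunk already intends.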