|
 |
fbe740 |
From 71e87f4da22992c5d9f858535a1acaa7201aa7d3 Mon Sep 17 00:00:00 2001
|
|
|
fbe740 |
Message-Id: <71e87f4da22992c5d9f858535a1acaa7201aa7d3@dist-git>
|
|
|
fbe740 |
From: Paulo de Rezende Pinatti <ppinatti@linux.ibm.com>
|
|
|
fbe740 |
Date: Wed, 24 Jun 2020 13:16:19 +0200
|
|
|
fbe740 |
Subject: [PATCH] qemu: Check if AMD secure guest support is enabled
|
|
|
fbe740 |
MIME-Version: 1.0
|
|
|
fbe740 |
Content-Type: text/plain; charset=UTF-8
|
|
|
fbe740 |
Content-Transfer-Encoding: 8bit
|
|
|
fbe740 |
|
|
|
fbe740 |
Implement secure guest check for AMD SEV (Secure Encrypted
|
|
|
fbe740 |
Virtualization) in order to invalidate the qemu capabilities
|
|
|
fbe740 |
cache in case the availability of the feature changed.
|
|
|
fbe740 |
|
|
|
fbe740 |
For AMD SEV the verification consists of:
|
|
|
fbe740 |
- checking if /sys/module/kvm_amd/parameters/sev contains the
|
|
|
fbe740 |
value '1': meaning SEV is enabled in the host kernel;
|
|
|
fbe740 |
- checking if /dev/sev exists
|
|
|
fbe740 |
|
|
|
fbe740 |
Signed-off-by: Paulo de Rezende Pinatti <ppinatti@linux.ibm.com>
|
|
|
fbe740 |
Signed-off-by: Boris Fiuczynski <fiuczy@linux.ibm.com>
|
|
|
fbe740 |
Reviewed-by: Bjoern Walk <bwalk@linux.ibm.com>
|
|
|
fbe740 |
Reviewed-by: Erik Skultety <eskultet@redhat.com>
|
|
|
fbe740 |
(cherry picked from commit 657365e74f489b70bfbf2eb014db63046c5e3888)
|
|
|
fbe740 |
|
|
|
fbe740 |
https://bugzilla.redhat.com/show_bug.cgi?id=1848997
|
|
|
fbe740 |
https://bugzilla.redhat.com/show_bug.cgi?id=1850351
|
|
|
fbe740 |
|
|
|
fbe740 |
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
|
|
|
fbe740 |
Message-Id: <1c3393cb71b731f5632d150d77f9920b591aa5ee.1592996194.git.jdenemar@redhat.com>
|
|
|
fbe740 |
Reviewed-by: Ján Tomko <jtomko@redhat.com>
|
|
|
fbe740 |
---
|
|
|
fbe740 |
src/qemu/qemu_capabilities.c | 25 +++++++++++++++++++++++++
|
|
|
fbe740 |
1 file changed, 25 insertions(+)
|
|
|
fbe740 |
|
|
|
fbe740 |
diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
|
|
|
fbe740 |
index 8a4b43c269..278eaa0009 100644
|
|
|
fbe740 |
--- a/src/qemu/qemu_capabilities.c
|
|
|
fbe740 |
+++ b/src/qemu/qemu_capabilities.c
|
|
|
fbe740 |
@@ -4543,6 +4543,27 @@ virQEMUCapsKVMSupportsSecureGuestS390(void)
|
|
|
fbe740 |
}
|
|
|
fbe740 |
|
|
|
fbe740 |
|
|
|
fbe740 |
+/*
|
|
|
fbe740 |
+ * Check whether AMD Secure Encrypted Virtualization (x86) is enabled
|
|
|
fbe740 |
+ */
|
|
|
fbe740 |
+static bool
|
|
|
fbe740 |
+virQEMUCapsKVMSupportsSecureGuestAMD(void)
|
|
|
fbe740 |
+{
|
|
|
fbe740 |
+ g_autofree char *modValue = NULL;
|
|
|
fbe740 |
+
|
|
|
fbe740 |
+ if (virFileReadValueString(&modValue, "/sys/module/kvm_amd/parameters/sev") < 0)
|
|
|
fbe740 |
+ return false;
|
|
|
fbe740 |
+
|
|
|
fbe740 |
+ if (modValue[0] != '1')
|
|
|
fbe740 |
+ return false;
|
|
|
fbe740 |
+
|
|
|
fbe740 |
+ if (virFileExists(QEMU_DEV_SEV))
|
|
|
fbe740 |
+ return true;
|
|
|
fbe740 |
+
|
|
|
fbe740 |
+ return false;
|
|
|
fbe740 |
+}
|
|
|
fbe740 |
+
|
|
|
fbe740 |
+
|
|
|
fbe740 |
/*
|
|
|
fbe740 |
* Check whether the secure guest functionality is enabled.
|
|
|
fbe740 |
* See the specific architecture function for details on the verifications made.
|
|
|
fbe740 |
@@ -4554,6 +4575,10 @@ virQEMUCapsKVMSupportsSecureGuest(void)
|
|
|
fbe740 |
|
|
|
fbe740 |
if (ARCH_IS_S390(arch))
|
|
|
fbe740 |
return virQEMUCapsKVMSupportsSecureGuestS390();
|
|
|
fbe740 |
+
|
|
|
fbe740 |
+ if (ARCH_IS_X86(arch))
|
|
|
fbe740 |
+ return virQEMUCapsKVMSupportsSecureGuestAMD();
|
|
|
fbe740 |
+
|
|
|
fbe740 |
return false;
|
|
|
fbe740 |
}
|
|
|
fbe740 |
|
|
|
fbe740 |
--
|
|
|
fbe740 |
2.27.0
|
|
|
fbe740 |
|