From 71e87f4da22992c5d9f858535a1acaa7201aa7d3 Mon Sep 17 00:00:00 2001
Message-Id: <71e87f4da22992c5d9f858535a1acaa7201aa7d3@dist-git>
From: Paulo de Rezende Pinatti <ppinatti@linux.ibm.com>
Date: Wed, 24 Jun 2020 13:16:19 +0200
Subject: [PATCH] qemu: Check if AMD secure guest support is enabled
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Implement secure guest check for AMD SEV (Secure Encrypted
Virtualization) in order to invalidate the qemu capabilities
cache in case the availability of the feature changed.
For AMD SEV the verification consists of:
 - checking if /sys/module/kvm_amd/parameters/sev contains the
   value '1': meaning SEV is enabled in the host kernel;
 - checking if /dev/sev exists
Signed-off-by: Paulo de Rezende Pinatti <ppinatti@linux.ibm.com>
Signed-off-by: Boris Fiuczynski <fiuczy@linux.ibm.com>
Reviewed-by: Bjoern Walk <bwalk@linux.ibm.com>
Reviewed-by: Erik Skultety <eskultet@redhat.com>
(cherry picked from commit 657365e74f489b70bfbf2eb014db63046c5e3888)
https://bugzilla.redhat.com/show_bug.cgi?id=1848997
https://bugzilla.redhat.com/show_bug.cgi?id=1850351
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
Message-Id: <1c3393cb71b731f5632d150d77f9920b591aa5ee.1592996194.git.jdenemar@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
---
 src/qemu/qemu_capabilities.c | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
b971b8
index 8a4b43c269..278eaa0009 100644
b971b8
--- a/src/qemu/qemu_capabilities.c
b971b8
+++ b/src/qemu/qemu_capabilities.c
b971b8
@@ -4543,6 +4543,27 @@ virQEMUCapsKVMSupportsSecureGuestS390(void)
b971b8
 }
b971b8
 
b971b8
 
b971b8
+/*
b971b8
+ * Check whether AMD Secure Encrypted Virtualization (x86) is enabled
b971b8
+ */
b971b8
+static bool
b971b8
+virQEMUCapsKVMSupportsSecureGuestAMD(void)
b971b8
+{
b971b8
+    g_autofree char *modValue = NULL;
b971b8
+
b971b8
+    if (virFileReadValueString(&modValue, "/sys/module/kvm_amd/parameters/sev") < 0)
b971b8
+        return false;
b971b8
+
b971b8
+    if (modValue[0] != '1')
b971b8
+        return false;
b971b8
+
b971b8
+    if (virFileExists(QEMU_DEV_SEV))
b971b8
+        return true;
b971b8
+
b971b8
+    return false;
b971b8
+}
b971b8
+
b971b8
+
b971b8
 /*
b971b8
  * Check whether the secure guest functionality is enabled.
b971b8
  * See the specific architecture function for details on the verifications made.
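Review bot: The `modValue[0] != '1'` test in virQEMUCapsKVMSupportsSecureGuestAMD() accepts only the integer form of the kvm_amd `sev` parameter; kernel module parameters declared as bool are shown in sysfs as `Y`/`N`, so if a kernel exposes `sev` that way this helper would report SEV as disabled on a host where it is enabled, and the capabilities cache would not be invalidated. Consider `if (modValue[0] != '1' && modValue[0] != 'Y' && modValue[0] != 'y')` and naming the accepted values in the header comment. The comment could also say that this is a host-configuration probe (module parameter plus existence of `QEMU_DEV_SEV`) used for cache invalidation, not evidence that a guest can actually be launched with SEV, since `virFileExists()` does not show the device is usable by QEMU. The trailing `if (...) return true; return false;` can be written as `return virFileExists(QEMU_DEV_SEV);`. The second hunk routes every x86 host to this helper, so on non-AMD hosts the result presumably depends on the sysfs read failing, which is worth one line in the comment as well.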
b971b8
@@ -4554,6 +4575,10 @@ virQEMUCapsKVMSupportsSecureGuest(void)
b971b8
 
b971b8
     if (ARCH_IS_S390(arch))
b971b8
         return virQEMUCapsKVMSupportsSecureGuestS390();
b971b8
+
b971b8
+    if (ARCH_IS_X86(arch))
b971b8
+        return virQEMUCapsKVMSupportsSecureGuestAMD();
b971b8
+
b971b8
     return false;
b971b8
 }
b971b8
 
-- 
2.27.0