Re: [libvirt] [PATCH 3/3] qemu: domain: Add /dev/sev into the domain mount namespace selectively
On 1/23/19 1:57 PM, Erik Skultety wrote:
Instead of exposing /dev/sev to every domain, do it selectively.
Signed-off-by: Erik Skultety <eskultet(a)redhat.com>
---
src/qemu/qemu_domain.c | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index 32a43f2064..a4cdb8d355 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -12112,6 +12112,26 @@ qemuDomainSetupLoader(virQEMUDriverConfigPtr cfg
ATTRIBUTE_UNUSED,
}
+static int
+qemuDomainSetupLaunchSecurity(virQEMUDriverConfigPtr cfg ATTRIBUTE_UNUSED,
+ virDomainObjPtr vm,
+ const struct qemuDomainCreateDeviceData *data)
+{
+ virDomainSEVDefPtr sev = vm->def->sev;
+
+ if (!sev || sev->sectype != VIR_DOMAIN_LAUNCH_SECURITY_SEV)
+ return 0;
+
+ VIR_DEBUG("Setting up launch security");
+
+ if (qemuDomainCreateDevice("/dev/sev", data, false) < 0)
nitpick - I'd rather see this as a macro:
#define SEV_PATH "/dev/sev"
...
qemuDomainCreateDevice(SEV_PATH, ..)
+ return -1;
+
+ VIR_DEBUG("Set up launch security");
+ return 0;
+}
+
+
ACK
Michal