[libvirt] libvirt/QEMU/SEV interaction
by Brijesh Singh
Hi All,
(sorry for the long message)
CPUs from AMD EPYC family support Secure Encrypted Virtualization (SEV)
feature - the feature allows running encrypted VMs. To enable the feature,
I have been submitting patches to Linux kernel [1], Qemu [2] and OVMF [3].
We have been making some good progress in getting patches accepted upstream
in Linux and OVMF trees. SEV builds upon SME (Secure Memory Encryption)
feature -- SME support just got pulled into 4.14 merge window. The base
SEV patches are accepted in OVMF tree -- now we have SEV aware guest BIOS.
I am getting ready to take off "RFC" tag from remaining patches to get them
reviewed and accepted.
The boot flow for launching an SEV guest is a bit different from a typical
guest launch. In order to launch SEV guest from virt-manager or other
high-level VM management tools, we need to design and implement new
interface between libvirt and qemu, and probably add new APIs in libvirt
to be used by VM management tools. I am new to the libvirt and need some
expert advice while designing this interface. A pictorial representation
for a SEV guest launch flow is available in SEV Spec Appendix A [4].
A typical flow looks like this:
1. Guest owner (GO) asks the cloud provider to launch SEV guest.
2. VM tool asks libvirt to provide its Platform Diffie-Hellman (PDH) key.
3. libvirt opens /dev/sev device to get its PDH and return the blob to the
caller.
4. VM tool gives its PDH to GO.
5. GO provides its DH key, session-info and guest policy.
6. VM tool somehow communicates the GO provided information to libvirt.
7. libvirt adds "sev-guest" object in its xml file with all the information
obtained from #5
(currently my xml file looks like this)
<qemu:arg value='-object'/>
<qemu:arg value='sev-guest,id=sev0,policy=<GO_policy>,dh-key-file=<filename>,session-file=<filename>'/>
<qemu:arg value='-machine'/>
<qemu:arg value='memory-encryption=sev0'/>
8. libvirt launches the guest with "-S"
9. While creating the SEV guest qemu does the following
i) create encryption context using GO's DH, session-info and guest policy
(LAUNCH_START)
ii) encrypts the guest bios (LAUNCH_UPDATE_DATA)
iii) calls LAUNCH_MEASUREMENT to get the encrypted bios measurement
10. By some interface we must propagate the measurement all the way to GO
before libvirt starts the guest.
11. GO verifies the measurement and if measurement matches then it may
give a secret blob -- which must be injected into the guest before
libvirt starts the VM. If verification failed, GO will request cloud
provider to destroy the VM.
12. After secret blob is injected into guest, we call LAUNCH_FINISH
to destroy the encryption context.
13. libvirt issues "continue" command to resume the guest boot.
Please note that the measurement value is protected with transport
encryption key (TIK) and it changes on each run. Similarly the secret blob
provided by GO does not need to be protected using libvirt/qemu APIs. The
secret is protected by TIK. From qemu and libvirt point of view these are
blobs and must be passed as-is to the SEV FW.
Questions:
a) Do we need to add a new set of APIs in libvirt to return the PDH from
libvirt and VM tool ? Or can we use some pre-existing APIs to pass the
opaque blobs ? (this is mainly for step 3 and 6)
b) do we need to define a new xml tag for memory-encryption ? or just
use the qemu:args tag ? (step 6)
c) what existing communication interface can be used between libvirt and qemu
to get the measurement ? can we add a new qemu monitor command
'get_sev_measurement' to get the measurement ? (step 10)
d) how to pass the secret blob from libvirt to qemu ? should we consider
adding a new object (sev-guest-secret) -- libvirt can add the object through
qemu monitor.
[1] https://marc.info/?l=kvm&m=150092661105069&w=2
[2] https://marc.info/?l=qemu-devel&m=148901186615642&w=2
[3] https://lists.01.org/pipermail/edk2-devel/2017-July/012220.html
[4] http://support.amd.com/TechDocs/55766_SEV-KM%20API_Specification.pdf
Thanks
Brijesh
7 years, 7 months
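The guest-owner check in step 11 of the SEV launch flow above, as an added example that is not part of the original message or of libvirt/QEMU code. It assumes the LAUNCH_MEASURE layout from the SEV API specification [4] (HMAC-SHA256 keyed with the TIK, followed by a 16-byte nonce); all function names are hypothetical and all sample values are constructed.

```python
import hashlib
import hmac
import os
import struct

MEASURE_LEN = 32   # HMAC-SHA256 output
MNONCE_LEN = 16    # firmware-chosen nonce appended to the measurement


def expected_measure(tik, api_major, api_minor, build, policy, bios, mnonce):
    """Recompute the launch measurement on the guest-owner side.

    Assumed layout (SEV API spec, LAUNCH_MEASURE):
    HMAC-SHA256(0x04 || API_MAJOR || API_MINOR || BUILD ||
                POLICY (u32 LE) || SHA-256(launched data) || MNONCE; TIK)
    """
    launch_digest = hashlib.sha256(bios).digest()
    msg = (bytes([0x04, api_major, api_minor, build])
           + struct.pack("<I", policy) + launch_digest + mnonce)
    return hmac.new(tik, msg, hashlib.sha256).digest()


def verify_launch_blob(blob, tik, api_major, api_minor, build, policy, bios):
    """Return True only if the 48-byte blob (measure || mnonce) matches."""
    if len(blob) != MEASURE_LEN + MNONCE_LEN:
        return False
    measure, mnonce = blob[:MEASURE_LEN], blob[MEASURE_LEN:]
    want = expected_measure(tik, api_major, api_minor, build, policy, bios, mnonce)
    # Constant-time comparison, as for any MAC check.
    return hmac.compare_digest(measure, want)


def simulate_firmware_measure(tik, api_major, api_minor, build, policy, bios):
    """Stand-in for the SEV firmware side, used only to build sample blobs."""
    mnonce = os.urandom(MNONCE_LEN)
    measure = expected_measure(tik, api_major, api_minor, build, policy, bios, mnonce)
    return measure + mnonce


# Constructed sample values, not taken from real hardware.
TIK = bytes(range(16))
BIOS = b"constructed OVMF image bytes"
PLATFORM = dict(api_major=0, api_minor=14, build=3, policy=0x01)

if __name__ == "__main__":
    blob = simulate_firmware_measure(TIK, bios=BIOS, **PLATFORM)
    print("good launch:  ", verify_launch_blob(blob, TIK, bios=BIOS, **PLATFORM))
    print("tampered bios:", verify_launch_blob(blob, TIK, bios=BIOS + b"!", **PLATFORM))
```

Because the nonce is fresh on every launch, two measurements of the same BIOS differ, which is why libvirt and QEMU can treat the blob as opaque and only the holder of the TIK can check it.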
[libvirt] [perl PATCH 0/2] Add missing bindings
by Pavel Hrdina
Pavel Hrdina (2):
Add VIR_DOMAIN_JOB_MEMORY_PAGE_SIZE constant
Add set_lifecycle_action
Changes | 3 ++-
Virt.xs | 24 ++++++++++++++++++++
lib/Sys/Virt/Domain.pm | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 86 insertions(+), 1 deletion(-)
--
2.13.6
7 years, 7 months
[libvirt] [PATCH] util: Missing 'removeTimeoutImpl' check variable inside virEventRegisterImpl() function.
by Julio Faracco
The function virEventRegisterImpl() checks the attempt to replace the
registered events. But there is a duplicate variable inside the IF statement.
The variable 'removeHandleImpl' was wrongly repeated. One of them needs to be
replaced by 'removeTimeoutImpl'.
Signed-off-by: Julio Faracco <jcfaracco(a)gmail.com>
---
src/util/virevent.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/util/virevent.c b/src/util/virevent.c
index 51d8714..87069e3 100644
--- a/src/util/virevent.c
+++ b/src/util/virevent.c
@@ -241,7 +241,7 @@ void virEventRegisterImpl(virEventAddHandleFunc addHandle,
addTimeout, updateTimeout, removeTimeout);
if (addHandleImpl || updateHandleImpl || removeHandleImpl ||
- addTimeoutImpl || updateTimeoutImpl || removeHandleImpl) {
+ addTimeoutImpl || updateTimeoutImpl || removeTimeoutImpl) {
VIR_WARN("Ignoring attempt to replace registered event loop");
return;
}
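Review bot: in the second line of the condition, replacing the repeated `removeHandleImpl` with `removeTimeoutImpl` is correct, and the only change I would ask for is to the commit summary, which is long and ends with a period; something like "util: Check removeTimeoutImpl in virEventRegisterImpl" would read better in the log. Since the old condition never looked at `removeTimeoutImpl`, the message body could also say whether that ever let a second registration through or whether the other five checks always caught it.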
--
2.7.4
7 years, 7 months
[libvirt] [PATCH 0/7] Preparation for new QEMU migration states
by Jiri Denemark
Mostly refactoring of the horrible mess in qemuMigrationRun.
Jiri Denemark (7):
qemu: Use switch in qemuMigrationCompleted
qemu: Refactor qemuMigrationRun a bit
qemu: Split cleanup and error code in qemuMigrationRun
qemu: Unite error handling in qemuMigrationRun
qemu: Don't misuse "ret" in qemuMigrationRun
qemu: Consistently use exit_monitor in qemuMigrationRun
qemu: Set correct job status when qemuMigrationRun fails
src/qemu/qemu_migration.c | 196 +++++++++++++++++++++++++---------------------
1 file changed, 105 insertions(+), 91 deletions(-)
--
2.14.2
7 years, 7 months
[libvirt] [jenkins-ci PATCH 0/2] guests: Minor fixes and tweaks
by Andrea Bolognani
1/2 is a bug fix, 2/2 a small improvement.
Andrea Bolognani (2):
guests: Reorder configuration steps for root authentication
guests: Don't warn when bootstrapping package manager
guests/tasks/base.yml | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
--
2.13.6
7 years, 7 months
[libvirt] [go PATCH 0/2] Add missing bindings
by Pavel Hrdina
Pavel Hrdina (2):
Add VIR_DOMAIN_JOB_MEMORY_PAGE_SIZE constant
Add virDomainSetLifecycleAction API support
domain.go | 39 +++++++++++++++++++++++++++++++++++++++
domain_compat.go | 12 ++++++++++++
domain_compat.h | 47 +++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 98 insertions(+)
--
2.13.6
7 years, 7 months
[libvirt] [PATCH v1 00/14] Never ending story of user supplied aliases
by Michal Privoznik
As discussed earlier [1], we should allow users to set device
aliases at the define time. While the discussed approach calls
for generating missing aliases too, I'm saving that for another
patch set. There are a couple of reasons for that:
a) I don't think it's really necessary (if users are interested
in a device they can just set the alias).
b) This patch set is already big enough as is.
c) Generating aliases is going to have its own problems.
Therefore, for now I'm only proposing parsing user supplied
aliases. The idea is that it's not enabled by default for all
drivers. Any driver that wants to/can provide this feature has to
set VIR_DOMAIN_DEF_FEATURE_USER_ALIAS. Note that we have some
drivers that don't have a notion of device aliases. But the code is
generic enough so that it should be easy to use in the drivers
that do know what aliases are.
1: https://www.redhat.com/archives/libvir-list/2017-October/msg00201.html
Michal Privoznik (14):
conf: Fix virDomainDeviceGetInfo const correctness
virDomainObjGetOneDefState: Fix error message
qemuAssignDeviceAliases: Use qemuAssignDeviceRNGAlias for assigning
RNG aliases
qemu: Move device alias assignment to separate functions
qemu: Be tolerant to preexisting aliases
conf: Pass xmlopt down to virDomainDeviceInfoParseXML
conf: Parse user supplied aliases
conf: Validate user supplied aliases
virDomainDeviceInfoCheckABIStability: Check for alias too
qemuxml2argvdata: Drop device aliases
qemuhotplugtest: Load active XML
conf: Format alias even for inactive XMLs
docs: Document user aliases
qemu: Parse alias from inactive XMLs
docs/formatdomain.html.in | 23 ++
src/conf/domain_conf.c | 353 ++++++++++++++++-----
src/conf/domain_conf.h | 8 +-
src/libvirt_private.syms | 1 +
src/qemu/qemu_alias.c | 139 +++++++-
src/qemu/qemu_domain.c | 3 +-
src/qemu/qemu_driver.c | 3 +
src/qemu/qemu_hotplug.c | 6 +-
tests/qemuhotplugtest.c | 3 +-
.../qemuxml2argv-disk-cdrom-network-ftp.xml | 1 -
.../qemuxml2argv-disk-cdrom-network-ftps.xml | 1 -
.../qemuxml2argv-disk-cdrom-network-http.xml | 1 -
.../qemuxml2argv-disk-cdrom-network-https.xml | 1 -
.../qemuxml2argv-disk-cdrom-network-tftp.xml | 1 -
.../qemuxml2argv-usb-redir-filter.xml | 1 -
15 files changed, 444 insertions(+), 101 deletions(-)
--
2.13.6
7 years, 7 months
[libvirt] [PATCH 0/5] qemu: Improve the way we handle migration capabilities
by Jiri Denemark
Jiri Denemark (5):
qemu: Create a wrapper around qemuMonitorSetCapabilities
qemu: Store supported migration capabilities in a bitmap
qemu: Use bitmap with migration capabilities
qemu: Drop qemuMonitorGetMigrationCapability
qemu: Enhance debug message in qemuMonitorSetMigrationCapability
src/qemu/qemu_domain.c | 75 ++++++++++++++++++++++++++++++++++++++++++++
src/qemu/qemu_domain.h | 9 ++++++
src/qemu/qemu_driver.c | 32 ++++++++-----------
src/qemu/qemu_migration.c | 45 +++++++++++++++-----------
src/qemu/qemu_migration.h | 4 +++
src/qemu/qemu_monitor.c | 22 ++-----------
src/qemu/qemu_monitor.h | 2 --
src/qemu/qemu_monitor_json.c | 18 -----------
src/qemu/qemu_monitor_json.h | 2 --
src/qemu/qemu_process.c | 43 ++++++++++++++-----------
tests/qemumonitorjsontest.c | 16 ++++++----
11 files changed, 163 insertions(+), 105 deletions(-)
--
2.14.2
7 years, 7 months
[libvirt] [PATCH 0/6] vbox: Improve handling of storage devices.
by Dawid Zamirski
Hello,
This patch series reworks the VirtualBox storage device handling code,
brief summary:
* Extend libvirt schema to specify IDE controller model as VBox supports
changing IDE model to PIIX3, PIIX4 or ICH6 and there are known cases
of legacy guest OSes being very sensitive to that.
* Make the driver recognize <controller> element at define time which
allows to specify controller model. Previously the driver was
completely ignoring that element.
* Allow to create vbox SAS controllers via
<controller type="scsi" model="lsisas1068" />
* Handle removable devices - define and dump devices without media.
* Make sure media is closed when undefining VMs. Leaving media unclosed
may cause errors when defining VMs pointing at the same local path.
Dawid Zamirski (6):
vbox: Close media when undefining domains.
domain: Allow 'model' attribute for ide controller.
docs: Add info about ide model attribute.
vbox: Add more IStorageController API mappings.
vbox: Process controller definitions from xml.
vbox: Update XML dump of storage devices.
docs/formatdomain.html.in | 3 +
docs/schemas/domaincommon.rng | 18 +-
src/conf/domain_conf.c | 9 +
src/conf/domain_conf.h | 9 +
src/libvirt_private.syms | 2 +
src/vbox/vbox_common.c | 1212 +++++++++++++++++++++++------------------
src/vbox/vbox_common.h | 21 +
src/vbox/vbox_tmpl.c | 87 +--
src/vbox/vbox_uniformed_api.h | 3 +
9 files changed, 790 insertions(+), 574 deletions(-)
--
2.14.2
7 years, 7 months
[libvirt] [PATCH v5 00/16] Use secret objects to pass iSCSI passwords
by John Ferlan
v4: https://www.redhat.com/archives/libvir-list/2017-September/msg00944.html
Changes since v4 are minor - mostly to change from 3.8.0 to 3.9.0... Update
the news.xml once <auth> is allowed for <source>. Add a news.xml to describe
the bug fix. Beyond that - merge changes up to git commit '5d7659027'.
I ran the changes through my Coverity checker too.
Repeated from the cover of v4:
v3: https://www.redhat.com/archives/libvir-list/2017-September/msg00881.html
Difference with v3:
Add patch 3 to perform virStorageSourceCopy for qemu and storage source
private data.
Adjust the move encinfo from private disk to private disk src to handle
the Copy for the @encinfo too
Repeated from cover of v3 (although perhaps just too much information for
the eyes to consume):
v2: https://www.redhat.com/archives/libvir-list/2017-September/msg00466.html
Changes since v2:
* Former Patch 1 & 2 were pushed
* New Patch 1 is former Patches 3 and parts of 4 combined appropriately
-> Allow <auth> under <disk> or <source> - keep track of where it was found
so that format prints in the right place
-> Cleaned up the tests and new xml/args files
* Patch 2 is part of the former patch 6 - just the new _virStorageSource
* Patch 3 is new - to introduce an allocator for domain_conf to create
a _virStorageSource
* Patch 4 is new - as stated found that the @diskPriv->encinfo wasn't
cleaned up properly
* Patch 5 is the rest of the former patch 6
* Patch 6 is the former patch 7 with some minor adjustments to allow
<encryption> to follow <auth> and be both child of <disk> and <source>
* Patch 7 is the former patch 10 with minor change to perform free of
encinfo properly (e.g. from patch 4)
* Patch 8 is former patch 5 and 9 combined
* Patch 9 is new - to use the virStorageSource for iscsisrc instead of
just three fields we wanted
* Patch 10 is new to alter the existing hostdevPriv to use diskSrcPriv
* Patch 11 is new to remove the hostdevPriv as it's no longer necessary
* Patch 12 is new to split up a change in qemuBuildSCSIiSCSIHostdevDrvStr
from the last patch
* Patch 13 is the former patch 13
* Patch 14 is altered to accommodate the hostdev usage of virStorageSource
for iscsisrc->src instead of that hack that was there before.
John Ferlan (16):
conf: Add/Allow parsing the auth in the disk source
qemu: Introduce privateData for _virStorageSource
qemu: Introduce qemuDomainStorageSourceCopy
conf: Introduce virDomainDiskStorageSourceNew
qemu: Add missing encinfo cleanup
qemu: Relocate qemuDomainSecretInfoPtr from disk private
conf: Add/Allow parsing the encryption in the disk source
qemu: Move encinfo from private disk to private disk src
docs: Add news article regarding auth/encryption placement
conf,qemu: Replace iscsisrc fields with virStorageSourcePtr
qemu: Use private disksrc for iscsi instead of private hostdev
qemu: Remove private hostdev
qemu: Refactor qemuBuildSCSIiSCSIHostdevDrvStr slightly
qemu: Get capabilities to use iscsi password-secret argument
qemu: Use secret objects to pass iSCSI passwords
docs: Add news article to describe iSCSI usage of secret object
docs/formatdomain.html.in | 82 ++++---
docs/news.xml | 23 ++
docs/schemas/domaincommon.rng | 48 +++-
src/conf/domain_conf.c | 255 ++++++++++++++++-----
src/conf/domain_conf.h | 10 +-
src/lxc/lxc_native.c | 2 +-
src/qemu/qemu_block.c | 64 +++++-
src/qemu/qemu_blockjob.c | 2 +-
src/qemu/qemu_capabilities.c | 2 +
src/qemu/qemu_capabilities.h | 1 +
src/qemu/qemu_command.c | 84 +++++--
src/qemu/qemu_command.h | 3 +-
src/qemu/qemu_domain.c | 162 +++++++++----
src/qemu/qemu_domain.h | 37 ++-
src/qemu/qemu_driver.c | 8 +-
src/qemu/qemu_hotplug.c | 71 +++++-
src/qemu/qemu_parse_command.c | 4 +-
src/util/virstoragefile.c | 2 +
src/util/virstoragefile.h | 5 +
src/vbox/vbox_common.c | 2 +-
src/xenconfig/xen_common.c | 2 +-
src/xenconfig/xen_sxpr.c | 2 +-
src/xenconfig/xen_xl.c | 2 +-
.../qemuargv2xml-disk-drive-network-rbd-auth.xml | 6 +-
tests/qemucapabilitiesdata/caps_2.10.0.s390x.xml | 1 +
tests/qemucapabilitiesdata/caps_2.10.0.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_2.9.0.ppc64le.xml | 1 +
tests/qemucapabilitiesdata/caps_2.9.0.s390x.xml | 1 +
tests/qemucapabilitiesdata/caps_2.9.0.x86_64.xml | 1 +
...xml2argv-disk-drive-network-iscsi-auth-AES.args | 41 ++++
...uxml2argv-disk-drive-network-iscsi-auth-AES.xml | 43 ++++
...ml2argv-disk-drive-network-source-auth-both.xml | 51 +++++
...emuxml2argv-disk-drive-network-source-auth.args | 32 +++
...qemuxml2argv-disk-drive-network-source-auth.xml | 45 ++++
...ml2argv-hostdev-scsi-virtio-iscsi-auth-AES.args | 45 ++++
...xml2argv-hostdev-scsi-virtio-iscsi-auth-AES.xml | 48 ++++
.../qemuxml2argv-luks-disks-source-both.xml | 40 ++++
.../qemuxml2argv-luks-disks-source.args | 62 +++++
.../qemuxml2argv-luks-disks-source.xml | 81 +++++++
tests/qemuxml2argvtest.c | 14 ++
...muxml2xmlout-disk-drive-network-source-auth.xml | 49 ++++
.../qemuxml2xmlout-luks-disks-source.xml | 84 +++++++
.../qemuxml2xmlout-luks-disks.xml | 46 +++-
tests/qemuxml2xmltest.c | 2 +
tests/virhostdevtest.c | 2 +-
tests/virstoragetest.c | 6 +
46 files changed, 1356 insertions(+), 219 deletions(-)
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-iscsi-auth-AES.args
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-iscsi-auth-AES.xml
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-source-auth-both.xml
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-source-auth.args
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-source-auth.xml
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-hostdev-scsi-virtio-iscsi-auth-AES.args
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-hostdev-scsi-virtio-iscsi-auth-AES.xml
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-luks-disks-source-both.xml
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-luks-disks-source.args
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-luks-disks-source.xml
create mode 100644 tests/qemuxml2xmloutdata/qemuxml2xmlout-disk-drive-network-source-auth.xml
create mode 100644 tests/qemuxml2xmloutdata/qemuxml2xmlout-luks-disks-source.xml
mode change 120000 => 100644 tests/qemuxml2xmloutdata/qemuxml2xmlout-luks-disks.xml
--
2.13.6
7 years, 7 months