9:43 a.m.
From: Tony Krowiak <aekrowia(a)us.ibm.com>
Introduces two new -machine option parameters to the QEMU command to
enable/disable the CPACF protected key management operations for a guest:
aes-key-wrap='on|off'
dea-key-wrap='on|off'
The QEMU code maps the corresponding domain configuration elements to the
QEMU -machine option parameters to create the QEMU command:
<cipher name='aes' state='on'> --> aes-key-wrap=on
<cipher name='aes' state='off'> --> aes-key-wrap=off
<cipher name='dea' state='on'> --> dea-key-wrap=on
<cipher name='dea' state='off'> --> dea-key-wrap=off
Signed-off-by: Tony Krowiak <akrowiak(a)linux.vnet.ibm.com>
Signed-off-by: Daniel Hansel <daniel.hansel(a)linux.vnet.ibm.com>
Signed-off-by: Boris Fiuczynski <fiuczy(a)linux.vnet.ibm.com>
Reviewed-by: Boris Fiuczynski <fiuczy(a)linux.vnet.ibm.com>
Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
---
src/qemu/qemu_capabilities.c | 4 +++
src/qemu/qemu_capabilities.h | 2 ++
src/qemu/qemu_command.c | 73 ++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 79 insertions(+)
diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
index 25c15bf..2757636 100644
--- a/src/qemu/qemu_capabilities.c
+++ b/src/qemu/qemu_capabilities.c
@@ -281,6 +281,8 @@ VIR_ENUM_IMPL(virQEMUCaps, QEMU_CAPS_LAST,
"pc-dimm",
"machine-vmport-opt", /* 185 */
+ "aes-key-wrap",
+ "dea-key-wrap",
);
@@ -2523,6 +2525,8 @@ static struct virQEMUCapsCommandLineProps virQEMUCapsCommandLine[] =
{
{ "msg", "timestamp", QEMU_CAPS_MSG_TIMESTAMP },
{ "numa", NULL, QEMU_CAPS_NUMA },
{ "drive", "throttling.bps-total-max",
QEMU_CAPS_DRIVE_IOTUNE_MAX},
+ { "machine", "aes-key-wrap", QEMU_CAPS_AES_KEY_WRAP },
+ { "machine", "dea-key-wrap", QEMU_CAPS_DEA_KEY_WRAP },
};
static int
diff --git a/src/qemu/qemu_capabilities.h b/src/qemu/qemu_capabilities.h
index 81557b7..4da9637 100644
--- a/src/qemu/qemu_capabilities.h
+++ b/src/qemu/qemu_capabilities.h
@@ -225,6 +225,8 @@ typedef enum {
QEMU_CAPS_QXL_VGA_VGAMEM = 183, /* -device qxl-vga.vgamem_mb */
QEMU_CAPS_DEVICE_PC_DIMM = 184, /* pc-dimm device */
QEMU_CAPS_MACHINE_VMPORT_OPT = 185, /* -machine xxx,vmport=on/off/auto */
+ QEMU_CAPS_AES_KEY_WRAP = 186, /* -machine aes_key_wrap */
+ QEMU_CAPS_DEA_KEY_WRAP = 187, /* -machine dea_key_wrap */
QEMU_CAPS_LAST, /* this must always be the last item */
} virQEMUCapsFlags;
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index 2939f8d..98fc5f8 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -38,6 +38,7 @@
#include "virnetdevbridge.h"
#include "virstring.h"
#include "virtime.h"
+#include "virutil.h"
#include "viruuid.h"
#include "c-ctype.h"
#include "domain_nwfilter.h"
@@ -7286,6 +7287,39 @@ qemuBuildObsoleteAccelArg(virCommandPtr cmd,
return 0;
}
+static bool
+qemuAppendKeyWrapMachineParm(virBuffer *buf, virQEMUCapsPtr qemuCaps,
+ int flag, const char *pname, int pstate)
+{
+ if (pstate != VIR_TRISTATE_SWITCH_ABSENT) {
+ if (!virQEMUCapsGet(qemuCaps, flag)) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
+ _("%s is not available with this QEMU binary"),
pname);
+ return false;
+ }
+
+ virBufferAsprintf(buf, ",%s=%s", pname,
+ virTristateSwitchTypeToString(pstate));
+ }
+
+ return true;
+}
+
+static bool
+qemuAppendKeyWrapMachineParms(virBuffer *buf, virQEMUCapsPtr qemuCaps,
+ const virDomainKeyWrapDef *keywrap)
+{
+ if (!qemuAppendKeyWrapMachineParm(buf, qemuCaps, QEMU_CAPS_AES_KEY_WRAP,
+ "aes-key-wrap", keywrap->aes))
+ return false;
+
+ if (!qemuAppendKeyWrapMachineParm(buf, qemuCaps, QEMU_CAPS_DEA_KEY_WRAP,
+ "dea-key-wrap", keywrap->dea))
+ return false;
+
+ return true;
+}
+
static int
qemuBuildMachineArgStr(virCommandPtr cmd,
const virDomainDef *def,
@@ -7320,6 +7354,13 @@ qemuBuildMachineArgStr(virCommandPtr cmd,
}
obsoleteAccel = true;
+
+ if (def->keywrap) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("key wrap support is not available "
+ "with this QEMU binary"));
+ return -1;
+ }
} else {
virBuffer buf = VIR_BUFFER_INITIALIZER;
virTristateSwitch vmport = def->features[VIR_DOMAIN_FEATURE_VMPORT];
@@ -7378,6 +7419,12 @@ qemuBuildMachineArgStr(virCommandPtr cmd,
}
}
+ if (def->keywrap &&
+ !qemuAppendKeyWrapMachineParms(&buf, qemuCaps, def->keywrap)) {
+ virBufferFreeAndReset(&buf);
+ return -1;
+ }
+
virCommandAddArgBuffer(cmd, &buf);
}
@@ -12806,6 +12853,32 @@ qemuParseCommandLine(virCapsPtr qemuCaps,
} else if (STRPREFIX(param, "accel=kvm")) {
def->virtType = VIR_DOMAIN_VIRT_KVM;
def->features[VIR_DOMAIN_FEATURE_PAE] = VIR_TRISTATE_SWITCH_ON;
+ } else if (STRPREFIX(param, "aes-key-wrap=")) {
+ if (STREQ(arg, "-M")) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("aes-key-wrap is not supported with "
+ "this QEMU binary"));
+ goto error;
+ }
+ param += strlen("aes-key-wrap=");
+ if (!def->keywrap && VIR_ALLOC(def->keywrap) < 0)
+ goto error;
+ def->keywrap->aes = virTristateSwitchTypeFromString(param);
+ if (def->keywrap->aes < 0)
+ def->keywrap->aes = VIR_TRISTATE_SWITCH_ABSENT;
+ } else if (STRPREFIX(param, "dea-key-wrap=")) {
+ if (STREQ(arg, "-M")) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("dea-key-wrap is not supported with "
+ "this QEMU binary"));
+ goto error;
+ }
+ param += strlen("dea-key-wrap=");
+ if (!def->keywrap && VIR_ALLOC(def->keywrap) < 0)
+ goto error;
+ def->keywrap->dea = virTristateSwitchTypeFromString(param);
+ if (def->keywrap->dea < 0)
+ def->keywrap->dea = VIR_TRISTATE_SWITCH_ABSENT;
}
}
virStringFreeList(list);
--
2.3.6