12:59 p.m.
The API can be used by application to get the SEV capability
(which includes platform certificate chain and other releated information)
Signed-off-by: Brijesh Singh <<brijesh.singh(a)amd.com>>
---
include/libvirt/libvirt-host.h | 42 +++++++++++++++++
src/driver-hypervisor.h | 6 +++
src/libvirt-host.c | 48 +++++++++++++++++++
src/libvirt_public.syms | 5 ++
src/qemu/qemu_capabilities.c | 7 +++
src/qemu/qemu_capabilities.h | 4 ++
src/qemu/qemu_driver.c | 91 +++++++++++++++++++++++++++++++++++++
src/remote/remote_daemon_dispatch.c | 44 ++++++++++++++++++
src/remote/remote_driver.c | 41 +++++++++++++++++
src/remote/remote_protocol.x | 22 ++++++++-
src/remote_protocol-structs | 13 ++++++
11 files changed, 322 insertions(+), 1 deletion(-)
diff --git a/include/libvirt/libvirt-host.h b/include/libvirt/libvirt-host.h
index 84f4858..d020597 100644
--- a/include/libvirt/libvirt-host.h
+++ b/include/libvirt/libvirt-host.h
@@ -432,6 +432,48 @@ typedef virNodeCPUStats *virNodeCPUStatsPtr;
typedef virNodeMemoryStats *virNodeMemoryStatsPtr;
+
+/**
+ *
+ * SEV Parameters
+ */
+
+/**
+ * VIR_NODE_SEV_PDH:
+ *
+ * Marco represents the Platform Diffie-Hellman key, as VIR_TYPED_PARAMS_STRING.
+ */
+# define VIR_NODE_SEV_PDH "pdh"
+
+/**
+ * VIR_NODE_SEV_CERT_CHAIN:
+ *
+ * Marco represents the Platform certificate chain that includes the
+ * endorsement key (PEK), owner certificate authority (OCD) and chip
+ * endorsement key (CEK), as VIR_TYPED_PARAMS_STRING.
+ */
+# define VIR_NODE_SEV_CERT_CHAIN "cert-chain"
+
+/**
+ * VIR_NODE_SEV_CBITPOS:
+ *
+ * Marco represents the CBit Position used by hypervisor when SEV is enabled.
+ */
+# define VIR_NODE_SEV_CBITPOS "cbitpos"
+
+/**
+ * VIR_NODE_SEV_REDUCED_PHYS_BITS:
+ *
+ * Marco represents the number of bits we lose in physical address space
+ * when SEV is enabled in the guest.
+ */
+# define VIR_NODE_SEV_REDUCED_PHYS_BITS "reduced-phys-bits"
+
+int virNodeGetSEVCapability (virConnectPtr conn,
+ virTypedParameterPtr *params,
+ int *nparams,
+ unsigned int flags);
+
/**
* virConnectFlags
*
diff --git a/src/driver-hypervisor.h b/src/driver-hypervisor.h
index aa99cbb..cb2ab9c 100644
--- a/src/driver-hypervisor.h
+++ b/src/driver-hypervisor.h
@@ -1309,6 +1309,11 @@ typedef int
unsigned int action,
unsigned int flags);
+typedef int
+(*virDrvNodeGetSEVCapability)(virConnectPtr conn,
+ virTypedParameterPtr *params,
+ int *nparams,
+ unsigned int flags);
typedef struct _virHypervisorDriver virHypervisorDriver;
typedef virHypervisorDriver *virHypervisorDriverPtr;
@@ -1558,6 +1563,7 @@ struct _virHypervisorDriver {
virDrvDomainSetLifecycleAction domainSetLifecycleAction;
virDrvConnectCompareHypervisorCPU connectCompareHypervisorCPU;
virDrvConnectBaselineHypervisorCPU connectBaselineHypervisorCPU;
+ virDrvNodeGetSEVCapability nodeGetSEVCapability;
};
diff --git a/src/libvirt-host.c b/src/libvirt-host.c
index 3aaf558..6c47b69 100644
--- a/src/libvirt-host.c
+++ b/src/libvirt-host.c
@@ -1639,3 +1639,51 @@ virNodeAllocPages(virConnectPtr conn,
virDispatchError(conn);
return -1;
}
+
+/*
+ * virNodeGetSEVCapability:
+ * @conn: pointer to the hypervisor connection
+ * @params: where to store SEV capabilities; output
+ * @nparams: pointer to number of SEV parameters; output
+ * @flags: extra flags; not used yet, so callers should always pass 0
+ *
+ * Get the SEV host capabilities, If hypervisor supports SEV then @params
+ * will contains PDH and certificate chain.
+ *
+ * Returns 0 in case of success, and -1 in case of failure.
+ */
+int
+virNodeGetSEVCapability(virConnectPtr conn,
+ virTypedParameterPtr *params,
+ int *nparams,
+ unsigned int flags)
+{
+ VIR_DEBUG("conn=%p, params=%p, nparams=%p (%d), flags=0x%x",
+ conn, params, nparams, *nparams, flags);
+
+ virResetLastError();
+
+ virCheckConnectReturn(conn, -1);
+ virCheckNonNullArgGoto(nparams, error);
+ virCheckNonNegativeArgGoto(*nparams, error);
+ virCheckReadOnlyGoto(conn->flags, error);
+
+ if (VIR_DRV_SUPPORTS_FEATURE(conn->driver, conn,
+ VIR_DRV_FEATURE_TYPED_PARAM_STRING))
+ flags |= VIR_TYPED_PARAM_STRING_OKAY;
+
+ if (conn->driver->nodeGetSEVCapability) {
+ int ret;
+ ret = conn->driver->nodeGetSEVCapability(conn, params,
+ nparams, flags);
+ if (ret < 0)
+ goto error;
+ return ret;
+ }
+
+ virReportUnsupportedError();
+
+ error:
+ virDispatchError(conn);
+ return -1;
+}
diff --git a/src/libvirt_public.syms b/src/libvirt_public.syms
index 958601b..438205f 100644
--- a/src/libvirt_public.syms
+++ b/src/libvirt_public.syms
@@ -792,4 +792,9 @@ LIBVIRT_4.4.0 {
virConnectBaselineHypervisorCPU;
} LIBVIRT_4.1.0;
+LIBVIRT_4.5.0 {
+ global:
+ virNodeGetSEVCapability;
+} LIBVIRT_4.4.0;
+
# .... define new API here using predicted next version number ....
diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
index 5db444c..82aec96 100644
--- a/src/qemu/qemu_capabilities.c
+++ b/src/qemu/qemu_capabilities.c
@@ -2080,6 +2080,13 @@ virQEMUCapsSetSEVCapabilities(virQEMUCapsPtr qemuCaps,
}
+virSEVCapabilityPtr
+virQEMUCapsGetSEVCapabilities(virQEMUCapsPtr qemuCaps)
+{
+ return qemuCaps->sevCapabilities;
+}
+
+
static int
virQEMUCapsProbeQMPCommands(virQEMUCapsPtr qemuCaps,
qemuMonitorPtr mon)
diff --git a/src/qemu/qemu_capabilities.h b/src/qemu/qemu_capabilities.h
index ad25e6c..630ce77 100644
--- a/src/qemu/qemu_capabilities.h
+++ b/src/qemu/qemu_capabilities.h
@@ -615,4 +615,8 @@ bool virQEMUCapsGuestIsNative(virArch host,
bool virQEMUCapsCPUFilterFeatures(const char *name,
void *opaque);
+
+virSEVCapabilityPtr
+virQEMUCapsGetSEVCapabilities(virQEMUCapsPtr qemuCaps);
+
#endif /* __QEMU_CAPABILITIES_H__*/
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index c200c5a..0fb1aba 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -21438,6 +21438,96 @@ qemuDomainSetLifecycleAction(virDomainPtr dom,
}
+static int
+qemuGetSEVCapabilities(virQEMUCapsPtr qemuCaps,
+ virTypedParameterPtr *params,
+ int *nparams,
+ unsigned int flags)
+{
+ int maxpar = 0;
+ virSEVCapabilityPtr sev = virQEMUCapsGetSEVCapabilities(qemuCaps);
+
+ virCheckFlags(VIR_TYPED_PARAM_STRING_OKAY, -1);
+
+ if (virTypedParamsAddString(params, nparams, &maxpar,
+ VIR_NODE_SEV_PDH, sev->pdh) < 0)
+ return -1;
+
+ if (virTypedParamsAddString(params, nparams, &maxpar,
+ VIR_NODE_SEV_CERT_CHAIN, sev->pdh) < 0)
+ goto cleanup;
+
+ if (virTypedParamsAddUInt(params, nparams, &maxpar,
+ VIR_NODE_SEV_CBITPOS, sev->cbitpos) < 0)
+ goto cleanup;
+
+ if (virTypedParamsAddUInt(params, nparams, &maxpar,
+ VIR_NODE_SEV_REDUCED_PHYS_BITS,
+ sev->reduced_phys_bits) < 0)
+ goto cleanup;
+
+ return 0;
+
+ cleanup:
+ return -1;
+}
+
+
+static int
+qemuNodeGetSEVCapability(virConnectPtr conn,
+ virTypedParameterPtr *params,
+ int *nparams,
+ unsigned int flags)
+{
+ virQEMUDriverPtr driver = conn->privateData;
+ virCapsPtr caps = NULL;
+ virQEMUCapsPtr qemucaps = NULL;
+ virArch hostarch;
+ virCapsDomainDataPtr capsdata;
+ int ret = -1;
+
+ if (virNodeGetSevCapabilityEnsureACL(conn) < 0)
+ return ret;
+
+ if (!(caps = virQEMUDriverGetCapabilities(driver, true)))
+ return ret;
+
+ hostarch = virArchFromHost();
+ if (!(capsdata = virCapabilitiesDomainDataLookup(caps,
+ VIR_DOMAIN_OSTYPE_HVM, hostarch, VIR_DOMAIN_VIRT_QEMU,
+ NULL, NULL))) {
+ virReportError(VIR_ERR_INTERNAL_ERROR,
+ _("Cannot find suitable emulator for %s"),
+ virArchToString(hostarch));
+ goto UnrefCaps;
+ }
+
+ qemucaps = virQEMUCapsCacheLookup(driver->qemuCapsCache,
+ capsdata->emulator);
+ VIR_FREE(capsdata);
+ if (!qemucaps)
+ goto UnrefCaps;
+
+ if (!virQEMUCapsGet(qemucaps, QEMU_CAPS_SEV_GUEST)) {
+ virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s",
+ _("QEMU does not support SEV guest"));
+ goto UnrefQemuCaps;
+ }
+
+ if (qemuGetSEVCapabilities(qemucaps, params, nparams, flags) < 0)
+ goto UnrefQemuCaps;
+
+ ret = 0;
+
+ UnrefQemuCaps:
+ virObjectUnref(qemucaps);
+ UnrefCaps:
+ virObjectUnref(caps);
+
+ return ret;
+}
+
+
static virHypervisorDriver qemuHypervisorDriver = {
.name = QEMU_DRIVER_NAME,
.connectURIProbe = qemuConnectURIProbe,
@@ -21661,6 +21751,7 @@ static virHypervisorDriver qemuHypervisorDriver = {
.domainSetLifecycleAction = qemuDomainSetLifecycleAction, /* 3.9.0 */
.connectCompareHypervisorCPU = qemuConnectCompareHypervisorCPU, /* 4.4.0 */
.connectBaselineHypervisorCPU = qemuConnectBaselineHypervisorCPU, /* 4.4.0 */
+ .nodeGetSEVCapability = qemuNodeGetSEVCapability, /* 4.5.0 */
};
diff --git a/src/remote/remote_daemon_dispatch.c b/src/remote/remote_daemon_dispatch.c
index 81d0445..f974b71 100644
--- a/src/remote/remote_daemon_dispatch.c
+++ b/src/remote/remote_daemon_dispatch.c
@@ -5001,6 +5001,50 @@ remoteDispatchDomainGetDiskErrors(virNetServerPtr server
ATTRIBUTE_UNUSED,
static int
+remoteDispatchNodeGetSevCapability(virNetServerPtr server ATTRIBUTE_UNUSED,
+ virNetServerClientPtr client ATTRIBUTE_UNUSED,
+ virNetMessagePtr msg ATTRIBUTE_UNUSED,
+ virNetMessageErrorPtr rerr,
+ remote_node_get_sev_capability_args *args,
+ remote_node_get_sev_capability_ret *ret)
+{
+ virTypedParameterPtr params = NULL;
+ int nparams = 0;
+ int rv = -1;
+ struct daemonClientPrivate *priv =
+ virNetServerClientGetPrivateData(client);
+
+ if (!priv->conn) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("connection not
open"));
+ goto cleanup;
+ }
+
+ if (virNodeGetSEVCapability(priv->conn, ¶ms, &nparams, args->flags)
< 0)
+ goto cleanup;
+
+ if (nparams > REMOTE_NODE_SEV_CAPABILITY_MAX) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too
large"));
+ goto cleanup;
+ }
+
+
+ if (virTypedParamsSerialize(params, nparams,
+ (virTypedParameterRemotePtr *)
&ret->params.params_val,
+ &ret->params.params_len,
+ args->flags) < 0)
+ goto cleanup;
+
+ rv = 0;
+
+ cleanup:
+ if (rv < 0)
+ virNetMessageSaveError(rerr);
+ virTypedParamsFree(params, nparams);
+ return rv;
+}
+
+
+static int
remoteDispatchNodeGetMemoryParameters(virNetServerPtr server ATTRIBUTE_UNUSED,
virNetServerClientPtr client ATTRIBUTE_UNUSED,
virNetMessagePtr msg ATTRIBUTE_UNUSED,
diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c
index 3be30bd..cdc9a70 100644
--- a/src/remote/remote_driver.c
+++ b/src/remote/remote_driver.c
@@ -6776,6 +6776,46 @@ remoteNodeGetMemoryParameters(virConnectPtr conn,
return rv;
}
+
+static int
+remoteNodeGetSEVCapability(virConnectPtr conn,
+ virTypedParameterPtr *params,
+ int *nparams,
+ unsigned int flags)
+{
+ int rv = -1;
+ remote_node_get_sev_capability_args args;
+ remote_node_get_sev_capability_ret ret;
+ struct private_data *priv = conn->privateData;
+
+ remoteDriverLock(priv);
+
+ args.flags = flags;
+
+ memset(&ret, 0, sizeof(ret));
+ if (call(conn, priv, 0, REMOTE_PROC_NODE_GET_SEV_CAPABILITY,
+ (xdrproc_t) xdr_remote_node_get_sev_capability_args, (char *) &args,
+ (xdrproc_t) xdr_remote_node_get_sev_capability_ret, (char *) &ret) ==
-1)
+ goto done;
+
+ if (virTypedParamsDeserialize((virTypedParameterRemotePtr) ret.params.params_val,
+ ret.params.params_len,
+ REMOTE_NODE_SEV_CAPABILITY_MAX,
+ params,
+ nparams) < 0)
+ goto cleanup;
+
+ rv = 0;
+
+ cleanup:
+ xdr_free((xdrproc_t) xdr_remote_node_get_sev_capability_ret,
+ (char *) &ret);
+ done:
+ remoteDriverUnlock(priv);
+ return rv;
+}
+
+
static int
remoteNodeGetCPUMap(virConnectPtr conn,
unsigned char **cpumap,
@@ -8452,6 +8492,7 @@ static virHypervisorDriver hypervisor_driver = {
.domainSetLifecycleAction = remoteDomainSetLifecycleAction, /* 3.9.0 */
.connectCompareHypervisorCPU = remoteConnectCompareHypervisorCPU, /* 4.4.0 */
.connectBaselineHypervisorCPU = remoteConnectBaselineHypervisorCPU, /* 4.4.0 */
+ .nodeGetSEVCapability = remoteNodeGetSEVCapability, /* 4.5.0 */
};
static virNetworkDriver network_driver = {
diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x
index a0ab7e9..a4e1166 100644
--- a/src/remote/remote_protocol.x
+++ b/src/remote/remote_protocol.x
@@ -253,6 +253,9 @@ const REMOTE_DOMAIN_IP_ADDR_MAX = 2048;
/* Upper limit on number of guest vcpu information entries */
const REMOTE_DOMAIN_GUEST_VCPU_PARAMS_MAX = 64;
+/* Upper limit on number of SEV parameters */
+const REMOTE_NODE_SEV_CAPABILITY_MAX = 64;
+
/* UUID. VIR_UUID_BUFLEN definition comes from libvirt.h */
typedef opaque remote_uuid[VIR_UUID_BUFLEN];
@@ -3480,6 +3483,17 @@ struct remote_connect_baseline_hypervisor_cpu_ret {
remote_nonnull_string cpu;
};
+struct remote_node_get_sev_capability_args {
+ int nparams;
+ unsigned int flags;
+};
+
+struct remote_node_get_sev_capability_ret {
+ remote_typed_param params<REMOTE_NODE_SEV_CAPABILITY_MAX>;
+ int nparams;
+};
+
+
/*----- Protocol. -----*/
/* Define the program number, protocol version and procedure numbers here. */
@@ -6187,5 +6201,11 @@ enum remote_procedure {
* @generate: both
* @acl: connect:write
*/
- REMOTE_PROC_CONNECT_BASELINE_HYPERVISOR_CPU = 394
+ REMOTE_PROC_CONNECT_BASELINE_HYPERVISOR_CPU = 394,
+
+ /**
+ * @generate: none
+ * @acl: connect:read
+ */
+ REMOTE_PROC_NODE_GET_SEV_CAPABILITY = 395
};
diff --git a/src/remote_protocol-structs b/src/remote_protocol-structs
index 0c4cfc6..7705821 100644
--- a/src/remote_protocol-structs
+++ b/src/remote_protocol-structs
@@ -2907,6 +2907,18 @@ struct remote_connect_baseline_hypervisor_cpu_args {
struct remote_connect_baseline_hypervisor_cpu_ret {
remote_nonnull_string cpu;
};
+struct remote_node_get_sev_capability_args {
+ int nparams;
+ u_int flags;
+};
+struct remote_node_get_sev_capability_ret {
+ struct {
+ u_int params_len;
+ remote_typed_param * params_val;
+ } params;
+ int nparams;
+};
+
enum remote_procedure {
REMOTE_PROC_CONNECT_OPEN = 1,
REMOTE_PROC_CONNECT_CLOSE = 2,
@@ -3302,4 +3314,5 @@ enum remote_procedure {
REMOTE_PROC_DOMAIN_DETACH_DEVICE_ALIAS = 392,
REMOTE_PROC_CONNECT_COMPARE_HYPERVISOR_CPU = 393,
REMOTE_PROC_CONNECT_BASELINE_HYPERVISOR_CPU = 394,
+ REMOTE_PROC_NODE_SEV_CAPABILITY = 395,
};
--
2.7.4