Re: [PATCH 11/12] qemu: Allow setting launch security for SEV-SNP
On Thu, Jun 20, 2024 at 01:22:48PM +0200, Michal Privoznik wrote:
Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
---
src/qemu/qemu_driver.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index fc1704f4fc..3a76df8ddb 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -19185,9 +19185,10 @@ qemuDomainSetLaunchSecurityState(virDomainPtr domain,
/* Currently only SEV is supported */
if (!vm->def->sec ||
- vm->def->sec->sectype != VIR_DOMAIN_LAUNCH_SECURITY_SEV) {
+ (vm->def->sec->sectype != VIR_DOMAIN_LAUNCH_SECURITY_SEV &&
+ vm->def->sec->sectype != VIR_DOMAIN_LAUNCH_SECURITY_SEV_SNP)) {
virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s",
- _("setting a launch secret is only supported in SEV-enabled
domains"));
+ _("setting a launch secret is only supported in SEV/SEV-SNP
enabled domains"));
goto cleanup;
}
I've not tested to be 100% sure, but I'm thinking this method is not
supportable on SNP. Its use case is related to host initiated
attestation workflow, where you inject a secret after attesting.
Conceptually this workflow isn't relevant for SNP with guest
initiated attestation workflows.
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|