Re: [PATCH v2 5/7] tools: secure guest check for AMD in virt-host-validate

8 Jun 2020

On Fri, May 29, 2020 at 12:10:07PM +0200, Paulo de Rezende Pinatti wrote:
...
From: Boris Fiuczynski <fiuczy@linux.ibm.com>
Add checking in virt-host-validate for secure guest support
on x86 for AMD Secure Encrypted Virtualization.
Signed-off-by: Boris Fiuczynski <fiuczy@linux.ibm.com>
Reviewed-by: Paulo de Rezende Pinatti <ppinatti@linux.ibm.com>
Reviewed-by: Bjoern Walk <bwalk@linux.ibm.com>
---
 tools/virt-host-validate-common.c | 29 +++++++++++++++++++++++++++--
 tools/virt-host-validate-common.h |  1 +
 2 files changed, 28 insertions(+), 2 deletions(-)

diff --git a/tools/virt-host-validate-common.c b/tools/virt-host-validate-common.c
index 8ead68798f..de007f2c43 100644
--- a/tools/virt-host-validate-common.c
+++ b/tools/virt-host-validate-common.c
@@ -41,7 +41,8 @@ VIR_ENUM_IMPL(virHostValidateCPUFlag,
               "vmx",
               "svm",
               "sie",
-              "158");
+              "158",
+              "sev");
static bool quiet;
@@ -447,15 +448,18 @@ int virHostValidateSecureGuests(const char *hvname,
                                 virHostValidateLevel level)
 {
     virBitmapPtr flags;
-    bool hasFac158 = false;
+    bool hasFac158 = false, hasAMDSev = false;
^one variable definition per line
...
virArch arch = virArchFromHost();
     g_autofree char *cmdline = NULL;
     static const char *kIBMValues[] = {"y", "Y", "on", "ON", "oN", "On", "1"};
+    g_autofree char *mod_value = NULL;
flags = virHostValidateGetCPUFlags();
if (flags && virBitmapIsBitSet(flags, VIR_HOST_VALIDATE_CPU_FLAG_FACILITY_158))
         hasFac158 = true;
+    else if (flags && virBitmapIsBitSet(flags, VIR_HOST_VALIDATE_CPU_FLAG_SEV))
+        hasAMDSev = true;
virBitmapFree(flags);
@@ -485,6 +489,27 @@ int virHostValidateSecureGuests(const char *hvname,
             virHostMsgFail(level, "Hardware or firmware does not provide "
                                   "support for IBM Secure Execution");
         }
+    } else if (hasAMDSev) {
+        if (virFileReadValueString(&mod_value, "/sys/module/kvm_amd/parameters/sev") < 0) {
+            virHostMsgFail(level, "AMD Secure Encrypted Virtualization not "
+                                  "supported by the currently used kernel");
+            return 0;
+        }
empty line here...
...
+        if (mod_value[0] != '1') {
+            virHostMsgFail(level,
+                           "AMD Secure Encrypted Virtualization appears to be "
+                           "disabled in kernel. Add mem_encrypt=on "
+                           "kvm_amd.sev=1 to kernel cmdline arguments");
+            return 0;
+        }
and here...

Reviewed-by: Erik Skultety <eskultet@redhat.com>

    