With a recent enough QEMU (yet unreleased) there's a 'legacy-vm-type'
attribute on the 'sev-guest' object. It controls whether QEMU uses
the newer or the older interface to init SEV guests. As a result, the
measurements (e.g. as implemented in tools/virt-qemu-sev-validate)
are affected. There's no clear benefit in switching to the new
interface and thus we should set the attribute to keep the old style
of measurements.
Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
---
src/qemu/qemu_command.c | 9 +++++++++
.../launch-security-sev-direct.x86_64-latest.args | 2 +-
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index 6ec1e9cbef..0bc3c1b521 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -9729,6 +9729,7 @@ qemuBuildSEVCommandLine(virDomainObj *vm, virCommand *cmd,
qemuDomainObjPrivate *priv = vm->privateData;
g_autofree char *dhpath = NULL;
g_autofree char *sessionpath = NULL;
+ bool legacyVMType = false;
VIR_DEBUG("policy=0x%x cbitpos=%d reduced_phys_bits=%d",
sev->policy, sev->common.cbitpos, sev->common.reduced_phys_bits);
@@ -9739,6 +9740,13 @@ qemuBuildSEVCommandLine(virDomainObj *vm, virCommand *cmd,
if (sev->session)
sessionpath = g_strdup_printf("%s/session.base64", priv->libDir);
+ /* Starting from QEMU 9.1.0 (v9.0.0-rc4-45-g023267334d specifically), QEMU
+ * uses new interface to create SEV guests. This changes what is measured.
+ * Toggle this knob to preserve old style of measurements. */
+ if (virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_SEV_GUEST_LEGACY_VM_TYPE)) {
+ legacyVMType = true;
+ }
+
if (qemuMonitorCreateObjectProps(&props, "sev-guest",
"lsec0",
"u:cbitpos", sev->common.cbitpos,
"u:reduced-phys-bits",
sev->common.reduced_phys_bits,
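Review bot: The three-line `if` block that sets `legacyVMType` only restates the capability check; `legacyVMType = virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_SEV_GUEST_LEGACY_VM_TYPE);` expresses the same thing in one line and makes the `= false` initializer added in the first hunk unnecessary. The comment above it should also say why the value is gated on the capability rather than set unconditionally: passing a property a given QEMU does not know would presumably make object creation fail, so the measurement-preserving value is only emitted where the knob exists. The body of qemuBuildSEVCommandLine starts and ends outside this hunk.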
@@ -9746,6 +9754,7 @@ qemuBuildSEVCommandLine(virDomainObj *vm, virCommand *cmd,
"S:dh-cert-file", dhpath,
"S:session-file", sessionpath,
"T:kernel-hashes",
sev->common.kernel_hashes,
+ "B:legacy-vm-type", legacyVMType,
NULL) < 0)
return -1;
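Review bot: The line `"B:legacy-vm-type", legacyVMType,` relies on a non-obvious property of the argument format: as I read the modifiers accepted by qemuMonitorCreateObjectProps, uppercase `B:` adds the key only when the value is true, and that is what keeps the property off the command line for QEMU builds that lack it. That deserves a comment on the line, e.g. `/* "B:" omits the key when false, so a QEMU without the property never sees it */`, because a later edit to `b:` would break SEV launches on those builds without any hint here. Since the description says the QEMU side is not yet released, the same comment should note that the attribute's name and type are pinned to a pre-release interface and that the launch measurements verified by tools/virt-qemu-sev-validate depend on it staying set. The enclosing function continues past this hunk.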
diff --git a/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest.args
b/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest.args
index 09df8a7cb6..93cc2f71b9 100644
--- a/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest.args
+++ b/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest.args
@@ -33,6 +33,6 @@ XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.config \
-blockdev
'{"driver":"host_device","filename":"/dev/HostVG/QEMUGuest1","node-name":"libvirt-1-storage","read-only":false}'
\
-device
'{"driver":"ide-hd","bus":"ide.0","unit":0,"drive":"libvirt-1-storage","id":"ide0-0-0","bootindex":1}'
\
-audiodev
'{"id":"audio1","driver":"none"}' \
--object
'{"qom-type":"sev-guest","id":"lsec0","cbitpos":47,"reduced-phys-bits":1,"policy":1,"dh-cert-file":"/var/lib/libvirt/qemu/domain--1-QEMUGuest1/dh_cert.base64","session-file":"/var/lib/libvirt/qemu/domain--1-QEMUGuest1/session.base64","kernel-hashes":true}'
\
+-object
'{"qom-type":"sev-guest","id":"lsec0","cbitpos":47,"reduced-phys-bits":1,"policy":1,"dh-cert-file":"/var/lib/libvirt/qemu/domain--1-QEMUGuest1/dh_cert.base64","session-file":"/var/lib/libvirt/qemu/domain--1-QEMUGuest1/session.base64","kernel-hashes":true,"legacy-vm-type":true}'
\
-sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \
-msg timestamp=on
--
2.44.2