With a simple cpuid (Section "E.4.17 Function
8000_001Fh—Encrypted Memory Capabilities" in "AMD64 Architecture
Programmer’s Manual Vol. 3") we can detect whether CPU is capable
of running SEV-ES and/or SEV-SNP guests. Report these in
virt-host-validate tool.
Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
---
tools/virt-host-validate-common.c | 33 +++++++++++++++++++++++++++++--
1 file changed, 31 insertions(+), 2 deletions(-)
diff --git a/tools/virt-host-validate-common.c b/tools/virt-host-validate-common.c
index 7dca1d795b..2985c0c826 100644
--- a/tools/virt-host-validate-common.c
+++ b/tools/virt-host-validate-common.c
@@ -34,6 +34,7 @@
#include "virstring.h"
#include "virarch.h"
#include "virutil.h"
+#include "virhostcpu.h"
#define VIR_FROM_THIS VIR_FROM_NONE
@@ -380,9 +381,11 @@ bool virHostKernelModuleIsLoaded(const char *module)
static int
-virHostValidateAMDSev(virValidateLevel level)
+virHostValidateAMDSev(const char *hvname,
+ virValidateLevel level)
{
g_autofree char *mod_value = NULL;
+ uint32_t eax, ebx;
if (virFileReadValueString(&mod_value,
"/sys/module/kvm_amd/parameters/sev") < 0) {
virValidateFail(level, "AMD Secure Encrypted Virtualization not "
@@ -405,6 +408,32 @@ virHostValidateAMDSev(virValidateLevel level)
return VIR_VALIDATE_FAILURE(level);
}
+ virValidatePass();
+
+ virValidateCheck(hvname, "%s",
+ _("Checking for AMD Secure Encrypted Virtualization-Encrypted
State (SEV-ES)"));
+
+ virHostCPUX86GetCPUID(0x8000001F, 0, &eax, &ebx, NULL, NULL);
+
+ if (eax & (1U << 3)) {
+ virValidatePass();
+ } else {
+ virValidateFail(level,
+ "AMD SEV-ES is not supported");
+ return VIR_VALIDATE_FAILURE(level);
+ }
+
+ virValidateCheck(hvname, "%s",
+ _("Checking for AMD Secure Encrypted Virtualization-Secure
Nested Paging (SEV-SNP)"));
+
+ if (eax & (1U << 4)) {
+ virValidatePass();
+ } else {
+ virValidateFail(level,
+ "AMD SEV-SNP is not supported");
+ return VIR_VALIDATE_FAILURE(level);
+ }
+
return 1;
}
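Review bot: The result of the `virHostCPUX86GetCPUID(0x8000001F, 0, &eax, &ebx, NULL, NULL);` call is ignored and `eax`, declared without an initializer in the previous hunk, is then tested, so if the helper reports failure the SEV-ES and SEV-SNP bits are read from an indeterminate value. Initialize the variable and turn a failed query into a failed check, e.g. `uint32_t eax = 0;` at the declaration and `if (virHostCPUX86GetCPUID(0x8000001F, 0, &eax, NULL, NULL, NULL) < 0) { virValidateFail(level, "Unable to query CPUID for AMD SEV features"); return VIR_VALIDATE_FAILURE(level); }`; `ebx` is written but never read, so NULL can be passed instead. A comment naming the magic bits would help the next reader, e.g. `/* CPUID Fn8000_001F EAX: bit 3 = SEV-ES, bit 4 = SEV-SNP (APM Vol. 3, E.4.17) */`. These bits only describe what the CPU can do, not whether kvm_amd has the feature enabled, so the check messages may overstate what the host can actually run. Returning early when SEV-ES is absent also means SEV-SNP is never reported and a plain-SEV host ends up with an overall failure from a function that previously succeeded for it, which may not be intended; virHostValidateAMDSev starts outside this hunk.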
@@ -458,7 +487,7 @@ int virHostValidateSecureGuests(const char *hvname,
return VIR_VALIDATE_FAILURE(level);
}
} else if (hasAMDSev) {
- int rc = virHostValidateAMDSev(level);
+ int rc = virHostValidateAMDSev(hvname, level);
if (rc > 0)
virValidatePass();
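Review bot: The caller still runs `if (rc > 0) virValidatePass();` after the call, but virHostValidateAMDSev now prints its own pass for every check it reports (the `virValidatePass();` added before the SEV-ES check and the one after the SEV-SNP test), so on a fully capable host the last check appears to get a second PASS line. Either drop the caller's pass here or have the function leave the final pass to the caller as it did before, so that exactly one result is printed per virValidateCheck. virHostValidateSecureGuests starts and ends outside this hunk, so the matching virValidateCheck call for the SEV line should be confirmed in the surrounding code.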
--
2.44.2