On Tue, Jan 29, 2019 at 01:26:46PM +0100, Michal Privoznik wrote:
On 1/23/19 1:57 PM, Erik Skultety wrote:
Instead of exposing /dev/sev to every domain, do it selectively.
Signed-off-by: Erik Skultety <eskultet@redhat.com>
---
 src/qemu/qemu_domain.c | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c index 32a43f2064..a4cdb8d355 100644 --- a/src/qemu/qemu_domain.c +++ b/src/qemu/qemu_domain.c @@ -12112,6 +12112,26 @@ qemuDomainSetupLoader(virQEMUDriverConfigPtr cfg ATTRIBUTE_UNUSED, } +static int +qemuDomainSetupLaunchSecurity(virQEMUDriverConfigPtr cfg ATTRIBUTE_UNUSED, + virDomainObjPtr vm, + const struct qemuDomainCreateDeviceData *data) +{ + virDomainSEVDefPtr sev = vm->def->sev; + + if (!sev || sev->sectype != VIR_DOMAIN_LAUNCH_SECURITY_SEV) + return 0; + + VIR_DEBUG("Setting up launch security"); + + if (qemuDomainCreateDevice("/dev/sev", data, false) < 0)
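Review bot: the quoted hunk ends at the failure check `if (qemuDomainCreateDevice("/dev/sev", data, false) < 0)`, so neither the error return nor the closing `return 0;` of qemuDomainSetupLaunchSecurity is visible here, and the diffstat's 23 insertions against the 20-line hunk header (`@@ -12112,6 +12112,26 @@`) means the call site that hooks this new static function into the namespace device-setup sequence is outside the quoted part of the patch; the commit message should name that call site so a reviewer can confirm that /dev/sev is populated only when `sev->sectype == VIR_DOMAIN_LAUNCH_SECURITY_SEV`, which is the whole least-privilege point of the change, and that the early `return 0` for domains without SEV leaves the device absent from their namespace rather than merely unlabelled.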
nitpick - I'd rather see this as a macro:

#define SEV_PATH "/dev/sev"
...
qemuDomainCreateDevice(SEV_PATH, ..)
Fixed, although I didn't push the patches, as the SEV probing discussion upstream concluded in libvirt using DAC_OVERRIDE capability, so I did that and applied it on top of this series. Also, I forgot to make sure DAC relabels the device within namespace so I fixed that in the new series as well.

Thanks,
Erik