On Fri, May 29, 2020 at 12:10:06PM +0200, Paulo de Rezende Pinatti wrote:
From: Boris Fiuczynski <fiuczy(a)linux.ibm.com>
Add checking in virt-host-validate for secure guest support
on s390 for IBM Secure Execution.
Signed-off-by: Boris Fiuczynski <fiuczy(a)linux.ibm.com>
Tested-by: Viktor Mihajlovski <mihajlov(a)linux.ibm.com>
Reviewed-by: Paulo de Rezende Pinatti <ppinatti(a)linux.ibm.com>
Reviewed-by: Bjoern Walk <bwalk(a)linux.ibm.com>
---
tools/virt-host-validate-common.c | 58 +++++++++++++++++++++++++++++--
tools/virt-host-validate-common.h | 4 +++
tools/virt-host-validate-qemu.c | 4 +++
3 files changed, 64 insertions(+), 2 deletions(-)
diff --git a/tools/virt-host-validate-common.c b/tools/virt-host-validate-common.c
index fbefbada96..8ead68798f 100644
--- a/tools/virt-host-validate-common.c
+++ b/tools/virt-host-validate-common.c
@@ -40,7 +40,8 @@ VIR_ENUM_IMPL(virHostValidateCPUFlag,
VIR_HOST_VALIDATE_CPU_FLAG_LAST,
"vmx",
"svm",
- "sie");
+ "sie",
+ "158");
static bool quiet;
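Review bot: The new `"158"` entry in VIR_ENUM_IMPL is an opaque number next to the mnemonic names `vmx`, `svm` and `sie`, and nothing at this spot says what it stands for. From the rest of the patch it appears to be the s390 facility number that the secure guest check reads as VIR_HOST_VALIDATE_CPU_FLAG_FACILITY_158. A comment on that line such as `/* s390 facility bit 158, used by the IBM Secure Execution check */` would make this clear. The string order also has to match the enum in virt-host-validate-common.h, which this patch changes but which is not shown here.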
@@ -210,7 +211,8 @@ virBitmapPtr virHostValidateGetCPUFlags(void)
* on the architecture, so check possible prefixes */
if (!STRPREFIX(line, "flags") &&
!STRPREFIX(line, "Features") &&
- !STRPREFIX(line, "features"))
+ !STRPREFIX(line, "features") &&
+ !STRPREFIX(line, "facilities"))
continue;
/* fgets() includes the trailing newline in the output buffer,
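Review bot: Accepting `facilities` as another line prefix means a purely numeric token such as `158` is now looked up in the same flag table as the named flags, and the prefix test does not record which kind of line a token came from. If the token lookup further down (outside this hunk) is shared by all accepted lines, a `158` on a `flags` or `features` line would also set the facility bit that the secure guest check depends on. That is presumably harmless with current /proc/cpuinfo layouts, but the comment above the condition should say so, for example `/* ... on s390 the numeric facility bits are listed on a separate "facilities" line */`. The function body starts and ends outside the hunk.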
@@ -439,3 +441,55 @@ bool virHostKernelModuleIsLoaded(const char *module)
return ret;
}
+
+
+int virHostValidateSecureGuests(const char *hvname,
+ virHostValidateLevel level)
+{
+ virBitmapPtr flags;
+ bool hasFac158 = false;
+ virArch arch = virArchFromHost();
+ g_autofree char *cmdline = NULL;
+ static const char *kIBMValues[] = {"y", "Y", "on",
"ON", "oN", "On", "1"};
+
+ flags = virHostValidateGetCPUFlags();
+
+ if (flags && virBitmapIsBitSet(flags,
VIR_HOST_VALIDATE_CPU_FLAG_FACILITY_158))
+ hasFac158 = true;
+
+ virBitmapFree(flags);
+
+ virHostMsgCheck(hvname, "%s", _("for secure guest support"));
+ if (ARCH_IS_S390(arch)) {
+ if (hasFac158) {
+ if (!virFileIsDir("/sys/firmware/uv")) {
+ virHostMsgFail(level, "IBM Secure Execution not supported by
"
+ "the currently used kernel");
+ return 0;
+ }
Empty line here...
+ if (virFileReadValueString(&cmdline,
"/proc/cmdline") < 0)
+ return -1;
and here..
+ if (virKernelCmdlineMatchParam(cmdline,
"prot_virt", kIBMValues,
+ G_N_ELEMENTS(kIBMValues),
+ VIR_KERNEL_CMDLINE_FLAGS_SEARCH_STICKY |
+ VIR_KERNEL_CMDLINE_FLAGS_CMP_PREFIX)) {
Depending on whether we have an agreement on not needing to match according to
PREFIX, this would have to be reworked, for the rest:
Reviewed-by: Erik Skultety <eskultet(a)redhat.com>