
On Fri, May 29, 2020 at 12:10:06PM +0200, Paulo de Rezende Pinatti wrote:
From: Boris Fiuczynski <fiuczy@linux.ibm.com>
Add checking in virt-host-validate for secure guest support on s390 for IBM Secure Execution.
Signed-off-by: Boris Fiuczynski <fiuczy@linux.ibm.com>
Tested-by: Viktor Mihajlovski <mihajlov@linux.ibm.com>
Reviewed-by: Paulo de Rezende Pinatti <ppinatti@linux.ibm.com>
Reviewed-by: Bjoern Walk <bwalk@linux.ibm.com>
---
tools/virt-host-validate-common.c | 58 +++++++++++++++++++++++++++++--
tools/virt-host-validate-common.h | 4 +++
tools/virt-host-validate-qemu.c | 4 +++
3 files changed, 64 insertions(+), 2 deletions(-)
diff --git a/tools/virt-host-validate-common.c b/tools/virt-host-validate-common.c index fbefbada96..8ead68798f 100644 --- a/tools/virt-host-validate-common.c +++ b/tools/virt-host-validate-common.c @@ -40,7 +40,8 @@ VIR_ENUM_IMPL(virHostValidateCPUFlag, VIR_HOST_VALIDATE_CPU_FLAG_LAST, "vmx", "svm", - "sie"); + "sie", + "158");
static bool quiet;
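Review bot: The new `"158"` entry in the VIR_ENUM_IMPL list is a bare number with no explanation, unlike the mnemonic names `"vmx"`, `"svm"` and `"sie"` next to it. A short comment such as `/* s390 facility bit 158, taken from the "facilities" line */` above it would tell a maintainer what the token stands for. The string order must also stay in step with the enum in virt-host-validate-common.h, which the diffstat lists as changed but which is not visible here. virHostValidateSecureGuests depends on VIR_HOST_VALIDATE_CPU_FLAG_FACILITY_158 resolving to this string.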
@@ -210,7 +211,8 @@ virBitmapPtr virHostValidateGetCPUFlags(void) * on the architecture, so check possible prefixes */ if (!STRPREFIX(line, "flags") && !STRPREFIX(line, "Features") && - !STRPREFIX(line, "features")) + !STRPREFIX(line, "features") && + !STRPREFIX(line, "facilities")) continue;
/* fgets() includes the trailing newline in the output buffer, @@ -439,3 +441,55 @@ bool virHostKernelModuleIsLoaded(const char *module)
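Review bot: With `"facilities"` added to the prefix test, the tokens on that line are presumably looked up against every flag name, so the only thing tying `"158"` to the facility list is that the other accepted lines do not happen to carry bare numbers. The comment above the condition still describes the prefixes as per-architecture alternatives, whereas on s390 the `facilities` line appears in addition to `features`; it should say so, e.g. `* s390 additionally lists numeric facility bits on a "facilities" line`. The loop body lies outside the hunk, so please confirm it keeps accumulating bits after the first matching line. If it stops early, either `sie` or facility 158 is silently missed and the secure-guest check reports the wrong result.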
return ret; } + + +int virHostValidateSecureGuests(const char *hvname, + virHostValidateLevel level) +{ + virBitmapPtr flags; + bool hasFac158 = false; + virArch arch = virArchFromHost(); + g_autofree char *cmdline = NULL; + static const char *kIBMValues[] = {"y", "Y", "on", "ON", "oN", "On", "1"}; + + flags = virHostValidateGetCPUFlags(); + + if (flags && virBitmapIsBitSet(flags, VIR_HOST_VALIDATE_CPU_FLAG_FACILITY_158)) + hasFac158 = true; + + virBitmapFree(flags); + + virHostMsgCheck(hvname, "%s", _("for secure guest support")); + if (ARCH_IS_S390(arch)) { + if (hasFac158) { + if (!virFileIsDir("/sys/firmware/uv")) { + virHostMsgFail(level, "IBM Secure Execution not supported by " + "the currently used kernel"); + return 0; + }
Empty line here...
+ if (virFileReadValueString(&cmdline, "/proc/cmdline") < 0)
+ return -1;
and here..
+ if (virKernelCmdlineMatchParam(cmdline, "prot_virt", kIBMValues,
+ G_N_ELEMENTS(kIBMValues),
+ VIR_KERNEL_CMDLINE_FLAGS_SEARCH_STICKY |
+ VIR_KERNEL_CMDLINE_FLAGS_CMP_PREFIX)) {
Depending on whether we agree that matching by PREFIX is not needed, this would have to be reworked. For the rest: Reviewed-by: Erik Skultety <eskultet@redhat.com>