On Tue, Jun 25, 2024 at 11:48:50 +0200, Michal Privoznik wrote:
The inspiration for these rules comes from
qemuValidateDomainDef().
Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
---
...
diff --git a/src/qemu/qemu_capabilities.c
b/src/qemu/qemu_capabilities.c
index adaf5f9c26..4f9895ba9c 100644
--- a/src/qemu/qemu_capabilities.c
+++ b/src/qemu/qemu_capabilities.c
@@ -6514,6 +6514,24 @@ virQEMUCapsFillDomainDeviceCryptoCaps(virQEMUCaps *qemuCaps,
}
+void
+virQEMUCapsFillDomainLaunchSecurity(virQEMUCaps *qemuCaps,
+ virDomainCapsLaunchSecurity *launchSecurity)
+{
+ launchSecurity->supported = VIR_TRISTATE_BOOL_YES;
+ launchSecurity->sectype.report = true;
+
+ if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_SEV_GUEST))
+ VIR_DOMAIN_CAPS_ENUM_SET(launchSecurity->sectype,
VIR_DOMAIN_LAUNCH_SECURITY_SEV);
+ if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_SEV_SNP_GUEST))
+ VIR_DOMAIN_CAPS_ENUM_SET(launchSecurity->sectype,
VIR_DOMAIN_LAUNCH_SECURITY_SEV_SNP);
+ if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_S390_PV_GUEST) &&
+ virQEMUCapsGet(qemuCaps, QEMU_CAPS_MACHINE_CONFIDENTAL_GUEST_SUPPORT))
+ VIR_DOMAIN_CAPS_ENUM_SET(launchSecurity->sectype,
VIR_DOMAIN_LAUNCH_SECURITY_PV);
+}
+
+
+
Two empty lines would have been enough :-)
/**
* virQEMUCapsSupportsGICVersion:
* @qemuCaps: QEMU capabilities
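Review bot: virQEMUCapsFillDomainLaunchSecurity() has no header comment saying what a reported sectype guarantees, and its three checks read only QEMU capability bits. Whether those bits are already cleared on hosts that lack SEV, SEV-SNP or s390 PV platform support is not visible in this hunk. If they are not, a management tool reading the domain capabilities could treat a sectype as usable on a host that cannot actually launch such a guest. I would add a comment such as `/* Fill launchSecurity from QEMU capability bits; PV is reported only when confidential-guest-support is available too. */` and confirm the host-side condition at the place where the bits are probed.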
@@ -6678,6 +6696,7 @@ virQEMUCapsFillDomainCaps(virQEMUCaps *qemuCaps,
virDomainCapsDeviceChannel *channel = &domCaps->channel;
virDomainCapsMemoryBacking *memoryBacking = &domCaps->memoryBacking;
virDomainCapsDeviceCrypto *crypto = &domCaps->crypto;
+ virDomainCapsLaunchSecurity *launchSecurity = &domCaps->launchSecurity;
virQEMUCapsFillDomainFeaturesFromQEMUCaps(qemuCaps, domCaps);
@@ -6717,6 +6736,7 @@ virQEMUCapsFillDomainCaps(virQEMUCaps *qemuCaps,
virQEMUCapsFillDomainFeatureSGXCaps(qemuCaps, domCaps);
virQEMUCapsFillDomainFeatureHypervCaps(qemuCaps, domCaps);
virQEMUCapsFillDomainDeviceCryptoCaps(qemuCaps, crypto);
+ virQEMUCapsFillDomainLaunchSecurity(qemuCaps, launchSecurity);
return 0;
}
diff --git a/src/qemu/qemu_capabilities.h b/src/qemu/qemu_capabilities.h
index a98da8c2eb..ef71e8511e 100644
--- a/src/qemu/qemu_capabilities.h
+++ b/src/qemu/qemu_capabilities.h
@@ -867,6 +867,9 @@ void virQEMUCapsFillDomainDeviceChannelCaps(virQEMUCaps *qemuCaps,
void virQEMUCapsFillDomainDeviceCryptoCaps(virQEMUCaps *qemuCaps,
virDomainCapsDeviceCrypto *crypto);
+void virQEMUCapsFillDomainLaunchSecurity(virQEMUCaps *qemuCaps,
+ virDomainCapsLaunchSecurity *launchSecurity);
+
bool virQEMUCapsGuestIsNative(virArch host,
virArch guest);
diff --git a/tests/domaincapsdata/qemu_4.2.0-q35.x86_64.xml
b/tests/domaincapsdata/qemu_4.2.0-q35.x86_64.xml
index c42a20763f..f9aacbfbf9 100644
--- a/tests/domaincapsdata/qemu_4.2.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_4.2.0-q35.x86_64.xml
@@ -319,5 +319,8 @@
<async-teardown supported='no'/>
<sev supported='no'/>
<sgx supported='no'/>
+ <launchSecurity supported='yes'>
+ <enum name='sectype'/>
+ </launchSecurity>
I think reporting launchSecurity as unsupported when no sectype is
available would make more sense.
</features>
</domainCapabilities>
Jirka