Re: [libvirt PATCH v2 12/12] qemu: format sev-guest.kernel-hashes property

Friday, 10 December 2021

On Fri, Dec 10, 2021 at 11:37:35 +0000, Daniel P. Berrangé wrote:
...
 Set the kernel-hashes property on the sev-guest object if
 the config asked for it explicitly. While QEMU machine
 types currently default to having this setting off, it
 is not guaranteed to remain this way.

 Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com&gt;
 ---
  src/qemu/qemu_command.c                       |  7 ++++
  src/qemu/qemu_validate.c                      |  8 ++++
  ...unch-security-sev-direct.x86_64-6.2.0.args | 40 +++++++++++++++++++
  .../launch-security-sev-direct.xml            | 39 ++++++++++++++++++
  tests/qemuxml2argvtest.c                      |  1 +
  5 files changed, 95 insertions(+)
  create mode 100644 tests/qemuxml2argvdata/launch-security-sev-direct.x86_64-6.2.0.args
  create mode 100644 tests/qemuxml2argvdata/launch-security-sev-direct.xml

 diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
 index c47998aabd..6999afe5aa 100644
 --- a/src/qemu/qemu_command.c
 +++ b/src/qemu/qemu_command.c
 @@ -10112,6 +10112,13 @@ qemuBuildSEVCommandLine(virDomainObj *vm, virCommand *cmd,
                                       NULL) < 0)
          return -1; 
Replace all of this hunk with

        "T:kernel-hashes", sev->kernel_hashes,

put into the call to qemuMonitorCreateObjectProps just above the NULL
sentinel.

...

 +    if (sev->kernel_hashes != VIR_TRISTATE_BOOL_ABSENT) {
 +        bool val;
 +        virTristateBoolToBool(sev->kernel_hashes, &val);
 +        if (virJSONValueObjectAppendBoolean(props, "kernel-hashes", val) <
0)
 +            return -1;
 +    }
 +
      if (qemuBuildObjectCommandlineFromJSON(cmd, props, priv->qemuCaps) < 0)
          return -1;

 diff --git a/src/qemu/qemu_validate.c b/src/qemu/qemu_validate.c
 index 29b01495ad..0150b0f082 100644
 --- a/src/qemu/qemu_validate.c
 +++ b/src/qemu/qemu_validate.c
 @@ -1200,6 +1200,14 @@ qemuValidateDomainDef(const virDomainDef *def,
                                   "this QEMU binary"));
                  return -1;
              }
 +
 +            if (def->sec->data.sev.kernel_hashes == VIR_TRISTATE_BOOL_YES
&&
 +                !virQEMUCapsGet(qemuCaps, QEMU_CAPS_SEV_GUEST_KERNEL_HASHES)) {
 +                virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
 +                               _("SEV launch security measured direct kernel
"
 +                                 "boot is not supported with this QEMU
binary")); 
Error message on a single line please.

...
 +                return -1;
 +            }
              break;
          case VIR_DOMAIN_LAUNCH_SECURITY_PV:
              if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_MACHINE_CONFIDENTAL_GUEST_SUPPORT)
|| 

Reviewed-by: Peter Krempa <pkrempa(a)redhat.com&gt;

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

Re: [libvirt PATCH v2 12/12] qemu: format sev-guest.kernel-hashes property