On Wed, Jun 06, 2018 at 12:50:12PM -0500, Brijesh Singh wrote:
The launch-security element can be used to define the security
model to use when launching a domain. Currently we support 'sev'.
When 'sev' is used, the VM will be launched with AMD SEV feature enabled.
SEV feature supports running encrypted VM under the control of KVM.
Encrypted VMs have their pages (code and data) secured such that only the
guest itself has access to the unencrypted version. Each encrypted VM is
associated with a unique encryption key; if its data is accessed by a
different entity using a different key, the encrypted guest's data will be
incorrectly decrypted, leading to unintelligible data.
Signed-off-by: Brijesh Singh <brijesh.singh(a)amd.com>
---
docs/formatdomain.html.in | 115 ++++++++++++++++++
docs/schemas/domaincommon.rng | 37 ++++++
src/conf/domain_conf.c | 133 +++++++++++++++++++++
src/conf/domain_conf.h | 27 +++++
tests/genericxml2xmlindata/launch-security-sev.xml | 24 ++++
tests/genericxml2xmltest.c | 2 +
6 files changed, 338 insertions(+)
create mode 100644 tests/genericxml2xmlindata/launch-security-sev.xml
There were a few minor alignment issues; please squash in the diff below. With
that:
Reviewed-by: Erik Skultety <eskultet(a)redhat.com>
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index 05b3ffa689..051c54a609 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -15868,25 +15868,25 @@ virDomainSEVDefParseXML(xmlNodePtr sevNode,
def->sectype = virDomainLaunchSecurityTypeFromString(type);
switch ((virDomainLaunchSecurity) def->sectype) {
- case VIR_DOMAIN_LAUNCH_SECURITY_SEV:
- break;
- case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
- case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
- default:
- virReportError(VIR_ERR_XML_ERROR,
- _("unsupported launch-security type
'%s'"),
- type);
- goto error;
+ case VIR_DOMAIN_LAUNCH_SECURITY_SEV:
+ break;
+ case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
+ case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
+ default:
+ virReportError(VIR_ERR_XML_ERROR,
+ _("unsupported launch-security type '%s'"),
+ type);
+ goto error;
}
if (virXPathUInt("string(./cbitpos)", ctxt, &def->cbitpos) < 0)
{
virReportError(VIR_ERR_XML_ERROR, "%s",
- _("failed to get launch-security cbitpos"));
+ _("failed to get launch-security cbitpos"));
goto error;
}
if (virXPathUInt("string(./reduced-phys-bits)", ctxt,
- &def->reduced_phys_bits) < 0) {
+ &def->reduced_phys_bits) < 0) {
virReportError(VIR_ERR_XML_ERROR, "%s",
_("failed to get launch-security reduced-phys-bits"));
goto error;
@@ -15894,7 +15894,7 @@ virDomainSEVDefParseXML(xmlNodePtr sevNode,
if (virXPathULongHex("string(./policy)", ctxt, &policy) < 0) {
virReportError(VIR_ERR_XML_ERROR, "%s",
- _("failed to get launch-security policy"));
+ _("failed to get launch-security policy"));
goto error;
}