[PATCH 0/5] tools: improve virt-host-validate output
It now gives some details for certain checks:

  QEMU: Checking for hardware virtualization : PASS (VMX)
  QEMU: Checking if device '/dev/kvm' exists : PASS
  QEMU: Checking if device '/dev/kvm' is accessible : PASS
  QEMU: Checking if device '/dev/vhost-net' exists : PASS
  QEMU: Checking if device '/dev/net/tun' exists : PASS
  QEMU: Checking for cgroup 'cpu' controller support : PASS
  QEMU: Checking for cgroup 'cpuacct' controller support : PASS
  QEMU: Checking for cgroup 'cpuset' controller support : PASS
  QEMU: Checking for cgroup 'memory' controller support : PASS
  QEMU: Checking for cgroup 'devices' controller support : PASS
  QEMU: Checking for cgroup 'blkio' controller support : PASS
  QEMU: Checking for device assignment IOMMU support : PASS (DMAR)
  QEMU: Checking if IOMMU is enabled by kernel : PASS
  QEMU: Checking for secure guest support : PASS (TDX)

Daniel P. Berrangé (5):
  tools: allow passing details for passed validation tests
  tools: inform user which IOMMU was found during validation
  tools: inform user which CVM is found during validation
  tools: be explicit about failure to find x86 secure virt
  tools: inform user which hardware virt was found during validation

 tools/virt-host-validate-common.c | 60 ++++++++++++-------------------
 tools/virt-host-validate-qemu.c   | 16 ++++++---
 tools/virt-validate-common.c      | 12 ++++++-
 tools/virt-validate-common.h      |  1 +
 4 files changed, 47 insertions(+), 42 deletions(-)

--
2.51.1
From: Daniel P. Berrangé <berrange@redhat.com> In a number of virt-host-validate tests we are testing for at least one out of multiple acceptable features. For example the 'secure guest' test can be satisfied by s390x protvirt, or x86 TDX, SEV, SEV-ES, SEV-SNP. It would be useful to inform the user which one we detected when the test passes. This introduces virValidatePassDetails to enable that. Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> --- tools/virt-validate-common.c | 12 +++++++++++- tools/virt-validate-common.h | 1 + 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/tools/virt-validate-common.c b/tools/virt-validate-common.c index 9768fd9208..ef6130ff2a 100644 --- a/tools/virt-validate-common.c +++ b/tools/virt-validate-common.c @@ -62,14 +62,24 @@ static bool virValidateWantEscape(void) } void virValidatePass(void) +{ + virValidatePassDetails(NULL); +} + +void virValidatePassDetails(const char *info) { if (quiet) return; if (virValidateWantEscape()) - fprintf(stdout, "\033[32m%s\033[0m\n", _("PASS")); + fprintf(stdout, "\033[32m%s\033[0m", _("PASS")); else fprintf(stdout, "%s\n", _("PASS")); + + if (info) + fprintf(stdout, " (%s)\n", info); + else + fprintf(stdout, "\n"); } diff --git a/tools/virt-validate-common.h b/tools/virt-validate-common.h index 7f7c373a66..8981f5af71 100644 --- a/tools/virt-validate-common.h +++ b/tools/virt-validate-common.h @@ -52,6 +52,7 @@ void virValidateCheck(const char *prefix, ...) G_GNUC_PRINTF(2, 3); void virValidatePass(void); +void virValidatePassDetails(const char *info); void virValidateFail(virValidateLevel level, const char *format, ...) G_GNUC_PRINTF(2, 3); -- 2.51.1
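Review bot: in virValidatePassDetails() the non-escape branch is left as unchanged context, fprintf(stdout, "%s\n", _("PASS")), so when virValidateWantEscape() is false the output is "PASS", a newline, and then either " (info)" on a line of its own or a second empty line. Only the escape branch had its "\n" dropped. Change the else branch to print "%s" without the newline so both paths share the new trailing " (%s)\n" / "\n" logic. A short comment next to the new prototype in virt-validate-common.h, saying that info may be NULL and is printed as given (not translated), would also help callers.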
On Thu, Nov 20, 2025 at 10:14:47 +0000, Daniel P. Berrangé via Devel wrote:
> From: Daniel P. Berrangé <berrange@redhat.com>
> In a number of virt-host-validate tests we are testing for at least one out of multiple acceptable features. For example the 'secure guest' test can be satisfied by s390x protvirt, or x86 TDX, SEV, SEV-ES, SEV-SNP.
> It would be useful to inform the user which one we detected when the test passes. This introduces virValidatePassDetails to enable that.
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> ---
>  tools/virt-validate-common.c | 12 +++++++++++-
>  tools/virt-validate-common.h |  1 +
>  2 files changed, 12 insertions(+), 1 deletion(-)
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
From: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> --- tools/virt-host-validate-common.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tools/virt-host-validate-common.c b/tools/virt-host-validate-common.c index 59f6ac3319..6516d96484 100644 --- a/tools/virt-host-validate-common.c +++ b/tools/virt-host-validate-common.c @@ -260,7 +260,7 @@ int virHostValidateIOMMU(const char *hvname, if (isIntel) { if (access("/sys/firmware/acpi/tables/DMAR", F_OK) == 0) { - virValidatePass(); + virValidatePassDetails("DMAR"); bootarg = "intel_iommu=on"; } else { virValidateFail(level, @@ -271,7 +271,7 @@ int virHostValidateIOMMU(const char *hvname, } } else if (isAMD) { if (access("/sys/firmware/acpi/tables/IVRS", F_OK) == 0) { - virValidatePass(); + virValidatePassDetails("IVRS"); bootarg = "iommu=pt iommu=1"; } else { virValidateFail(level, @@ -318,7 +318,7 @@ int virHostValidateIOMMU(const char *hvname, "No SMMU found"); return VIR_VALIDATE_FAILURE(level); } else { - virValidatePass(); + virValidatePassDetails("SMMU"); } } } else { -- 2.51.1
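Review bot: the strings passed at the three new virValidatePassDetails() call sites name what was just probed rather than a working feature: "DMAR" and "IVRS" are the ACPI tables whose existence access() tested, so "PASS (DMAR)" only says the firmware exposes the table, while whether the kernel has DMA remapping enabled is still reported by the separate "Checking if IOMMU is enabled by kernel" line shown in the cover letter. The commit message has no body; add a sentence there saying that the annotation is the detected table or unit name, so the extra detail is not read as confirmation that the IOMMU is active.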
On Thu, Nov 20, 2025 at 10:14:48 +0000, Daniel P. Berrangé via Devel wrote:
> From: Daniel P. Berrangé <berrange@redhat.com>
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> ---
>  tools/virt-host-validate-common.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
I presume we don't consider virt-host-validate as machine readable and thus stable, right?
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
On Thu, Nov 20, 2025 at 02:32:37PM +0100, Peter Krempa wrote:
> On Thu, Nov 20, 2025 at 10:14:48 +0000, Daniel P. Berrangé via Devel wrote:
> > From: Daniel P. Berrangé <berrange@redhat.com>
> > Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> > ---
> >  tools/virt-host-validate-common.c | 6 +++---
> >  1 file changed, 3 insertions(+), 3 deletions(-)
> I presume we don't consider virt-host-validate as machine readable and thus stable, right?
Yeah, I don't consider it machine readable. Also this additional information is in the same format as info we print for WARN/FAIL results.
> Reviewed-by: Peter Krempa <pkrempa@redhat.com>
With regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
From: Daniel P. Berrangé <berrange@redhat.com> For AMD, the virt-host-validate 'secure guest' check reports support for SEV, and there are then further check results printed for SEV-ES/SEV-SNP which are overly verbose and the long lines break output alignment. This uses the new ability to report details with PASS results to concisely tell the user which out of SEV/SEV-ES/SEV-SNP are found. Only a single answer is needed, as SEV-SNP implies SEV & SEV-ES, and SEV-ES implies SEV. The TDX s390x PROT-VIRT checks also identify themselves. Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> --- tools/virt-host-validate-common.c | 36 ++++++++----------------------- 1 file changed, 9 insertions(+), 27 deletions(-) diff --git a/tools/virt-host-validate-common.c b/tools/virt-host-validate-common.c index 6516d96484..344f9656e5 100644 --- a/tools/virt-host-validate-common.c +++ b/tools/virt-host-validate-common.c @@ -378,8 +378,7 @@ bool virHostKernelModuleIsLoaded(const char *module) static int -virHostValidateAMDSev(const char *hvname, - virValidateLevel level) +virHostValidateAMDSev(virValidateLevel level) { g_autofree char *mod_value = NULL; uint32_t eax, ebx; 
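Review bot: dropping the hvname parameter from virHostValidateAMDSev() here leaves the series non-bisectable, because no hunk in this patch touches the caller; the call virHostValidateAMDSev(hvname, level) is only rewritten to virHostValidateAMDSev(level) in the following patch, whose pre-image is this patch's result. Update the call site in virHostValidateSecureGuests() in this same patch so each commit builds on its own.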
@@ -405,31 +404,14 @@ virHostValidateAMDSev(const char *hvname, return VIR_VALIDATE_FAILURE(level); } - virValidatePass(); - - virValidateCheck(hvname, "%s", - _("Checking for AMD Secure Encrypted Virtualization-Encrypted State (SEV-ES)")); - virHostCPUX86GetCPUID(0x8000001F, 0, &eax, &ebx, NULL, NULL); - if (eax & (1U << 3)) { - virValidatePass(); - } else { - virValidateFail(level, - "AMD SEV-ES is not supported"); - return VIR_VALIDATE_FAILURE(level); - } - - virValidateCheck(hvname, "%s", - _("Checking for AMD Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP)")); - - if (eax & (1U << 4)) { - virValidatePass(); - } else { - virValidateFail(level, - "AMD SEV-SNP is not supported"); - return VIR_VALIDATE_FAILURE(level); - } + if (eax & (1U << 4)) + virValidatePassDetails("SEV-SNP"); + else if (eax & (1U << 3)) + virValidatePassDetails("SEV-ES"); + else + virValidatePassDetails("SEV"); return 1; } @@ -453,7 +435,7 @@ static int virHostValidateIntelTDX(virValidateLevel level) return VIR_VALIDATE_FAILURE(level); } - virValidatePass(); + virValidatePassDetails("TDX"); return 1; } @@ -496,7 +478,7 @@ int virHostValidateSecureGuests(const char *hvname, G_N_ELEMENTS(kIBMValues), VIR_KERNEL_CMDLINE_FLAGS_SEARCH_FIRST | VIR_KERNEL_CMDLINE_FLAGS_CMP_PREFIX)) { - virValidatePass(); + virValidatePassDetails("PROT-VIRT"); return 1; } else { virValidateFail(level, -- 2.51.1
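Review bot: in the second hunk the removed block contains the only visible virHostCPUX86GetCPUID(0x8000001F, 0, &eax, &ebx, NULL, NULL) call, yet the added chain still tests eax & (1U << 4) and eax & (1U << 3). Unless eax is assigned somewhere between the declaration "uint32_t eax, ebx;" and this point (nothing in the shown context does so), the new code reads an uninitialized variable and the reported SEV/SEV-ES/SEV-SNP level is arbitrary. Keep the CPUID call immediately before the new if/else chain, and drop ebx from the declaration if nothing else uses it.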
On Thu, Nov 20, 2025 at 10:14:49 +0000, Daniel P. Berrangé via Devel wrote:
> From: Daniel P. Berrangé <berrange@redhat.com>
> For AMD, the virt-host-validate 'secure guest' check reports support for SEV, and there are then further check results printed for SEV-ES/SEV-SNP which are overly verbose and the long lines break output alignment.
> This uses the new ability to report details with PASS results to concisely tell the user which out of SEV/SEV-ES/SEV-SNP are found. Only a single answer is needed, as SEV-SNP implies SEV & SEV-ES, and SEV-ES implies SEV.
> The TDX s390x PROT-VIRT checks also identify themselves.
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> ---
>  tools/virt-host-validate-common.c | 36 ++++++++-----------------------
>  1 file changed, 9 insertions(+), 27 deletions(-)
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
From: Daniel P. Berrangé <berrange@redhat.com> If we fail to find either SEV or TDX on x86, we can explicitly say there is no secure guest support on the platform. Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> --- tools/virt-host-validate-common.c | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/tools/virt-host-validate-common.c b/tools/virt-host-validate-common.c index 344f9656e5..6bca661ffc 100644 --- a/tools/virt-host-validate-common.c +++ b/tools/virt-host-validate-common.c @@ -492,13 +492,17 @@ int virHostValidateSecureGuests(const char *hvname, "support for IBM Secure Execution"); return VIR_VALIDATE_FAILURE(level); } - } else if (hasAMDSev) { - return virHostValidateAMDSev(hvname, level); - } else if (hasIntelTDX) { - return virHostValidateIntelTDX(level); + } else if (arch == VIR_ARCH_X86_64) { + if (hasAMDSev) { + return virHostValidateAMDSev(level); + } else if (hasIntelTDX) { + return virHostValidateIntelTDX(level); + } else { + virValidateFail(level, "None of SEV, SEV-ES, SEV-SNP, TDX available"); + } + } else { + virValidateFail(level, + "Unknown if this platform has Secure Guest support"); } - - virValidateFail(level, - "Unknown if this platform has Secure Guest support"); return VIR_VALIDATE_FAILURE(level); } -- 2.51.1
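Review bot: the SEV and TDX checks are now nested under arch == VIR_ARCH_X86_64, whereas the removed "else if (hasAMDSev)" / "else if (hasIntelTDX)" chain consulted those flags without any arch test, so a 32-bit x86 host (VIR_ARCH_I686) now always lands in the "Unknown if this platform has Secure Guest support" branch. If that narrowing is intended, say so in the commit message. The new inner else also depends on falling through to the final return VIR_VALIDATE_FAILURE(level); an explicit return there, like the two sibling branches have, would make the control flow easier to follow.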
On Thu, Nov 20, 2025 at 10:14:50 +0000, Daniel P. Berrangé via Devel wrote:
> From: Daniel P. Berrangé <berrange@redhat.com>
> If we fail to find either SEV or TDX on x86, we can explicitly say there is no secure guest support on the platform.
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> ---
>  tools/virt-host-validate-common.c | 18 +++++++++++-------
>  1 file changed, 11 insertions(+), 7 deletions(-)
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
From: Daniel P. Berrangé <berrange@redhat.com> On x86 we can indicate VMX or SVM, while s390x would be SIE. There are several choices on ppc64 and virt-host-validate does not try to detect any, so don't report a specific technology on ppc64 arch. Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> --- tools/virt-host-validate-qemu.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/tools/virt-host-validate-qemu.c b/tools/virt-host-validate-qemu.c index 833bb1b914..f04fc61cb3 100644 --- a/tools/virt-host-validate-qemu.c +++ b/tools/virt-host-validate-qemu.c @@ -34,6 +34,7 @@ int virHostValidateQEMU(void) bool hasHwVirt = false; bool hasVirtFlag = false; virArch arch = virArchFromHost(); + const char *hwVirtName = NULL; const char *kvmhint = _("Check that CPU and firmware supports virtualization and kvm module is loaded"); if (!(flags = virHostValidateGetCPUFlags())) @@ -44,15 +45,22 @@ int virHostValidateQEMU(void) case VIR_ARCH_X86_64: hasVirtFlag = true; kvmhint = _("Check that the 'kvm-intel' or 'kvm-amd' modules are loaded & the BIOS has enabled virtualization"); - if (virBitmapIsBitSet(flags, VIR_HOST_VALIDATE_CPU_FLAG_SVM) || - virBitmapIsBitSet(flags, VIR_HOST_VALIDATE_CPU_FLAG_VMX)) + if (virBitmapIsBitSet(flags, VIR_HOST_VALIDATE_CPU_FLAG_SVM)) { + hwVirtName = "SVM"; hasHwVirt = true; + } + if (virBitmapIsBitSet(flags, VIR_HOST_VALIDATE_CPU_FLAG_VMX)) { + hwVirtName = "VMX"; + hasHwVirt = true; + } break; case VIR_ARCH_S390: case VIR_ARCH_S390X: hasVirtFlag = true; - if (virBitmapIsBitSet(flags, VIR_HOST_VALIDATE_CPU_FLAG_SIE)) + if (virBitmapIsBitSet(flags, VIR_HOST_VALIDATE_CPU_FLAG_SIE)) { + hwVirtName = "SIE"; hasHwVirt = true; + } break; case VIR_ARCH_PPC64: case VIR_ARCH_PPC64LE: 
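Review bot: in the VIR_ARCH_X86_64 case the SVM and VMX tests became two independent if blocks, so if both flags were ever set hwVirtName would be assigned twice and "VMX" would silently win. Make the second test an "else if" so the branches are visibly exclusive and the reported name does not depend on statement order.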
@@ -66,7 +74,7 @@ int virHostValidateQEMU(void) if (hasVirtFlag) { virValidateCheck("QEMU", "%s", _("Checking for hardware virtualization")); if (hasHwVirt) { - virValidatePass(); + virValidatePassDetails(hwVirtName); } else { virValidateFail(VIR_VALIDATE_FAIL, _("Host not compatible with KVM; HW virtualization CPU features not found. Only emulated CPUs are available; performance will be significantly limited")); -- 2.51.1
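Review bot: virValidatePassDetails(hwVirtName) in the last hunk is reached with hwVirtName still NULL on any arch that sets hasHwVirt without naming a technology (ppc64, per the commit message), which works only because virValidatePassDetails() treats NULL as "no details". Add a brief comment at the "const char *hwVirtName = NULL;" declaration noting that NULL is deliberate and means a plain PASS, so a later change to the helper does not turn this into a NULL passed to a "%s" format.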
On Thu, Nov 20, 2025 at 10:14:51 +0000, Daniel P. Berrangé via Devel wrote:
> From: Daniel P. Berrangé <berrange@redhat.com>
> On x86 we can indicate VMX or SVM, while s390x would be SIE.
> There are several choices on ppc64 and virt-host-validate does not try to detect any, so don't report a specific technology on ppc64 arch.
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> ---
>  tools/virt-host-validate-qemu.c | 16 ++++++++++++----
>  1 file changed, 12 insertions(+), 4 deletions(-)
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
On Thu, Nov 20, 2025 at 10:14:51AM +0000, Daniel P. Berrangé wrote:
> From: Daniel P. Berrangé <berrange@redhat.com>
> On x86 we can indicate VMX or SVM, while s390x would be SIE.
> There are several choices on ppc64 and virt-host-validate does not try to detect any, so don't report a specific technology on ppc64 arch.
After advice from some PowerPC experts, I'll add "LPCR" as the annotation for ppc64 (Logical Partitioning Control Register).
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> ---
>  tools/virt-host-validate-qemu.c | 16 ++++++++++++----
>  1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/tools/virt-host-validate-qemu.c b/tools/virt-host-validate-qemu.c index 833bb1b914..f04fc61cb3 100644 --- a/tools/virt-host-validate-qemu.c +++ b/tools/virt-host-validate-qemu.c @@ -34,6 +34,7 @@ int virHostValidateQEMU(void) bool hasHwVirt = false; bool hasVirtFlag = false; virArch arch = virArchFromHost(); + const char *hwVirtName = NULL; const char *kvmhint = _("Check that CPU and firmware supports virtualization and kvm module is loaded");
if (!(flags = virHostValidateGetCPUFlags())) @@ -44,15 +45,22 @@ int virHostValidateQEMU(void) case VIR_ARCH_X86_64: hasVirtFlag = true; kvmhint = _("Check that the 'kvm-intel' or 'kvm-amd' modules are loaded & the BIOS has enabled virtualization"); - if (virBitmapIsBitSet(flags, VIR_HOST_VALIDATE_CPU_FLAG_SVM) || - virBitmapIsBitSet(flags, VIR_HOST_VALIDATE_CPU_FLAG_VMX)) + if (virBitmapIsBitSet(flags, VIR_HOST_VALIDATE_CPU_FLAG_SVM)) { + hwVirtName = "SVM"; hasHwVirt = true; + } + if (virBitmapIsBitSet(flags, VIR_HOST_VALIDATE_CPU_FLAG_VMX)) { + hwVirtName = "VMX"; + hasHwVirt = true; + } break; case VIR_ARCH_S390: case VIR_ARCH_S390X: hasVirtFlag = true; - if (virBitmapIsBitSet(flags, VIR_HOST_VALIDATE_CPU_FLAG_SIE)) + if (virBitmapIsBitSet(flags, VIR_HOST_VALIDATE_CPU_FLAG_SIE)) { + hwVirtName = "SIE"; hasHwVirt = true; + } break; case VIR_ARCH_PPC64: case VIR_ARCH_PPC64LE: @@ -66,7 +74,7 @@ int virHostValidateQEMU(void) if (hasVirtFlag) { virValidateCheck("QEMU", "%s", _("Checking for hardware virtualization")); if (hasHwVirt) { - virValidatePass(); + virValidatePassDetails(hwVirtName); } else { virValidateFail(VIR_VALIDATE_FAIL, _("Host not compatible with KVM; HW virtualization CPU features not found. Only emulated CPUs are available; performance will be significantly limited")); -- 2.51.1
With regards, Daniel