9:43 a.m.
I've taken Tony's patches from here:
https://www.redhat.com/archives/libvir-list/2015-April/msg01395.html
polished them a bit, and resend.
Tony Krowiak (4):
libvirt: docs: XML to enable/disable protected key mgmt ops
libvirt: conf: parse XML for protected key management ops
libvirt: qemu: enable/disable protected key management ops
libvirt: tests: test protected key mgmt ops support
docs/formatdomain.html.in | 37 +++++
docs/schemas/domaincommon.rng | 24 ++++
src/conf/domain_conf.c | 156 +++++++++++++++++++++
src/conf/domain_conf.h | 17 +++
src/libvirt_private.syms | 2 +
src/qemu/qemu_capabilities.c | 4 +
src/qemu/qemu_capabilities.h | 2 +
src/qemu/qemu_command.c | 73 ++++++++++
tests/qemuargv2xmltest.c | 6 +
.../qemuxml2argv-machine-aeskeywrap-off-argv.args | 6 +
.../qemuxml2argv-machine-aeskeywrap-off-argv.xml | 27 ++++
.../qemuxml2argv-machine-aeskeywrap-off-cap.args | 7 +
.../qemuxml2argv-machine-aeskeywrap-off-cap.xml | 28 ++++
.../qemuxml2argv-machine-aeskeywrap-off-caps.args | 7 +
.../qemuxml2argv-machine-aeskeywrap-off-caps.xml | 28 ++++
.../qemuxml2argv-machine-aeskeywrap-on-argv.args | 6 +
.../qemuxml2argv-machine-aeskeywrap-on-argv.xml | 27 ++++
.../qemuxml2argv-machine-aeskeywrap-on-cap.args | 7 +
.../qemuxml2argv-machine-aeskeywrap-on-cap.xml | 28 ++++
.../qemuxml2argv-machine-aeskeywrap-on-caps.args | 7 +
.../qemuxml2argv-machine-aeskeywrap-on-caps.xml | 27 ++++
.../qemuxml2argv-machine-deakeywrap-off-argv.args | 6 +
.../qemuxml2argv-machine-deakeywrap-off-argv.xml | 27 ++++
.../qemuxml2argv-machine-deakeywrap-off-cap.args | 7 +
.../qemuxml2argv-machine-deakeywrap-off-cap.xml | 28 ++++
.../qemuxml2argv-machine-deakeywrap-off-caps.args | 7 +
.../qemuxml2argv-machine-deakeywrap-off-caps.xml | 28 ++++
.../qemuxml2argv-machine-deakeywrap-on-argv.args | 6 +
.../qemuxml2argv-machine-deakeywrap-on-argv.xml | 27 ++++
.../qemuxml2argv-machine-deakeywrap-on-cap.args | 7 +
.../qemuxml2argv-machine-deakeywrap-on-cap.xml | 28 ++++
.../qemuxml2argv-machine-deakeywrap-on-caps.args | 7 +
.../qemuxml2argv-machine-deakeywrap-on-caps.xml | 28 ++++
.../qemuxml2argv-machine-keywrap-none-argv.args | 6 +
.../qemuxml2argv-machine-keywrap-none-argv.xml | 24 ++++
.../qemuxml2argv-machine-keywrap-none-caps.args | 7 +
.../qemuxml2argv-machine-keywrap-none-caps.xml | 25 ++++
.../qemuxml2argv-machine-keywrap-none.args | 7 +
.../qemuxml2argv-machine-keywrap-none.xml | 25 ++++
tests/qemuxml2argvtest.c | 81 +++++++++++
40 files changed, 907 insertions(+)
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-machine-aeskeywrap-off-argv.args
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-machine-aeskeywrap-off-argv.xml
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-machine-aeskeywrap-off-cap.args
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-machine-aeskeywrap-off-cap.xml
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-machine-aeskeywrap-off-caps.args
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-machine-aeskeywrap-off-caps.xml
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-machine-aeskeywrap-on-argv.args
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-machine-aeskeywrap-on-argv.xml
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-machine-aeskeywrap-on-cap.args
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-machine-aeskeywrap-on-cap.xml
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-machine-aeskeywrap-on-caps.args
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-machine-aeskeywrap-on-caps.xml
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-machine-deakeywrap-off-argv.args
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-machine-deakeywrap-off-argv.xml
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-machine-deakeywrap-off-cap.args
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-machine-deakeywrap-off-cap.xml
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-machine-deakeywrap-off-caps.args
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-machine-deakeywrap-off-caps.xml
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-machine-deakeywrap-on-argv.args
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-machine-deakeywrap-on-argv.xml
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-machine-deakeywrap-on-cap.args
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-machine-deakeywrap-on-cap.xml
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-machine-deakeywrap-on-caps.args
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-machine-deakeywrap-on-caps.xml
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-machine-keywrap-none-argv.args
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-machine-keywrap-none-argv.xml
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-machine-keywrap-none-caps.args
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-machine-keywrap-none-caps.xml
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-machine-keywrap-none.args
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-machine-keywrap-none.xml
--
2.3.6
9:43 a.m.
New subject: [libvirt] [PATCH v2 1/4] libvirt: docs: XML to enable/disable protected key mgmt ops
From: Tony Krowiak <akrowiak(a)linux.vnet.ibm.com>
Two new domain configuration XML elements have been added to enable/disable
the protected key management operations for a guest:
<domain>
...
<keywrap>
<cipher name='aes|dea' state='on|off'/>
</keywrap>
...
</domain>
Signed-off-by: Tony Krowiak <akrowiak(a)linux.vnet.ibm.com>
Signed-off-by: Viktor Mihajlovski <mihajlov(a)de.ibm.com>
Reviewed-by: Boris Fiuczynski <fiuczy(a)linux.vnet.ibm.com>
Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
---
docs/formatdomain.html.in | 37 +++++++++++++++++++++++++++++++++++++
docs/schemas/domaincommon.rng | 24 ++++++++++++++++++++++++
2 files changed, 61 insertions(+)
diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
index e0b6ba7..db3c81c 100644
--- a/docs/formatdomain.html.in
+++ b/docs/formatdomain.html.in
@@ -6227,6 +6227,43 @@ qemu-kvm -net nic,model=? /dev/null
being on a file system that lacks security labeling.
</p>
+ <h3><a name="keywrap" shape="rect"
id="keywrap">Key Wrap</a></h3>
+
+ <p>The content of the optional <code>keywrap</code> element
specifies
+ whether the guest will be allowed to perform the S390 cryptographic key
+ management operations. A clear key can be protected by encrypting it
+ under a unique wrapping key that is generated for each guest VM running
+ on the host. Two variations of wrapping keys are generated: one version
+ for encrypting protected keys using the DEA/TDEA algorithm, and another
+ version for keys encrypted using the AES algorithm. If a
+ <code>keywrap</code> element is not included, the guest will be
granted
+ access to both AES and DEA/TDEA key wrapping by default.</p>
+
+ <pre xml:space="preserve">
+<domain>
+ ...
+ <keywrap>
+ <cipher name='aes' state='off'/>
+ <keywrap/>
+ ...
+</domain>
+</pre>
+ <p>At least one <code>cipher</code> element must be nested within
the
+ <code>keywrap</code> element.</p>
+ <dl><dt><code>cipher</code></dt>
+ <dd>The <code>name</code> attribute identifies the algorithm
+ for encrypting a protected key. The values supported for this attribute
+ are <code>aes</code> for encryption under the AES wrapping key, or
+ <code>dea</code> for encryption under the DEA/TDEA wrapping key. The
+ <code>state</code> attribute indicates whether the cryptographic key
+ management operations should be turned on for the specified encryption
+ algorithm. The value can be set to <code>on</code> or
<code>off</code>.
+ A default state of <code>on</code> will be assumed if a
+ <code>cipher</code> element is not included for the AES or DEA/TDEA
+ encryption algorithm.
+ </dd></dl>
+
+ Note: DEA/TDEA is synonymous with DES/TDES.
<h2><a name="examples">Example configs</a></h2>
<p>
diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
index c151e92..1e67776 100644
--- a/docs/schemas/domaincommon.rng
+++ b/docs/schemas/domaincommon.rng
@@ -67,6 +67,9 @@
<optional>
<ref name='qemucmdline'/>
</optional>
+ <optional>
+ <ref name='keywrap'/>
+ </optional>
</interleave>
</element>
</define>
@@ -382,6 +385,27 @@
</element>
</define>
+ <define name="keywrap">
+ <element name="keywrap">
+ <oneOrMore>
+ <element name="cipher">
+ <attribute name="name">
+ <choice>
+ <value>aes</value>
+ <value>dea</value>
+ </choice>
+ </attribute>
+ <attribute name="state">
+ <choice>
+ <value>on</value>
+ <value>off</value>
+ </choice>
+ </attribute>
+ </element>
+ </oneOrMore>
+ </element>
+ </define>
+
<!--
The Identifiers can be:
- an optional id attribute with a number on the domain element
--
2.3.6
10:59 a.m.
New subject: [libvirt] [PATCH v2 1/4] libvirt: docs: XML to enable/disable protected key mgmt ops
On Fri, May 15, 2015 at 04:43:27PM +0200, Michal Privoznik wrote:
From: Tony Krowiak <akrowiak(a)linux.vnet.ibm.com>
Two new domain configuration XML elements have been added to enable/disable
They haven't been added yet :)
This should be squashed in with the patch implementing XML parsing and
formatting of the attributes.
the protected key management operations for a guest:
<domain>
...
<keywrap>
<cipher name='aes|dea' state='on|off'/>
</keywrap>
...
</domain>
Signed-off-by: Tony Krowiak <akrowiak(a)linux.vnet.ibm.com>
Signed-off-by: Viktor Mihajlovski <mihajlov(a)de.ibm.com>
Reviewed-by: Boris Fiuczynski <fiuczy(a)linux.vnet.ibm.com>
Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
---
docs/formatdomain.html.in | 37 +++++++++++++++++++++++++++++++++++++
docs/schemas/domaincommon.rng | 24 ++++++++++++++++++++++++
2 files changed, 61 insertions(+)
diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
index e0b6ba7..db3c81c 100644
--- a/docs/formatdomain.html.in
+++ b/docs/formatdomain.html.in
@@ -6227,6 +6227,43 @@ qemu-kvm -net nic,model=? /dev/null
being on a file system that lacks security labeling.
</p>
+ <h3><a name="keywrap" shape="rect"
id="keywrap">Key Wrap</a></h3>
Is the shape attribute needed here? We don't use it for other 'a name's.
+
+ <p>The content of the optional <code>keywrap</code> element
specifies
+ whether the guest will be allowed to perform the S390 cryptographic key
+ management operations. A clear key can be protected by encrypting it
+ under a unique wrapping key that is generated for each guest VM running
+ on the host. Two variations of wrapping keys are generated: one version
+ for encrypting protected keys using the DEA/TDEA algorithm, and another
+ version for keys encrypted using the AES algorithm. If a
+ <code>keywrap</code> element is not included, the guest will be
granted
+ access to both AES and DEA/TDEA key wrapping by default.</p>
+
+ <pre xml:space="preserve">
Same question about this attribute.
+<domain>
+ ...
+ <keywrap>
+ <cipher name='aes' state='off'/>
+ <keywrap/>
The / needs to be before the tag name.
+ ...
+</domain>
+</pre>
+ <p>At least one <code>cipher</code> element must be nested within
the
+ <code>keywrap</code> element.</p>
+ <dl><dt><code>cipher</code></dt>
+ <dd>The <code>name</code> attribute identifies the algorithm
+ for encrypting a protected key. The values supported for this attribute
+ are <code>aes</code> for encryption under the AES wrapping key, or
+ <code>dea</code> for encryption under the DEA/TDEA wrapping key.
The
+ <code>state</code> attribute indicates whether the cryptographic
key
+ management operations should be turned on for the specified encryption
+ algorithm. The value can be set to <code>on</code> or
<code>off</code>.
+ A default state of <code>on</code> will be assumed if a
+ <code>cipher</code> element is not included for the AES or DEA/TDEA
+ encryption algorithm.
+ </dd></dl>
+
+ Note: DEA/TDEA is synonymous with DES/TDES.
<h2><a name="examples">Example configs</a></h2>
<p>
diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
index c151e92..1e67776 100644
--- a/docs/schemas/domaincommon.rng
+++ b/docs/schemas/domaincommon.rng
@@ -67,6 +67,9 @@
<optional>
<ref name='qemucmdline'/>
</optional>
+ <optional>
+ <ref name='keywrap'/>
+ </optional>
</interleave>
</element>
</define>
@@ -382,6 +385,27 @@
</element>
</define>
+ <define name="keywrap">
+ <element name="keywrap">
+ <oneOrMore>
+ <element name="cipher">
+ <attribute name="name">
+ <choice>
+ <value>aes</value>
+ <value>dea</value>
+ </choice>
+ </attribute>
+ <attribute name="state">
+ <choice>
+ <value>on</value>
+ <value>off</value>
+ </choice>
<ref name='virOnOff'/> can be used here
+ </attribute>
+ </element>
+ </oneOrMore>
+ </element>
+ </define>
+
<!--
The Identifiers can be:
- an optional id attribute with a number on the domain element
ACK with the attributes removed. (and squashing it with the XML
parser/formatter)
Jan
9:43 a.m.
New subject: [libvirt] [PATCH v2 2/4] libvirt: conf: parse XML for protected key management ops
From: Tony Krowiak <akrowiak(a)linux.vnet.ibm.com>
Parse the domain configuration XML elements that enable/disable access to
the protected key management operations for a guest:
<domain>
...
<keywrap>
<cipher name='aes|dea' state='on|off'/>
</keywrap>
...
</domain>
Signed-off-by: Tony Krowiak <akrowiak(a)linux.vnet.ibm.com>
Signed-off-by: Viktor Mihajlovski <mihajlov(a)linux.vnet.ibm.com>
Signed-off-by: Daniel Hansel <daniel.hansel(a)linux.vnet.ibm.com>
Reviewed-by: Boris Fiuczynski <fiuczy(a)linux.vnet.ibm.com>
Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
---
src/conf/domain_conf.c | 156 +++++++++++++++++++++++++++++++++++++++++++++++
src/conf/domain_conf.h | 17 ++++++
src/libvirt_private.syms | 2 +
3 files changed, 175 insertions(+)
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index f3b706e..ee8b474 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -477,6 +477,11 @@ VIR_ENUM_IMPL(virDomainSoundModel, VIR_DOMAIN_SOUND_MODEL_LAST,
"ich9",
"usb")
+VIR_ENUM_IMPL(virDomainKeyWrapCipherName,
+ VIR_DOMAIN_KEY_WRAP_CIPHER_NAME_LAST,
+ "aes",
+ "dea")
+
VIR_ENUM_IMPL(virDomainMemballoonModel, VIR_DOMAIN_MEMBALLOON_MODEL_LAST,
"virtio",
"xen",
@@ -834,6 +839,131 @@ virDomainXMLOptionClassDispose(void *obj)
(xmlopt->config.privFree)(xmlopt->config.priv);
}
+/**
+ * virDomainKeyWrapCipherDefParseXML:
+ *
+ * @def Domain definition
+ * @node An XML cipher node
+ * @ctxt The XML context
+ *
+ * Parse the attributes from the cipher node and store the state
+ * attribute in @def.
+ *
+ * A cipher node has the form of
+ *
+ * <cipher name='aes|dea' state='on|off'/>
+ *
+ * Returns: 0 if the parse succeeded
+ * -1 otherwise
+ */
+static int
+virDomainKeyWrapCipherDefParseXML(virDomainKeyWrapDefPtr keywrap,
+ xmlNodePtr node,
+ xmlXPathContextPtr ctxt)
+{
+
+ char *name = NULL;
+ char *state = NULL;
+ int state_type;
+ int name_type;
+ int ret = -1;
+ xmlNodePtr oldnode = ctxt->node;
+
+ ctxt->node = node;
+ if (!(name = virXPathString("string(./@name)", ctxt))) {
+ virReportError(VIR_ERR_CONF_SYNTAX, "%s",
+ _("missing name for cipher"));
+ goto cleanup;
+ }
+
+ if ((name_type = virDomainKeyWrapCipherNameTypeFromString(name)) < 0) {
+ virReportError(VIR_ERR_CONF_SYNTAX,
+ _("%s is not a supported cipher name"), name);
+ goto cleanup;
+ }
+
+ if (!(state = virXPathString("string(./@state)", ctxt))) {
+ virReportError(VIR_ERR_CONF_SYNTAX,
+ _("missing state for cipher named %s"), name);
+ goto cleanup;
+ }
+
+ if ((state_type = virTristateSwitchTypeFromString(state)) < 0) {
+ virReportError(VIR_ERR_CONF_SYNTAX,
+ _("%s is not a supported cipher state"), state);
+ goto cleanup;
+ }
+
+ switch ((virDomainKeyWrapCipherName) name_type) {
+ case VIR_DOMAIN_KEY_WRAP_CIPHER_NAME_AES:
+ if (keywrap->aes != VIR_TRISTATE_SWITCH_ABSENT) {
+ virReportError(VIR_ERR_INTERNAL_ERROR,
+ _("A domain definition can have no more than "
+ "one cipher node with name %s"),
+ virDomainKeyWrapCipherNameTypeToString(name_type));
+
+ goto cleanup;
+ }
+ keywrap->aes = state_type;
+ break;
+
+ case VIR_DOMAIN_KEY_WRAP_CIPHER_NAME_DEA:
+ if (keywrap->dea != VIR_TRISTATE_SWITCH_ABSENT) {
+ virReportError(VIR_ERR_INTERNAL_ERROR,
+ _("A domain definition can have no more than "
+ "one cipher node with name %s"),
+ virDomainKeyWrapCipherNameTypeToString(name_type));
+
+ goto cleanup;
+ }
+ keywrap->dea = state_type;
+ break;
+
+ case VIR_DOMAIN_KEY_WRAP_CIPHER_NAME_LAST:
+ break;
+ }
+
+ ret = 0;
+
+ cleanup:
+ VIR_FREE(name);
+ VIR_FREE(state);
+ ctxt->node = oldnode;
+ return ret;
+}
+
+static int
+virDomainKeyWrapDefParseXML(virDomainDefPtr def, xmlXPathContextPtr ctxt)
+{
+ size_t i;
+ int ret = -1;
+ xmlNodePtr *nodes = NULL;
+ int n;
+
+ if (!(n = virXPathNodeSet("./keywrap/cipher", ctxt, &nodes)))
+ return 0;
+
+ if (VIR_ALLOC(def->keywrap) < 0)
+ goto cleanup;
+
+ for (i = 0; i < n; i++) {
+ if (virDomainKeyWrapCipherDefParseXML(def->keywrap, nodes[i], ctxt) < 0)
+ goto cleanup;
+ }
+
+ if (!def->keywrap->aes &&
+ !def->keywrap->dea)
+ VIR_FREE(def->keywrap);
+
+ ret = 0;
+
+ cleanup:
+ if (ret < 0)
+ VIR_FREE(def->keywrap);
+ VIR_FREE(nodes);
+ return ret;
+}
+
/**
* virDomainXMLOptionNew:
@@ -2361,6 +2491,8 @@ void virDomainDefFree(virDomainDefPtr def)
virDomainShmemDefFree(def->shmems[i]);
VIR_FREE(def->shmems);
+ VIR_FREE(def->keywrap);
+
if (def->namespaceData && def->ns.free)
(def->ns.free)(def->namespaceData);
@@ -15535,6 +15667,9 @@ virDomainDefParseXML(xmlDocPtr xml,
VIR_FREE(tmp);
}
+ if (virDomainKeyWrapDefParseXML(def, ctxt) < 0)
+ goto error;
+
/* Extract custom metadata */
if ((node = virXPathNode("./metadata[1]", ctxt)) != NULL)
def->metadata = xmlCopyNode(node, 1);
@@ -20588,6 +20723,24 @@ virDomainLoaderDefFormat(virBufferPtr buf,
}
}
+static void
+virDomainKeyWrapDefFormat(virBufferPtr buf, virDomainKeyWrapDefPtr keywrap)
+{
+ virBufferAddLit(buf, "<keywrap>\n");
+ virBufferAdjustIndent(buf, 2);
+
+ if (keywrap->aes)
+ virBufferAsprintf(buf, "<cipher name='aes'
state='%s'/>\n",
+ virTristateSwitchTypeToString(keywrap->aes));
+
+ if (keywrap->dea)
+ virBufferAsprintf(buf, "<cipher name='dea'
state='%s'/>\n",
+ virTristateSwitchTypeToString(keywrap->dea));
+
+ virBufferAdjustIndent(buf, -2);
+ virBufferAddLit(buf, "</keywrap>\n");
+}
+
static bool
virDomainDefHasCapabilitiesFeatures(virDomainDefPtr def)
{
@@ -21490,6 +21643,9 @@ virDomainDefFormatInternal(virDomainDefPtr def,
goto error;
}
+ if (def->keywrap)
+ virDomainKeyWrapDefFormat(buf, def->keywrap);
+
virBufferAdjustIndent(buf, -2);
virBufferAddLit(buf, "</domain>\n");
diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
index 8312c20..7b29008 100644
--- a/src/conf/domain_conf.h
+++ b/src/conf/domain_conf.h
@@ -2119,6 +2119,13 @@ struct _virDomainPowerManagement {
int s4;
};
+typedef struct _virDomainKeyWrapDef virDomainKeyWrapDef;
+typedef virDomainKeyWrapDef *virDomainKeyWrapDefPtr;
+struct _virDomainKeyWrapDef {
+ int aes; /* enum virTristateSwitch */
+ int dea; /* enum virTristateSwitch */
+};
+
/*
* Guest VM main configuration
*
@@ -2255,6 +2262,8 @@ struct _virDomainDef {
void *namespaceData;
virDomainXMLNamespace ns;
+ virDomainKeyWrapDefPtr keywrap;
+
/* Application-specific custom metadata */
xmlNodePtr metadata;
};
@@ -2264,6 +2273,13 @@ void virDomainDefSetMemoryInitial(virDomainDefPtr def, unsigned
long long size);
unsigned long long virDomainDefGetMemoryActual(virDomainDefPtr def);
typedef enum {
+ VIR_DOMAIN_KEY_WRAP_CIPHER_NAME_AES,
+ VIR_DOMAIN_KEY_WRAP_CIPHER_NAME_DEA,
+
+ VIR_DOMAIN_KEY_WRAP_CIPHER_NAME_LAST
+} virDomainKeyWrapCipherName;
+
+typedef enum {
VIR_DOMAIN_TAINT_CUSTOM_ARGV, /* Custom ARGV passthrough from XML */
VIR_DOMAIN_TAINT_CUSTOM_MONITOR, /* Custom monitor commands issued */
VIR_DOMAIN_TAINT_HIGH_PRIVILEGES, /* Running with undesirably high privileges */
@@ -2951,6 +2967,7 @@ VIR_ENUM_DECL(virDomainChrTcpProtocol)
VIR_ENUM_DECL(virDomainChrSpicevmc)
VIR_ENUM_DECL(virDomainSoundCodec)
VIR_ENUM_DECL(virDomainSoundModel)
+VIR_ENUM_DECL(virDomainKeyWrapCipherName)
VIR_ENUM_DECL(virDomainMemballoonModel)
VIR_ENUM_DECL(virDomainSmbiosMode)
VIR_ENUM_DECL(virDomainWatchdogModel)
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index f80fc70..afd0cb6 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -329,6 +329,8 @@ virDomainIOThreadIDDefFree;
virDomainIOThreadIDDel;
virDomainIOThreadIDFind;
virDomainIOThreadSchedDelId;
+virDomainKeyWrapCipherNameTypeFromString;
+virDomainKeyWrapCipherNameTypeToString;
virDomainLeaseDefFree;
virDomainLeaseIndex;
virDomainLeaseInsert;
--
2.3.6
11:09 a.m.
New subject: [libvirt] [PATCH v2 2/4] libvirt: conf: parse XML for protected key management ops
On Fri, May 15, 2015 at 04:43:28PM +0200, Michal Privoznik wrote:
From: Tony Krowiak <akrowiak(a)linux.vnet.ibm.com>
Parse the domain configuration XML elements that enable/disable access to
the protected key management operations for a guest:
<domain>
...
<keywrap>
<cipher name='aes|dea' state='on|off'/>
</keywrap>
...
</domain>
Signed-off-by: Tony Krowiak <akrowiak(a)linux.vnet.ibm.com>
Signed-off-by: Viktor Mihajlovski <mihajlov(a)linux.vnet.ibm.com>
Signed-off-by: Daniel Hansel <daniel.hansel(a)linux.vnet.ibm.com>
Reviewed-by: Boris Fiuczynski <fiuczy(a)linux.vnet.ibm.com>
Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
---
src/conf/domain_conf.c | 156 +++++++++++++++++++++++++++++++++++++++++++++++
src/conf/domain_conf.h | 17 ++++++
src/libvirt_private.syms | 2 +
3 files changed, 175 insertions(+)
ACK after squashing it together with the previous patch.
Jan
7:40 a.m.
New subject: [libvirt] [PATCH v2 2/4] libvirt: conf: parse XML for protected key management ops
On 05/15/2015 10:43 AM, Michal Privoznik wrote:
...
Coverity complaint...
+static int
+virDomainKeyWrapDefParseXML(virDomainDefPtr def, xmlXPathContextPtr ctxt)
+{
+ size_t i;
+ int ret = -1;
+ xmlNodePtr *nodes = NULL;
+ int n;
+
+ if (!(n = virXPathNodeSet("./keywrap/cipher", ctxt, &nodes)))
Can return a negative number...
+ return 0;
+
+ if (VIR_ALLOC(def->keywrap) < 0)
+ goto cleanup;
+
+ for (i = 0; i < n; i++) {
Causing this to run a long time.
I'll append something to my current on list Coverity patches to resolve.
John
+ if (virDomainKeyWrapCipherDefParseXML(def->keywrap,
nodes[i], ctxt) < 0)
+ goto cleanup;
+ }
+
+ if (!def->keywrap->aes &&
+ !def->keywrap->dea)
+ VIR_FREE(def->keywrap);
+
+ ret = 0;
+
+ cleanup:
+ if (ret < 0)
+ VIR_FREE(def->keywrap);
+ VIR_FREE(nodes);
+ return ret;
+}
+
/**
* virDomainXMLOptionNew:
@@ -2361,6 +2491,8 @@ void virDomainDefFree(virDomainDefPtr def)
virDomainShmemDefFree(def->shmems[i]);
VIR_FREE(def->shmems);
+ VIR_FREE(def->keywrap);
+
if (def->namespaceData && def->ns.free)
(def->ns.free)(def->namespaceData);
@@ -15535,6 +15667,9 @@ virDomainDefParseXML(xmlDocPtr xml,
VIR_FREE(tmp);
}
+ if (virDomainKeyWrapDefParseXML(def, ctxt) < 0)
+ goto error;
+
/* Extract custom metadata */
if ((node = virXPathNode("./metadata[1]", ctxt)) != NULL)
def->metadata = xmlCopyNode(node, 1);
@@ -20588,6 +20723,24 @@ virDomainLoaderDefFormat(virBufferPtr buf,
}
}
+static void
+virDomainKeyWrapDefFormat(virBufferPtr buf, virDomainKeyWrapDefPtr keywrap)
+{
+ virBufferAddLit(buf, "<keywrap>\n");
+ virBufferAdjustIndent(buf, 2);
+
+ if (keywrap->aes)
+ virBufferAsprintf(buf, "<cipher name='aes'
state='%s'/>\n",
+ virTristateSwitchTypeToString(keywrap->aes));
+
+ if (keywrap->dea)
+ virBufferAsprintf(buf, "<cipher name='dea'
state='%s'/>\n",
+ virTristateSwitchTypeToString(keywrap->dea));
+
+ virBufferAdjustIndent(buf, -2);
+ virBufferAddLit(buf, "</keywrap>\n");
+}
+
static bool
virDomainDefHasCapabilitiesFeatures(virDomainDefPtr def)
{
@@ -21490,6 +21643,9 @@ virDomainDefFormatInternal(virDomainDefPtr def,
goto error;
}
+ if (def->keywrap)
+ virDomainKeyWrapDefFormat(buf, def->keywrap);
+
virBufferAdjustIndent(buf, -2);
virBufferAddLit(buf, "</domain>\n");
diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
index 8312c20..7b29008 100644
--- a/src/conf/domain_conf.h
+++ b/src/conf/domain_conf.h
@@ -2119,6 +2119,13 @@ struct _virDomainPowerManagement {
int s4;
};
+typedef struct _virDomainKeyWrapDef virDomainKeyWrapDef;
+typedef virDomainKeyWrapDef *virDomainKeyWrapDefPtr;
+struct _virDomainKeyWrapDef {
+ int aes; /* enum virTristateSwitch */
+ int dea; /* enum virTristateSwitch */
+};
+
/*
* Guest VM main configuration
*
@@ -2255,6 +2262,8 @@ struct _virDomainDef {
void *namespaceData;
virDomainXMLNamespace ns;
+ virDomainKeyWrapDefPtr keywrap;
+
/* Application-specific custom metadata */
xmlNodePtr metadata;
};
@@ -2264,6 +2273,13 @@ void virDomainDefSetMemoryInitial(virDomainDefPtr def, unsigned
long long size);
unsigned long long virDomainDefGetMemoryActual(virDomainDefPtr def);
typedef enum {
+ VIR_DOMAIN_KEY_WRAP_CIPHER_NAME_AES,
+ VIR_DOMAIN_KEY_WRAP_CIPHER_NAME_DEA,
+
+ VIR_DOMAIN_KEY_WRAP_CIPHER_NAME_LAST
+} virDomainKeyWrapCipherName;
+
+typedef enum {
VIR_DOMAIN_TAINT_CUSTOM_ARGV, /* Custom ARGV passthrough from XML */
VIR_DOMAIN_TAINT_CUSTOM_MONITOR, /* Custom monitor commands issued */
VIR_DOMAIN_TAINT_HIGH_PRIVILEGES, /* Running with undesirably high privileges */
@@ -2951,6 +2967,7 @@ VIR_ENUM_DECL(virDomainChrTcpProtocol)
VIR_ENUM_DECL(virDomainChrSpicevmc)
VIR_ENUM_DECL(virDomainSoundCodec)
VIR_ENUM_DECL(virDomainSoundModel)
+VIR_ENUM_DECL(virDomainKeyWrapCipherName)
VIR_ENUM_DECL(virDomainMemballoonModel)
VIR_ENUM_DECL(virDomainSmbiosMode)
VIR_ENUM_DECL(virDomainWatchdogModel)
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index f80fc70..afd0cb6 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -329,6 +329,8 @@ virDomainIOThreadIDDefFree;
virDomainIOThreadIDDel;
virDomainIOThreadIDFind;
virDomainIOThreadSchedDelId;
+virDomainKeyWrapCipherNameTypeFromString;
+virDomainKeyWrapCipherNameTypeToString;
virDomainLeaseDefFree;
virDomainLeaseIndex;
virDomainLeaseInsert;
9:43 a.m.
New subject: [libvirt] [PATCH v2 3/4] libvirt: qemu: enable/disable protected key management ops
From: Tony Krowiak <aekrowia(a)us.ibm.com>
Introduces two new -machine option parameters to the QEMU command to
enable/disable the CPACF protected key management operations for a guest:
aes-key-wrap='on|off'
dea-key-wrap='on|off'
The QEMU code maps the corresponding domain configuration elements to the
QEMU -machine option parameters to create the QEMU command:
<cipher name='aes' state='on'> --> aes-key-wrap=on
<cipher name='aes' state='off'> --> aes-key-wrap=off
<cipher name='dea' state='on'> --> dea-key-wrap=on
<cipher name='dea' state='off'> --> dea-key-wrap=off
Signed-off-by: Tony Krowiak <akrowiak(a)linux.vnet.ibm.com>
Signed-off-by: Daniel Hansel <daniel.hansel(a)linux.vnet.ibm.com>
Signed-off-by: Boris Fiuczynski <fiuczy(a)linux.vnet.ibm.com>
Reviewed-by: Boris Fiuczynski <fiuczy(a)linux.vnet.ibm.com>
Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
---
src/qemu/qemu_capabilities.c | 4 +++
src/qemu/qemu_capabilities.h | 2 ++
src/qemu/qemu_command.c | 73 ++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 79 insertions(+)
diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
index 25c15bf..2757636 100644
--- a/src/qemu/qemu_capabilities.c
+++ b/src/qemu/qemu_capabilities.c
@@ -281,6 +281,8 @@ VIR_ENUM_IMPL(virQEMUCaps, QEMU_CAPS_LAST,
"pc-dimm",
"machine-vmport-opt", /* 185 */
+ "aes-key-wrap",
+ "dea-key-wrap",
);
@@ -2523,6 +2525,8 @@ static struct virQEMUCapsCommandLineProps virQEMUCapsCommandLine[] =
{
{ "msg", "timestamp", QEMU_CAPS_MSG_TIMESTAMP },
{ "numa", NULL, QEMU_CAPS_NUMA },
{ "drive", "throttling.bps-total-max",
QEMU_CAPS_DRIVE_IOTUNE_MAX},
+ { "machine", "aes-key-wrap", QEMU_CAPS_AES_KEY_WRAP },
+ { "machine", "dea-key-wrap", QEMU_CAPS_DEA_KEY_WRAP },
};
static int
diff --git a/src/qemu/qemu_capabilities.h b/src/qemu/qemu_capabilities.h
index 81557b7..4da9637 100644
--- a/src/qemu/qemu_capabilities.h
+++ b/src/qemu/qemu_capabilities.h
@@ -225,6 +225,8 @@ typedef enum {
QEMU_CAPS_QXL_VGA_VGAMEM = 183, /* -device qxl-vga.vgamem_mb */
QEMU_CAPS_DEVICE_PC_DIMM = 184, /* pc-dimm device */
QEMU_CAPS_MACHINE_VMPORT_OPT = 185, /* -machine xxx,vmport=on/off/auto */
+ QEMU_CAPS_AES_KEY_WRAP = 186, /* -machine aes_key_wrap */
+ QEMU_CAPS_DEA_KEY_WRAP = 187, /* -machine dea_key_wrap */
QEMU_CAPS_LAST, /* this must always be the last item */
} virQEMUCapsFlags;
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index 2939f8d..98fc5f8 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -38,6 +38,7 @@
#include "virnetdevbridge.h"
#include "virstring.h"
#include "virtime.h"
+#include "virutil.h"
#include "viruuid.h"
#include "c-ctype.h"
#include "domain_nwfilter.h"
@@ -7286,6 +7287,39 @@ qemuBuildObsoleteAccelArg(virCommandPtr cmd,
return 0;
}
+static bool
+qemuAppendKeyWrapMachineParm(virBuffer *buf, virQEMUCapsPtr qemuCaps,
+ int flag, const char *pname, int pstate)
+{
+ if (pstate != VIR_TRISTATE_SWITCH_ABSENT) {
+ if (!virQEMUCapsGet(qemuCaps, flag)) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
+ _("%s is not available with this QEMU binary"),
pname);
+ return false;
+ }
+
+ virBufferAsprintf(buf, ",%s=%s", pname,
+ virTristateSwitchTypeToString(pstate));
+ }
+
+ return true;
+}
+
+static bool
+qemuAppendKeyWrapMachineParms(virBuffer *buf, virQEMUCapsPtr qemuCaps,
+ const virDomainKeyWrapDef *keywrap)
+{
+ if (!qemuAppendKeyWrapMachineParm(buf, qemuCaps, QEMU_CAPS_AES_KEY_WRAP,
+ "aes-key-wrap", keywrap->aes))
+ return false;
+
+ if (!qemuAppendKeyWrapMachineParm(buf, qemuCaps, QEMU_CAPS_DEA_KEY_WRAP,
+ "dea-key-wrap", keywrap->dea))
+ return false;
+
+ return true;
+}
+
static int
qemuBuildMachineArgStr(virCommandPtr cmd,
const virDomainDef *def,
@@ -7320,6 +7354,13 @@ qemuBuildMachineArgStr(virCommandPtr cmd,
}
obsoleteAccel = true;
+
+ if (def->keywrap) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("key wrap support is not available "
+ "with this QEMU binary"));
+ return -1;
+ }
} else {
virBuffer buf = VIR_BUFFER_INITIALIZER;
virTristateSwitch vmport = def->features[VIR_DOMAIN_FEATURE_VMPORT];
@@ -7378,6 +7419,12 @@ qemuBuildMachineArgStr(virCommandPtr cmd,
}
}
+ if (def->keywrap &&
+ !qemuAppendKeyWrapMachineParms(&buf, qemuCaps, def->keywrap)) {
+ virBufferFreeAndReset(&buf);
+ return -1;
+ }
+
virCommandAddArgBuffer(cmd, &buf);
}
@@ -12806,6 +12853,32 @@ qemuParseCommandLine(virCapsPtr qemuCaps,
} else if (STRPREFIX(param, "accel=kvm")) {
def->virtType = VIR_DOMAIN_VIRT_KVM;
def->features[VIR_DOMAIN_FEATURE_PAE] = VIR_TRISTATE_SWITCH_ON;
+ } else if (STRPREFIX(param, "aes-key-wrap=")) {
+ if (STREQ(arg, "-M")) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("aes-key-wrap is not supported with "
+ "this QEMU binary"));
+ goto error;
+ }
+ param += strlen("aes-key-wrap=");
+ if (!def->keywrap && VIR_ALLOC(def->keywrap) < 0)
+ goto error;
+ def->keywrap->aes = virTristateSwitchTypeFromString(param);
+ if (def->keywrap->aes < 0)
+ def->keywrap->aes = VIR_TRISTATE_SWITCH_ABSENT;
+ } else if (STRPREFIX(param, "dea-key-wrap=")) {
+ if (STREQ(arg, "-M")) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("dea-key-wrap is not supported with "
+ "this QEMU binary"));
+ goto error;
+ }
+ param += strlen("dea-key-wrap=");
+ if (!def->keywrap && VIR_ALLOC(def->keywrap) < 0)
+ goto error;
+ def->keywrap->dea = virTristateSwitchTypeFromString(param);
+ if (def->keywrap->dea < 0)
+ def->keywrap->dea = VIR_TRISTATE_SWITCH_ABSENT;
}
}
virStringFreeList(list);
--
2.3.6
11:23 a.m.
New subject: [libvirt] [PATCH v2 3/4] libvirt: qemu: enable/disable protected key management ops
On Fri, May 15, 2015 at 04:43:29PM +0200, Michal Privoznik wrote:
From: Tony Krowiak <aekrowia(a)us.ibm.com>
Introduces two new -machine option parameters to the QEMU command to
enable/disable the CPACF protected key management operations for a guest:
aes-key-wrap='on|off'
dea-key-wrap='on|off'
The QEMU code maps the corresponding domain configuration elements to the
QEMU -machine option parameters to create the QEMU command:
<cipher name='aes' state='on'> --> aes-key-wrap=on
<cipher name='aes' state='off'> --> aes-key-wrap=off
<cipher name='dea' state='on'> --> dea-key-wrap=on
<cipher name='dea' state='off'> --> dea-key-wrap=off
Signed-off-by: Tony Krowiak <akrowiak(a)linux.vnet.ibm.com>
Signed-off-by: Daniel Hansel <daniel.hansel(a)linux.vnet.ibm.com>
Signed-off-by: Boris Fiuczynski <fiuczy(a)linux.vnet.ibm.com>
Reviewed-by: Boris Fiuczynski <fiuczy(a)linux.vnet.ibm.com>
Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
---
src/qemu/qemu_capabilities.c | 4 +++
src/qemu/qemu_capabilities.h | 2 ++
src/qemu/qemu_command.c | 73 ++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 79 insertions(+)
So the difference to v1 is that they are no longer turned on by default
if QEMU supports it. (I hope I did not miss anything else; it would
have been helpful if you listed the important changes)
I agree that this should not be done on XML parsing as was done in v1.
Would it make sense to treat the missing option (STATE_ABSENT) as
'turn it on if qemu supports it'?
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index 2939f8d..98fc5f8 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -38,6 +38,7 @@
#include "virnetdevbridge.h"
#include "virstring.h"
#include "virtime.h"
+#include "virutil.h"
Why is this include needed?
#include "viruuid.h"
#include "c-ctype.h"
#include "domain_nwfilter.h"
@@ -7286,6 +7287,39 @@ qemuBuildObsoleteAccelArg(virCommandPtr cmd,
return 0;
}
+static bool
+qemuAppendKeyWrapMachineParm(virBuffer *buf, virQEMUCapsPtr qemuCaps,
+ int flag, const char *pname, int pstate)
+{
+ if (pstate != VIR_TRISTATE_SWITCH_ABSENT) {
+ if (!virQEMUCapsGet(qemuCaps, flag)) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
+ _("%s is not available with this QEMU binary"),
pname);
+ return false;
+ }
Can't we allow state='off' with QEMU that does not support it?
You have an ACK from me with the include removed. Please wait for
feedback from the author before pushing.
Jan
1:39 p.m.
New subject: [libvirt] [PATCH v2 3/4] libvirt: qemu: enable/disable protected key management ops
On 05/15/2015 12:23 PM, Ján Tomko wrote:
On Fri, May 15, 2015 at 04:43:29PM +0200, Michal Privoznik wrote:
> From: Tony Krowiak <aekrowia(a)us.ibm.com>
>
> Introduces two new -machine option parameters to the QEMU command to
> enable/disable the CPACF protected key management operations for a guest:
>
> aes-key-wrap='on|off'
> dea-key-wrap='on|off'
>
> The QEMU code maps the corresponding domain configuration elements to the
> QEMU -machine option parameters to create the QEMU command:
>
> <cipher name='aes' state='on'> --> aes-key-wrap=on
> <cipher name='aes' state='off'> --> aes-key-wrap=off
> <cipher name='dea' state='on'> --> dea-key-wrap=on
> <cipher name='dea' state='off'> --> dea-key-wrap=off
>
> Signed-off-by: Tony Krowiak <akrowiak(a)linux.vnet.ibm.com>
> Signed-off-by: Daniel Hansel <daniel.hansel(a)linux.vnet.ibm.com>
> Signed-off-by: Boris Fiuczynski <fiuczy(a)linux.vnet.ibm.com>
> Reviewed-by: Boris Fiuczynski <fiuczy(a)linux.vnet.ibm.com>
> Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
> ---
> src/qemu/qemu_capabilities.c | 4 +++
> src/qemu/qemu_capabilities.h | 2 ++
> src/qemu/qemu_command.c | 73 ++++++++++++++++++++++++++++++++++++++++++++
> 3 files changed, 79 insertions(+)
>
So the difference to v1 is that they are no longer turned on by default
if QEMU supports it. (I hope I did not miss anything else; it would
have been helpful if you listed the important changes)
I agree that this should not be done on XML parsing as was done in v1.
Would it make sense to treat the missing option (STATE_ABSENT) as
'turn it on if qemu supports it'?
Some background:
My original design was similar to Michal's in that if key wrapping was not
configured for the guest in the domain XML, then the machine options
would not
be inserted into the QEMU command line. Our internal reviewers commented
that
there should be default values for libvirt that match the QEMU defaults, so
I did exactly as you suggested here, inserting default values into the QEMU
command line on STATE_ABSENT. Our internal reviewers then pointed out
that the
dumpxml command would return a configuration that did not match that of
the running
guest, so I added the XML post parsing piece to set default values into
virDomainDef if
QEMU supports the key wrapping machine options. In any case, I'm not
married to
any of these ideas, so you have my ACK pending Jan's suggestions.
> diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
> index 2939f8d..98fc5f8 100644
> --- a/src/qemu/qemu_command.c
> +++ b/src/qemu/qemu_command.c
> @@ -38,6 +38,7 @@
> #include "virnetdevbridge.h"
> #include "virstring.h"
> #include "virtime.h"
> +#include "virutil.h"
Why is this include needed?
I believe that this is no longer needed and is a
remnant of an earlier
iteration that I failed to
remove. My bad.
> #include "viruuid.h"
> #include "c-ctype.h"
> #include "domain_nwfilter.h"
> @@ -7286,6 +7287,39 @@ qemuBuildObsoleteAccelArg(virCommandPtr cmd,
> return 0;
> }
>
> +static bool
> +qemuAppendKeyWrapMachineParm(virBuffer *buf, virQEMUCapsPtr qemuCaps,
> + int flag, const char *pname, int pstate)
> +{
> + if (pstate != VIR_TRISTATE_SWITCH_ABSENT) {
> + if (!virQEMUCapsGet(qemuCaps, flag)) {
> + virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
> + _("%s is not available with this QEMU binary"),
pname);
> + return false;
> + }
Can't we allow state='off' with QEMU that does not support it?
We can
certainly bypass the appending of the machine option if
state='off', but if I am
not mistaken, sending a machine option to QEMU that it does not support
will cause
QEMU to throw an error. I think it is wisest to inform the user of a
configuration
error here.
You have an ACK from me with the include removed. Please wait for
feedback from the author before pushing.
Jan
--
libvir-list mailing list
libvir-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
1:48 p.m.
New subject: [libvirt] [PATCH v2 3/4] libvirt: qemu: enable/disable protected key management ops
On 05/15/2015 12:23 PM, Ján Tomko wrote:
On Fri, May 15, 2015 at 04:43:29PM +0200, Michal Privoznik wrote:
> From: Tony Krowiak <aekrowia(a)us.ibm.com>
>
> Introduces two new -machine option parameters to the QEMU command to
> enable/disable the CPACF protected key management operations for a guest:
>
> aes-key-wrap='on|off'
> dea-key-wrap='on|off'
>
> The QEMU code maps the corresponding domain configuration elements to the
> QEMU -machine option parameters to create the QEMU command:
>
> <cipher name='aes' state='on'> --> aes-key-wrap=on
> <cipher name='aes' state='off'> --> aes-key-wrap=off
> <cipher name='dea' state='on'> --> dea-key-wrap=on
> <cipher name='dea' state='off'> --> dea-key-wrap=off
>
> Signed-off-by: Tony Krowiak <akrowiak(a)linux.vnet.ibm.com>
> Signed-off-by: Daniel Hansel <daniel.hansel(a)linux.vnet.ibm.com>
> Signed-off-by: Boris Fiuczynski <fiuczy(a)linux.vnet.ibm.com>
> Reviewed-by: Boris Fiuczynski <fiuczy(a)linux.vnet.ibm.com>
> Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
> ---
> src/qemu/qemu_capabilities.c | 4 +++
> src/qemu/qemu_capabilities.h | 2 ++
> src/qemu/qemu_command.c | 73 ++++++++++++++++++++++++++++++++++++++++++++
> 3 files changed, 79 insertions(+)
>
So the difference to v1 is that they are no longer turned on by default
if QEMU supports it. (I hope I did not miss anything else; it would
have been helpful if you listed the important changes)
I agree that this should not be done on XML parsing as was done in v1.
Would it make sense to treat the missing option (STATE_ABSENT) as
'turn it on if qemu supports it'?
> diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
> index 2939f8d..98fc5f8 100644
> --- a/src/qemu/qemu_command.c
> +++ b/src/qemu/qemu_command.c
> @@ -38,6 +38,7 @@
> #include "virnetdevbridge.h"
> #include "virstring.h"
> #include "virtime.h"
> +#include "virutil.h"
Why is this include needed?
> #include "viruuid.h"
> #include "c-ctype.h"
> #include "domain_nwfilter.h"
> @@ -7286,6 +7287,39 @@ qemuBuildObsoleteAccelArg(virCommandPtr cmd,
> return 0;
> }
>
> +static bool
> +qemuAppendKeyWrapMachineParm(virBuffer *buf, virQEMUCapsPtr qemuCaps,
> + int flag, const char *pname, int pstate)
> +{
> + if (pstate != VIR_TRISTATE_SWITCH_ABSENT) {
> + if (!virQEMUCapsGet(qemuCaps, flag)) {
> + virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
> + _("%s is not available with this QEMU binary"),
pname);
> + return false;
> + }
Can't we allow state='off' with QEMU that does not support it?
You have an ACK from me with the include removed. Please wait for
feedback from the author before pushing.
These changes will break the test cases,
so they will need to be updated
to reflect
these changes before pushing.
Jan
--
libvir-list mailing list
libvir-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
9:43 a.m.
New subject: [libvirt] [PATCH v2 4/4] libvirt: tests: test protected key mgmt ops support
From: Tony Krowiak <aekrowia(a)us.ibm.com>
Test the support for enabling/disabling CPACF protected key management
operations for a guest.
Signed-off-by: Tony Krowiak <akrowiak(a)linux.vnet.ibm.com>
Signed-off-by: Viktor Mihajlovski <mihajlov(a)linux.vnet.ibm.com>
Reviewed-by: Boris Fiuczynski <fiuczy(a)linux.vnet.ibm.com>
Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
---
tests/qemuargv2xmltest.c | 6 ++
.../qemuxml2argv-machine-aeskeywrap-off-argv.args | 6 ++
.../qemuxml2argv-machine-aeskeywrap-off-argv.xml | 27 ++++++++
.../qemuxml2argv-machine-aeskeywrap-off-cap.args | 7 ++
.../qemuxml2argv-machine-aeskeywrap-off-cap.xml | 28 ++++++++
.../qemuxml2argv-machine-aeskeywrap-off-caps.args | 7 ++
.../qemuxml2argv-machine-aeskeywrap-off-caps.xml | 28 ++++++++
.../qemuxml2argv-machine-aeskeywrap-on-argv.args | 6 ++
.../qemuxml2argv-machine-aeskeywrap-on-argv.xml | 27 ++++++++
.../qemuxml2argv-machine-aeskeywrap-on-cap.args | 7 ++
.../qemuxml2argv-machine-aeskeywrap-on-cap.xml | 28 ++++++++
.../qemuxml2argv-machine-aeskeywrap-on-caps.args | 7 ++
.../qemuxml2argv-machine-aeskeywrap-on-caps.xml | 27 ++++++++
.../qemuxml2argv-machine-deakeywrap-off-argv.args | 6 ++
.../qemuxml2argv-machine-deakeywrap-off-argv.xml | 27 ++++++++
.../qemuxml2argv-machine-deakeywrap-off-cap.args | 7 ++
.../qemuxml2argv-machine-deakeywrap-off-cap.xml | 28 ++++++++
.../qemuxml2argv-machine-deakeywrap-off-caps.args | 7 ++
.../qemuxml2argv-machine-deakeywrap-off-caps.xml | 28 ++++++++
.../qemuxml2argv-machine-deakeywrap-on-argv.args | 6 ++
.../qemuxml2argv-machine-deakeywrap-on-argv.xml | 27 ++++++++
.../qemuxml2argv-machine-deakeywrap-on-cap.args | 7 ++
.../qemuxml2argv-machine-deakeywrap-on-cap.xml | 28 ++++++++
.../qemuxml2argv-machine-deakeywrap-on-caps.args | 7 ++
.../qemuxml2argv-machine-deakeywrap-on-caps.xml | 28 ++++++++
.../qemuxml2argv-machine-keywrap-none-argv.args | 6 ++
.../qemuxml2argv-machine-keywrap-none-argv.xml | 24 +++++++
.../qemuxml2argv-machine-keywrap-none-caps.args | 7 ++
.../qemuxml2argv-machine-keywrap-none-caps.xml | 25 +++++++
.../qemuxml2argv-machine-keywrap-none.args | 7 ++
.../qemuxml2argv-machine-keywrap-none.xml | 25 +++++++
tests/qemuxml2argvtest.c | 81 ++++++++++++++++++++++
32 files changed, 592 insertions(+)
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-machine-aeskeywrap-off-argv.args
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-machine-aeskeywrap-off-argv.xml
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-machine-aeskeywrap-off-cap.args
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-machine-aeskeywrap-off-cap.xml
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-machine-aeskeywrap-off-caps.args
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-machine-aeskeywrap-off-caps.xml
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-machine-aeskeywrap-on-argv.args
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-machine-aeskeywrap-on-argv.xml
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-machine-aeskeywrap-on-cap.args
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-machine-aeskeywrap-on-cap.xml
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-machine-aeskeywrap-on-caps.args
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-machine-aeskeywrap-on-caps.xml
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-machine-deakeywrap-off-argv.args
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-machine-deakeywrap-off-argv.xml
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-machine-deakeywrap-off-cap.args
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-machine-deakeywrap-off-cap.xml
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-machine-deakeywrap-off-caps.args
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-machine-deakeywrap-off-caps.xml
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-machine-deakeywrap-on-argv.args
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-machine-deakeywrap-on-argv.xml
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-machine-deakeywrap-on-cap.args
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-machine-deakeywrap-on-cap.xml
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-machine-deakeywrap-on-caps.args
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-machine-deakeywrap-on-caps.xml
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-machine-keywrap-none-argv.args
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-machine-keywrap-none-argv.xml
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-machine-keywrap-none-caps.args
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-machine-keywrap-none-caps.xml
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-machine-keywrap-none.args
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-machine-keywrap-none.xml
diff --git a/tests/qemuargv2xmltest.c b/tests/qemuargv2xmltest.c
index d6df116..ea85913 100644
--- a/tests/qemuargv2xmltest.c
+++ b/tests/qemuargv2xmltest.c
@@ -292,6 +292,12 @@ mymain(void)
DO_TEST_FULL("qemu-ns-no-env", FLAG_EXPECT_WARNING);
+ DO_TEST("machine-aeskeywrap-on-argv");
+ DO_TEST("machine-aeskeywrap-off-argv");
+ DO_TEST("machine-deakeywrap-on-argv");
+ DO_TEST("machine-deakeywrap-off-argv");
+ DO_TEST("machine-keywrap-none-argv");
+
virObjectUnref(driver.config);
virObjectUnref(driver.caps);
virObjectUnref(driver.xmlopt);
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-machine-aeskeywrap-off-argv.args
b/tests/qemuxml2argvdata/qemuxml2argv-machine-aeskeywrap-off-argv.args
new file mode 100644
index 0000000..4ef9fc0
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-machine-aeskeywrap-off-argv.args
@@ -0,0 +1,6 @@
+LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test QEMU_AUDIO_DRV=none \
+/usr/bin/qemu-system-s390x -S \
+-machine s390-ccw-virtio,accel=tcg,aes-key-wrap=off \
+-m 214 -smp 1 -nographic -nodefaults \
+-monitor unix:/tmp/test-monitor,server,nowait -no-acpi -boot c \
+-drive file=/dev/HostVG/QEMUGuest1,if=virtio,index=0,id=drive-virtio-disk0
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-machine-aeskeywrap-off-argv.xml
b/tests/qemuxml2argvdata/qemuxml2argv-machine-aeskeywrap-off-argv.xml
new file mode 100644
index 0000000..0975d4a
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-machine-aeskeywrap-off-argv.xml
@@ -0,0 +1,27 @@
+<domain type='qemu'>
+ <name>QEMUGuest1</name>
+ <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+ <memory unit='KiB'>219100</memory>
+ <currentMemory unit='KiB'>219100</currentMemory>
+ <vcpu placement='static'>1</vcpu>
+ <os>
+ <type arch='s390x' machine='s390-ccw-virtio'>hvm</type>
+ <boot dev='hd'/>
+ </os>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <emulator>/usr/bin/qemu-system-s390x</emulator>
+ <disk type='block' device='disk'>
+ <driver name='qemu' type='raw'/>
+ <source dev='/dev/HostVG/QEMUGuest1'/>
+ <target dev='vda' bus='virtio'/>
+ </disk>
+ <memballoon model='none'/>
+ </devices>
+ <keywrap>
+ <cipher name='aes' state='off'/>
+ </keywrap>
+</domain>
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-machine-aeskeywrap-off-cap.args
b/tests/qemuxml2argvdata/qemuxml2argv-machine-aeskeywrap-off-cap.args
new file mode 100644
index 0000000..80caba7
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-machine-aeskeywrap-off-cap.args
@@ -0,0 +1,7 @@
+LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test QEMU_AUDIO_DRV=none \
+/usr/bin/qemu-system-s390x -S \
+-machine s390-ccw-virtio,accel=tcg,aes-key-wrap=off \
+-m 214 -smp 1 -nographic -nodefaults \
+-monitor unix:/tmp/test-monitor,server,nowait -no-acpi -boot c \
+-drive file=/dev/HostVG/QEMUGuest1,if=none,id=drive-virtio-disk0 \
+-device virtio-blk-ccw,devno=fe.0.0000,drive=drive-virtio-disk0,id=virtio-disk0
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-machine-aeskeywrap-off-cap.xml
b/tests/qemuxml2argvdata/qemuxml2argv-machine-aeskeywrap-off-cap.xml
new file mode 100644
index 0000000..a0c0037
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-machine-aeskeywrap-off-cap.xml
@@ -0,0 +1,28 @@
+<domain type='qemu'>
+ <name>QEMUGuest1</name>
+ <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+ <memory unit='KiB'>219100</memory>
+ <currentMemory unit='KiB'>219100</currentMemory>
+ <vcpu placement='static'>1</vcpu>
+ <os>
+ <type arch='s390x' machine='s390-ccw-virtio'>hvm</type>
+ <boot dev='hd'/>
+ </os>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <emulator>/usr/bin/qemu-system-s390x</emulator>
+ <disk type='block' device='disk'>
+ <driver name='qemu' type='raw'/>
+ <source dev='/dev/HostVG/QEMUGuest1'/>
+ <target dev='vda' bus='virtio'/>
+ <address type='ccw' cssid='0xfe' ssid='0x0'
devno='0x0000'/>
+ </disk>
+ <memballoon model='none'/>
+ </devices>
+ <keywrap>
+ <cipher name='aes' state='off'/>
+ </keywrap>
+</domain>
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-machine-aeskeywrap-off-caps.args
b/tests/qemuxml2argvdata/qemuxml2argv-machine-aeskeywrap-off-caps.args
new file mode 100644
index 0000000..80caba7
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-machine-aeskeywrap-off-caps.args
@@ -0,0 +1,7 @@
+LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test QEMU_AUDIO_DRV=none \
+/usr/bin/qemu-system-s390x -S \
+-machine s390-ccw-virtio,accel=tcg,aes-key-wrap=off \
+-m 214 -smp 1 -nographic -nodefaults \
+-monitor unix:/tmp/test-monitor,server,nowait -no-acpi -boot c \
+-drive file=/dev/HostVG/QEMUGuest1,if=none,id=drive-virtio-disk0 \
+-device virtio-blk-ccw,devno=fe.0.0000,drive=drive-virtio-disk0,id=virtio-disk0
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-machine-aeskeywrap-off-caps.xml
b/tests/qemuxml2argvdata/qemuxml2argv-machine-aeskeywrap-off-caps.xml
new file mode 100644
index 0000000..a0c0037
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-machine-aeskeywrap-off-caps.xml
@@ -0,0 +1,28 @@
+<domain type='qemu'>
+ <name>QEMUGuest1</name>
+ <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+ <memory unit='KiB'>219100</memory>
+ <currentMemory unit='KiB'>219100</currentMemory>
+ <vcpu placement='static'>1</vcpu>
+ <os>
+ <type arch='s390x' machine='s390-ccw-virtio'>hvm</type>
+ <boot dev='hd'/>
+ </os>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <emulator>/usr/bin/qemu-system-s390x</emulator>
+ <disk type='block' device='disk'>
+ <driver name='qemu' type='raw'/>
+ <source dev='/dev/HostVG/QEMUGuest1'/>
+ <target dev='vda' bus='virtio'/>
+ <address type='ccw' cssid='0xfe' ssid='0x0'
devno='0x0000'/>
+ </disk>
+ <memballoon model='none'/>
+ </devices>
+ <keywrap>
+ <cipher name='aes' state='off'/>
+ </keywrap>
+</domain>
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-machine-aeskeywrap-on-argv.args
b/tests/qemuxml2argvdata/qemuxml2argv-machine-aeskeywrap-on-argv.args
new file mode 100644
index 0000000..2b238d5
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-machine-aeskeywrap-on-argv.args
@@ -0,0 +1,6 @@
+LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test QEMU_AUDIO_DRV=none \
+/usr/bin/qemu-system-s390x -S \
+-machine s390-ccw-virtio,accel=tcg,aes-key-wrap=on \
+-m 214 -smp 1 -nographic -nodefaults \
+-monitor unix:/tmp/test-monitor,server,nowait -no-acpi -boot c \
+-drive file=/dev/HostVG/QEMUGuest1,if=virtio,index=0,id=drive-virtio-disk0
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-machine-aeskeywrap-on-argv.xml
b/tests/qemuxml2argvdata/qemuxml2argv-machine-aeskeywrap-on-argv.xml
new file mode 100644
index 0000000..8aa8f8e
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-machine-aeskeywrap-on-argv.xml
@@ -0,0 +1,27 @@
+<domain type='qemu'>
+ <name>QEMUGuest1</name>
+ <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+ <memory unit='KiB'>219100</memory>
+ <currentMemory unit='KiB'>219100</currentMemory>
+ <vcpu placement='static'>1</vcpu>
+ <os>
+ <type arch='s390x' machine='s390-ccw-virtio'>hvm</type>
+ <boot dev='hd'/>
+ </os>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <emulator>/usr/bin/qemu-system-s390x</emulator>
+ <disk type='block' device='disk'>
+ <driver name='qemu' type='raw'/>
+ <source dev='/dev/HostVG/QEMUGuest1'/>
+ <target dev='vda' bus='virtio'/>
+ </disk>
+ <memballoon model='none'/>
+ </devices>
+ <keywrap>
+ <cipher name='aes' state='on'/>
+ </keywrap>
+</domain>
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-machine-aeskeywrap-on-cap.args
b/tests/qemuxml2argvdata/qemuxml2argv-machine-aeskeywrap-on-cap.args
new file mode 100644
index 0000000..6f6366b
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-machine-aeskeywrap-on-cap.args
@@ -0,0 +1,7 @@
+LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test QEMU_AUDIO_DRV=none \
+/usr/bin/qemu-system-s390x -S \
+-machine s390-ccw-virtio,accel=tcg,aes-key-wrap=on \
+-m 214 -smp 1 -nographic -nodefaults \
+-monitor unix:/tmp/test-monitor,server,nowait -no-acpi -boot c \
+-drive file=/dev/HostVG/QEMUGuest1,if=none,id=drive-virtio-disk0 \
+-device virtio-blk-ccw,devno=fe.0.0000,drive=drive-virtio-disk0,id=virtio-disk0
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-machine-aeskeywrap-on-cap.xml
b/tests/qemuxml2argvdata/qemuxml2argv-machine-aeskeywrap-on-cap.xml
new file mode 100644
index 0000000..768eed1
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-machine-aeskeywrap-on-cap.xml
@@ -0,0 +1,28 @@
+<domain type='qemu'>
+ <name>QEMUGuest1</name>
+ <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+ <memory unit='KiB'>219100</memory>
+ <currentMemory unit='KiB'>219100</currentMemory>
+ <vcpu placement='static'>1</vcpu>
+ <os>
+ <type arch='s390x' machine='s390-ccw-virtio'>hvm</type>
+ <boot dev='hd'/>
+ </os>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <emulator>/usr/bin/qemu-system-s390x</emulator>
+ <disk type='block' device='disk'>
+ <driver name='qemu' type='raw'/>
+ <source dev='/dev/HostVG/QEMUGuest1'/>
+ <target dev='vda' bus='virtio'/>
+ <address type='ccw' cssid='0xfe' ssid='0x0'
devno='0x0000'/>
+ </disk>
+ <memballoon model='none'/>
+ </devices>
+ <keywrap>
+ <cipher name='aes' state='on'/>
+ </keywrap>
+</domain>
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-machine-aeskeywrap-on-caps.args
b/tests/qemuxml2argvdata/qemuxml2argv-machine-aeskeywrap-on-caps.args
new file mode 100644
index 0000000..6f6366b
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-machine-aeskeywrap-on-caps.args
@@ -0,0 +1,7 @@
+LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test QEMU_AUDIO_DRV=none \
+/usr/bin/qemu-system-s390x -S \
+-machine s390-ccw-virtio,accel=tcg,aes-key-wrap=on \
+-m 214 -smp 1 -nographic -nodefaults \
+-monitor unix:/tmp/test-monitor,server,nowait -no-acpi -boot c \
+-drive file=/dev/HostVG/QEMUGuest1,if=none,id=drive-virtio-disk0 \
+-device virtio-blk-ccw,devno=fe.0.0000,drive=drive-virtio-disk0,id=virtio-disk0
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-machine-aeskeywrap-on-caps.xml
b/tests/qemuxml2argvdata/qemuxml2argv-machine-aeskeywrap-on-caps.xml
new file mode 100644
index 0000000..1702e6e
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-machine-aeskeywrap-on-caps.xml
@@ -0,0 +1,27 @@
+<domain type='qemu'>
+ <name>QEMUGuest1</name>
+ <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+ <memory unit='KiB'>219100</memory>
+ <currentMemory unit='KiB'>219100</currentMemory>
+ <vcpu placement='static'>1</vcpu>
+ <os>
+ <type arch='s390x' machine='s390-ccw-virtio'>hvm</type>
+ <boot dev='hd'/>
+ </os>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <emulator>/usr/bin/qemu-system-s390x</emulator>
+ <disk type='block' device='disk'>
+ <source dev='/dev/HostVG/QEMUGuest1'/>
+ <target dev='vda' bus='virtio'/>
+ <address type='ccw' cssid='0xfe' ssid='0x0'
devno='0x0000'/>
+ </disk>
+ <memballoon model='none'/>
+ </devices>
+ <keywrap>
+ <cipher name='aes' state='on'/>
+ </keywrap>
+</domain>
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-machine-deakeywrap-off-argv.args
b/tests/qemuxml2argvdata/qemuxml2argv-machine-deakeywrap-off-argv.args
new file mode 100644
index 0000000..f38c914
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-machine-deakeywrap-off-argv.args
@@ -0,0 +1,6 @@
+LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test QEMU_AUDIO_DRV=none \
+/usr/bin/qemu-system-s390x -S \
+-machine s390-ccw-virtio,accel=tcg,dea-key-wrap=off \
+-m 214 -smp 1 -nographic -nodefaults \
+-monitor unix:/tmp/test-monitor,server,nowait -no-acpi -boot c \
+-drive file=/dev/HostVG/QEMUGuest1,if=virtio,index=0,id=drive-virtio-disk0
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-machine-deakeywrap-off-argv.xml
b/tests/qemuxml2argvdata/qemuxml2argv-machine-deakeywrap-off-argv.xml
new file mode 100644
index 0000000..90b6d9f
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-machine-deakeywrap-off-argv.xml
@@ -0,0 +1,27 @@
+<domain type='qemu'>
+ <name>QEMUGuest1</name>
+ <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+ <memory unit='KiB'>219100</memory>
+ <currentMemory unit='KiB'>219100</currentMemory>
+ <vcpu placement='static'>1</vcpu>
+ <os>
+ <type arch='s390x' machine='s390-ccw-virtio'>hvm</type>
+ <boot dev='hd'/>
+ </os>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <emulator>/usr/bin/qemu-system-s390x</emulator>
+ <disk type='block' device='disk'>
+ <driver name='qemu' type='raw'/>
+ <source dev='/dev/HostVG/QEMUGuest1'/>
+ <target dev='vda' bus='virtio'/>
+ </disk>
+ <memballoon model='none'/>
+ </devices>
+ <keywrap>
+ <cipher name='dea' state='off'/>
+ </keywrap>
+</domain>
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-machine-deakeywrap-off-cap.args
b/tests/qemuxml2argvdata/qemuxml2argv-machine-deakeywrap-off-cap.args
new file mode 100644
index 0000000..e379f15
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-machine-deakeywrap-off-cap.args
@@ -0,0 +1,7 @@
+LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test QEMU_AUDIO_DRV=none \
+/usr/bin/qemu-system-s390x -S \
+-machine s390-ccw-virtio,accel=tcg,dea-key-wrap=off \
+-m 214 -smp 1 -nographic -nodefaults \
+-monitor unix:/tmp/test-monitor,server,nowait -no-acpi -boot c \
+-drive file=/dev/HostVG/QEMUGuest1,if=none,id=drive-virtio-disk0 \
+-device virtio-blk-ccw,devno=fe.0.0000,drive=drive-virtio-disk0,id=virtio-disk0
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-machine-deakeywrap-off-cap.xml
b/tests/qemuxml2argvdata/qemuxml2argv-machine-deakeywrap-off-cap.xml
new file mode 100644
index 0000000..dbc22fc
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-machine-deakeywrap-off-cap.xml
@@ -0,0 +1,28 @@
+<domain type='qemu'>
+ <name>QEMUGuest1</name>
+ <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+ <memory unit='KiB'>219100</memory>
+ <currentMemory unit='KiB'>219100</currentMemory>
+ <vcpu placement='static'>1</vcpu>
+ <os>
+ <type arch='s390x' machine='s390-ccw-virtio'>hvm</type>
+ <boot dev='hd'/>
+ </os>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <emulator>/usr/bin/qemu-system-s390x</emulator>
+ <disk type='block' device='disk'>
+ <driver name='qemu' type='raw'/>
+ <source dev='/dev/HostVG/QEMUGuest1'/>
+ <target dev='vda' bus='virtio'/>
+ <address type='ccw' cssid='0xfe' ssid='0x0'
devno='0x0000'/>
+ </disk>
+ <memballoon model='none'/>
+ </devices>
+ <keywrap>
+ <cipher name='dea' state='off'/>
+ </keywrap>
+</domain>
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-machine-deakeywrap-off-caps.args
b/tests/qemuxml2argvdata/qemuxml2argv-machine-deakeywrap-off-caps.args
new file mode 100644
index 0000000..e379f15
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-machine-deakeywrap-off-caps.args
@@ -0,0 +1,7 @@
+LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test QEMU_AUDIO_DRV=none \
+/usr/bin/qemu-system-s390x -S \
+-machine s390-ccw-virtio,accel=tcg,dea-key-wrap=off \
+-m 214 -smp 1 -nographic -nodefaults \
+-monitor unix:/tmp/test-monitor,server,nowait -no-acpi -boot c \
+-drive file=/dev/HostVG/QEMUGuest1,if=none,id=drive-virtio-disk0 \
+-device virtio-blk-ccw,devno=fe.0.0000,drive=drive-virtio-disk0,id=virtio-disk0
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-machine-deakeywrap-off-caps.xml
b/tests/qemuxml2argvdata/qemuxml2argv-machine-deakeywrap-off-caps.xml
new file mode 100644
index 0000000..dbc22fc
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-machine-deakeywrap-off-caps.xml
@@ -0,0 +1,28 @@
+<domain type='qemu'>
+ <name>QEMUGuest1</name>
+ <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+ <memory unit='KiB'>219100</memory>
+ <currentMemory unit='KiB'>219100</currentMemory>
+ <vcpu placement='static'>1</vcpu>
+ <os>
+ <type arch='s390x' machine='s390-ccw-virtio'>hvm</type>
+ <boot dev='hd'/>
+ </os>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <emulator>/usr/bin/qemu-system-s390x</emulator>
+ <disk type='block' device='disk'>
+ <driver name='qemu' type='raw'/>
+ <source dev='/dev/HostVG/QEMUGuest1'/>
+ <target dev='vda' bus='virtio'/>
+ <address type='ccw' cssid='0xfe' ssid='0x0'
devno='0x0000'/>
+ </disk>
+ <memballoon model='none'/>
+ </devices>
+ <keywrap>
+ <cipher name='dea' state='off'/>
+ </keywrap>
+</domain>
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-machine-deakeywrap-on-argv.args
b/tests/qemuxml2argvdata/qemuxml2argv-machine-deakeywrap-on-argv.args
new file mode 100644
index 0000000..f64e57f
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-machine-deakeywrap-on-argv.args
@@ -0,0 +1,6 @@
+LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test QEMU_AUDIO_DRV=none \
+/usr/bin/qemu-system-s390x -S \
+-machine s390-ccw-virtio,accel=tcg,dea-key-wrap=on \
+-m 214 -smp 1 -nographic -nodefaults \
+-monitor unix:/tmp/test-monitor,server,nowait -no-acpi -boot c \
+-drive file=/dev/HostVG/QEMUGuest1,if=virtio,index=0,id=drive-virtio-disk0
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-machine-deakeywrap-on-argv.xml
b/tests/qemuxml2argvdata/qemuxml2argv-machine-deakeywrap-on-argv.xml
new file mode 100644
index 0000000..76a6a51
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-machine-deakeywrap-on-argv.xml
@@ -0,0 +1,27 @@
+<domain type='qemu'>
+ <name>QEMUGuest1</name>
+ <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+ <memory unit='KiB'>219100</memory>
+ <currentMemory unit='KiB'>219100</currentMemory>
+ <vcpu placement='static'>1</vcpu>
+ <os>
+ <type arch='s390x' machine='s390-ccw-virtio'>hvm</type>
+ <boot dev='hd'/>
+ </os>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <emulator>/usr/bin/qemu-system-s390x</emulator>
+ <disk type='block' device='disk'>
+ <driver name='qemu' type='raw'/>
+ <source dev='/dev/HostVG/QEMUGuest1'/>
+ <target dev='vda' bus='virtio'/>
+ </disk>
+ <memballoon model='none'/>
+ </devices>
+ <keywrap>
+ <cipher name='dea' state='on'/>
+ </keywrap>
+</domain>
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-machine-deakeywrap-on-cap.args
b/tests/qemuxml2argvdata/qemuxml2argv-machine-deakeywrap-on-cap.args
new file mode 100644
index 0000000..9c4b513
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-machine-deakeywrap-on-cap.args
@@ -0,0 +1,7 @@
+LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test QEMU_AUDIO_DRV=none \
+/usr/bin/qemu-system-s390x -S \
+-machine s390-ccw-virtio,accel=tcg,dea-key-wrap=on \
+-m 214 -smp 1 -nographic -nodefaults \
+-monitor unix:/tmp/test-monitor,server,nowait -no-acpi -boot c \
+-drive file=/dev/HostVG/QEMUGuest1,if=none,id=drive-virtio-disk0 \
+-device virtio-blk-ccw,devno=fe.0.0000,drive=drive-virtio-disk0,id=virtio-disk0
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-machine-deakeywrap-on-cap.xml
b/tests/qemuxml2argvdata/qemuxml2argv-machine-deakeywrap-on-cap.xml
new file mode 100644
index 0000000..c0a063b
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-machine-deakeywrap-on-cap.xml
@@ -0,0 +1,28 @@
+<domain type='qemu'>
+ <name>QEMUGuest1</name>
+ <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+ <memory unit='KiB'>219100</memory>
+ <currentMemory unit='KiB'>219100</currentMemory>
+ <vcpu placement='static'>1</vcpu>
+ <os>
+ <type arch='s390x' machine='s390-ccw-virtio'>hvm</type>
+ <boot dev='hd'/>
+ </os>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <emulator>/usr/bin/qemu-system-s390x</emulator>
+ <disk type='block' device='disk'>
+ <driver name='qemu' type='raw'/>
+ <source dev='/dev/HostVG/QEMUGuest1'/>
+ <target dev='vda' bus='virtio'/>
+ <address type='ccw' cssid='0xfe' ssid='0x0'
devno='0x0000'/>
+ </disk>
+ <memballoon model='none'/>
+ </devices>
+ <keywrap>
+ <cipher name='dea' state='on'/>
+ </keywrap>
+</domain>
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-machine-deakeywrap-on-caps.args
b/tests/qemuxml2argvdata/qemuxml2argv-machine-deakeywrap-on-caps.args
new file mode 100644
index 0000000..9c4b513
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-machine-deakeywrap-on-caps.args
@@ -0,0 +1,7 @@
+LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test QEMU_AUDIO_DRV=none \
+/usr/bin/qemu-system-s390x -S \
+-machine s390-ccw-virtio,accel=tcg,dea-key-wrap=on \
+-m 214 -smp 1 -nographic -nodefaults \
+-monitor unix:/tmp/test-monitor,server,nowait -no-acpi -boot c \
+-drive file=/dev/HostVG/QEMUGuest1,if=none,id=drive-virtio-disk0 \
+-device virtio-blk-ccw,devno=fe.0.0000,drive=drive-virtio-disk0,id=virtio-disk0
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-machine-deakeywrap-on-caps.xml
b/tests/qemuxml2argvdata/qemuxml2argv-machine-deakeywrap-on-caps.xml
new file mode 100644
index 0000000..c0a063b
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-machine-deakeywrap-on-caps.xml
@@ -0,0 +1,28 @@
+<domain type='qemu'>
+ <name>QEMUGuest1</name>
+ <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+ <memory unit='KiB'>219100</memory>
+ <currentMemory unit='KiB'>219100</currentMemory>
+ <vcpu placement='static'>1</vcpu>
+ <os>
+ <type arch='s390x' machine='s390-ccw-virtio'>hvm</type>
+ <boot dev='hd'/>
+ </os>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <emulator>/usr/bin/qemu-system-s390x</emulator>
+ <disk type='block' device='disk'>
+ <driver name='qemu' type='raw'/>
+ <source dev='/dev/HostVG/QEMUGuest1'/>
+ <target dev='vda' bus='virtio'/>
+ <address type='ccw' cssid='0xfe' ssid='0x0'
devno='0x0000'/>
+ </disk>
+ <memballoon model='none'/>
+ </devices>
+ <keywrap>
+ <cipher name='dea' state='on'/>
+ </keywrap>
+</domain>
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-machine-keywrap-none-argv.args
b/tests/qemuxml2argvdata/qemuxml2argv-machine-keywrap-none-argv.args
new file mode 100644
index 0000000..9264ec4
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-machine-keywrap-none-argv.args
@@ -0,0 +1,6 @@
+LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test QEMU_AUDIO_DRV=none \
+/usr/bin/qemu-system-s390x -S \
+-machine s390-ccw-virtio,accel=tcg \
+-m 214 -smp 1 -nographic -nodefaults \
+-monitor unix:/tmp/test-monitor,server,nowait -no-acpi -boot c \
+-drive file=/dev/HostVG/QEMUGuest1,if=virtio,index=0,id=drive-virtio-disk0
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-machine-keywrap-none-argv.xml
b/tests/qemuxml2argvdata/qemuxml2argv-machine-keywrap-none-argv.xml
new file mode 100644
index 0000000..0a963a1
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-machine-keywrap-none-argv.xml
@@ -0,0 +1,24 @@
+<domain type='qemu'>
+ <name>QEMUGuest1</name>
+ <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+ <memory unit='KiB'>219100</memory>
+ <currentMemory unit='KiB'>219100</currentMemory>
+ <vcpu placement='static'>1</vcpu>
+ <os>
+ <type arch='s390x' machine='s390-ccw-virtio'>hvm</type>
+ <boot dev='hd'/>
+ </os>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <emulator>/usr/bin/qemu-system-s390x</emulator>
+ <disk type='block' device='disk'>
+ <driver name='qemu' type='raw'/>
+ <source dev='/dev/HostVG/QEMUGuest1'/>
+ <target dev='vda' bus='virtio'/>
+ </disk>
+ <memballoon model='none'/>
+ </devices>
+</domain>
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-machine-keywrap-none-caps.args
b/tests/qemuxml2argvdata/qemuxml2argv-machine-keywrap-none-caps.args
new file mode 100644
index 0000000..f4bd156
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-machine-keywrap-none-caps.args
@@ -0,0 +1,7 @@
+LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test QEMU_AUDIO_DRV=none \
+/usr/bin/qemu-system-s390x -S \
+-machine s390-ccw-virtio,accel=tcg \
+-m 214 -smp 1 -nographic -nodefaults \
+-monitor unix:/tmp/test-monitor,server,nowait -no-acpi -boot c \
+-drive file=/dev/HostVG/QEMUGuest1,if=none,id=drive-virtio-disk0 \
+-device virtio-blk-ccw,devno=fe.0.0000,drive=drive-virtio-disk0,id=virtio-disk0
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-machine-keywrap-none-caps.xml
b/tests/qemuxml2argvdata/qemuxml2argv-machine-keywrap-none-caps.xml
new file mode 100644
index 0000000..9727686
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-machine-keywrap-none-caps.xml
@@ -0,0 +1,25 @@
+<domain type='qemu'>
+ <name>QEMUGuest1</name>
+ <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+ <memory unit='KiB'>219100</memory>
+ <currentMemory unit='KiB'>219100</currentMemory>
+ <vcpu placement='static'>1</vcpu>
+ <os>
+ <type arch='s390x' machine='s390-ccw-virtio'>hvm</type>
+ <boot dev='hd'/>
+ </os>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <emulator>/usr/bin/qemu-system-s390x</emulator>
+ <disk type='block' device='disk'>
+ <driver name='qemu' type='raw'/>
+ <source dev='/dev/HostVG/QEMUGuest1'/>
+ <target dev='vda' bus='virtio'/>
+ <address type='ccw' cssid='0xfe' ssid='0x0'
devno='0x0000'/>
+ </disk>
+ <memballoon model='none'/>
+ </devices>
+</domain>
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-machine-keywrap-none.args
b/tests/qemuxml2argvdata/qemuxml2argv-machine-keywrap-none.args
new file mode 100644
index 0000000..f4bd156
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-machine-keywrap-none.args
@@ -0,0 +1,7 @@
+LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test QEMU_AUDIO_DRV=none \
+/usr/bin/qemu-system-s390x -S \
+-machine s390-ccw-virtio,accel=tcg \
+-m 214 -smp 1 -nographic -nodefaults \
+-monitor unix:/tmp/test-monitor,server,nowait -no-acpi -boot c \
+-drive file=/dev/HostVG/QEMUGuest1,if=none,id=drive-virtio-disk0 \
+-device virtio-blk-ccw,devno=fe.0.0000,drive=drive-virtio-disk0,id=virtio-disk0
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-machine-keywrap-none.xml
b/tests/qemuxml2argvdata/qemuxml2argv-machine-keywrap-none.xml
new file mode 100644
index 0000000..9727686
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-machine-keywrap-none.xml
@@ -0,0 +1,25 @@
+<domain type='qemu'>
+ <name>QEMUGuest1</name>
+ <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+ <memory unit='KiB'>219100</memory>
+ <currentMemory unit='KiB'>219100</currentMemory>
+ <vcpu placement='static'>1</vcpu>
+ <os>
+ <type arch='s390x' machine='s390-ccw-virtio'>hvm</type>
+ <boot dev='hd'/>
+ </os>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <emulator>/usr/bin/qemu-system-s390x</emulator>
+ <disk type='block' device='disk'>
+ <driver name='qemu' type='raw'/>
+ <source dev='/dev/HostVG/QEMUGuest1'/>
+ <target dev='vda' bus='virtio'/>
+ <address type='ccw' cssid='0xfe' ssid='0x0'
devno='0x0000'/>
+ </disk>
+ <memballoon model='none'/>
+ </devices>
+</domain>
diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c
index e67d909..1d42c0a 100644
--- a/tests/qemuxml2argvtest.c
+++ b/tests/qemuxml2argvtest.c
@@ -1574,6 +1574,87 @@ mymain(void)
DO_TEST("memory-hotplug-dimm-addr", QEMU_CAPS_DEVICE_PC_DIMM,
QEMU_CAPS_NUMA,
QEMU_CAPS_DEVICE, QEMU_CAPS_OBJECT_MEMORY_RAM);
+ DO_TEST("machine-aeskeywrap-on-caps",
+ QEMU_CAPS_MACHINE_OPT, QEMU_CAPS_AES_KEY_WRAP,
+ QEMU_CAPS_DEA_KEY_WRAP, QEMU_CAPS_DRIVE,
+ QEMU_CAPS_VIRTIO_SCSI, QEMU_CAPS_DEVICE,
+ QEMU_CAPS_VIRTIO_CCW, QEMU_CAPS_VIRTIO_S390);
+ DO_TEST_FAILURE("machine-aeskeywrap-on-caps", QEMU_CAPS_MACHINE_OPT,
+ QEMU_CAPS_DRIVE, QEMU_CAPS_VIRTIO_SCSI, QEMU_CAPS_DEVICE,
+ QEMU_CAPS_VIRTIO_CCW, QEMU_CAPS_VIRTIO_S390);
+ DO_TEST_FAILURE("machine-aeskeywrap-on-caps", NONE);
+
+ DO_TEST("machine-aeskeywrap-on-cap",
+ QEMU_CAPS_MACHINE_OPT, QEMU_CAPS_AES_KEY_WRAP,
+ QEMU_CAPS_DRIVE, QEMU_CAPS_VIRTIO_SCSI, QEMU_CAPS_DEVICE,
+ QEMU_CAPS_VIRTIO_CCW, QEMU_CAPS_VIRTIO_S390);
+ DO_TEST_FAILURE("machine-aeskeywrap-on-cap", QEMU_CAPS_MACHINE_OPT,
+ QEMU_CAPS_DRIVE, QEMU_CAPS_VIRTIO_SCSI, QEMU_CAPS_DEVICE,
+ QEMU_CAPS_VIRTIO_CCW, QEMU_CAPS_VIRTIO_S390);
+ DO_TEST_FAILURE("machine-aeskeywrap-on-cap", NONE);
+
+ DO_TEST("machine-aeskeywrap-off-caps",
+ QEMU_CAPS_MACHINE_OPT, QEMU_CAPS_AES_KEY_WRAP, QEMU_CAPS_DEA_KEY_WRAP,
+ QEMU_CAPS_DRIVE, QEMU_CAPS_VIRTIO_SCSI, QEMU_CAPS_DEVICE,
+ QEMU_CAPS_VIRTIO_CCW, QEMU_CAPS_VIRTIO_S390);
+ DO_TEST_FAILURE("machine-aeskeywrap-off-caps", QEMU_CAPS_MACHINE_OPT,
+ QEMU_CAPS_DRIVE, QEMU_CAPS_VIRTIO_SCSI, QEMU_CAPS_DEVICE,
+ QEMU_CAPS_VIRTIO_CCW, QEMU_CAPS_VIRTIO_S390);
+ DO_TEST_FAILURE("machine-aeskeywrap-off-caps", NONE);
+
+ DO_TEST("machine-aeskeywrap-off-cap",
+ QEMU_CAPS_MACHINE_OPT, QEMU_CAPS_AES_KEY_WRAP, QEMU_CAPS_DRIVE,
+ QEMU_CAPS_VIRTIO_SCSI, QEMU_CAPS_DEVICE,
+ QEMU_CAPS_VIRTIO_CCW, QEMU_CAPS_VIRTIO_S390);
+ DO_TEST_FAILURE("machine-aeskeywrap-off-cap", QEMU_CAPS_MACHINE_OPT,
+ QEMU_CAPS_DRIVE, QEMU_CAPS_VIRTIO_SCSI, QEMU_CAPS_DEVICE,
+ QEMU_CAPS_VIRTIO_CCW, QEMU_CAPS_VIRTIO_S390);
+ DO_TEST_FAILURE("machine-aeskeywrap-off-cap", NONE);
+
+ DO_TEST("machine-deakeywrap-on-caps",
+ QEMU_CAPS_MACHINE_OPT, QEMU_CAPS_AES_KEY_WRAP, QEMU_CAPS_DEA_KEY_WRAP,
+ QEMU_CAPS_DRIVE, QEMU_CAPS_VIRTIO_SCSI, QEMU_CAPS_DEVICE,
+ QEMU_CAPS_VIRTIO_CCW, QEMU_CAPS_VIRTIO_S390);
+ DO_TEST_FAILURE("machine-deakeywrap-on-caps", QEMU_CAPS_MACHINE_OPT,
QEMU_CAPS_DRIVE,
+ QEMU_CAPS_VIRTIO_SCSI, QEMU_CAPS_DEVICE,
+ QEMU_CAPS_VIRTIO_CCW, QEMU_CAPS_VIRTIO_S390);
+ DO_TEST_FAILURE("machine-deakeywrap-on-caps", NONE);
+
+ DO_TEST("machine-deakeywrap-on-cap",
+ QEMU_CAPS_MACHINE_OPT, QEMU_CAPS_DEA_KEY_WRAP, QEMU_CAPS_DRIVE,
+ QEMU_CAPS_VIRTIO_SCSI, QEMU_CAPS_DEVICE,
+ QEMU_CAPS_VIRTIO_CCW, QEMU_CAPS_VIRTIO_S390);
+ DO_TEST_FAILURE("machine-deakeywrap-on-cap", QEMU_CAPS_MACHINE_OPT,
+ QEMU_CAPS_DRIVE, QEMU_CAPS_VIRTIO_SCSI, QEMU_CAPS_DEVICE,
+ QEMU_CAPS_VIRTIO_CCW, QEMU_CAPS_VIRTIO_S390);
+ DO_TEST_FAILURE("machine-deakeywrap-on-cap", NONE);
+
+ DO_TEST("machine-deakeywrap-off-caps",
+ QEMU_CAPS_MACHINE_OPT, QEMU_CAPS_AES_KEY_WRAP, QEMU_CAPS_DEA_KEY_WRAP,
+ QEMU_CAPS_DRIVE, QEMU_CAPS_VIRTIO_SCSI, QEMU_CAPS_DEVICE,
+ QEMU_CAPS_VIRTIO_CCW, QEMU_CAPS_VIRTIO_S390);
+ DO_TEST_FAILURE("machine-deakeywrap-off-caps", QEMU_CAPS_MACHINE_OPT,
+ QEMU_CAPS_DRIVE, QEMU_CAPS_VIRTIO_SCSI, QEMU_CAPS_DEVICE,
+ QEMU_CAPS_VIRTIO_CCW, QEMU_CAPS_VIRTIO_S390);
+ DO_TEST_FAILURE("machine-deakeywrap-off-caps", NONE);
+
+ DO_TEST("machine-deakeywrap-off-cap",
+ QEMU_CAPS_MACHINE_OPT, QEMU_CAPS_DEA_KEY_WRAP, QEMU_CAPS_DRIVE,
+ QEMU_CAPS_VIRTIO_SCSI, QEMU_CAPS_DEVICE,
+ QEMU_CAPS_VIRTIO_CCW, QEMU_CAPS_VIRTIO_S390);
+ DO_TEST_FAILURE("machine-deakeywrap-off-cap", QEMU_CAPS_MACHINE_OPT,
+ QEMU_CAPS_DRIVE, QEMU_CAPS_VIRTIO_SCSI, QEMU_CAPS_DEVICE,
+ QEMU_CAPS_VIRTIO_CCW, QEMU_CAPS_VIRTIO_S390);
+ DO_TEST_FAILURE("machine-deakeywrap-off-cap", NONE);
+
+ DO_TEST("machine-keywrap-none-caps",
+ QEMU_CAPS_MACHINE_OPT, QEMU_CAPS_AES_KEY_WRAP, QEMU_CAPS_DEA_KEY_WRAP,
+ QEMU_CAPS_DRIVE, QEMU_CAPS_VIRTIO_SCSI, QEMU_CAPS_DEVICE,
+ QEMU_CAPS_VIRTIO_CCW, QEMU_CAPS_VIRTIO_S390);
+ DO_TEST("machine-keywrap-none",
+ QEMU_CAPS_MACHINE_OPT, QEMU_CAPS_DRIVE, QEMU_CAPS_VIRTIO_SCSI,
+ QEMU_CAPS_DEVICE, QEMU_CAPS_VIRTIO_CCW, QEMU_CAPS_VIRTIO_S390);
+
virObjectUnref(driver.config);
virObjectUnref(driver.caps);
virObjectUnref(driver.xmlopt);
--
2.3.6
11:27 a.m.
New subject: [libvirt] [PATCH v2 4/4] libvirt: tests: test protected key mgmt ops support
On Fri, May 15, 2015 at 04:43:30PM +0200, Michal Privoznik wrote:
From: Tony Krowiak <aekrowia(a)us.ibm.com>
Test the support for enabling/disabling CPACF protected key management
operations for a guest.
Signed-off-by: Tony Krowiak <akrowiak(a)linux.vnet.ibm.com>
Signed-off-by: Viktor Mihajlovski <mihajlov(a)linux.vnet.ibm.com>
Reviewed-by: Boris Fiuczynski <fiuczy(a)linux.vnet.ibm.com>
Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
---
ACK, this should be squashed with the patch adding the qemu command line
formatting.
Jan
3 a.m.
On 15.05.2015 16:43, Michal Privoznik wrote:
I've taken Tony's patches from here:
https://www.redhat.com/archives/libvir-list/2015-April/msg01395.html
polished them a bit, and resend.
Tony Krowiak (4):
libvirt: docs: XML to enable/disable protected key mgmt ops
libvirt: conf: parse XML for protected key management ops
libvirt: qemu: enable/disable protected key management ops
libvirt: tests: test protected key mgmt ops support
Thank you guys, I've fixed all the nits and pushed.
Michal
3476
days inactive
3479
days old
12 comments
4 participants
participants (4)
-
John Ferlan -
Ján Tomko -
Michal Privoznik -
Tony Krowiak