- The contents of the <launch-security type='sev'> element
+ The contents of the <launchSecurity type='sev'> element
is used to provide the guest owners input used for creating an encrypted
- VM using the AMD SEV feature.
+ VM using the AMD SEV feature (Secure Encrypted Virtualization).
SEV is an extension to the AMD-V architecture which supports running
encrypted virtual machine (VMs) under the control of KVM. Encrypted
@@ -8480,13 +8480,13 @@ qemu-kvm -net nic,model=? /dev/null
@@ -8498,8 +8498,8 @@ qemu-kvm -net nic,model=? /dev/null
hypervisor dependent and can be obtained through the sev element
from the domain capabilities.
-
reduced-phys-bits
-
The required reduced-phys-bits element provides the physical
+
reducedPhysBits
+
The required reducedPhysBits element provides the physical
address bit reducation. Similar to cbitpos the value of
reduced-phys-bit is hypervisor dependent and can be obtained
through the sev element from the domain capabilities.
@@ -8558,8 +8558,8 @@ qemu-kvm -net nic,model=? /dev/null
-
dh-cert
-
The optional dh-cert element provides the guest owners
+
dhCert
+
The optional dhCert element provides the guest owners
base64 encoded Diffie-Hellman (DH) key. The key is used to negotiate a
master secret key between the SEV firmware and guest owner. This master
secret key is then used to establish a trusted channel between SEV
diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
index 1d06a5ea89..4a454dddb4 100644
--- a/docs/schemas/domaincommon.rng
+++ b/docs/schemas/domaincommon.rng
@@ -78,7 +78,7 @@
-
+
@@ -439,8 +439,8 @@
-
-
+
+ sev
@@ -448,7 +448,7 @@
-
+
@@ -460,7 +460,7 @@
-
+
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index 85f07af46e..ac5484d070 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -15862,7 +15862,7 @@ virDomainSEVDefParseXML(xmlNodePtr sevNode,
if (!(type = virXMLPropString(sevNode, "type"))) {
virReportError(VIR_ERR_XML_ERROR, "%s",
- _("missing launch-security type"));
+ _("missing launch security type"));
goto error;
}
@@ -15874,33 +15874,33 @@ virDomainSEVDefParseXML(xmlNodePtr sevNode,
case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
default:
virReportError(VIR_ERR_XML_ERROR,
- _("unsupported launch-security type '%s'"),
+ _("unsupported launch security type '%s'"),
type);
goto error;
}
if (virXPathUInt("string(./cbitpos)", ctxt, &def->cbitpos) < 0) {
virReportError(VIR_ERR_XML_ERROR, "%s",
- _("failed to get launch-security cbitpos"));
+ _("failed to get launch security cbitpos"));
goto error;
}
- if (virXPathUInt("string(./reduced-phys-bits)", ctxt,
+ if (virXPathUInt("string(./reducedPhysBits)", ctxt,
&def->reduced_phys_bits) < 0) {
virReportError(VIR_ERR_XML_ERROR, "%s",
- _("failed to get launch-security reduced-phys-bits"));
+ _("failed to get launch security reduced-phys-bits"));
goto error;
}
if (virXPathULongHex("string(./policy)", ctxt, &policy) < 0) {
virReportError(VIR_ERR_XML_ERROR, "%s",
- _("failed to get launch-security policy"));
+ _("failed to get launch security policy"));
goto error;
}
def->policy = policy;
- if ((tmp = virXPathString("string(./dh-cert)", ctxt))) {
+ if ((tmp = virXPathString("string(./dhCert)", ctxt))) {
if (VIR_STRDUP(def->dh_cert, tmp) < 0)
goto error;
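Review bot: The error message for the renamed element still uses the old spelling. The lookup is now `string(./reducedPhysBits)`, but the report on failure reads "failed to get launch security reduced-phys-bits", which points the user at an element name the parser no longer accepts. Suggest `_("failed to get launch security reducedPhysBits"));` so the message matches the XPath. virDomainSEVDefParseXML begins and ends outside this hunk.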
@@ -20730,7 +20730,7 @@ virDomainDefParseXML(xmlDocPtr xml,
VIR_FREE(nodes);
/* Check for SEV feature */
- if ((node = virXPathNode("./launch-security", ctxt)) != NULL) {
+ if ((node = virXPathNode("./launchSecurity", ctxt)) != NULL) {
def->sev = virDomainSEVDefParseXML(node, ctxt);
if (!def->sev)
goto error;
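Review bot: A domain XML that still carries the old `launch-security` element no longer matches this lookup, so `def->sev` is never set and the domain is parsed as a non-SEV guest with no error, unless schema validation rejects it first. For a setting whose absence presumably means the guest starts without memory encryption, a hard failure is safer than a silent downgrade. Consider rejecting the old spelling explicitly before this check, e.g. `if (virXPathNode("./launch-security", ctxt)) { virReportError(VIR_ERR_XML_ERROR, "%s", _("launch-security was renamed to launchSecurity")); goto error; }`. The optional `dhCert` lookup in the virDomainSEVDefParseXML hunk behaves the same way: an old `dh-cert` child is ignored and parsing succeeds without the guest owner's DH key. Whether any XML with the old names exists outside the test data cannot be determined from this page.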
@@ -26771,22 +26771,22 @@ virDomainSEVDefFormat(virBufferPtr buf, virDomainSevDefPtr sev)
if (!sev)
return;
- virBufferAsprintf(buf, "\n",
+ virBufferAsprintf(buf, "\n",
virDomainLaunchSecurityTypeToString(sev->sectype));
virBufferAdjustIndent(buf, 2);
virBufferAsprintf(buf, "%d\n", sev->cbitpos);
- virBufferAsprintf(buf, "%d\n",
+ virBufferAsprintf(buf, "%d\n",
sev->reduced_phys_bits);
virBufferAsprintf(buf, "0x%04x\n", sev->policy);
if (sev->dh_cert)
- virBufferEscapeString(buf, "%s\n", sev->dh_cert);
+ virBufferEscapeString(buf, "%s\n", sev->dh_cert);
if (sev->session)
virBufferEscapeString(buf, "%s\n", sev->session);
virBufferAdjustIndent(buf, -2);
- virBufferAddLit(buf, "\n");
+ virBufferAddLit(buf, "\n");
}
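Review bot: `reduced_phys_bits` and `cbitpos` are filled through `virXPathUInt` in the parser hunk, which suggests both are unsigned, yet the formatter prints them with `%d`. A value above INT_MAX would be written out as a negative number and then fail to parse on the next round-trip. Using `%u` in the two `virBufferAsprintf` calls would keep formatting and parsing symmetric. The struct definition is not visible on this page, so confirm the field types before changing the specifier.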
diff --git a/tests/genericxml2xmlindata/launch-security-sev.xml b/tests/genericxml2xmlindata/launch-security-sev.xml
index fb64e1e4be..c25cfbbf14 100644
--- a/tests/genericxml2xmlindata/launch-security-sev.xml
+++ b/tests/genericxml2xmlindata/launch-security-sev.xml
@@ -14,11 +14,11 @@
destroy
-
+ 47
- 1
+ 10x0001
- AQAAAAAOAAAAQAAAAAOAAAAQAAAAAOAAAAQAAAAAOAAAAQAAAAAOAAA
+ AQAAAAAOAAAAQAAAAAOAAAAQAAAAAOAAAAQAAAAAOAAAAQAAAAAOAAAIHAVENOIDEABUTJUSTPROVIDINGASTRING
-
+
diff --git a/tests/qemuxml2argvdata/launch-security-sev.xml b/tests/qemuxml2argvdata/launch-security-sev.xml
index 5ae83f61c1..b73defd6ee 100644
--- a/tests/qemuxml2argvdata/launch-security-sev.xml
+++ b/tests/qemuxml2argvdata/launch-security-sev.xml
@@ -27,11 +27,11 @@
-
+ 47
- 1
+ 10x0001
- AQAAAAAOAAAAQAAAAAOAAAAQAAAAAOAAAAQAAAAAOAAAAQAAAAAOAAA
+ AQAAAAAOAAAAQAAAAAOAAAAQAAAAAOAAAAQAAAAAOAAAAQAAAAAOAAAIHAVENOIDEABUTJUSTPROVIDINGASTRING
-
+