virt-manager/virtinst/domain/launch_security.py

from ..xmlbuilder import XMLBuilder, XMLProperty


class DomainLaunchSecurity(XMLBuilder):
    """
    Class for generating <launchSecurity> XML element
    """

    XML_NAME = "launchSecurity"
    _XML_PROP_ORDER = ["type", "cbitpos", "reducedPhysBits", "policy",
            "session", "dhCert"]

    type = XMLProperty("./@type")
    cbitpos = XMLProperty("./cbitpos", is_int=True)
    reducedPhysBits = XMLProperty("./reducedPhysBits", is_int=True)
    policy = XMLProperty("./policy")
    session = XMLProperty("./session")
    dhCert = XMLProperty("./dhCert")

    def is_sev(self):
        return self.type == "sev"

    def validate(self):
        if not self.type:
            raise RuntimeError(_("Missing mandatory attribute 'type'"))

    def _set_defaults_sev(self, guest):
        # SeaBIOS doesn't have support for SEV. Q35 defaults to virtio 1.0,
        # which we need so let's not go through the 'virtio-transitional'
        # exercise for pc-i440fx to make SEV work, AMD recommends Q35 anyway
        # NOTE: at some point both of these platform checks should be put in
        # validate(), once that accepts the 'guest' instance
        if guest.os.machine != "q35" or guest.os.loader_type != "pflash":
            raise RuntimeError(_("SEV launch security requires a Q35 UEFI machine"))

        # libvirt or QEMU might not support SEV
        domcaps = guest.lookup_domcaps()
        if not domcaps.supports_sev_launch_security():
            raise RuntimeError(_("SEV launch security is not supported on this platform"))

        # 'policy' is a mandatory 4-byte argument for the SEV firmware,
        # if missing, let's use 0x03 which, according to the table at
        # https://libvirt.org/formatdomain.html#launchSecurity:
        # (bit 0) - disables the debugging mode
        # (bit 1) - disables encryption key sharing across multiple guests
        if self.policy is None:
            self.policy = "0x03"

        if self.cbitpos is None:
            self.cbitpos = domcaps.features.sev.cbitpos
        if self.reducedPhysBits is None:
            self.reducedPhysBits = domcaps.features.sev.reducedPhysBits

    def set_defaults(self, guest):
        if self.is_sev():
            return self._set_defaults_sev(guest)
virtinst: cli: Introduce parser support for SEV launch security Introduce both the launchSecurity XML and parser classes. While at it, add launchSecurity as a property instance to the Guest class too. The parser requires the 'type' argument to be mandatory since in the future it will determine different code paths, therefore '--launchSecurity foo=bar' is incorrect. Reviewed-by: Cole Robinson <crobinso@redhat.com> Signed-off-by: Erik Skultety <eskultet@redhat.com> 2019-06-11 17:41:57 +02:00			`from ..xmlbuilder import XMLBuilder, XMLProperty`


			`class DomainLaunchSecurity(XMLBuilder):`
			`"""`
			`Class for generating <launchSecurity> XML element`
			`"""`

			`XML_NAME = "launchSecurity"`
			`_XML_PROP_ORDER = ["type", "cbitpos", "reducedPhysBits", "policy",`
			`"session", "dhCert"]`

			`type = XMLProperty("./@type")`
			`cbitpos = XMLProperty("./cbitpos", is_int=True)`
			`reducedPhysBits = XMLProperty("./reducedPhysBits", is_int=True)`
			`policy = XMLProperty("./policy")`
			`session = XMLProperty("./session")`
			`dhCert = XMLProperty("./dhCert")`

			`def is_sev(self):`
			`return self.type == "sev"`

			`def validate(self):`
			`if not self.type:`
			`raise RuntimeError(_("Missing mandatory attribute 'type'"))`
virtinst: cli: Provide a default value for the 'policy' argument Policy is a 4-byte bitfield used to turn on/off certain behaviour within the SEV firmware. For a detailed table of supported flags, see https://libvirt.org/formatdomain.html#launchSecurity. Most of the flags are related to advanced features (some of them don't even exist at the moment), except for the first 2 bits which determine whether debug mode should be turned on and whether the same key should be used to encrypt memory of multiple guests respectively. >From security POV, most users will probably want separate keys for individual guests, thus the value 0x03 was selected as the policy default. Reviewed-by: Cole Robinson <crobinso@redhat.com> Signed-off-by: Erik Skultety <eskultet@redhat.com> 2019-06-11 17:41:58 +02:00
virtinst: guest: Fill in SEV platform specific data automatically The data in question are 'cbitpos' denoting which addressing bit is the encryption bit and 'reduced_phys_bits' denoting how many physical address space we lose by turning on the encryption. Both of these are hypervisor dependent and thus will be the same for all the guest residing on the same host, but need to be specified for future migration purposes. But given we can probe them from domain capabilities, we don't need the user to provide them and thus enhancing cli user experience. This requires a new _SEV domaincapabilities XML class to be created so that we can query the specific properties. Reviewed-by: Cole Robinson <crobinso@redhat.com> Signed-off-by: Erik Skultety <eskultet@redhat.com> 2019-06-11 17:41:59 +02:00			`def _set_defaults_sev(self, guest):`
virtinst: guest: Provide further SEV support checks These include platform checks - libvirt & QEMU - as well as configuration - SEV is only supported with UEFI. Another configuration requirement made in this patch is Q35 machine, since ADM recommends Q35 in their setups even though SEV can work with the legacy PC machine type, but we'd have to turn on virtio-non-transitional for all virtio devices with some other potential pitfalls along the way. Reviewed-by: Cole Robinson <crobinso@redhat.com> Signed-off-by: Erik Skultety <eskultet@redhat.com> 2019-06-11 17:42:00 +02:00			`# SeaBIOS doesn't have support for SEV. Q35 defaults to virtio 1.0,`
			`# which we need so let's not go through the 'virtio-transitional'`
			`# exercise for pc-i440fx to make SEV work, AMD recommends Q35 anyway`
			`# NOTE: at some point both of these platform checks should be put in`
			`# validate(), once that accepts the 'guest' instance`
			`if guest.os.machine != "q35" or guest.os.loader_type != "pflash":`
			`raise RuntimeError(_("SEV launch security requires a Q35 UEFI machine"))`

			`# libvirt or QEMU might not support SEV`
virtinst: guest: Fill in SEV platform specific data automatically The data in question are 'cbitpos' denoting which addressing bit is the encryption bit and 'reduced_phys_bits' denoting how many physical address space we lose by turning on the encryption. Both of these are hypervisor dependent and thus will be the same for all the guest residing on the same host, but need to be specified for future migration purposes. But given we can probe them from domain capabilities, we don't need the user to provide them and thus enhancing cli user experience. This requires a new _SEV domaincapabilities XML class to be created so that we can query the specific properties. Reviewed-by: Cole Robinson <crobinso@redhat.com> Signed-off-by: Erik Skultety <eskultet@redhat.com> 2019-06-11 17:41:59 +02:00			`domcaps = guest.lookup_domcaps()`
virtinst: guest: Provide further SEV support checks These include platform checks - libvirt & QEMU - as well as configuration - SEV is only supported with UEFI. Another configuration requirement made in this patch is Q35 machine, since ADM recommends Q35 in their setups even though SEV can work with the legacy PC machine type, but we'd have to turn on virtio-non-transitional for all virtio devices with some other potential pitfalls along the way. Reviewed-by: Cole Robinson <crobinso@redhat.com> Signed-off-by: Erik Skultety <eskultet@redhat.com> 2019-06-11 17:42:00 +02:00			`if not domcaps.supports_sev_launch_security():`
			`raise RuntimeError(_("SEV launch security is not supported on this platform"))`
virtinst: guest: Fill in SEV platform specific data automatically The data in question are 'cbitpos' denoting which addressing bit is the encryption bit and 'reduced_phys_bits' denoting how many physical address space we lose by turning on the encryption. Both of these are hypervisor dependent and thus will be the same for all the guest residing on the same host, but need to be specified for future migration purposes. But given we can probe them from domain capabilities, we don't need the user to provide them and thus enhancing cli user experience. This requires a new _SEV domaincapabilities XML class to be created so that we can query the specific properties. Reviewed-by: Cole Robinson <crobinso@redhat.com> Signed-off-by: Erik Skultety <eskultet@redhat.com> 2019-06-11 17:41:59 +02:00
virtinst: cli: Provide a default value for the 'policy' argument Policy is a 4-byte bitfield used to turn on/off certain behaviour within the SEV firmware. For a detailed table of supported flags, see https://libvirt.org/formatdomain.html#launchSecurity. Most of the flags are related to advanced features (some of them don't even exist at the moment), except for the first 2 bits which determine whether debug mode should be turned on and whether the same key should be used to encrypt memory of multiple guests respectively. >From security POV, most users will probably want separate keys for individual guests, thus the value 0x03 was selected as the policy default. Reviewed-by: Cole Robinson <crobinso@redhat.com> Signed-off-by: Erik Skultety <eskultet@redhat.com> 2019-06-11 17:41:58 +02:00			`# 'policy' is a mandatory 4-byte argument for the SEV firmware,`
			`# if missing, let's use 0x03 which, according to the table at`
			`# https://libvirt.org/formatdomain.html#launchSecurity:`
			`# (bit 0) - disables the debugging mode`
			`# (bit 1) - disables encryption key sharing across multiple guests`
			`if self.policy is None:`
			`self.policy = "0x03"`

virtinst: guest: Fill in SEV platform specific data automatically The data in question are 'cbitpos' denoting which addressing bit is the encryption bit and 'reduced_phys_bits' denoting how many physical address space we lose by turning on the encryption. Both of these are hypervisor dependent and thus will be the same for all the guest residing on the same host, but need to be specified for future migration purposes. But given we can probe them from domain capabilities, we don't need the user to provide them and thus enhancing cli user experience. This requires a new _SEV domaincapabilities XML class to be created so that we can query the specific properties. Reviewed-by: Cole Robinson <crobinso@redhat.com> Signed-off-by: Erik Skultety <eskultet@redhat.com> 2019-06-11 17:41:59 +02:00			`if self.cbitpos is None:`
			`self.cbitpos = domcaps.features.sev.cbitpos`
			`if self.reducedPhysBits is None:`
			`self.reducedPhysBits = domcaps.features.sev.reducedPhysBits`

virtinst: cli: Provide a default value for the 'policy' argument Policy is a 4-byte bitfield used to turn on/off certain behaviour within the SEV firmware. For a detailed table of supported flags, see https://libvirt.org/formatdomain.html#launchSecurity. Most of the flags are related to advanced features (some of them don't even exist at the moment), except for the first 2 bits which determine whether debug mode should be turned on and whether the same key should be used to encrypt memory of multiple guests respectively. >From security POV, most users will probably want separate keys for individual guests, thus the value 0x03 was selected as the policy default. Reviewed-by: Cole Robinson <crobinso@redhat.com> Signed-off-by: Erik Skultety <eskultet@redhat.com> 2019-06-11 17:41:58 +02:00			`def set_defaults(self, guest):`
			`if self.is_sev():`
virtinst: guest: Fill in SEV platform specific data automatically The data in question are 'cbitpos' denoting which addressing bit is the encryption bit and 'reduced_phys_bits' denoting how many physical address space we lose by turning on the encryption. Both of these are hypervisor dependent and thus will be the same for all the guest residing on the same host, but need to be specified for future migration purposes. But given we can probe them from domain capabilities, we don't need the user to provide them and thus enhancing cli user experience. This requires a new _SEV domaincapabilities XML class to be created so that we can query the specific properties. Reviewed-by: Cole Robinson <crobinso@redhat.com> Signed-off-by: Erik Skultety <eskultet@redhat.com> 2019-06-11 17:41:59 +02:00			`return self._set_defaults_sev(guest)`