virtinst: cli: Provide a default value for the 'policy' argument
Policy is a 4-byte bitfield used to turn on/off certain behaviour within the SEV firmware. For a detailed table of supported flags, see https://libvirt.org/formatdomain.html#launchSecurity. Most of the flags are related to advanced features (some of them don't even exist at the moment), except for the first 2 bits which determine whether debug mode should be turned on and whether the same key should be used to encrypt memory of multiple guests respectively. From a security POV, most users will probably want separate keys for individual guests, thus the value 0x03 was selected as the policy default. Reviewed-by: Cole Robinson <crobinso@redhat.com> Signed-off-by: Erik Skultety <eskultet@redhat.com>
This commit is contained in:
parent
45f3a47c84
commit
480a6834c2
@ -898,6 +898,7 @@ c.add_invalid("--disk none --location nfs:example.com/fake --nonetworks") # Usi
|
||||
|
||||
c = vinst.add_category("kvm-x86_64-launch-security", "--disk none --noautoconsole")
|
||||
c.add_compare("--boot uefi --machine q35 --launchSecurity type=sev,reducedPhysBits=1,policy=0x0001,cbitpos=47,dhCert=BASE64CERT,session=BASE64SESSION --connect " + utils.URIs.kvm_amd_sev, "x86_64-launch-security-sev-full") # Full cmdline
|
||||
c.add_valid("--boot uefi --machine q35 --launchSecurity sev,reducedPhysBits=1,cbitpos=47 --connect " + utils.URIs.kvm_amd_sev) # Default policy == 0x0003 will be used
|
||||
c.add_invalid("--launchSecurity policy=0x0001 --connect " + utils.URIs.kvm_amd_sev) # Missing launchSecurity 'type'
|
||||
|
||||
|
||||
|
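Review bot: The `add_valid` case annotated "Default policy == 0x0003 will be used" only proves the command line is accepted; nothing in this hunk checks that the generated domain XML actually carries the hardened default, so a regression that silently dropped or changed the fallback would still pass. Pin it with a compare test instead, e.g. `c.add_compare("--boot uefi --machine q35 --launchSecurity sev,reducedPhysBits=1,cbitpos=47 --connect " + utils.URIs.kvm_amd_sev, "<constructed: x86_64-launch-security-sev-default>")` with the expected `<policy>0x03</policy>` in the compare file. This page does not mark which of the lines is the single addition; the comment text suggests it is the `add_valid` line.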
@ -23,3 +23,16 @@ class DomainLaunchSecurity(XMLBuilder):
|
||||
def validate(self):
|
||||
if not self.type:
|
||||
raise RuntimeError(_("Missing mandatory attribute 'type'"))
|
||||
|
||||
def _set_defaults_sev(self):
|
||||
# 'policy' is a mandatory 4-byte argument for the SEV firmware,
|
||||
# if missing, let's use 0x03 which, according to the table at
|
||||
# https://libvirt.org/formatdomain.html#launchSecurity:
|
||||
# (bit 0) - disables the debugging mode
|
||||
# (bit 1) - disables encryption key sharing across multiple guests
|
||||
if self.policy is None:
|
||||
self.policy = "0x03"
|
||||
|
||||
def set_defaults(self, guest):
|
||||
if self.is_sev():
|
||||
return self._set_defaults_sev()
|
||||
|
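Review bot: `_set_defaults_sev` applies the hardened `0x03` only when `self.policy is None`, so a policy supplied explicitly by the user — including one that clears bit 0 or bit 1 — is passed through as given, and the comment block above the check should say so: `# Only an absent policy gets the hardened default; an explicit value (including one with bits 0/1 cleared) is honored as-is.` Whether an empty-string policy from the XML property would also be treated as absent cannot be told from here and is worth confirming. As a point of style, `return self._set_defaults_sev()` in `set_defaults` returns the helper's implicit `None`; `if self.is_sev(): self._set_defaults_sev()` states the intent more plainly. The enclosing class `DomainLaunchSecurity` starts outside the hunk, and the old/new side of each line is not marked on this rendered page.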
@ -684,6 +684,7 @@ class Guest(XMLBuilder):
|
||||
seclabel.set_defaults(self)
|
||||
self.pm.set_defaults(self)
|
||||
self.os.set_defaults(self)
|
||||
self.launchSecurity.set_defaults(self)
|
||||
|
||||
for dev in self.devices.get_all():
|
||||
dev.set_defaults(self)
|
||||
|