domcapabilities: introduce get_cpu_security_features

Get all CPU security features that we should enable for guests. In order to do that we need to get CPU definition from domain capabilities and modify the XML so it is in required format for libvirt CPU baseline APIs. We will prefer the baselineHypervisorCPU API because that considers what QEMU actually supports and we will fallback to baselineCPU API if the better one is not supported by libvirt. This way we can figure out which of the security features are actually available on that specific host for that specific QEMU binary. Signed-off-by: Pavel Hrdina <phrdina@redhat.com> Reviewed-by: Cole Robinson <crobinso@redhat.com>
2025-03-09 08:58:27 +03:00 · 2019-03-15 09:49:56 +01:00 · 2019-03-15 09:49:56 +01:00 · 4a8b6363c0
commit 4a8b6363c0
parent 95d1275f57
1 changed files with 57 additions and 0 deletions
--- a/virtinst/domcapabilities.py
+++ b/virtinst/domcapabilities.py
@ -8,7 +8,11 @@

 import logging
 import re
+import xml.etree.ElementTree as ET

+import libvirt
+
+from .domain import DomainCpu
 from .xmlbuilder import XMLBuilder, XMLChildProperty, XMLProperty


@ -244,6 +248,59 @@ class DomainCapabilities(XMLBuilder):

        return models

+    def _convert_mode_to_cpu(self, xml):
+        root = ET.fromstring(xml)
+        root.tag = "cpu"
+        root.attrib = None
+        arch = ET.SubElement(root, "arch")
+        arch.text = self.arch
+        return ET.tostring(root, encoding="unicode")
+
+    def _get_expandned_cpu(self, mode):
+        cpuXML = self._convert_mode_to_cpu(mode.get_xml())
+        logging.debug("CPU XML for security flag baseline: %s", cpuXML)
+
+        try:
+            expandedXML = self.conn.baselineHypervisorCPU(
+                    self.path, self.arch, self.machine, self.domain, [cpuXML],
+                    libvirt.VIR_CONNECT_BASELINE_CPU_EXPAND_FEATURES)
+        except libvirt.libvirtError:
+            expandedXML = self.conn.baselineCPU([cpuXML],
+                    libvirt.VIR_CONNECT_BASELINE_CPU_EXPAND_FEATURES)
+
+        logging.debug("Expanded CPU XML: %s", expandedXML)
+
+        return DomainCpu(self.conn, expandedXML)
+
+    def get_cpu_security_features(self):
+        sec_features = [
+                'pcid',
+                'spec-ctrl',
+                'ssbd',
+                'pdpe1gb',
+                'ibpb',
+                'virt-ssbd',
+                'amd-ssbd',
+                'amd-no-ssb']
+
+        features = []
+
+        for m in self.cpu.modes:
+            if m.name != "host-model" or not m.supported:
+                continue
+
+            try:
+                cpu = self._get_expandned_cpu(m)
+            except libvirt.libvirtError as e:
+                logging.warning(_("Failed to get expanded CPU XML: %s"), e)
+                break
+
+            for feature in cpu.features:
+                if feature.name in sec_features:
+                    features.append(feature.name)
+
+        return features
+

    XML_NAME = "domainCapabilities"
    os = XMLChildProperty(_OS, is_single=True)