mirror of
https://github.com/virt-manager/virt-manager.git
synced 2025-01-06 13:17:58 +03:00
8ab9dcd33f
These include platform checks - libvirt & QEMU - as well as configuration - SEV is only supported with UEFI. Another configuration requirement made in this patch is Q35 machine, since ADM recommends Q35 in their setups even though SEV can work with the legacy PC machine type, but we'd have to turn on virtio-non-transitional for all virtio devices with some other potential pitfalls along the way. Reviewed-by: Cole Robinson <crobinso@redhat.com> Signed-off-by: Erik Skultety <eskultet@redhat.com>
57 lines
2.2 KiB
Python
57 lines
2.2 KiB
Python
from ..xmlbuilder import XMLBuilder, XMLProperty
|
|
|
|
|
|
class DomainLaunchSecurity(XMLBuilder):
|
|
"""
|
|
Class for generating <launchSecurity> XML element
|
|
"""
|
|
|
|
XML_NAME = "launchSecurity"
|
|
_XML_PROP_ORDER = ["type", "cbitpos", "reducedPhysBits", "policy",
|
|
"session", "dhCert"]
|
|
|
|
type = XMLProperty("./@type")
|
|
cbitpos = XMLProperty("./cbitpos", is_int=True)
|
|
reducedPhysBits = XMLProperty("./reducedPhysBits", is_int=True)
|
|
policy = XMLProperty("./policy")
|
|
session = XMLProperty("./session")
|
|
dhCert = XMLProperty("./dhCert")
|
|
|
|
def is_sev(self):
|
|
return self.type == "sev"
|
|
|
|
def validate(self):
|
|
if not self.type:
|
|
raise RuntimeError(_("Missing mandatory attribute 'type'"))
|
|
|
|
def _set_defaults_sev(self, guest):
|
|
# SeaBIOS doesn't have support for SEV. Q35 defaults to virtio 1.0,
|
|
# which we need so let's not go through the 'virtio-transitional'
|
|
# exercise for pc-i440fx to make SEV work, AMD recommends Q35 anyway
|
|
# NOTE: at some point both of these platform checks should be put in
|
|
# validate(), once that accepts the 'guest' instance
|
|
if guest.os.machine != "q35" or guest.os.loader_type != "pflash":
|
|
raise RuntimeError(_("SEV launch security requires a Q35 UEFI machine"))
|
|
|
|
# libvirt or QEMU might not support SEV
|
|
domcaps = guest.lookup_domcaps()
|
|
if not domcaps.supports_sev_launch_security():
|
|
raise RuntimeError(_("SEV launch security is not supported on this platform"))
|
|
|
|
# 'policy' is a mandatory 4-byte argument for the SEV firmware,
|
|
# if missing, let's use 0x03 which, according to the table at
|
|
# https://libvirt.org/formatdomain.html#launchSecurity:
|
|
# (bit 0) - disables the debugging mode
|
|
# (bit 1) - disables encryption key sharing across multiple guests
|
|
if self.policy is None:
|
|
self.policy = "0x03"
|
|
|
|
if self.cbitpos is None:
|
|
self.cbitpos = domcaps.features.sev.cbitpos
|
|
if self.reducedPhysBits is None:
|
|
self.reducedPhysBits = domcaps.features.sev.reducedPhysBits
|
|
|
|
def set_defaults(self, guest):
|
|
if self.is_sev():
|
|
return self._set_defaults_sev(guest)
|