[libvirt] [PATCH v5 03/10] conf: introduce launch-security element in domain
John Ferlan
jferlan at redhat.com
Mon Apr 2 19:19:17 UTC 2018
On 04/02/2018 10:18 AM, Brijesh Singh wrote:
> The launch-security element can be used to define the security
> model to use when launching a domain. Currently we support 'sev'.
>
> When 'sev' is used, the VM will be launched with AMD SEV feature enabled.
> SEV feature supports running encrypted VM under the control of KVM.
> Encrypted VMs have their pages (code and data) secured such that only the
> guest itself has access to the unencrypted version. Each encrypted VM is
> associated with a unique encryption key; if its data is accessed to a
> different entity using a different key the encrypted guests data will be
> incorrectly decrypted, leading to unintelligible data.
>
> Reviewed-by: "Daniel P. Berrangé" <berrange at redhat.com>
> Signed-off-by: Brijesh Singh <brijesh.singh at amd.com>
> ---
> docs/formatdomain.html.in | 120 ++++++++++++++++++++++++++++++++++++++++++
> docs/schemas/domaincommon.rng | 39 ++++++++++++++
> src/conf/domain_conf.c | 110 ++++++++++++++++++++++++++++++++++++++
> src/conf/domain_conf.h | 26 +++++++++
> 4 files changed, 295 insertions(+)
>
Missed in my original pass...
[...]
> static void
> +virDomainSevDefFormat(virBufferPtr buf, virDomainSevDefPtr sev)
> +{
> + virBufferAddLit(buf, "<launch-security type='sev'>\n");
> + virBufferAdjustIndent(buf, 2);
> +
> + virBufferAsprintf(buf, "<cbitpos>%d</cbitpos>\n", sev->cbitpos);
> + virBufferAsprintf(buf, "<reduced-phys-bits>%d</reduced-phys-bits>\n",
> + sev->reduced_phys_bits);
> + virBufferAsprintf(buf, "<policy>%d</policy>\n", sev->policy);
> + if (sev->dh_cert)
> + virBufferAsprintf(buf, "<dh_cert>%s</dh_cert>\n", sev->dh_cert);
s/<dh_cert/<dh-cert
s/dh_cert>/dh-cert>
As a test, I moved the genericxml2xmlin and qemuxml2xmltest adjustments
into this patch *and* filled some sort of default value and found this
one...
> +
> + if (sev->session)
> + virBufferAsprintf(buf, "<session>%s</session>\n", sev->session);
> +
> + virBufferAdjustIndent(buf, -2);
> + virBufferAddLit(buf, "</launch-security>\n");
> +}
> +
[...]
John
More information about the libvir-list
mailing list