[libvirt] [PATCH v5 03/10] conf: introduce launch-security element in domain

John Ferlan jferlan at redhat.com
Mon Apr 2 19:19:17 UTC 2018



On 04/02/2018 10:18 AM, Brijesh Singh wrote:
> The launch-security element can be used to define the security
> model to use when launching a domain. Currently we support 'sev'.
> 
> When 'sev' is used, the VM will be launched with the AMD SEV feature enabled.
> The SEV feature supports running encrypted VMs under the control of KVM.
> Encrypted VMs have their pages (code and data) secured such that only the
> guest itself has access to the unencrypted version. Each encrypted VM is
> associated with a unique encryption key; if its data is accessed by a
> different entity using a different key, the encrypted guest's data will be
> incorrectly decrypted, leading to unintelligible data.
> 
> Reviewed-by: "Daniel P. Berrangé" <berrange at redhat.com>
> Signed-off-by: Brijesh Singh <brijesh.singh at amd.com>
> ---
>  docs/formatdomain.html.in     | 120 ++++++++++++++++++++++++++++++++++++++++++
>  docs/schemas/domaincommon.rng |  39 ++++++++++++++
>  src/conf/domain_conf.c        | 110 ++++++++++++++++++++++++++++++++++++++
>  src/conf/domain_conf.h        |  26 +++++++++
>  4 files changed, 295 insertions(+)
> 

Missed in my original pass...

[...]


>  static void
> +virDomainSevDefFormat(virBufferPtr buf, virDomainSevDefPtr sev)
> +{
> +    virBufferAddLit(buf, "<launch-security type='sev'>\n");
> +    virBufferAdjustIndent(buf, 2);
> +
> +    virBufferAsprintf(buf, "<cbitpos>%d</cbitpos>\n", sev->cbitpos);
> +    virBufferAsprintf(buf, "<reduced-phys-bits>%d</reduced-phys-bits>\n",
> +                      sev->reduced_phys_bits);
> +    virBufferAsprintf(buf, "<policy>%d</policy>\n", sev->policy);
> +    if (sev->dh_cert)
> +        virBufferAsprintf(buf, "<dh_cert>%s</dh_cert>\n", sev->dh_cert);

s/<dh_cert/<dh-cert
s/dh_cert>/dh-cert>

As a test, I moved the genericxml2xmlin and qemuxml2xmltest adjustments
into this patch *and* filled some sort of default value and found this
one...

> +
> +    if (sev->session)
> +        virBufferAsprintf(buf, "<session>%s</session>\n", sev->session);
> +
> +    virBufferAdjustIndent(buf, -2);
> +    virBufferAddLit(buf, "</launch-security>\n");
> +}
> +
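Review bot: the dh_cert and session values are written into the XML body with virBufferAsprintf's plain %s, so any XML-special characters in those caller-supplied strings would land in the output unescaped; the usual libvirt idiom for string-valued elements is virBufferEscapeString(buf, "<dh-cert>%s</dh-cert>\n", sev->dh_cert) and likewise virBufferEscapeString(buf, "<session>%s</session>\n", sev->session). While touching those lines, the element name should follow the hyphenated style already used by <reduced-phys-bits> (dh-cert rather than dh_cert) so that the formatter, the parser and the RNG schema all agree on one spelling.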

[...]

John