[libvirt] AMD SEV's /dev/sev permissions and probing QEMU for capabilities

Daniel P. Berrangé berrange at redhat.com
Fri Mar 15 16:02:34 UTC 2019


On Fri, Mar 15, 2019 at 03:51:57PM +0000, Singh, Brijesh wrote:
> Hi Daniel,
> 
> 
> On 3/15/19 7:18 AM, Daniel P. Berrangé wrote:
> > On Fri, Jan 18, 2019 at 12:51:50PM +0000, Singh, Brijesh wrote:
> >>
> >> On 1/18/19 3:39 AM, Erik Skultety wrote:
> >>> I proceeded with cloning [1] to systemd and creating an udev rule that I planned
> >>> on submitting to systemd upstream - the initial idea was to mimic /dev/kvm and
> >>> make it world accessible to which Brijesh from AMD expressed a concern that
> >>> regular users might deplete the resources (limit on the number of guests
> >>> allowed by the platform).
> > 
> > [snip]
> > 
> >>> But since the limit is claimed to be around 4, Dan
> >>
> >>
> >> FYI, the limit on EPYC is 15.
> > 
> > Do any cRyzen CPUs support SEV, and if so is their limit also 15 ?
> > 
> 
> SEV support is *not* available on any of Ryzen's yet!

Ok, thanks for clarifying.

> > Regardless, I'm assuming this limit is liable to change at any time
> > in future CPU generations, so from the the mgmt app perspective I
> > think is is important that QEMU / libvirt can both report what this
> > limit is.
> > 
> 
> Yes, the limit may change on future CPU generations. We can query the
> limit through the CPUID Fn0x8000_001f[ECX].

That's nice!

> > For QEMU I think query-sev-capabilities probably should report the
> > guest limit.  I guess QEMU would in turn want to ask the kernel,
> > rather than hardcode info itself. So if this info isn't already
> > exposed by the kernel we might need work there too.
> > 
> 
> 
> I don't think we need to add a kernel interface for querying this
> information, it can be obtained using the cpuid instruction or
> access its via /dev/cpuid/<cpu>.

Agreed, using CPUID direct from QEMU ought to be sufficient.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|




More information about the libvir-list mailing list