[PATCH 3/6] qemu: check if AMD secure guest support is enabled

[Boris Fiuczynski]

From: Paulo de Rezende Pinatti <ppinatti at linux.ibm.com>

Implement secure guest check for AMD SEV (Secure Encrypted
Virtualization) in order to invalidate the qemu capabilities
cache in case the availability of the feature changed.

For AMD SEV the verification consists of:
- checking if /sys/module/kvm_amd/parameters/sev contains the
value '1': meaning SEV is enabled in the host kernel;
- checking if the kernel cmdline contains 'mem_encrypt=on': meaning
SME memory encryption feature on the host is enabled

Signed-off-by: Paulo de Rezende Pinatti <ppinatti at linux.ibm.com>
Reviewed-by: Bjoern Walk <bwalk at linux.ibm.com>
Reviewed-by: Boris Fiuczynski <fiuczy at linux.ibm.com>
---
 docs/kbase/launch_security_sev.rst |  2 +-
 src/qemu/qemu_capabilities.c       | 27 +++++++++++++++++++++++++++
 2 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/docs/kbase/launch_security_sev.rst b/docs/kbase/launch_security_sev.rst
index 65f258587d..fa602c7432 100644
--- a/docs/kbase/launch_security_sev.rst
+++ b/docs/kbase/launch_security_sev.rst
@@ -109,7 +109,7 @@ following:
      </features>
    </domainCapabilities>
 
-Note that if libvirt was already installed and libvirtd running before
+Note that if libvirt (<6.4.0) was already installed and libvirtd running before
 enabling SEV in the kernel followed by the host reboot you need to force
 libvirtd to re-probe both the host and QEMU capabilities. First stop
 libvirtd:
diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
index 2874bb1e7c..6cf926d52d 100644
--- a/src/qemu/qemu_capabilities.c
+++ b/src/qemu/qemu_capabilities.c
@@ -4604,6 +4604,31 @@ virQEMUCapsKVMSupportsSecureGuestS390(void)
 }
 
 
+/*
+ * Check whether AMD Secure Encrypted Virtualization (x86) is enabled
+ */
+static bool
+virQEMUCapsKVMSupportsSecureGuestAMD(void)
+{
+    g_autofree char *cmdline = NULL;
+    g_autofree char *modValue = NULL;
+    static const char *kValues[] = {"on"};
+
+    if (virFileReadValueString(&modValue, "/sys/module/kvm_amd/parameters/sev") < 0)
+        return false;
+    if (modValue[0] != '1')
+        return false;
+    if (virFileReadValueString(&cmdline, "/proc/cmdline") < 0)
+        return false;
+    if (virKernelCmdlineMatchParam(cmdline, "mem_encrypt", kValues,
+                                   G_N_ELEMENTS(kValues),
+                                   VIR_KERNEL_CMDLINE_FLAGS_SEARCH_LAST |
+                                   VIR_KERNEL_CMDLINE_FLAGS_CMP_EQ))
+        return true;
+    return false;
+}
+
+
 /*
  * Check whether the secure guest functionality is enabled.
  * See the specific architecture function for details on the verifications made.
@@ -4615,6 +4640,8 @@ virQEMUCapsKVMSupportsSecureGuest(void)
 
     if (ARCH_IS_S390(arch))
         return virQEMUCapsKVMSupportsSecureGuestS390();
+    if (ARCH_IS_X86(arch))
+        return virQEMUCapsKVMSupportsSecureGuestAMD();
     return false;
 }
 
-- 
2.25.1