[PATCH 3/6] qemu: check if AMD secure guest support is enabled

Tue May 12 07:08:38 UTC 2020

On 5/11/20 9:40 PM, Brijesh Singh wrote:
> Thanks for the patch Paulo, Few comments.
> 
> On 5/11/20 11:41 AM, Boris Fiuczynski wrote:
>> From: Paulo de Rezende Pinatti <ppinatti at linux.ibm.com>
>>
>> Implement secure guest check for AMD SEV (Secure Encrypted
>> Virtualization) in order to invalidate the qemu capabilities
>> cache in case the availability of the feature changed.
>>
>> For AMD SEV the verification consists of:
>> - checking if /sys/module/kvm_amd/parameters/sev contains the
>> value '1': meaning SEV is enabled in the host kernel;
>> - checking if the kernel cmdline contains 'mem_encrypt=on': meaning
>> SME memory encryption feature on the host is enabled
> 
> 
> In addition to the kernel module parameter, we probably also need to
> check whether QEMU supports the feature. e.g, what if user has newer
> kernel but older qemu. e.g kernel > 4.18 but Qemu < 2.12.  To check the
> SEV feature support, we should verify the following conditions:
> 
> 1) check kernel module parameter is set
Paulo implemented the checks following the documentation in 
docs/kbase/launch_security_sev.rst. The check for the module parameter 
sev is included. Is the check for the kernel cmdline parameter 
"mem_encrypt" not necessary? Or would that be covered by your suggested 
check in 2)?

> 
> 2) check if /dev/sev device exist (aka firmware is detected)
This seems reasonable. Shouldn't it have been documented in 
docs/kbase/launch_security_sev.rst?

> 
> 3) Check if Qemu supports SEV feature (maybe we can detect the existence
> of the query-sev QMP command or detect Qemu version >= 2.12)
The idea is to check the host capabilities to detect if qemus 
capabilities need to be reprobed. Therefore this would be a result if 
checks 1+2 change but it would not be a cache invalidation trigger.

> 
> thanks
> 
>> Signed-off-by: Paulo de Rezende Pinatti <ppinatti at linux.ibm.com>
>> Reviewed-by: Bjoern Walk <bwalk at linux.ibm.com>
>> Reviewed-by: Boris Fiuczynski <fiuczy at linux.ibm.com>
>> ---
>>   docs/kbase/launch_security_sev.rst |  2 +-
>>   src/qemu/qemu_capabilities.c       | 27 +++++++++++++++++++++++++++
>>   2 files changed, 28 insertions(+), 1 deletion(-)
>>
>> diff --git a/docs/kbase/launch_security_sev.rst b/docs/kbase/launch_security_sev.rst
>> index 65f258587d..fa602c7432 100644
>> --- a/docs/kbase/launch_security_sev.rst
>> +++ b/docs/kbase/launch_security_sev.rst
>> @@ -109,7 +109,7 @@ following:
>>        </features>
>>      </domainCapabilities>
>>   
>> -Note that if libvirt was already installed and libvirtd running before
>> +Note that if libvirt (<6.4.0) was already installed and libvirtd running before
>>   enabling SEV in the kernel followed by the host reboot you need to force
>>   libvirtd to re-probe both the host and QEMU capabilities. First stop
>>   libvirtd:
>> diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
>> index 2874bb1e7c..6cf926d52d 100644
>> --- a/src/qemu/qemu_capabilities.c
>> +++ b/src/qemu/qemu_capabilities.c
>> @@ -4604,6 +4604,31 @@ virQEMUCapsKVMSupportsSecureGuestS390(void)
>>   }
>>   
>>   
>> +/*
>> + * Check whether AMD Secure Encrypted Virtualization (x86) is enabled
>> + */
>> +static bool
>> +virQEMUCapsKVMSupportsSecureGuestAMD(void)
>> +{
>> +    g_autofree char *cmdline = NULL;
>> +    g_autofree char *modValue = NULL;
>> +    static const char *kValues[] = {"on"};
>> +
>> +    if (virFileReadValueString(&modValue, "/sys/module/kvm_amd/parameters/sev") < 0)
>> +        return false;
>> +    if (modValue[0] != '1')
>> +        return false;
>> +    if (virFileReadValueString(&cmdline, "/proc/cmdline") < 0)
>> +        return false;
>> +    if (virKernelCmdlineMatchParam(cmdline, "mem_encrypt", kValues,
>> +                                   G_N_ELEMENTS(kValues),
>> +                                   VIR_KERNEL_CMDLINE_FLAGS_SEARCH_LAST |
>> +                                   VIR_KERNEL_CMDLINE_FLAGS_CMP_EQ))
>> +        return true;
>> +    return false;
>> +}
>> +
>> +
>>   /*
>>    * Check whether the secure guest functionality is enabled.
>>    * See the specific architecture function for details on the verifications made.
>> @@ -4615,6 +4640,8 @@ virQEMUCapsKVMSupportsSecureGuest(void)
>>   
>>       if (ARCH_IS_S390(arch))
>>           return virQEMUCapsKVMSupportsSecureGuestS390();
>> +    if (ARCH_IS_X86(arch))
>> +        return virQEMUCapsKVMSupportsSecureGuestAMD();
>>       return false;
>>   }
>>   


-- 
Mit freundlichen Grüßen/Kind regards
    Boris Fiuczynski

IBM Deutschland Research & Development GmbH
Vorsitzender des Aufsichtsrats: Gregor Pillen
Geschäftsführung: Dirk Wittkopp
Sitz der Gesellschaft: Böblingen
Registergericht: Amtsgericht Stuttgart, HRB 243294