[PATCH 3/6] qemu: check if AMD secure guest support is enabled
Boris Fiuczynski
fiuczy at linux.ibm.com
Tue May 12 07:08:38 UTC 2020
On 5/11/20 9:40 PM, Brijesh Singh wrote:
> Thanks for the patch Paulo, Few comments.
>
> On 5/11/20 11:41 AM, Boris Fiuczynski wrote:
>> From: Paulo de Rezende Pinatti <ppinatti at linux.ibm.com>
>>
>> Implement secure guest check for AMD SEV (Secure Encrypted
>> Virtualization) in order to invalidate the qemu capabilities
>> cache in case the availability of the feature changed.
>>
>> For AMD SEV the verification consists of:
>> - checking if /sys/module/kvm_amd/parameters/sev contains the
>> value '1': meaning SEV is enabled in the host kernel;
>> - checking if the kernel cmdline contains 'mem_encrypt=on': meaning
>> SME memory encryption feature on the host is enabled
>
>
> In addition to the kernel module parameter, we probably also need to
> check whether QEMU supports the feature. e.g, what if user has newer
> kernel but older qemu. e.g kernel > 4.18 but Qemu < 2.12. To check the
> SEV feature support, we should verify the following conditions:
>
> 1) check kernel module parameter is set
Paulo implemented the checks following the documentation in
docs/kbase/launch_security_sev.rst. The check for the module parameter
sev is included. Is the check for the kernel cmdline parameter
"mem_encrypt" not necessary? Or would that be covered by your suggested
check in 2)?
>
> 2) check if /dev/sev device exist (aka firmware is detected)
This seems reasonable. Shouldn't it have been documented in
docs/kbase/launch_security_sev.rst?
>
> 3) Check if Qemu supports SEV feature (maybe we can detect the existence
> of the query-sev QMP command or detect Qemu version >= 2.12)
The idea is to check the host capabilities to detect if qemus
capabilities need to be reprobed. Therefore this would be a result if
checks 1+2 change but it would not be a cache invalidation trigger.
>
> thanks
>
>> Signed-off-by: Paulo de Rezende Pinatti <ppinatti at linux.ibm.com>
>> Reviewed-by: Bjoern Walk <bwalk at linux.ibm.com>
>> Reviewed-by: Boris Fiuczynski <fiuczy at linux.ibm.com>
>> ---
>> docs/kbase/launch_security_sev.rst | 2 +-
>> src/qemu/qemu_capabilities.c | 27 +++++++++++++++++++++++++++
>> 2 files changed, 28 insertions(+), 1 deletion(-)
>>
>> diff --git a/docs/kbase/launch_security_sev.rst b/docs/kbase/launch_security_sev.rst
>> index 65f258587d..fa602c7432 100644
>> --- a/docs/kbase/launch_security_sev.rst
>> +++ b/docs/kbase/launch_security_sev.rst
>> @@ -109,7 +109,7 @@ following:
>> </features>
>> </domainCapabilities>
>>
>> -Note that if libvirt was already installed and libvirtd running before
>> +Note that if libvirt (<6.4.0) was already installed and libvirtd running before
>> enabling SEV in the kernel followed by the host reboot you need to force
>> libvirtd to re-probe both the host and QEMU capabilities. First stop
>> libvirtd:
>> diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
>> index 2874bb1e7c..6cf926d52d 100644
>> --- a/src/qemu/qemu_capabilities.c
>> +++ b/src/qemu/qemu_capabilities.c
>> @@ -4604,6 +4604,31 @@ virQEMUCapsKVMSupportsSecureGuestS390(void)
>> }
>>
>>
>> +/*
>> + * Check whether AMD Secure Encrypted Virtualization (x86) is enabled
>> + */
>> +static bool
>> +virQEMUCapsKVMSupportsSecureGuestAMD(void)
>> +{
>> + g_autofree char *cmdline = NULL;
>> + g_autofree char *modValue = NULL;
>> + static const char *kValues[] = {"on"};
>> +
>> + if (virFileReadValueString(&modValue, "/sys/module/kvm_amd/parameters/sev") < 0)
>> + return false;
>> + if (modValue[0] != '1')
>> + return false;
>> + if (virFileReadValueString(&cmdline, "/proc/cmdline") < 0)
>> + return false;
>> + if (virKernelCmdlineMatchParam(cmdline, "mem_encrypt", kValues,
>> + G_N_ELEMENTS(kValues),
>> + VIR_KERNEL_CMDLINE_FLAGS_SEARCH_LAST |
>> + VIR_KERNEL_CMDLINE_FLAGS_CMP_EQ))
>> + return true;
>> + return false;
>> +}
>> +
>> +
>> /*
>> * Check whether the secure guest functionality is enabled.
>> * See the specific architecture function for details on the verifications made.
>> @@ -4615,6 +4640,8 @@ virQEMUCapsKVMSupportsSecureGuest(void)
>>
>> if (ARCH_IS_S390(arch))
>> return virQEMUCapsKVMSupportsSecureGuestS390();
>> + if (ARCH_IS_X86(arch))
>> + return virQEMUCapsKVMSupportsSecureGuestAMD();
>> return false;
>> }
>>
--
Mit freundlichen Grüßen/Kind regards
Boris Fiuczynski
IBM Deutschland Research & Development GmbH
Vorsitzender des Aufsichtsrats: Gregor Pillen
Geschäftsführung: Dirk Wittkopp
Sitz der Gesellschaft: Böblingen
Registergericht: Amtsgericht Stuttgart, HRB 243294
More information about the libvir-list
mailing list