[libvirt] [PATCH 3/3] qemu: domain: Add /dev/sev into the domain mount namespace selectively

Michal Privoznik mprivozn at redhat.com
Tue Jan 29 12:26:46 UTC 2019


On 1/23/19 1:57 PM, Erik Skultety wrote:
> Instead of exposing /dev/sev to every domain, do it selectively.
> 
> Signed-off-by: Erik Skultety <eskultet at redhat.com>
> ---
>   src/qemu/qemu_domain.c | 23 +++++++++++++++++++++++
>   1 file changed, 23 insertions(+)
> 
> diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
> index 32a43f2064..a4cdb8d355 100644
> --- a/src/qemu/qemu_domain.c
> +++ b/src/qemu/qemu_domain.c
> @@ -12112,6 +12112,26 @@ qemuDomainSetupLoader(virQEMUDriverConfigPtr cfg ATTRIBUTE_UNUSED,
>   }
>   
>   
> +static int
> +qemuDomainSetupLaunchSecurity(virQEMUDriverConfigPtr cfg ATTRIBUTE_UNUSED,
> +                              virDomainObjPtr vm,
> +                              const struct qemuDomainCreateDeviceData *data)
> +{
> +    virDomainSEVDefPtr sev = vm->def->sev;
> +
> +    if (!sev || sev->sectype != VIR_DOMAIN_LAUNCH_SECURITY_SEV)
> +        return 0;
> +
> +    VIR_DEBUG("Setting up launch security");
> +
> +    if (qemuDomainCreateDevice("/dev/sev", data, false) < 0)

nitpick - I'd rather see this as a macro:
   #define SEV_PATH "/dev/sev"
   ...
   qemuDomainCreateDevice(SEV_PATH, ..)

> +        return -1;
> +
> +    VIR_DEBUG("Set up launch security");
> +    return 0;
> +}
> +
> +
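
Review bot: the two VIR_DEBUG strings around the `qemuDomainCreateDevice("/dev/sev", data, false)` call ("Setting up launch security" and "Set up launch security") differ by one word and name neither the device node nor the domain, so the log does not show which guest had /dev/sev added to its namespace. Consider putting the path and the domain name in the message. The function also has no comment saying that the node is created only when `sev->sectype` is VIR_DOMAIN_LAUNCH_SECURITY_SEV; since that selective exposure is the point of the patch, a one-line comment above qemuDomainSetupLaunchSecurity would help.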

ACK

Michal



