[PATCH v2 0/7] Add Security Guest doc and check for capabilities cache validation
Paulo de Rezende Pinatti
ppinatti at linux.ibm.com
Mon Jun 8 14:11:57 UTC 2020
Ping for reviews.
On 29/05/20 12:10, Paulo de Rezende Pinatti wrote:
> This series introduces the concept of a 'Secure Guest' feature
> which covers on s390 IBM Secure Execution and on x86 AMD Secure
> Encrypted Virtualization.
>
> Besides adding documentation for IBM Secure Execution it also adds
> checks during validation of the qemu capabilities cache.
> These checks per architecture can be performed for IBM Secure
> Execution on s390 and AMD Secure Encrypted Virtualization on AMD x86
> CPUs (both checks implemented in this series).
>
> For s390 the verification consists of:
> - checking if /sys/firmware/uv is available: meaning the HW
> facility is available and the host OS supports it;
> - checking if the kernel cmdline contains 'prot_virt=1': meaning
> the host OS wants to use the feature.
>
> For AMD Secure Encrypted Virtualization the verification consists of:
> - checking if /sys/module/kvm_amd/parameters/sev contains the
> value '1': meaning SEV is enabled in the host kernel;
> - checking if /dev/sev exists
>
> Whenever the availability of the feature does not match the secure
> guest flag in the cache then libvirt will re-build it in order to
> pick up the new set of capabilities available.
>
> Additionally, this series adds the same aforementioned checks to the
> virt-host-validate tool to facilitate the manual verification
> process for users.
>
> Changes in v2:
>
> [Patch 1]
> Reworked kernel cmdline parser into a parameter based processing.
> [Patch 2]
> Added missing value "on" to kvalue list
> [Patch 3]
> Changed AMD SEV support check to module parameter is set and /dev/sev exists.
> Moved doc changes to a new standalone patch 6.
> [Patch 4]
> Added missing value "on" to kvalue list
> [Patch 5]
> Changed AMD SEV support check to align with patch 3.
> Moved doc changes to a new standalone patch 6.
> [Patch 6]
> Summarized AMD SEV doc changes from patches 3 and 5.
> Adjusted libvirt version number
> [Patch 7 (v1: Patch 6)]
> Adjusted libvirt version number
>
> link to v1: https://www.redhat.com/archives/libvir-list/2020-May/msg00416.html
>
> Boris Fiuczynski (3):
> tools: secure guest check on s390 in virt-host-validate
> tools: secure guest check for AMD in virt-host-validate
> docs: update AMD launch secure description
>
> Paulo de Rezende Pinatti (3):
> util: introduce a parser for kernel cmdline arguments
> qemu: check if s390 secure guest support is enabled
> qemu: check if AMD secure guest support is enabled
>
> Viktor Mihajlovski (1):
> docs: Describe protected virtualization guest setup
>
> docs/kbase.html.in | 3 +
> docs/kbase/launch_security_sev.rst | 9 +-
> docs/kbase/s390_protected_virt.rst | 189 +++++++++++++++++++++++++++++
> src/libvirt_private.syms | 2 +
> src/qemu/qemu_capabilities.c | 76 ++++++++++++
> src/util/virutil.c | 169 ++++++++++++++++++++++++++
> src/util/virutil.h | 17 +++
> tests/utiltest.c | 141 +++++++++++++++++++++
> tools/virt-host-validate-common.c | 83 ++++++++++++-
> tools/virt-host-validate-common.h | 5 +
> tools/virt-host-validate-qemu.c | 4 +
> 11 files changed, 693 insertions(+), 5 deletions(-)
> create mode 100644 docs/kbase/s390_protected_virt.rst
>
--
Best regards,
Paulo de Rezende Pinatti
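
The host checks listed in the quoted cover letter, written out as an added shell example; it is not part of the original message and is not libvirt's code. The function names, the root-prefix argument, the `ROOT` variable, the output labels and reading the command line from `/proc/cmdline` are assumptions of this example, and `prot_virt` is accepted only with the two values the cover letter names (`1` and `on`).

```sh
#!/bin/sh
# Added example, not libvirt code. Each check takes a root prefix (an
# assumption of this example) so it can run against a constructed tree;
# pass "" to inspect the real host.

# True when one whitespace-separated cmdline token is exactly prot_virt=1
# or prot_virt=on. Matching whole tokens keeps "noprot_virt=1" and
# "prot_virt=10" from counting. Quoted values with spaces are not handled.
cmdline_has_prot_virt() {
    printf '%s\n' "$1" | tr -s '[:space:]' '\n' | grep -Eqx 'prot_virt=(1|on)'
}

# s390: /sys/firmware/uv present AND prot_virt enabled on the kernel cmdline.
s390_secure_guest_ready() {
    [ -d "$1/sys/firmware/uv" ] || return 1
    [ -r "$1/proc/cmdline" ] || return 1
    cmdline_has_prot_virt "$(cat "$1/proc/cmdline")"
}

# AMD: kvm_amd "sev" module parameter reads 1 AND /dev/sev exists.
amd_sev_ready() {
    [ -r "$1/sys/module/kvm_amd/parameters/sev" ] || return 1
    [ "$(cat "$1/sys/module/kvm_amd/parameters/sev")" = "1" ] || return 1
    [ -e "$1/dev/sev" ]
}

# Prints the secure guest feature the host under the given root exposes.
secure_guest_status() {
    if s390_secure_guest_ready "$1"; then
        echo "s390-secure-execution"
    elif amd_sev_ready "$1"; then
        echo "amd-sev"
    else
        echo "none"
    fi
}

secure_guest_status "${ROOT:-}"
```

A result that differs from what a previous run reported corresponds to the situation the cover letter describes, where the feature availability no longer matches the secure guest flag in the capabilities cache.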