[PATCH v3 0/7] Add Security Guest doc and check for capabilities cache validation

Erik Skultety eskultet at redhat.com
Mon Jun 15 14:22:52 UTC 2020


On Mon, Jun 15, 2020 at 10:28:05AM +0200, Paulo de Rezende Pinatti wrote:
> This series introduces the concept of a 'Secure Guest' feature
> which covers on s390 IBM Secure Execution and on x86 AMD Secure
> Encrypted Virtualization.
>
> Besides adding documentation for IBM Secure Execution it also adds
> checks during validation of the qemu capabilities cache.
> These checks per architecture can be performed for IBM Secure
> Execution on s390 and AMD Secure Encrypted Virtualization on AMD x86
> CPUs (both checks implemented in this series).
>
> For s390 the verification consists of:
> - checking if /sys/firmware/uv is available: meaning the HW
> facility is available and the host OS supports it;
> - checking if the kernel cmdline contains 'prot_virt=1': meaning
> the host OS wants to use the feature.
>
> For AMD Secure Encrypted Virtualization the verification consists of:
> - checking if /sys/module/kvm_amd/parameters/sev contains the
> value '1': meaning SEV is enabled in the host kernel;
> - checking if /dev/sev exists
>
> Whenever the availability of the feature does not match the secure
> guest flag in the cache then libvirt will re-build it in order to
> pick up the new set of capabilities available.
>
> Additionally, this series adds the same aforementioned checks to the
> virt-host-validate tool to facilitate the manual verification
> process for users.

ACK to the series, let me know whether you agree with the micro fixups I
attached to the individual patch review and I'll squash them before pushing.

Thanks for bearing with me,
Erik




More information about the libvir-list mailing list