[PATCH 3/6] qemu: check if AMD secure guest support is enabled
Erik Skultety
eskultet at redhat.com
Thu May 14 07:06:06 UTC 2020
On Wed, May 13, 2020 at 11:26:52PM -0500, Brijesh Singh wrote:
>
> On 5/13/20 1:21 AM, Erik Skultety wrote:
> >>>>> 2) check if /dev/sev device exist (aka firmware is detected)
> >>>> This seems reasonable. Shouldn't it have been documented in
> >>>> docs/kbase/launch_security_sev.rst?
> >>> Sure, we can add a mention about this. Although, doesn't 1 imply 2? IOW can
> >>> you have the kernel module parameter set to 1 and yet kernel doesn't expose the
> >>> /dev/sev node?
> >>
> >> Currently, 1 does not imply 2, KVM driver does not initialize the
> >> firmware during the feature probe (i.e does not access the /dev/sev).
> >> The firmware initialization is delayed until the first guest launch. So
> >> only sane way to know whether firmware is been detected is check the
> >> existence of the /dev/sev or issue a query-sev command . The query-sev
> >> command will send the platform_status request to the firmware, if the
> >> firmware is not ready then this command will fail.
> > I see. Can query-sev fail or return that it's disabled, aka {"enabled":
> > false,...} in the SevInfo QMP response, but at the same time succeed in
> > returning the platform capabilities via query-sev-capabilities? I'm asking,
> > because libvirt only issues the latter to fill in the QEMU capabilities
> > structure.
>
> Just looked at qemu code, If /dev/sev does not exist then
> query-sev-capabilities should fail, and if SEV is not enabled in the
> guest then query-sev should returns false. So, basically what libvirt is
> doing correct, it should be using query-sev-capabilities to populate
> QEMU capabilities. It was my bad, I should have mentioned the
> query-sev-capabilities and not the query-sev check.
Perfect, now it makes much more sense to me after quite a period not closely
following this feature, thanks Brijesh.
Boris, I'll start with the review today, but for the IBM part, I'm not sure I
can get my hands on the necessary s390 HW (I'm also not familiar with s390), so
I can do code-only review here, but at least for the AMD bits I do have access
to the necessary HW and apart from scanning the filesystem (or parsing the
kernel cmdline) the outcome is the same, so I'll do some mirroring in the
review process.
Regards,
--
Erik Skultety
More information about the libvir-list
mailing list