[PATCH v5 06/11] conf: Add s390-pv as launch security type

Boris Fiuczynski fiuczy at linux.ibm.com
Fri Jul 16 09:44:30 UTC 2021


Add launch security type 's390-pv' as well as some tests.

Signed-off-by: Boris Fiuczynski <fiuczy at linux.ibm.com>
Reviewed-by: Daniel Henrique Barboza <danielhb413 at gmail.com>
---
 docs/schemas/domaincommon.rng                 |  5 +++
 src/conf/domain_conf.c                        |  7 ++++
 src/conf/domain_conf.h                        |  1 +
 src/qemu/qemu_command.c                       | 26 ++++++++++++++
 src/qemu/qemu_firmware.c                      |  1 +
 src/qemu/qemu_namespace.c                     |  1 +
 src/qemu/qemu_process.c                       |  1 +
 src/qemu/qemu_validate.c                      | 10 ++++++
 .../launch-security-s390-pv.xml               | 18 ++++++++++
 tests/genericxml2xmltest.c                    |  1 +
 .../launch-security-s390-pv.s390x-latest.args | 35 +++++++++++++++++++
 .../launch-security-s390-pv.xml               | 30 ++++++++++++++++
 tests/qemuxml2argvmock.c                      | 16 +++++++++
 tests/qemuxml2argvtest.c                      |  2 ++
 14 files changed, 154 insertions(+)
 create mode 100644 tests/genericxml2xmlindata/launch-security-s390-pv.xml
 create mode 100644 tests/qemuxml2argvdata/launch-security-s390-pv.s390x-latest.args
 create mode 100644 tests/qemuxml2argvdata/launch-security-s390-pv.xml

diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
index 045eb093dd..dbf372b6af 100644
--- a/docs/schemas/domaincommon.rng
+++ b/docs/schemas/domaincommon.rng
@@ -486,6 +486,11 @@
         <group>
           <ref name="launchSecuritySEV"/>
         </group>
+        <group>
+          <attribute name="type">
+            <value>s390-pv</value>
+          </attribute>
+        </group>
       </choice>
     </element>
   </define>
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index af7b4f8ef8..0f49d537a5 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -1401,6 +1401,7 @@ VIR_ENUM_IMPL(virDomainLaunchSecurity,
               VIR_DOMAIN_LAUNCH_SECURITY_LAST,
               "",
               "sev",
+              "s390-pv",
 );
 
 static virClass *virDomainObjClass;
@@ -3501,6 +3502,7 @@ virDomainSecDefFree(virDomainSecDef *def)
         g_free(def->data.sev.dh_cert);
         g_free(def->data.sev.session);
         break;
+    case VIR_DOMAIN_LAUNCH_SECURITY_PV:
     case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
     case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
         break;
@@ -14788,6 +14790,8 @@ virDomainSecDefParseXML(xmlNodePtr lsecNode,
         if (virDomainSEVDefParseXML(&sec->data.sev, lsecNode, ctxt) < 0)
             return NULL;
         break;
+    case VIR_DOMAIN_LAUNCH_SECURITY_PV:
+        break;
     case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
     case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
     default:
@@ -26917,6 +26921,9 @@ virDomainSecDefFormat(virBuffer *buf, virDomainSecDef *sec)
         break;
     }
 
+    case VIR_DOMAIN_LAUNCH_SECURITY_PV:
+        break;
+
     case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
     case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
         return;
diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
index 4e6426ee78..5c22f252d0 100644
--- a/src/conf/domain_conf.h
+++ b/src/conf/domain_conf.h
@@ -2645,6 +2645,7 @@ struct _virDomainKeyWrapDef {
 typedef enum {
     VIR_DOMAIN_LAUNCH_SECURITY_NONE,
     VIR_DOMAIN_LAUNCH_SECURITY_SEV,
+    VIR_DOMAIN_LAUNCH_SECURITY_PV,
 
     VIR_DOMAIN_LAUNCH_SECURITY_LAST,
 } virDomainLaunchSecurity;
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index 61fecc607b..513bd52a6c 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -6976,6 +6976,9 @@ qemuBuildMachineCommandLine(virCommand *cmd,
                 virBufferAddLit(&buf, ",memory-encryption=sev0");
             }
             break;
+        case VIR_DOMAIN_LAUNCH_SECURITY_PV:
+            virBufferAddLit(&buf, ",confidential-guest-support=pv0");
+            break;
         case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
             break;
         case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
@@ -9874,6 +9877,26 @@ qemuBuildSEVCommandLine(virDomainObj *vm, virCommand *cmd,
 }
 
 
+static int
+qemuBuildPVCommandLine(virDomainObj *vm, virCommand *cmd)
+{
+    g_autoptr(virJSONValue) props = NULL;
+    g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
+    qemuDomainObjPrivate *priv = vm->privateData;
+
+    if (qemuMonitorCreateObjectProps(&props, "s390-pv-guest", "pv0",
+                                     NULL) < 0)
+        return -1;
+
+    if (qemuBuildObjectCommandlineFromJSON(&buf, props, priv->qemuCaps) < 0)
+        return -1;
+
+    virCommandAddArg(cmd, "-object");
+    virCommandAddArgBuffer(cmd, &buf);
+    return 0;
+}
+
+
 static int
 qemuBuildSecCommandLine(virDomainObj *vm, virCommand *cmd,
                         virDomainSecDef *sec)
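Review bot: The object id `"pv0"` passed to qemuMonitorCreateObjectProps in qemuBuildPVCommandLine must agree with the `,confidential-guest-support=pv0` literal added to qemuBuildMachineCommandLine in the earlier hunk of this file, yet nothing ties the two string literals together, so a later edit to one would presumably leave QEMU rejecting the machine line at start rather than failing at build time. Hoisting the id into one file-scope constant used by both sites, or at minimum a cross-reference comment at each literal such as `/* must match confidential-guest-support= in qemuBuildMachineCommandLine */`, would keep them in sync; the existing sev0 pair has the same duplication, so this follows precedent. The new function also has no header comment; a one-liner like `/* Emit the -object s390-pv-guest that the machine's confidential-guest-support=pv0 refers to. */` would tell a reader why it exists.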
@@ -9885,6 +9908,9 @@ qemuBuildSecCommandLine(virDomainObj *vm, virCommand *cmd,
     case VIR_DOMAIN_LAUNCH_SECURITY_SEV:
         return qemuBuildSEVCommandLine(vm, cmd, &sec->data.sev);
         break;
+    case VIR_DOMAIN_LAUNCH_SECURITY_PV:
+        return qemuBuildPVCommandLine(vm, cmd);
+        break;
     case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
         break;
     case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
diff --git a/src/qemu/qemu_firmware.c b/src/qemu/qemu_firmware.c
index 6f83ebafe9..77c452746f 100644
--- a/src/qemu/qemu_firmware.c
+++ b/src/qemu/qemu_firmware.c
@@ -1069,6 +1069,7 @@ qemuFirmwareMatchDomain(const virDomainDef *def,
                 return false;
             }
             break;
+        case VIR_DOMAIN_LAUNCH_SECURITY_PV:
         case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
             break;
         case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
diff --git a/src/qemu/qemu_namespace.c b/src/qemu/qemu_namespace.c
index aa8b3c579b..42865a6497 100644
--- a/src/qemu/qemu_namespace.c
+++ b/src/qemu/qemu_namespace.c
@@ -607,6 +607,7 @@ qemuDomainSetupLaunchSecurity(virDomainObj *vm,
 
         VIR_DEBUG("Set up launch security for SEV");
         break;
+    case VIR_DOMAIN_LAUNCH_SECURITY_PV:
     case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
         break;
     case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index 07e695f311..f2a523e4f7 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -6705,6 +6705,7 @@ qemuProcessPrepareLaunchSecurityGuestInput(virDomainObj *vm)
     switch ((virDomainLaunchSecurity) sec->sectype) {
     case VIR_DOMAIN_LAUNCH_SECURITY_SEV:
         return qemuProcessPrepareSEVGuestInput(vm);
+    case VIR_DOMAIN_LAUNCH_SECURITY_PV:
     case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
         break;
     case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
diff --git a/src/qemu/qemu_validate.c b/src/qemu/qemu_validate.c
index c54c18160e..7482bedee6 100644
--- a/src/qemu/qemu_validate.c
+++ b/src/qemu/qemu_validate.c
@@ -1224,6 +1224,16 @@ qemuValidateDomainDef(const virDomainDef *def,
                 return -1;
             }
             break;
+        case VIR_DOMAIN_LAUNCH_SECURITY_PV:
+            if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_MACHINE_CONFIDENTAL_GUEST_SUPPORT) ||
+                !virQEMUCapsGet(qemuCaps, QEMU_CAPS_S390_PV_GUEST) ||
+                !virQEMUCapsGetKVMSupportsSecureGuest(qemuCaps)) {
+                virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+                               _("S390 PV launch security is not supported with "
+                                 "this QEMU binary"));
+                return -1;
+            }
+            break;
         case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
             break;
         case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
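Review bot: The single error message `S390 PV launch security is not supported with this QEMU binary` is reported for three different conditions, and the third, `virQEMUCapsGetKVMSupportsSecureGuest()`, by its name reflects host/KVM support rather than a property of the binary, so an administrator with a capable QEMU on a host lacking secure-guest support is pointed at the wrong component. Either split the check so the host-side failure gets its own message, e.g. `_("S390 PV launch security is not supported by this host")`, or widen the existing wording to `_("S390 PV launch security is not supported with this QEMU binary or host")`. qemuValidateDomainDef starts and ends outside this hunk.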
diff --git a/tests/genericxml2xmlindata/launch-security-s390-pv.xml b/tests/genericxml2xmlindata/launch-security-s390-pv.xml
new file mode 100644
index 0000000000..29c7fc152d
--- /dev/null
+++ b/tests/genericxml2xmlindata/launch-security-s390-pv.xml
@@ -0,0 +1,18 @@
+<domain type='kvm'>
+  <name>QEMUGuest1</name>
+  <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+  <memory unit='KiB'>219100</memory>
+  <currentMemory unit='KiB'>219100</currentMemory>
+  <vcpu placement='static'>1</vcpu>
+  <os>
+    <type arch='s390x' machine='s390-ccw-virtio'>hvm</type>
+    <boot dev='hd'/>
+  </os>
+  <clock offset='utc'/>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>destroy</on_crash>
+  <devices>
+  </devices>
+  <launchSecurity type='s390-pv'/>
+</domain>
diff --git a/tests/genericxml2xmltest.c b/tests/genericxml2xmltest.c
index ac89422a32..8f817e2cb5 100644
--- a/tests/genericxml2xmltest.c
+++ b/tests/genericxml2xmltest.c
@@ -233,6 +233,7 @@ mymain(void)
     DO_TEST("tseg");
 
     DO_TEST("launch-security-sev");
+    DO_TEST("launch-security-s390-pv");
 
     DO_TEST_DIFFERENT("cputune");
     DO_TEST("device-backenddomain");
diff --git a/tests/qemuxml2argvdata/launch-security-s390-pv.s390x-latest.args b/tests/qemuxml2argvdata/launch-security-s390-pv.s390x-latest.args
new file mode 100644
index 0000000000..c9d9b84dd3
--- /dev/null
+++ b/tests/qemuxml2argvdata/launch-security-s390-pv.s390x-latest.args
@@ -0,0 +1,35 @@
+LC_ALL=C \
+PATH=/bin \
+HOME=/tmp/lib/domain--1-QEMUGuest1 \
+USER=test \
+LOGNAME=test \
+XDG_DATA_HOME=/tmp/lib/domain--1-QEMUGuest1/.local/share \
+XDG_CACHE_HOME=/tmp/lib/domain--1-QEMUGuest1/.cache \
+XDG_CONFIG_HOME=/tmp/lib/domain--1-QEMUGuest1/.config \
+/usr/bin/qemu-system-s390x \
+-name guest=QEMUGuest1,debug-threads=on \
+-S \
+-object '{"qom-type":"secret","id":"masterKey0","format":"raw","file":"/tmp/lib/domain--1-QEMUGuest1/master-key.aes"}' \
+-machine s390-ccw-virtio,accel=kvm,usb=off,dump-guest-core=off,confidential-guest-support=pv0,memory-backend=s390.ram \
+-cpu gen15a-base,aen=on,cmmnt=on,vxpdeh=on,aefsi=on,diag318=on,csske=on,mepoch=on,msa9=on,msa8=on,msa7=on,msa6=on,msa5=on,msa4=on,msa3=on,msa2=on,msa1=on,sthyi=on,edat=on,ri=on,deflate=on,edat2=on,etoken=on,vx=on,ipter=on,mepochptff=on,ap=on,vxeh=on,vxpd=on,esop=on,msa9_pckmo=on,vxeh2=on,esort=on,apqi=on,apft=on,els=on,iep=on,apqci=on,cte=on,ais=on,bpb=on,gs=on,ppa15=on,zpci=on,sea_esop2=on,te=on,cmm=on \
+-m 214 \
+-object '{"qom-type":"memory-backend-ram","id":"s390.ram","size":224395264}' \
+-overcommit mem-lock=off \
+-smp 1,sockets=1,cores=1,threads=1 \
+-uuid c7a5fdbd-edaf-9455-926a-d65c16db1809 \
+-display none \
+-no-user-config \
+-nodefaults \
+-chardev socket,id=charmonitor,fd=1729,server=on,wait=off \
+-mon chardev=charmonitor,id=monitor,mode=control \
+-rtc base=utc \
+-no-shutdown \
+-boot strict=on \
+-blockdev '{"driver":"host_device","filename":"/dev/HostVG/QEMUGuest1","node-name":"libvirt-1-storage","auto-read-only":true,"discard":"unmap"}' \
+-blockdev '{"node-name":"libvirt-1-format","read-only":false,"driver":"raw","file":"libvirt-1-storage"}' \
+-device virtio-blk-ccw,devno=fe.0.0000,drive=libvirt-1-format,id=virtio-disk0,bootindex=1 \
+-audiodev id=audio1,driver=none \
+-device virtio-balloon-ccw,id=balloon0,devno=fe.0.0001 \
+-object '{"qom-type":"s390-pv-guest","id":"pv0"}' \
+-sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \
+-msg timestamp=on
diff --git a/tests/qemuxml2argvdata/launch-security-s390-pv.xml b/tests/qemuxml2argvdata/launch-security-s390-pv.xml
new file mode 100644
index 0000000000..c40c2b4bf2
--- /dev/null
+++ b/tests/qemuxml2argvdata/launch-security-s390-pv.xml
@@ -0,0 +1,30 @@
+<domain type='kvm'>
+  <name>QEMUGuest1</name>
+  <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+  <memory unit='KiB'>219100</memory>
+  <currentMemory unit='KiB'>219100</currentMemory>
+  <vcpu placement='static'>1</vcpu>
+  <os>
+    <type arch='s390x' machine='s390-ccw-virtio'>hvm</type>
+    <boot dev='hd'/>
+  </os>
+  <clock offset='utc'/>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>destroy</on_crash>
+  <devices>
+    <emulator>/usr/bin/qemu-system-s390x</emulator>
+    <disk type='block' device='disk'>
+      <driver name='qemu' type='raw'/>
+      <source dev='/dev/HostVG/QEMUGuest1'/>
+      <target dev='hda' bus='virtio'/>
+      <address type='ccw' cssid='0xfe' ssid='0x0' devno='0x0000'/>
+    </disk>
+    <controller type='pci' index='0' model='pci-root'/>
+    <memballoon model='virtio'>
+      <address type='ccw' cssid='0xfe' ssid='0x0' devno='0x0001'/>
+    </memballoon>
+    <panic model='s390'/>
+  </devices>
+  <launchSecurity type='s390-pv'/>
+</domain>
diff --git a/tests/qemuxml2argvmock.c b/tests/qemuxml2argvmock.c
index 2265492f1e..d7f77eabf7 100644
--- a/tests/qemuxml2argvmock.c
+++ b/tests/qemuxml2argvmock.c
@@ -41,6 +41,7 @@
 #include "virutil.h"
 #include "qemu/qemu_interface.h"
 #include "qemu/qemu_command.h"
+#include "qemu/qemu_capabilities.h"
 #include <time.h>
 #include <unistd.h>
 #include <fcntl.h>
@@ -301,3 +302,18 @@ virIdentityEnsureSystemToken(void)
 {
     return g_strdup("3de80bcbf22d4833897f1638e01be9b2");
 }
+
+static bool (*real_virQEMUCapsGetKVMSupportsSecureGuest)(virQEMUCaps *qemuCaps);
+
+bool
+virQEMUCapsGetKVMSupportsSecureGuest(virQEMUCaps *qemuCaps)
+{
+    if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_MACHINE_CONFIDENTAL_GUEST_SUPPORT) &&
+        virQEMUCapsGet(qemuCaps, QEMU_CAPS_S390_PV_GUEST))
+        return true;
+
+    if (!real_virQEMUCapsGetKVMSupportsSecureGuest)
+        VIR_MOCK_REAL_INIT(virQEMUCapsGetKVMSupportsSecureGuest);
+
+    return real_virQEMUCapsGetKVMSupportsSecureGuest(qemuCaps);
+}
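Review bot: The mock returns true whenever QEMU_CAPS_MACHINE_CONFIDENTAL_GUEST_SUPPORT and QEMU_CAPS_S390_PV_GUEST are both set, which is exactly the pair qemuValidateDomainDef checks before consulting virQEMUCapsGetKVMSupportsSecureGuest, so under this mock the host-support condition in the validator can never fail for a PV domain and that negative path has no test; a parse-error case (cf. DO_TEST_CAPS_LATEST_PARSE_ERROR in qemuxml2argvtest.c) with the caps present but host support absent would cover it. A comment stating the intent would help a later reader, e.g. `/* Treat a QEMU binary that advertises PV support as running on a host that supports secure guests, so caps-based tests do not depend on the test machine. */`. The fallback to the real implementation preserves behaviour for other caps sets, but if that function consults host state the result could vary between test machines, so it is worth confirming it only reads a cached caps flag.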
diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c
index e315335e81..67c056b887 100644
--- a/tests/qemuxml2argvtest.c
+++ b/tests/qemuxml2argvtest.c
@@ -3469,6 +3469,8 @@ mymain(void)
     DO_TEST_CAPS_VER("launch-security-sev", "6.0.0");
     DO_TEST_CAPS_VER("launch-security-sev-missing-platform-info", "2.12.0");
 
+    DO_TEST_CAPS_ARCH_LATEST("launch-security-s390-pv", "s390x");
+
     DO_TEST_CAPS_LATEST("vhost-user-fs-fd-memory");
     DO_TEST_CAPS_LATEST("vhost-user-fs-hugepages");
     DO_TEST_CAPS_LATEST_PARSE_ERROR("vhost-user-fs-readonly");
-- 
2.31.1



