[PATCH v3 1/6] schemas: Make SEV policy on launch security optional

Daniel Henrique Barboza danielhb413 at gmail.com
Tue Jun 22 17:43:14 UTC 2021



On 6/22/21 10:10 AM, Boris Fiuczynski wrote:
> Change launch security policy of type SEV from required to
> optional and add a test to ensure the required launch security
> policy remains required when launch security type is SEV.
> 
> Signed-off-by: Boris Fiuczynski <fiuczy at linux.ibm.com>
> ---

Reviewed-by: Daniel Henrique Barboza <danielhb413 at gmail.com>

>   docs/schemas/domaincommon.rng                 | 12 ++++---
>   src/conf/domain_conf.c                        |  3 +-
>   ...urity-sev-missing-policy.x86_64-2.12.0.err |  1 +
>   .../launch-security-sev-missing-policy.xml    | 34 +++++++++++++++++++
>   tests/qemuxml2argvtest.c                      |  1 +
>   5 files changed, 46 insertions(+), 5 deletions(-)
>   create mode 100644 tests/qemuxml2argvdata/launch-security-sev-missing-policy.x86_64-2.12.0.err
>   create mode 100644 tests/qemuxml2argvdata/launch-security-sev-missing-policy.xml
> 
> diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
> index 5ea14b6dbf..8c1b6c3a09 100644
> --- a/docs/schemas/domaincommon.rng
> +++ b/docs/schemas/domaincommon.rng
> @@ -483,7 +483,9 @@
>     <define name="launchSecurity">
>       <element name="launchSecurity">
>         <attribute name="type">
> -        <value>sev</value>
> +        <choice>
> +          <value>sev</value>
> +        </choice>
>         </attribute>
>         <interleave>
>           <optional>
> @@ -496,9 +498,11 @@
>               <data type="unsignedInt"/>
>             </element>
>           </optional>
> -        <element name="policy">
> -          <ref name="hexuint"/>
> -        </element>
> +        <optional>
> +          <element name="policy">
> +            <ref name="hexuint"/>
> +          </element>
> +        </optional>
>           <optional>
>             <element name="handle">
>               <ref name="unsignedInt"/>
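Review bot: After this hunk the schema accepts a `<launchSecurity type='sev'>` that has no `<policy>` child, while the parser change in src/conf/domain_conf.c in the same patch still rejects exactly that document, so RNG validation no longer reflects the real contract for SEV and the requirement is enforced only in C. Because the `type` attribute was just turned into a `<choice>` in the previous hunk, the type-specific children could be grouped per branch of that choice so that `policy` stays required under `sev` and becomes optional only for the types that are presumably coming later in the series. If the flat layout is intentional, a short `<!-- policy is mandatory for type='sev'; enforced in virDomainSEVDefParseXML -->` next to the new `<optional>` would record why the schema is looser than the parser. The policy value is the security-relevant part of the SEV launch configuration, so it is worth keeping the validation surface as tight as the schema language allows.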
> diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
> index f65509d8ec..af2fd03d3c 100644
> --- a/src/conf/domain_conf.c
> +++ b/src/conf/domain_conf.c
> @@ -14749,7 +14749,8 @@ virDomainSEVDefParseXML(xmlNodePtr sevNode,
>   
>       if (virXPathULongHex("string(./policy)", ctxt, &policy) < 0) {
>           virReportError(VIR_ERR_XML_ERROR, "%s",
> -                       _("failed to get launch security policy"));
> +                       _("failed to get launch security policy for "
> +                         "launch security type SEV"));
>           goto error;
>       }
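Review bot: The reworded error still covers two different failures with one text: the `virXPathULongHex` check fires both when `<policy>` is absent and when its value is not a valid hexadecimal number, and "failed to get launch security policy" does not tell the user which one happened. If `virXPathULongHex` distinguishes those cases through its return value (it appears to, but its prototype is not in the hunk), the missing-element case could get its own message such as `_("launch security type SEV requires a policy")`, matching the intent stated in the commit message. virDomainSEVDefParseXML starts and ends outside the hunk.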
>   
> diff --git a/tests/qemuxml2argvdata/launch-security-sev-missing-policy.x86_64-2.12.0.err b/tests/qemuxml2argvdata/launch-security-sev-missing-policy.x86_64-2.12.0.err
> new file mode 100644
> index 0000000000..2019c8bb13
> --- /dev/null
> +++ b/tests/qemuxml2argvdata/launch-security-sev-missing-policy.x86_64-2.12.0.err
> @@ -0,0 +1 @@
> +XML error: failed to get launch security policy for launch security type SEV
> diff --git a/tests/qemuxml2argvdata/launch-security-sev-missing-policy.xml b/tests/qemuxml2argvdata/launch-security-sev-missing-policy.xml
> new file mode 100644
> index 0000000000..5461b06c9d
> --- /dev/null
> +++ b/tests/qemuxml2argvdata/launch-security-sev-missing-policy.xml
> @@ -0,0 +1,34 @@
> +<domain type='kvm'>
> +  <name>QEMUGuest1</name>
> +  <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
> +  <memory unit='KiB'>219100</memory>
> +  <currentMemory unit='KiB'>219100</currentMemory>
> +  <vcpu placement='static'>1</vcpu>
> +  <os>
> +    <type arch='x86_64' machine='pc-1.0'>hvm</type>
> +    <boot dev='hd'/>
> +  </os>
> +  <clock offset='utc'/>
> +  <on_poweroff>destroy</on_poweroff>
> +  <on_reboot>restart</on_reboot>
> +  <on_crash>destroy</on_crash>
> +  <devices>
> +    <emulator>/usr/bin/qemu-system-x86_64</emulator>
> +    <disk type='block' device='disk'>
> +      <driver name='qemu' type='raw'/>
> +      <source dev='/dev/HostVG/QEMUGuest1'/>
> +      <target dev='hda' bus='ide'/>
> +      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
> +    </disk>
> +    <controller type='usb' index='0'/>
> +    <controller type='ide' index='0'/>
> +    <controller type='pci' index='0' model='pci-root'/>
> +    <input type='mouse' bus='ps2'/>
> +    <input type='keyboard' bus='ps2'/>
> +    <memballoon model='none'/>
> +  </devices>
> +  <launchSecurity type='sev'>
> +    <dhCert>AQAAAAAOAAAAQAAAAAOAAAAQAAAAAOAAAAQAAAAAOAAAAQAAAAAOAAA</dhCert>
> +    <session>IHAVENOIDEABUTJUSTPROVIDINGASTRING</session>
> +  </launchSecurity>
> +</domain>
> diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c
> index 9df28658b9..ef6afae586 100644
> --- a/tests/qemuxml2argvtest.c
> +++ b/tests/qemuxml2argvtest.c
> @@ -3459,6 +3459,7 @@ mymain(void)
>       DO_TEST_CAPS_VER("launch-security-sev", "2.12.0");
>       DO_TEST_CAPS_VER("launch-security-sev", "6.0.0");
>       DO_TEST_CAPS_VER("launch-security-sev-missing-platform-info", "2.12.0");
> +    DO_TEST_CAPS_VER_PARSE_ERROR("launch-security-sev-missing-policy", "2.12.0");
>   
>       DO_TEST_CAPS_LATEST("vhost-user-fs-fd-memory");
>       DO_TEST_CAPS_LATEST("vhost-user-fs-hugepages");
> 



