[virt-tools-list] [virt-install PATCH 0/7] Introduce initial support for AMD SEV launch security
Cole Robinson
crobinso at redhat.com
Thu Jun 6 21:24:32 UTC 2019
On 6/6/19 6:00 AM, Erik Skultety wrote:
> This series introduces a new cmdline parameter --launch-security. All of the
> options the argument takes are either completely optional or there is a
> reasonable default provided. More details are available in the individual
> patches.
>
> One thing that this series doesn't address is handling virtio devices with SEV.
> See, to successfully use SEV with virtio devices, there are basically 2
> conditions:
> 1) the boot disk cannot be virtio-blk, as that doesn't work with SEV, but
> virtio-scsi is fine (which means handling the virtio-scsi controller)
>
> 2) for the rest of the virtio devices, driver.iommu needs to be turned on as
> the IOMMU flag enables usage of encrypted DMA.
>
Yeah that's a bit tricky. As your example in patch 6 points out, libvirt
adds implicit virtio devices for us in some cases, so even if we wanted
to set this default value in virtinst code we would need to add some
implicit devices as well, which is annoying. It's worth asking if
libvirt should handle this for us and save apps the pain of dealing with
it. First thing to understand is what the failure scenario is for
missing iommu=on, does qemu or libvirt error or is there some valid case
where you would want iommu=off with sev ?
- Cole
> So rather then spend more time on figuring out how to properly handle that, I
> decided to start with the basic support first and continue from there.
>
> Resolves:
> https://bugzilla.redhat.com/show_bug.cgi?id=1501608
>
> Erik Skultety (7):
> Introduce real-world AMD SEV domain capabilities
> virtinst: cli: Introduce parser support for SEV launch security
> virtinst: cli: Provide a default value for the 'policy' argument
> virtinst: guest: Fill in SEV platform specific data automatically
> virtins: guest: Provide further SEV support checks
> man: Provide a documentation for the SEV feature
> DO NOT MERGE: showcase a functional SEV cmdline in a simple script
>
> man/virt-install.pod | 75 ++++++++-
> .../kvm-x86_64-amd-domcaps-q35.xml | 146 ++++++++++++++++++
> ...nstall-x86_64-launch-security-sev-full.xml | 63 ++++++++
> ...irt-install-x86_64-launch-security-sev.xml | 61 ++++++++
> tests/clitest.py | 10 ++
> tests/utils.py | 2 +
> virt-install-sev.sh | 19 +++
> virtinst/cli.py | 62 ++++++++
> virtinst/domain/__init__.py | 1 +
> virtinst/domain/launch_security.py | 37 +++++
> virtinst/domcapabilities.py | 22 +++
> virtinst/guest.py | 25 ++-
> 12 files changed, 521 insertions(+), 2 deletions(-)
> create mode 100644 tests/capabilities-xml/kvm-x86_64-amd-domcaps-q35.xml
> create mode 100644 tests/cli-test-xml/compare/virt-install-x86_64-launch-security-sev-full.xml
> create mode 100644 tests/cli-test-xml/compare/virt-install-x86_64-launch-security-sev.xml
> create mode 100644 virt-install-sev.sh
> create mode 100644 virtinst/domain/launch_security.py
>
> --
> 2.20.1
>
> _______________________________________________
> virt-tools-list mailing list
> virt-tools-list at redhat.com
> https://www.redhat.com/mailman/listinfo/virt-tools-list
>
- Cole
More information about the virt-tools-list
mailing list