[virt-tools-list] [virt-manager PATCH 6/8] domcapabilities: introduce get_cpu_security_features
Pavel Hrdina
phrdina at redhat.com
Fri Mar 15 16:41:40 UTC 2019
Get all CPU security features that we should enable for guests.
In order to do that we need to get CPU definition from domain
capabilities and modify the XML so it is in required format for
libvirt CPU baseline APIs. We will prefer the baselineHypervisorCPU
API because that considers what QEMU actually supports and we will
fallback to baselineCPU API if the better one is not supported by
libvirt.
This way we can figure out which of the security features are actually
available on that specific host for that specific QEMU binary.
Signed-off-by: Pavel Hrdina <phrdina at redhat.com>
---
virtinst/domcapabilities.py | 43 +++++++++++++++++++++++++++++++++++++
virtinst/support.py | 4 ++++
2 files changed, 47 insertions(+)
diff --git a/virtinst/domcapabilities.py b/virtinst/domcapabilities.py
index deef9e6a..7576472d 100644
--- a/virtinst/domcapabilities.py
+++ b/virtinst/domcapabilities.py
@@ -8,7 +8,11 @@
import logging
import re
+import xml.etree.ElementTree as ET
+import libvirt
+
+from .domain import DomainCpu
from .xmlbuilder import XMLBuilder, XMLChildProperty, XMLProperty
@@ -243,6 +247,45 @@ class DomainCapabilities(XMLBuilder):
return models
+ def _convert_mode_to_cpu(self, xml):
+ root = ET.fromstring(xml)
+ root.tag = "cpu"
+ root.attrib = None
+ arch = ET.SubElement(root, "arch")
+ arch.text = self.arch
+ return ET.tostring(root, encoding="unicode")
+
+ def get_cpu_security_features(self):
+ sec_features = [
+ 'pcid',
+ 'spec-ctrl',
+ 'ssbd',
+ 'pdpe1gb',
+ 'ibpb',
+ 'virt-ssbd',
+ 'amd-ssbd',
+ 'amd-no-ssb']
+
+ features = []
+
+ for m in self.cpu.modes:
+ if m.name == "host-model":
+ cpuXML = self._convert_mode_to_cpu(m.get_xml())
+ if self.conn.check_support(self.conn.SUPPORT_CONN_HYPERVISOR_BASELINE):
+ expandedXML = self.conn.baselineHypervisorCPU(
+ self.path, self.arch, self.machine, self.domain, [cpuXML],
+ libvirt.VIR_CONNECT_BASELINE_CPU_EXPAND_FEATURES)
+ else:
+ expandedXML = self.conn.baselineCPU([cpuXML],
+ libvirt.VIR_CONNECT_BASELINE_CPU_EXPAND_FEATURES)
+ cpu = DomainCpu(self.conn, expandedXML)
+
+ for feature in cpu.features:
+ if feature.name in sec_features:
+ features.append(feature.name)
+
+ return features
+
XML_NAME = "domainCapabilities"
os = XMLChildProperty(_OS, is_single=True)
diff --git a/virtinst/support.py b/virtinst/support.py
index 7ace3ef6..077be426 100644
--- a/virtinst/support.py
+++ b/virtinst/support.py
@@ -278,6 +278,10 @@ SUPPORT_CONN_DISK_DRIVER_NAME_QEMU = _make(
hv_version={"qemu": 0, "xen": "4.2.0"},
hv_libvirt_version={"qemu": 0, "xen": "1.1.0"})
+SUPPORT_CONN_HYPERVISOR_BASELINE = _make(
+ version="4.4.0",
+ hv_libvirt_version={"test": 0})
+
#################
# Domain checks #
--
2.20.1
More information about the virt-tools-list
mailing list