1. Patchew
  2. Libvirt
  3. View series

[PATCH v2 0/7] Add Security Guest doc and check for capabilities cache validation

Paulo de Rezende Pinatti posted 7 patches 3 years, 11 months ago
Test syntax-check failed
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/libvirt tags/patchew/20200529101009.130358-1-ppinatti@linux.ibm.com
There is a newer version of this series
docs/kbase.html.in                 |   3 +
docs/kbase/launch_security_sev.rst |   9 +-
docs/kbase/s390_protected_virt.rst | 189 +++++++++++++++++++++++++++++
src/libvirt_private.syms           |   2 +
src/qemu/qemu_capabilities.c       |  76 ++++++++++++
src/util/virutil.c                 | 169 ++++++++++++++++++++++++++
src/util/virutil.h                 |  17 +++
tests/utiltest.c                   | 141 +++++++++++++++++++++
tools/virt-host-validate-common.c  |  83 ++++++++++++-
tools/virt-host-validate-common.h  |   5 +
tools/virt-host-validate-qemu.c    |   4 +
11 files changed, 693 insertions(+), 5 deletions(-)
create mode 100644 docs/kbase/s390_protected_virt.rst
[PATCH v2 0/7] Add Security Guest doc and check for capabilities cache validation
Posted by Paulo de Rezende Pinatti 3 years, 11 months ago 
This series introduces the concept of a 'Secure Guest' feature
which covers on s390 IBM Secure Execution and on x86 AMD Secure
Encrypted Virtualization.

Besides adding documentation for IBM Secure Execution it also adds
checks during validation of the qemu capabilities cache.
These checks per architecture can be performed for IBM Secure
Execution on s390 and AMD Secure Encrypted Virtualization on AMD x86
CPUs (both checks implemented in this series).

For s390 the verification consists of:
- checking if /sys/firmware/uv is available: meaning the HW
facility is available and the host OS supports it;
- checking if the kernel cmdline contains 'prot_virt=1': meaning
the host OS wants to use the feature.

For AMD Secure Encrypted Virtualization the verification consists of:
- checking if /sys/module/kvm_amd/parameters/sev contains the
value '1': meaning SEV is enabled in the host kernel;
- checking if /dev/sev exists

Whenever the availability of the feature does not match the secure
guest flag in the cache then libvirt will re-build it in order to
pick up the new set of capabilities available.

Additionally, this series adds the same aforementioned checks to the
virt-host-validate tool to facilitate the manual verification
process for users.

Changes in v2:

[Patch 1]
  Reworked kernel cmdline parser into a parameter based processing.
[Patch 2]
  Added missing value "on" to kvalue list
[Patch 3]
  Changed AMD SEV support check to module parameter is set and /dev/sev exists.
  Moved doc changes to a new standalone patch 6.
[Patch 4]
  Added missing value "on" to kvalue list
[Patch 5]
  Changed AMD SEV support check to align with patch 3.
  Moved doc changes to a new standalone patch 6.
[Patch 6]
  Summarized AMD SEV doc changes from patches 3 and 5.
  Adjusted libvirt version number
[Patch 7 (v1: Patch 6)]
  Adjusted libvirt version number

link to v1: https://www.redhat.com/archives/libvir-list/2020-May/msg00416.html

Boris Fiuczynski (3):
  tools: secure guest check on s390 in virt-host-validate
  tools: secure guest check for AMD in virt-host-validate
  docs: update AMD launch secure description

Paulo de Rezende Pinatti (3):
  util: introduce a parser for kernel cmdline arguments
  qemu: check if s390 secure guest support is enabled
  qemu: check if AMD secure guest support is enabled

Viktor Mihajlovski (1):
  docs: Describe protected virtualization guest setup

 docs/kbase.html.in                 |   3 +
 docs/kbase/launch_security_sev.rst |   9 +-
 docs/kbase/s390_protected_virt.rst | 189 +++++++++++++++++++++++++++++
 src/libvirt_private.syms           |   2 +
 src/qemu/qemu_capabilities.c       |  76 ++++++++++++
 src/util/virutil.c                 | 169 ++++++++++++++++++++++++++
 src/util/virutil.h                 |  17 +++
 tests/utiltest.c                   | 141 +++++++++++++++++++++
 tools/virt-host-validate-common.c  |  83 ++++++++++++-
 tools/virt-host-validate-common.h  |   5 +
 tools/virt-host-validate-qemu.c    |   4 +
 11 files changed, 693 insertions(+), 5 deletions(-)
 create mode 100644 docs/kbase/s390_protected_virt.rst

-- 
2.25.4
Re: [PATCH v2 0/7] Add Security Guest doc and check for capabilities cache validation
Posted by Paulo de Rezende Pinatti 3 years, 10 months ago 
Ping for reviews.

On 29/05/20 12:10, Paulo de Rezende Pinatti wrote:
> This series introduces the concept of a 'Secure Guest' feature
> which covers on s390 IBM Secure Execution and on x86 AMD Secure
> Encrypted Virtualization.
> 
> Besides adding documentation for IBM Secure Execution it also adds
> checks during validation of the qemu capabilities cache.
> These checks per architecture can be performed for IBM Secure
> Execution on s390 and AMD Secure Encrypted Virtualization on AMD x86
> CPUs (both checks implemented in this series).
> 
> For s390 the verification consists of:
> - checking if /sys/firmware/uv is available: meaning the HW
> facility is available and the host OS supports it;
> - checking if the kernel cmdline contains 'prot_virt=1': meaning
> the host OS wants to use the feature.
> 
> For AMD Secure Encrypted Virtualization the verification consists of:
> - checking if /sys/module/kvm_amd/parameters/sev contains the
> value '1': meaning SEV is enabled in the host kernel;
> - checking if /dev/sev exists
> 
> Whenever the availability of the feature does not match the secure
> guest flag in the cache then libvirt will re-build it in order to
> pick up the new set of capabilities available.
> 
> Additionally, this series adds the same aforementioned checks to the
> virt-host-validate tool to facilitate the manual verification
> process for users.
> 
> Changes in v2:
> 
> [Patch 1]
>    Reworked kernel cmdline parser into a parameter based processing.
> [Patch 2]
>    Added missing value "on" to kvalue list
> [Patch 3]
>    Changed AMD SEV support check to module parameter is set and /dev/sev exists.
>    Moved doc changes to a new standalone patch 6.
> [Patch 4]
>    Added missing value "on" to kvalue list
> [Patch 5]
>    Changed AMD SEV support check to align with patch 3.
>    Moved doc changes to a new standalone patch 6.
> [Patch 6]
>    Summarized AMD SEV doc changes from patches 3 and 5.
>    Adjusted libvirt version number
> [Patch 7 (v1: Patch 6)]
>    Adjusted libvirt version number
> 
> link to v1: https://www.redhat.com/archives/libvir-list/2020-May/msg00416.html
> 
> Boris Fiuczynski (3):
>    tools: secure guest check on s390 in virt-host-validate
>    tools: secure guest check for AMD in virt-host-validate
>    docs: update AMD launch secure description
> 
> Paulo de Rezende Pinatti (3):
>    util: introduce a parser for kernel cmdline arguments
>    qemu: check if s390 secure guest support is enabled
>    qemu: check if AMD secure guest support is enabled
> 
> Viktor Mihajlovski (1):
>    docs: Describe protected virtualization guest setup
> 
>   docs/kbase.html.in                 |   3 +
>   docs/kbase/launch_security_sev.rst |   9 +-
>   docs/kbase/s390_protected_virt.rst | 189 +++++++++++++++++++++++++++++
>   src/libvirt_private.syms           |   2 +
>   src/qemu/qemu_capabilities.c       |  76 ++++++++++++
>   src/util/virutil.c                 | 169 ++++++++++++++++++++++++++
>   src/util/virutil.h                 |  17 +++
>   tests/utiltest.c                   | 141 +++++++++++++++++++++
>   tools/virt-host-validate-common.c  |  83 ++++++++++++-
>   tools/virt-host-validate-common.h  |   5 +
>   tools/virt-host-validate-qemu.c    |   4 +
>   11 files changed, 693 insertions(+), 5 deletions(-)
>   create mode 100644 docs/kbase/s390_protected_virt.rst
> 

-- 
Best regards,

Paulo de Rezende Pinatti

Patchew 2.1-devel-0870f84

© 2016 - 2024 Red Hat, Inc.