From: Boris Fiuczynski <fiuczy@linux.ibm.com>
Add checking in virt-host-validate for secure guest support
on x86 for AMD Secure Encrypted Virtualization.
Signed-off-by: Boris Fiuczynski <fiuczy@linux.ibm.com>
Reviewed-by: Paulo de Rezende Pinatti <ppinatti@linux.ibm.com>
Reviewed-by: Bjoern Walk <bwalk@linux.ibm.com>
---
tools/virt-host-validate-common.c | 29 +++++++++++++++++++++++++++--
tools/virt-host-validate-common.h | 1 +
2 files changed, 28 insertions(+), 2 deletions(-)
diff --git a/tools/virt-host-validate-common.c b/tools/virt-host-validate-common.c
index 8ead68798f..de007f2c43 100644
--- a/tools/virt-host-validate-common.c
+++ b/tools/virt-host-validate-common.c
@@ -41,7 +41,8 @@ VIR_ENUM_IMPL(virHostValidateCPUFlag,
"vmx",
"svm",
"sie",
- "158");
+ "158",
+ "sev");
static bool quiet;
@@ -447,15 +448,18 @@ int virHostValidateSecureGuests(const char *hvname,
virHostValidateLevel level)
{
virBitmapPtr flags;
- bool hasFac158 = false;
+ bool hasFac158 = false, hasAMDSev = false;
virArch arch = virArchFromHost();
g_autofree char *cmdline = NULL;
static const char *kIBMValues[] = {"y", "Y", "on", "ON", "oN", "On", "1"};
+ g_autofree char *mod_value = NULL;
flags = virHostValidateGetCPUFlags();
if (flags && virBitmapIsBitSet(flags, VIR_HOST_VALIDATE_CPU_FLAG_FACILITY_158))
hasFac158 = true;
+ else if (flags && virBitmapIsBitSet(flags, VIR_HOST_VALIDATE_CPU_FLAG_SEV))
+ hasAMDSev = true;
virBitmapFree(flags);
@@ -485,6 +489,27 @@ int virHostValidateSecureGuests(const char *hvname,
virHostMsgFail(level, "Hardware or firmware does not provide "
"support for IBM Secure Execution");
}
+ } else if (hasAMDSev) {
+ if (virFileReadValueString(&mod_value, "/sys/module/kvm_amd/parameters/sev") < 0) {
+ virHostMsgFail(level, "AMD Secure Encrypted Virtualization not "
+ "supported by the currently used kernel");
+ return 0;
+ }
+ if (mod_value[0] != '1') {
+ virHostMsgFail(level,
+ "AMD Secure Encrypted Virtualization appears to be "
+ "disabled in kernel. Add mem_encrypt=on "
+ "kvm_amd.sev=1 to kernel cmdline arguments");
+ return 0;
+ }
+ if (virFileExists("/dev/sev")) {
+ virHostMsgPass();
+ return 1;
+ } else {
+ virHostMsgFail(level,
+ "AMD Secure Encrypted Virtualization appears to be "
+ "disabled in firemare.");
+ }
} else {
virHostMsgFail(level,
"Unknown if this platform has Secure Guest support");
diff --git a/tools/virt-host-validate-common.h b/tools/virt-host-validate-common.h
index 44b5544a12..3df5ea0c7e 100644
--- a/tools/virt-host-validate-common.h
+++ b/tools/virt-host-validate-common.h
@@ -38,6 +38,7 @@ typedef enum {
VIR_HOST_VALIDATE_CPU_FLAG_SVM,
VIR_HOST_VALIDATE_CPU_FLAG_SIE,
VIR_HOST_VALIDATE_CPU_FLAG_FACILITY_158,
+ VIR_HOST_VALIDATE_CPU_FLAG_SEV,
VIR_HOST_VALIDATE_CPU_FLAG_LAST,
} virHostValidateCPUFlag;
--
2.25.4
On Fri, May 29, 2020 at 12:10:07PM +0200, Paulo de Rezende Pinatti wrote:
> From: Boris Fiuczynski <fiuczy@linux.ibm.com>
>
> Add checking in virt-host-validate for secure guest support
> on x86 for AMD Secure Encrypted Virtualization.
>
> Signed-off-by: Boris Fiuczynski <fiuczy@linux.ibm.com>
> Reviewed-by: Paulo de Rezende Pinatti <ppinatti@linux.ibm.com>
> Reviewed-by: Bjoern Walk <bwalk@linux.ibm.com>
> ---
> tools/virt-host-validate-common.c | 29 +++++++++++++++++++++++++++--
> tools/virt-host-validate-common.h | 1 +
> 2 files changed, 28 insertions(+), 2 deletions(-)
>
> diff --git a/tools/virt-host-validate-common.c b/tools/virt-host-validate-common.c
> index 8ead68798f..de007f2c43 100644
> --- a/tools/virt-host-validate-common.c
> +++ b/tools/virt-host-validate-common.c
> @@ -41,7 +41,8 @@ VIR_ENUM_IMPL(virHostValidateCPUFlag,
> "vmx",
> "svm",
> "sie",
> - "158");
> + "158",
> + "sev");
>
> static bool quiet;
>
> @@ -447,15 +448,18 @@ int virHostValidateSecureGuests(const char *hvname,
> virHostValidateLevel level)
> {
> virBitmapPtr flags;
> - bool hasFac158 = false;
> + bool hasFac158 = false, hasAMDSev = false;
^one variable definition per line
> virArch arch = virArchFromHost();
> g_autofree char *cmdline = NULL;
> static const char *kIBMValues[] = {"y", "Y", "on", "ON", "oN", "On", "1"};
> + g_autofree char *mod_value = NULL;
>
> flags = virHostValidateGetCPUFlags();
>
> if (flags && virBitmapIsBitSet(flags, VIR_HOST_VALIDATE_CPU_FLAG_FACILITY_158))
> hasFac158 = true;
> + else if (flags && virBitmapIsBitSet(flags, VIR_HOST_VALIDATE_CPU_FLAG_SEV))
> + hasAMDSev = true;
>
> virBitmapFree(flags);
>
> @@ -485,6 +489,27 @@ int virHostValidateSecureGuests(const char *hvname,
> virHostMsgFail(level, "Hardware or firmware does not provide "
> "support for IBM Secure Execution");
> }
> + } else if (hasAMDSev) {
> + if (virFileReadValueString(&mod_value, "/sys/module/kvm_amd/parameters/sev") < 0) {
> + virHostMsgFail(level, "AMD Secure Encrypted Virtualization not "
> + "supported by the currently used kernel");
> + return 0;
> + }
empty line here...
> + if (mod_value[0] != '1') {
> + virHostMsgFail(level,
> + "AMD Secure Encrypted Virtualization appears to be "
> + "disabled in kernel. Add mem_encrypt=on "
> + "kvm_amd.sev=1 to kernel cmdline arguments");
> + return 0;
> + }
and here...
Reviewed-by: Erik Skultety <eskultet@redhat.com>
© 2016 - 2026 Red Hat, Inc.