Change the launch security policy of type SEV from required to
optional and add a test to ensure the launch security policy
remains required when the launch security type is SEV.
Signed-off-by: Boris Fiuczynski <fiuczy@linux.ibm.com>
---
docs/schemas/domaincommon.rng | 12 ++++---
src/conf/domain_conf.c | 3 +-
...urity-sev-missing-policy.x86_64-2.12.0.err | 1 +
.../launch-security-sev-missing-policy.xml | 34 +++++++++++++++++++
tests/qemuxml2argvtest.c | 1 +
5 files changed, 46 insertions(+), 5 deletions(-)
create mode 100644 tests/qemuxml2argvdata/launch-security-sev-missing-policy.x86_64-2.12.0.err
create mode 100644 tests/qemuxml2argvdata/launch-security-sev-missing-policy.xml
diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
index 5ea14b6dbf..8c1b6c3a09 100644
--- a/docs/schemas/domaincommon.rng
+++ b/docs/schemas/domaincommon.rng
@@ -483,7 +483,9 @@
<define name="launchSecurity">
<element name="launchSecurity">
<attribute name="type">
- <value>sev</value>
+ <choice>
+ <value>sev</value>
+ </choice>
</attribute>
<interleave>
<optional>
@@ -496,9 +498,11 @@
<data type="unsignedInt"/>
</element>
</optional>
- <element name="policy">
- <ref name="hexuint"/>
- </element>
+ <optional>
+ <element name="policy">
+ <ref name="hexuint"/>
+ </element>
+ </optional>
<optional>
<element name="handle">
<ref name="unsignedInt"/>
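Review bot: Wrapping `policy` in `<optional>` in the second hunk drops the only schema-level check that an SEV `launchSecurity` carries a policy, so an `<launchSecurity type='sev'>` without `<policy>` now passes RNG validation and is rejected only by the parser, and the schema and virDomainSEVDefParseXML disagree on what a valid SEV definition is. Since the `<choice>` introduced around `<value>sev</value>` in the first hunk suggests further types are coming, the requirement can stay visible in the schema by making the define a `<choice>` of per-type `<group>` branches, with `<policy>` mandatory inside the sev branch and other types carrying their own content. If the relaxed form is kept instead, a schema comment such as `<!-- policy is validated as required for type='sev' by the parser; it is optional here only because other types do not use it -->` would tell the next reader why the two differ. The `launchSecurity` define continues past the end of this hunk, so the sketch below shows only the sev branch.
```xml
<define name="launchSecurity">
  <element name="launchSecurity">
    <choice>
      <group>
        <attribute name="type">
          <value>sev</value>
        </attribute>
        <interleave>
          <!-- … unchanged: the optional elements preceding policy … -->
          <element name="policy">
            <ref name="hexuint"/>
          </element>
          <!-- … unchanged: the optional handle element and the rest of the interleave … -->
        </interleave>
      </group>
      <!-- further launch security types: one <group> per type -->
    </choice>
  </element>
</define>
```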
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index f65509d8ec..af2fd03d3c 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -14749,7 +14749,8 @@ virDomainSEVDefParseXML(xmlNodePtr sevNode,
if (virXPathULongHex("string(./policy)", ctxt, &policy) < 0) {
virReportError(VIR_ERR_XML_ERROR, "%s",
- _("failed to get launch security policy"));
+ _("failed to get launch security policy for "
+ "launch security type SEV"));
goto error;
}
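Review bot: The `< 0` test on the line above the reworded message still folds two outcomes into one report: virXPathULongHex appears to return one negative code when `./policy` is absent and a different one when it is present but not a valid hex value (please confirm against its definition in virxml.c), and "failed to get launch security policy for launch security type SEV" does not tell the user which happened. Now that the schema no longer requires `<policy>`, the absent case becomes the likely user mistake, so checking that return code separately and reporting `_("launch security policy is required for launch security type SEV")` for it would make both the user-facing error and the new .err expectation more precise. If a single message is kept, `_("missing or invalid launch security policy for launch security type SEV")` at least names both causes. virDomainSEVDefParseXML starts and continues outside this hunk.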
diff --git a/tests/qemuxml2argvdata/launch-security-sev-missing-policy.x86_64-2.12.0.err b/tests/qemuxml2argvdata/launch-security-sev-missing-policy.x86_64-2.12.0.err
new file mode 100644
index 0000000000..2019c8bb13
--- /dev/null
+++ b/tests/qemuxml2argvdata/launch-security-sev-missing-policy.x86_64-2.12.0.err
@@ -0,0 +1 @@
+XML error: failed to get launch security policy for launch security type SEV
diff --git a/tests/qemuxml2argvdata/launch-security-sev-missing-policy.xml b/tests/qemuxml2argvdata/launch-security-sev-missing-policy.xml
new file mode 100644
index 0000000000..5461b06c9d
--- /dev/null
+++ b/tests/qemuxml2argvdata/launch-security-sev-missing-policy.xml
@@ -0,0 +1,34 @@
+<domain type='kvm'>
+ <name>QEMUGuest1</name>
+ <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+ <memory unit='KiB'>219100</memory>
+ <currentMemory unit='KiB'>219100</currentMemory>
+ <vcpu placement='static'>1</vcpu>
+ <os>
+ <type arch='x86_64' machine='pc-1.0'>hvm</type>
+ <boot dev='hd'/>
+ </os>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <emulator>/usr/bin/qemu-system-x86_64</emulator>
+ <disk type='block' device='disk'>
+ <driver name='qemu' type='raw'/>
+ <source dev='/dev/HostVG/QEMUGuest1'/>
+ <target dev='hda' bus='ide'/>
+ <address type='drive' controller='0' bus='0' target='0' unit='0'/>
+ </disk>
+ <controller type='usb' index='0'/>
+ <controller type='ide' index='0'/>
+ <controller type='pci' index='0' model='pci-root'/>
+ <input type='mouse' bus='ps2'/>
+ <input type='keyboard' bus='ps2'/>
+ <memballoon model='none'/>
+ </devices>
+ <launchSecurity type='sev'>
+ <dhCert>AQAAAAAOAAAAQAAAAAOAAAAQAAAAAOAAAAQAAAAAOAAAAQAAAAAOAAA</dhCert>
+ <session>IHAVENOIDEABUTJUSTPROVIDINGASTRING</session>
+ </launchSecurity>
+</domain>
diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c
index 9df28658b9..ef6afae586 100644
--- a/tests/qemuxml2argvtest.c
+++ b/tests/qemuxml2argvtest.c
@@ -3459,6 +3459,7 @@ mymain(void)
DO_TEST_CAPS_VER("launch-security-sev", "2.12.0");
DO_TEST_CAPS_VER("launch-security-sev", "6.0.0");
DO_TEST_CAPS_VER("launch-security-sev-missing-platform-info", "2.12.0");
+ DO_TEST_CAPS_VER_PARSE_ERROR("launch-security-sev-missing-policy", "2.12.0");
DO_TEST_CAPS_LATEST("vhost-user-fs-fd-memory");
DO_TEST_CAPS_LATEST("vhost-user-fs-hugepages");
--
2.30.2
On 6/22/21 10:10 AM, Boris Fiuczynski wrote:
> Change launch security policy of type SEV from required to
> optional and add a test to ensure the required launch security
> policy remains required when launch security type is SEV.
>
> Signed-off-by: Boris Fiuczynski <fiuczy@linux.ibm.com>
> ---
Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
> docs/schemas/domaincommon.rng | 12 ++++---
> src/conf/domain_conf.c | 3 +-
> ...urity-sev-missing-policy.x86_64-2.12.0.err | 1 +
> .../launch-security-sev-missing-policy.xml | 34 +++++++++++++++++++
> tests/qemuxml2argvtest.c | 1 +
> 5 files changed, 46 insertions(+), 5 deletions(-)
> create mode 100644 tests/qemuxml2argvdata/launch-security-sev-missing-policy.x86_64-2.12.0.err
> create mode 100644 tests/qemuxml2argvdata/launch-security-sev-missing-policy.xml
>
> diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
> index 5ea14b6dbf..8c1b6c3a09 100644
> --- a/docs/schemas/domaincommon.rng
> +++ b/docs/schemas/domaincommon.rng
> @@ -483,7 +483,9 @@
> <define name="launchSecurity">
> <element name="launchSecurity">
> <attribute name="type">
> - <value>sev</value>
> + <choice>
> + <value>sev</value>
> + </choice>
> </attribute>
> <interleave>
> <optional>
> @@ -496,9 +498,11 @@
> <data type="unsignedInt"/>
> </element>
> </optional>
> - <element name="policy">
> - <ref name="hexuint"/>
> - </element>
> + <optional>
> + <element name="policy">
> + <ref name="hexuint"/>
> + </element>
> + </optional>
> <optional>
> <element name="handle">
> <ref name="unsignedInt"/>
> diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
> index f65509d8ec..af2fd03d3c 100644
> --- a/src/conf/domain_conf.c
> +++ b/src/conf/domain_conf.c
> @@ -14749,7 +14749,8 @@ virDomainSEVDefParseXML(xmlNodePtr sevNode,
>
> if (virXPathULongHex("string(./policy)", ctxt, &policy) < 0) {
> virReportError(VIR_ERR_XML_ERROR, "%s",
> - _("failed to get launch security policy"));
> + _("failed to get launch security policy for "
> + "launch security type SEV"));
> goto error;
> }
>
> diff --git a/tests/qemuxml2argvdata/launch-security-sev-missing-policy.x86_64-2.12.0.err b/tests/qemuxml2argvdata/launch-security-sev-missing-policy.x86_64-2.12.0.err
> new file mode 100644
> index 0000000000..2019c8bb13
> --- /dev/null
> +++ b/tests/qemuxml2argvdata/launch-security-sev-missing-policy.x86_64-2.12.0.err
> @@ -0,0 +1 @@
> +XML error: failed to get launch security policy for launch security type SEV
> diff --git a/tests/qemuxml2argvdata/launch-security-sev-missing-policy.xml b/tests/qemuxml2argvdata/launch-security-sev-missing-policy.xml
> new file mode 100644
> index 0000000000..5461b06c9d
> --- /dev/null
> +++ b/tests/qemuxml2argvdata/launch-security-sev-missing-policy.xml
> @@ -0,0 +1,34 @@
> +<domain type='kvm'>
> + <name>QEMUGuest1</name>
> + <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
> + <memory unit='KiB'>219100</memory>
> + <currentMemory unit='KiB'>219100</currentMemory>
> + <vcpu placement='static'>1</vcpu>
> + <os>
> + <type arch='x86_64' machine='pc-1.0'>hvm</type>
> + <boot dev='hd'/>
> + </os>
> + <clock offset='utc'/>
> + <on_poweroff>destroy</on_poweroff>
> + <on_reboot>restart</on_reboot>
> + <on_crash>destroy</on_crash>
> + <devices>
> + <emulator>/usr/bin/qemu-system-x86_64</emulator>
> + <disk type='block' device='disk'>
> + <driver name='qemu' type='raw'/>
> + <source dev='/dev/HostVG/QEMUGuest1'/>
> + <target dev='hda' bus='ide'/>
> + <address type='drive' controller='0' bus='0' target='0' unit='0'/>
> + </disk>
> + <controller type='usb' index='0'/>
> + <controller type='ide' index='0'/>
> + <controller type='pci' index='0' model='pci-root'/>
> + <input type='mouse' bus='ps2'/>
> + <input type='keyboard' bus='ps2'/>
> + <memballoon model='none'/>
> + </devices>
> + <launchSecurity type='sev'>
> + <dhCert>AQAAAAAOAAAAQAAAAAOAAAAQAAAAAOAAAAQAAAAAOAAAAQAAAAAOAAA</dhCert>
> + <session>IHAVENOIDEABUTJUSTPROVIDINGASTRING</session>
> + </launchSecurity>
> +</domain>
> diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c
> index 9df28658b9..ef6afae586 100644
> --- a/tests/qemuxml2argvtest.c
> +++ b/tests/qemuxml2argvtest.c
> @@ -3459,6 +3459,7 @@ mymain(void)
> DO_TEST_CAPS_VER("launch-security-sev", "2.12.0");
> DO_TEST_CAPS_VER("launch-security-sev", "6.0.0");
> DO_TEST_CAPS_VER("launch-security-sev-missing-platform-info", "2.12.0");
> + DO_TEST_CAPS_VER_PARSE_ERROR("launch-security-sev-missing-policy", "2.12.0");
>
> DO_TEST_CAPS_LATEST("vhost-user-fs-fd-memory");
> DO_TEST_CAPS_LATEST("vhost-user-fs-hugepages");
>
On Tue, Jun 22, 2021 at 03:10:44PM +0200, Boris Fiuczynski wrote: > Change launch security policy of type SEV from required to > optional and add a test to ensure the required launch security > policy remains required when launch security type is SEV. > > Signed-off-by: Boris Fiuczynski <fiuczy@linux.ibm.com> > --- > docs/schemas/domaincommon.rng | 12 ++++--- > src/conf/domain_conf.c | 3 +- > ...urity-sev-missing-policy.x86_64-2.12.0.err | 1 + > .../launch-security-sev-missing-policy.xml | 34 +++++++++++++++++++ > tests/qemuxml2argvtest.c | 1 + > 5 files changed, 46 insertions(+), 5 deletions(-) > create mode 100644 tests/qemuxml2argvdata/launch-security-sev-missing-policy.x86_64-2.12.0.err > create mode 100644 tests/qemuxml2argvdata/launch-security-sev-missing-policy.xml Reviewed-by: Pavel Hrdina <phrdina@redhat.com>