From nobody Mon Feb  9 23:38:23 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of redhat.com designates
 170.10.129.124 as permitted sender) client-ip=170.10.129.124;
 envelope-from=libvir-list-bounces@redhat.com;
 helo=us-smtp-delivery-124.mimecast.com;
Authentication-Results: mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of redhat.com designates 170.10.129.124 as
 permitted sender)  smtp.mailfrom=libvir-list-bounces@redhat.com;
	dmarc=pass(p=none dis=none)  header.from=redhat.com
ARC-Seal: i=1; a=rsa-sha256; t=1692967997; cv=none;
	d=zohomail.com; s=zohoarc;
	b=ci+98zdHnpoytF43npCIccEQkKUULqcX36p6zJi6op9QBDhq3DEbmpnRUunyg5Z6b0tZyh8+EgriHkNBzZxRtyty42ogu9iKPD3SY/frX+jfaQfxPRp30AzfxSK5pm4ljXv43zHhkRBzUGZ5RqM55KRqQ1Crihj9xcDKYmA9s9k=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1692967997;
 h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To;
	bh=whKhAzDBepMQVlXIDplAgkFfqgE6T1gHxhrOGiO1gmg=;
	b=brTMhOfyUylBacqDj091/t4qvqt9f2T6yPFP1MboW6xgeFM3RnURqoJg1VomejekYng/NN0MHAbDi2sMj2Xze6qG0Hhn11WsIujYm1cKAyM9KTtb1w1WkUwfGDbJrqwpuZVIKHWyPjwlYD3mk5+cwVyUP4HEeDqKQ9FLO4RDyiM=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of redhat.com designates 170.10.129.124 as
 permitted sender)  smtp.mailfrom=libvir-list-bounces@redhat.com;
	dmarc=pass header.from=<berrange@redhat.com> (p=none dis=none)
Return-Path: <libvir-list-bounces@redhat.com>
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by mx.zohomail.com
	with SMTPS id 1692967997285626.2504466329299;
 Fri, 25 Aug 2023 05:53:17 -0700 (PDT)
Received: from mimecast-mx02.redhat.com (66.187.233.73 [66.187.233.73]) by
 relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 us-mta-533-34ifsggZNJazdsbJWr-rwQ-1; Fri, 25 Aug 2023 08:53:10 -0400
Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.rdu2.redhat.com
 [10.11.54.8])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 8713828004F7;
	Fri, 25 Aug 2023 12:53:08 +0000 (UTC)
Received: from mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com
 (mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com [10.30.29.100])
	by smtp.corp.redhat.com (Postfix) with ESMTP id 744A3C1602E;
	Fri, 25 Aug 2023 12:53:08 +0000 (UTC)
Received: from mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com
 (localhost [IPv6:::1])
	by mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (Postfix) with
 ESMTP id 226D019465B2;
	Fri, 25 Aug 2023 12:53:03 +0000 (UTC)
Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.rdu2.redhat.com
 [10.11.54.6])
 by mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (Postfix) with
 ESMTP id B5A891946A42 for <libvir-list@listman.corp.redhat.com>;
 Fri, 25 Aug 2023 12:53:01 +0000 (UTC)
Received: by smtp.corp.redhat.com (Postfix)
 id 7E36D2166B28; Fri, 25 Aug 2023 12:53:01 +0000 (UTC)
Received: from localhost.localdomain.com (unknown [10.42.28.144])
 by smtp.corp.redhat.com (Postfix) with ESMTP id 0BB012166B26;
 Fri, 25 Aug 2023 12:53:00 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1692967996;
	h=from:from:sender:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:mime-version:mime-version:
	 content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references:list-id:list-help:
	 list-unsubscribe:list-subscribe:list-post;
	bh=whKhAzDBepMQVlXIDplAgkFfqgE6T1gHxhrOGiO1gmg=;
	b=TjtU9thnvQrH1TLWM0jlXNOHHwgwoM7LTVNYVdH3g2Xu4ZopniqKvroRDNYHjtjgVT8HMp
	nIoSQH16LwL0IkcYrslaBQMyc91c8ns15NlHkzvDItZJLs8Ct183u/IG23bGKI4JfQtzDs
	EB4M4IIv4H83kj/tICV3+2YfwIRizK0=
X-MC-Unique: 34ifsggZNJazdsbJWr-rwQ-1
X-Original-To: libvir-list@listman.corp.redhat.com
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
To: libvir-list@redhat.com
Subject: [libvirt PATCH 2/2] tools: fix VMSA construction with explicit CPU
 family/model/stepping
Date: Fri, 25 Aug 2023 13:52:58 +0100
Message-ID: <20230825125258.651285-3-berrange@redhat.com>
In-Reply-To: <20230825125258.651285-1-berrange@redhat.com>
References: <20230825125258.651285-1-berrange@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 3.1 on 10.11.54.6
X-BeenThere: libvir-list@redhat.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Development discussions about the libvirt library & tools
 <libvir-list.redhat.com>
List-Unsubscribe: <https://listman.redhat.com/mailman/options/libvir-list>,
 <mailto:libvir-list-request@redhat.com?subject=unsubscribe>
List-Archive: <http://listman.redhat.com/archives/libvir-list/>
List-Post: <mailto:libvir-list@redhat.com>
List-Help: <mailto:libvir-list-request@redhat.com?subject=help>
List-Subscribe: <https://listman.redhat.com/mailman/listinfo/libvir-list>,
 <mailto:libvir-list-request@redhat.com?subject=subscribe>
Errors-To: libvir-list-bounces@redhat.com
Sender: "libvir-list" <libvir-list-bounces@redhat.com>
X-Scanned-By: MIMEDefang 3.1 on 10.11.54.8
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-ZohoMail-DKIM: pass (identity @redhat.com)
X-ZM-MESSAGEID: 1692967999481100001

If the CPU family/model/stepping are provided on the command line, but
the firmware is being automatically extracted from the libvirt guest,
we try to build the VMSA too early. This leads to an exception trying
to parse the firmware that has not been loaded yet. We must delay
building the VMSA in that scenario.

Signed-off-by: Daniel P. Berrang=C3=A9 <berrange@redhat.com>
Reviewed-by: Erik Skultety <eskultet@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
---
 tools/virt-qemu-sev-validate | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/tools/virt-qemu-sev-validate b/tools/virt-qemu-sev-validate
index c279741004..67edbd085f 100755
--- a/tools/virt-qemu-sev-validate
+++ b/tools/virt-qemu-sev-validate
@@ -940,7 +940,7 @@ class LibvirtConfidentialVM(ConfidentialVM):
                     "kernel/initrd/cmdline not provided but kernel "
                     "measurement is enabled")
=20
-    def load_domain(self, uri, id_name_uuid, secure, ignore_config):
+    def load_domain(self, uri, id_name_uuid, build_vmsa, secure, ignore_co=
nfig):
         self.conn =3D libvirt.open(uri)
=20
         remote =3D socket.getfqdn() !=3D self.conn.getHostname()
@@ -1049,7 +1049,7 @@ class LibvirtConfidentialVM(ConfidentialVM):
         capsxml =3D self.conn.getCapabilities()
         capsdoc =3D etree.fromstring(capsxml)
=20
-        if self.is_sev_es() and self.vmsa_cpu0 is None:
+        if self.is_sev_es() and build_vmsa:
             if secure:
                 raise InsecureUsageException(
                     "Using CPU SKU from capabilities is not secure")
@@ -1263,17 +1263,19 @@ def attest(args):
     if args.vmsa_cpu1 is not None:
         cvm.load_vmsa_cpu1(args.vmsa_cpu1)
=20
-    if args.cpu_family is not None:
-        cvm.build_vmsas(args.cpu_family,
-                        args.cpu_model,
-                        args.cpu_stepping)
-
     if args.domain is not None:
+        build_vmsa =3D args.vmsa_cpu0 is None and args.cpu_family is None
         cvm.load_domain(args.connect,
                         args.domain,
+                        build_vmsa,
                         not args.insecure,
                         args.ignore_config)
=20
+    if args.cpu_family is not None:
+        cvm.build_vmsas(args.cpu_family,
+                        args.cpu_model,
+                        args.cpu_stepping)
+
     cvm.attest()
     if not args.quiet:
         print("OK: Looks good to me")
--=20
2.41.0