From: Hector Cao
To: devel@lists.libvirt.org
Subject: [PATCH] apparmor: Allow AMD-SEV device access for AMD-SEV VM
Date: Tue, 14 Oct 2025 17:28:34 +0200
Message-ID: <20251014152834.119161-1-hector.cao@canonical.com>
X-Mailer: git-send-email 2.45.2
List-Id: Development discussions about the libvirt library & tools

AMD-SEV virtual machines interact with the underlying AMD-SEV technology
through the character device /dev/sev. Currently, the AppArmor profile does
not include the rule required to allow this access.

There are two main approaches to address this limitation:

1) Add the required rule to the libvirt-qemu abstraction.
2) Dynamically add the rule only when the VM is an AMD-SEV guest.

Since AMD-SEV guests represent a niche use case, it is more appropriate to
apply the rule dynamically rather than granting access to all VMs through a
global abstraction change.

This commit implements option (2) by modifying the virt-aa-helper binary to
insert the necessary rule into the AppArmor dynamic profile when the VM is
identified as an AMD-SEV guest.

The added entry in the generated libvirt-.files file will look like:

  ...
  "/dev/sev" rw,
  ...
Signed-off-by: Hector Cao --- src/security/virt-aa-helper.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index 8a297d4b54..de0a826063 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -1370,6 +1370,21 @@ get_files(vahControl * ctl) virBufferAddLit(&buf, " deny \"/var/lib/libvirt/.cache/\" w,\n"); } =20 + /* AMD-SEV VM needs to read/write the character device /dev/sev */ + if (ctl->def->sec) { + switch (ctl->def->sec->sectype) { + case VIR_DOMAIN_LAUNCH_SECURITY_SEV: + case VIR_DOMAIN_LAUNCH_SECURITY_SEV_SNP: + virBufferAddLit(&buf, " \"/dev/sev\" rw,\n"); + break; + case VIR_DOMAIN_LAUNCH_SECURITY_PV: + case VIR_DOMAIN_LAUNCH_SECURITY_TDX: + case VIR_DOMAIN_LAUNCH_SECURITY_NONE: + case VIR_DOMAIN_LAUNCH_SECURITY_LAST: + break; + } + } + if (ctl->newfile && vah_add_file(&buf, ctl->newfile, "rwk") !=3D 0) { return -1; --=20 2.45.2
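Review bot: the comment and the subject line describe the new rule as being for AMD-SEV guests, but the switch also emits `"/dev/sev" rw,` for VIR_DOMAIN_LAUNCH_SECURITY_SEV_SNP; say so in the comment (e.g. `/* SEV and SEV-SNP guests need read/write access to /dev/sev */`) and in the subject, so the reach of the new grant is obvious to anyone auditing the generated profile. Enumerating every launch-security type with no default branch is the right shape here: when a new type is added to the enum, the compiler's switch-coverage warning points at this spot instead of the rule being silently granted or withheld. A test case that feeds virt-aa-helper a domain with `<launchSecurity type='sev'/>` and one without, and checks that only the former profile contains the `/dev/sev` line, would pin that least-privilege behaviour down.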
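The property the commit message argues for is that `/dev/sev` shows up in a per-VM profile only for SEV and SEV-SNP guests. The following is an added audit script, not part of the patch or of libvirt, that checks exactly that against a domain XML and a generated profile fragment. The XML `launchSecurity` type values `sev` and `sev-snp`, the `.files` profile line format, and both sample inputs are assumptions constructed for the example.

```python
"""Audit a virt-aa-helper-style per-VM AppArmor profile: /dev/sev must be
granted (read/write only) to SEV / SEV-SNP guests and to nobody else.
Added example; not libvirt's own code."""
import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Set

# Assumption: these are the <launchSecurity type='...'/> values for the two
# enum cases the patch emits the rule for (SEV and SEV_SNP).
SEV_TYPES = frozenset({"sev", "sev-snp"})

# Matches an AppArmor file rule line such as:   "/dev/sev" rw,
SEV_RULE_RE = re.compile(r'^\s*"/dev/sev"\s+([a-z]+)\s*,\s*$')


def launch_security_type(domain_xml: str) -> Optional[str]:
    """Return the launchSecurity type of a domain XML, or None if absent."""
    root = ET.fromstring(domain_xml)
    node = root.find("launchSecurity")
    return None if node is None else node.get("type")


def needs_sev_device(domain_xml: str) -> bool:
    """True when the guest is one of the types the patch grants /dev/sev to."""
    return launch_security_type(domain_xml) in SEV_TYPES


def sev_rule_perms(profile_text: str) -> Set[str]:
    """Collect the permission letters of every /dev/sev rule in the profile."""
    perms: Set[str] = set()
    for line in profile_text.splitlines():
        m = SEV_RULE_RE.match(line)
        if m:
            perms.update(m.group(1))
    return perms


def audit(domain_xml: str, profile_text: str) -> List[str]:
    """Return findings; an empty list means profile and policy agree."""
    findings: List[str] = []
    perms = sev_rule_perms(profile_text)
    if needs_sev_device(domain_xml):
        if not perms:
            findings.append("SEV guest but no /dev/sev rule: access will be denied")
        elif perms - {"r", "w"}:
            findings.append(f"/dev/sev rule grants more than rw: {sorted(perms)}")
    elif perms:
        findings.append("non-SEV guest granted /dev/sev: unnecessary exposure")
    return findings


# Constructed sample inputs (not real guests or real generated profiles).
SEV_DOMAIN = """<domain type='kvm'>
  <name>sev-guest</name>
  <launchSecurity type='sev-snp'/>
</domain>"""

PLAIN_DOMAIN = """<domain type='kvm'>
  <name>plain-guest</name>
</domain>"""

PROFILE_WITH_SEV = '''  deny "/var/lib/libvirt/.cache/" w,
  "/dev/sev" rw,
  "/var/lib/libvirt/images/guest.qcow2" rwk,
'''

PROFILE_WITHOUT_SEV = '''  deny "/var/lib/libvirt/.cache/" w,
  "/var/lib/libvirt/images/guest.qcow2" rwk,
'''

if __name__ == "__main__":
    for label, xml, prof in (
        ("sev guest, rule present", SEV_DOMAIN, PROFILE_WITH_SEV),
        ("sev guest, rule missing", SEV_DOMAIN, PROFILE_WITHOUT_SEV),
        ("plain guest, rule absent", PLAIN_DOMAIN, PROFILE_WITHOUT_SEV),
        ("plain guest, rule leaked", PLAIN_DOMAIN, PROFILE_WITH_SEV),
    ):
        print(f"{label}: {audit(xml, prof) or 'OK'}")
```

Run against a real `libvirt-<uuid>.files` and the matching `virsh dumpxml` output, the script flags both failure directions the patch cares about: a confidential guest whose profile lacks the device (the bug being fixed) and a non-confidential guest whose profile gained it (the over-broad outcome that putting the rule in the shared abstraction would produce).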