From: Erik Skultety
To: libvir-list@redhat.com
Cc: Erik Skultety
Date: Thu, 31 Jan 2019 16:26:16 +0100
Message-Id: <579c28bc42c18a43cafbb82eae0919a6bab446d3.1548948096.git.eskultet@redhat.com>
Subject: [libvirt] [PATCH 3/5] qemu: domain: Add /dev/sev into the domain mount namespace selectively

Instead of exposing /dev/sev to every domain, do it selectively.

Signed-off-by: Erik Skultety
Reviewed-by: Daniel P. Berrangé
--- src/qemu/qemu_domain.c | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c index 5bfe4fe14e..f02c45535a 100644 --- a/src/qemu/qemu_domain.c +++ b/src/qemu/qemu_domain.c @@ -116,6 +116,7 @@ VIR_ENUM_IMPL(qemuDomainNamespace, QEMU_DOMAIN_NS_LAST, #define DEVPREFIX "/dev/" #define DEV_VFIO "/dev/vfio/vfio" #define DEVICE_MAPPER_CONTROL_PATH "/dev/mapper/control" +#define DEV_SEV "/dev/sev" =20 =20 struct _qemuDomainLogContext { 
@@ -12200,6 +12201,26 @@ qemuDomainSetupLoader(virQEMUDriverConfigPtr cfg A= TTRIBUTE_UNUSED, } =20 =20 +static int +qemuDomainSetupLaunchSecurity(virQEMUDriverConfigPtr cfg ATTRIBUTE_UNUSED, + virDomainObjPtr vm, + const struct qemuDomainCreateDeviceData *dat= a) +{ + virDomainSEVDefPtr sev =3D vm->def->sev; + + if (!sev || sev->sectype !=3D VIR_DOMAIN_LAUNCH_SECURITY_SEV) + return 0; + + VIR_DEBUG("Setting up launch security"); + + if (qemuDomainCreateDevice(DEV_SEV, data, false) < 0) + return -1; + + VIR_DEBUG("Set up launch security"); + return 0; +} + + int qemuDomainBuildNamespace(virQEMUDriverConfigPtr cfg, virSecurityManagerPtr mgr, @@ -12271,6 +12292,9 @@ qemuDomainBuildNamespace(virQEMUDriverConfigPtr cfg, if (qemuDomainSetupLoader(cfg, vm, &data) < 0) goto cleanup; =20 + if (qemuDomainSetupLaunchSecurity(cfg, vm, &data) < 0) + goto cleanup; + /* Save some mount points because we want to share them with the host = */ for (i =3D 0; i < ndevMountsPath; i++) { struct stat sb; --=20 2.20.1
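
Review bot: in qemuDomainSetupLaunchSecurity(), the call qemuDomainCreateDevice(DEV_SEV, data, false) passes a bare false whose meaning is not evident at the call site, and neither VIR_DEBUG message names the device being created. A one-line comment saying what false selects, and whether a SEV guest is meant to fail namespace setup when the host has no /dev/sev, would make the intended behaviour reviewable. Including DEV_SEV in the "Setting up launch security" message would also make the debug log show which node was added for which kind of guest.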
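
Review bot: the call added to qemuDomainBuildNamespace() only ever adds /dev/sev, and the diffstat shows 24 insertions with no deletions, so nothing in this patch removes an existing exposure of /dev/sev to every domain, although the commit message says "Instead of exposing /dev/sev to every domain". The message should state which patch in the 5-part series drops the blanket exposure, or explain why none is needed, so that a reader bisecting to this commit can tell whether non-SEV guests still see the node at this point in the series.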