From nobody Fri May 3 05:05:26 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) client-ip=170.10.133.124; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-124.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1623414948; cv=none; d=zohomail.com; s=zohoarc; b=U+vJSKJ7/rSlnhQSnvpZHLJ9w+Yc/wmQyVgR5c1Oem6cATzdYvEbIuHn3Q7D2Tonb6Q80uV1IJvzShqaWX4cQ7HSzgnaLJ+qLhq+GXZSHlIALyF9YcWZuWh+d962Pd0hxxe+N7jNwKEGO4Zg78ktv5zvhBI7oxoLOwKAmccHO4w= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1623414948; h=Content-Type:Content-Transfer-Encoding:Date:From:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Sender:Subject:To; bh=m0q+QVRZSCdj4I+ISnE/RfPxSx8/IHGkuEuHRNDKb5w=; b=hjqSnq05vOs1aQnPWjn7o6ikPEpKFg/XQAEB3Bp7BmYtxNm72rHoi8i31lGtH5MLYqqjZ2qKCZxBAL1zXs8P7gW4ZwNrJXnC46FjTCa/HV5JvIxT5hsy1OhJ1Kw2zyf+1RrMVFKynnYLNjykn+5KTgI5H9lq7yujJ5PBBsHOroQ= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by mx.zohomail.com with SMTPS id 1623414948350557.6814289067165; Fri, 11 Jun 2021 05:35:48 -0700 (PDT) Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-172-90PpR3orNXiLWZaKKrbZKw-1; Fri, 11 Jun 2021 08:35:45 -0400 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id C6E9B100C661; Fri, 11 Jun 2021 12:35:40 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 7AE305D9C6; Fri, 11 Jun 2021 12:35:39 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 85E1E46F59; Fri, 11 Jun 2021 12:35:35 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id 15BCRUF3027515 for ; Fri, 11 Jun 2021 08:27:30 -0400 Received: by smtp.corp.redhat.com (Postfix) id 7E23860917; Fri, 11 Jun 2021 12:27:30 +0000 (UTC) Received: from antique-work.redhat.com (unknown [10.40.194.113]) by smtp.corp.redhat.com (Postfix) with ESMTP id D019160936 for ; Fri, 11 Jun 2021 12:27:26 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1623414947; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=m0q+QVRZSCdj4I+ISnE/RfPxSx8/IHGkuEuHRNDKb5w=; b=CZYwPckhuXybel8xwmT+mSiYCUjP4DO4OBlDiFHPg1qVpljDdr3WjueWQr4Iam2LlhBUqr EiDh8zaTfjV3ashtd5BgFu6WBLu/YBENUrO6snD/MnaLxx2baxBcxnUID65LDoef36Qi3a ZHMHr0fnHIkP3cyPu/aK7X6LvG1S2XY= X-MC-Unique: 90PpR3orNXiLWZaKKrbZKw-1 From: Pavel Hrdina To: libvir-list@redhat.com Subject: [libvirt PATCH] qemu_firmware: select correct firmware for AMD SEV-ES Date: Fri, 11 Jun 2021 14:27:25 +0200 Message-Id: MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 X-loop: libvir-list@redhat.com X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=libvir-list-bounces@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @redhat.com) Content-Type: text/plain; charset="utf-8" When using firmware auto-selection and user enables AMD SEV-ES we need to pick correct firmware that actually supports it. This can be detected by having `amd-sev-es` in the firmware JSON description. Signed-off-by: Pavel Hrdina Reviewed-by: Michal Privoznik --- src/qemu/qemu_firmware.c | 28 ++++++++++++++++++++++++---- 1 file changed, 24 insertions(+), 4 deletions(-) diff --git a/src/qemu/qemu_firmware.c b/src/qemu/qemu_firmware.c index 2aeac635da..8d10497717 100644 --- a/src/qemu/qemu_firmware.c +++ b/src/qemu/qemu_firmware.c @@ -129,6 +129,7 @@ typedef enum { QEMU_FIRMWARE_FEATURE_ACPI_S3, QEMU_FIRMWARE_FEATURE_ACPI_S4, QEMU_FIRMWARE_FEATURE_AMD_SEV, + QEMU_FIRMWARE_FEATURE_AMD_SEV_ES, QEMU_FIRMWARE_FEATURE_ENROLLED_KEYS, QEMU_FIRMWARE_FEATURE_REQUIRES_SMM, QEMU_FIRMWARE_FEATURE_SECURE_BOOT, @@ -145,6 +146,7 @@ VIR_ENUM_IMPL(qemuFirmwareFeature, "acpi-s3", "acpi-s4", "amd-sev", + "amd-sev-es", "enrolled-keys", "requires-smm", "secure-boot", @@ -913,6 +915,9 @@ qemuFirmwareOSInterfaceTypeFromOsDefFirmware(int fw) } =20 =20 +#define VIR_QEMU_FIRMWARE_AMD_SEV_ES_POLICY (1 << 2) + + static bool qemuFirmwareMatchDomain(const virDomainDef *def, const qemuFirmware *fw, @@ -924,6 +929,7 @@ qemuFirmwareMatchDomain(const virDomainDef *def, bool supportsS4 =3D false; bool requiresSMM =3D false; bool supportsSEV =3D false; + bool supportsSEVES =3D false; bool supportsSecureBoot =3D false; bool hasEnrolledKeys =3D false; int reqSecureBoot; @@ -972,6 +978,11 @@ qemuFirmwareMatchDomain(const virDomainDef *def, case QEMU_FIRMWARE_FEATURE_AMD_SEV: supportsSEV =3D true; break; + + case QEMU_FIRMWARE_FEATURE_AMD_SEV_ES: + supportsSEVES =3D true; + break; + case QEMU_FIRMWARE_FEATURE_REQUIRES_SMM: requiresSMM =3D true; break; @@ -1043,10 +1054,16 @@ qemuFirmwareMatchDomain(const virDomainDef *def, } =20 if (def->sev && - def->sev->sectype =3D=3D VIR_DOMAIN_LAUNCH_SECURITY_SEV && - !supportsSEV) { - VIR_DEBUG("Domain requires SEV, firmware '%s' doesn't support it",= path); - return false; + def->sev->sectype =3D=3D VIR_DOMAIN_LAUNCH_SECURITY_SEV) { + if (!supportsSEV) { + VIR_DEBUG("Domain requires SEV, firmware '%s' doesn't support = it", path); + return false; + } + + if (def->sev->policy & VIR_QEMU_FIRMWARE_AMD_SEV_ES_POLICY && !sup= portsSEVES) { + VIR_DEBUG("Domain requires SEV-ES, firmware '%s' doesn't suppo= rt it", path); + return false; + } } =20 VIR_DEBUG("Firmware '%s' matches domain requirements", path); @@ -1148,6 +1165,7 @@ qemuFirmwareEnableFeatures(virQEMUDriver *driver, case QEMU_FIRMWARE_FEATURE_ACPI_S3: case QEMU_FIRMWARE_FEATURE_ACPI_S4: case QEMU_FIRMWARE_FEATURE_AMD_SEV: + case QEMU_FIRMWARE_FEATURE_AMD_SEV_ES: case QEMU_FIRMWARE_FEATURE_ENROLLED_KEYS: case QEMU_FIRMWARE_FEATURE_SECURE_BOOT: case QEMU_FIRMWARE_FEATURE_VERBOSE_DYNAMIC: @@ -1181,6 +1199,7 @@ qemuFirmwareSanityCheck(const qemuFirmware *fw, case QEMU_FIRMWARE_FEATURE_ACPI_S3: case QEMU_FIRMWARE_FEATURE_ACPI_S4: case QEMU_FIRMWARE_FEATURE_AMD_SEV: + case QEMU_FIRMWARE_FEATURE_AMD_SEV_ES: case QEMU_FIRMWARE_FEATURE_ENROLLED_KEYS: case QEMU_FIRMWARE_FEATURE_VERBOSE_DYNAMIC: case QEMU_FIRMWARE_FEATURE_VERBOSE_STATIC: @@ -1412,6 +1431,7 @@ qemuFirmwareGetSupported(const char *machine, case QEMU_FIRMWARE_FEATURE_ACPI_S3: case QEMU_FIRMWARE_FEATURE_ACPI_S4: case QEMU_FIRMWARE_FEATURE_AMD_SEV: + case QEMU_FIRMWARE_FEATURE_AMD_SEV_ES: case QEMU_FIRMWARE_FEATURE_ENROLLED_KEYS: case QEMU_FIRMWARE_FEATURE_SECURE_BOOT: case QEMU_FIRMWARE_FEATURE_VERBOSE_DYNAMIC: --=20 2.31.1