[PATCH 0/8] Expose SEV-SNP in domcaps and virt-host-validate

Michal Privoznik posted 8 patches 3 months, 3 weeks ago
git fetch https://github.com/patchew-project/libvirt tags/patchew/cover.1719308849.git.mprivozn@redhat.com
docs/formatdomaincaps.rst                     | 10 +++
src/conf/domain_capabilities.c                | 14 ++++
src/conf/domain_capabilities.h                |  9 ++
src/conf/schemas/domaincaps.rng               | 10 +++
src/libvirt_private.syms                      |  2 +
src/qemu/qemu_capabilities.c                  | 24 +++++-
src/qemu/qemu_capabilities.h                  |  3 +
src/qemu/qemu_validate.c                      | 29 +++----
.../domaincapsdata/qemu_4.2.0-q35.x86_64.xml  |  3 +
.../domaincapsdata/qemu_4.2.0-tcg.x86_64.xml  |  3 +
.../qemu_4.2.0-virt.aarch64.xml               |  3 +
tests/domaincapsdata/qemu_4.2.0.aarch64.xml   |  3 +
tests/domaincapsdata/qemu_4.2.0.ppc64.xml     |  3 +
tests/domaincapsdata/qemu_4.2.0.s390x.xml     |  3 +
tests/domaincapsdata/qemu_4.2.0.x86_64.xml    |  3 +
.../domaincapsdata/qemu_5.0.0-q35.x86_64.xml  |  3 +
.../qemu_5.0.0-tcg-virt.riscv64.xml           |  3 +
.../domaincapsdata/qemu_5.0.0-tcg.x86_64.xml  |  3 +
.../qemu_5.0.0-virt.aarch64.xml               |  3 +
.../qemu_5.0.0-virt.riscv64.xml               |  3 +
tests/domaincapsdata/qemu_5.0.0.aarch64.xml   |  3 +
tests/domaincapsdata/qemu_5.0.0.ppc64.xml     |  3 +
tests/domaincapsdata/qemu_5.0.0.x86_64.xml    |  3 +
.../domaincapsdata/qemu_5.1.0-q35.x86_64.xml  |  3 +
.../domaincapsdata/qemu_5.1.0-tcg.x86_64.xml  |  3 +
tests/domaincapsdata/qemu_5.1.0.sparc.xml     |  3 +
tests/domaincapsdata/qemu_5.1.0.x86_64.xml    |  3 +
.../domaincapsdata/qemu_5.2.0-q35.x86_64.xml  |  3 +
.../qemu_5.2.0-tcg-virt.riscv64.xml           |  3 +
.../domaincapsdata/qemu_5.2.0-tcg.x86_64.xml  |  3 +
.../qemu_5.2.0-virt.aarch64.xml               |  3 +
.../qemu_5.2.0-virt.riscv64.xml               |  3 +
tests/domaincapsdata/qemu_5.2.0.aarch64.xml   |  3 +
tests/domaincapsdata/qemu_5.2.0.ppc64.xml     |  3 +
tests/domaincapsdata/qemu_5.2.0.s390x.xml     |  3 +
tests/domaincapsdata/qemu_5.2.0.x86_64.xml    |  3 +
.../domaincapsdata/qemu_6.0.0-q35.x86_64.xml  |  5 ++
.../domaincapsdata/qemu_6.0.0-tcg.x86_64.xml  |  5 ++
.../qemu_6.0.0-virt.aarch64.xml               |  3 +
tests/domaincapsdata/qemu_6.0.0.aarch64.xml   |  3 +
tests/domaincapsdata/qemu_6.0.0.s390x.xml     |  5 ++
tests/domaincapsdata/qemu_6.0.0.x86_64.xml    |  5 ++
.../domaincapsdata/qemu_6.1.0-q35.x86_64.xml  |  3 +
.../domaincapsdata/qemu_6.1.0-tcg.x86_64.xml  |  3 +
tests/domaincapsdata/qemu_6.1.0.x86_64.xml    |  3 +
.../domaincapsdata/qemu_6.2.0-q35.x86_64.xml  |  3 +
.../domaincapsdata/qemu_6.2.0-tcg.x86_64.xml  |  3 +
.../qemu_6.2.0-virt.aarch64.xml               |  3 +
tests/domaincapsdata/qemu_6.2.0.aarch64.xml   |  3 +
tests/domaincapsdata/qemu_6.2.0.ppc64.xml     |  3 +
tests/domaincapsdata/qemu_6.2.0.x86_64.xml    |  3 +
.../qemu_7.0.0-hvf.aarch64+hvf.xml            |  3 +
.../domaincapsdata/qemu_7.0.0-q35.x86_64.xml  |  3 +
.../domaincapsdata/qemu_7.0.0-tcg.x86_64.xml  |  3 +
.../qemu_7.0.0-virt.aarch64.xml               |  3 +
tests/domaincapsdata/qemu_7.0.0.aarch64.xml   |  3 +
tests/domaincapsdata/qemu_7.0.0.ppc64.xml     |  3 +
tests/domaincapsdata/qemu_7.0.0.x86_64.xml    |  3 +
.../domaincapsdata/qemu_7.1.0-q35.x86_64.xml  |  3 +
.../domaincapsdata/qemu_7.1.0-tcg.x86_64.xml  |  3 +
tests/domaincapsdata/qemu_7.1.0.ppc64.xml     |  3 +
tests/domaincapsdata/qemu_7.1.0.x86_64.xml    |  3 +
.../qemu_7.2.0-hvf.x86_64+hvf.xml             |  3 +
.../domaincapsdata/qemu_7.2.0-q35.x86_64.xml  |  3 +
.../qemu_7.2.0-tcg.x86_64+hvf.xml             |  3 +
.../domaincapsdata/qemu_7.2.0-tcg.x86_64.xml  |  3 +
tests/domaincapsdata/qemu_7.2.0.ppc.xml       |  3 +
tests/domaincapsdata/qemu_7.2.0.x86_64.xml    |  3 +
.../domaincapsdata/qemu_8.0.0-q35.x86_64.xml  |  3 +
.../qemu_8.0.0-tcg-virt.riscv64.xml           |  3 +
.../domaincapsdata/qemu_8.0.0-tcg.x86_64.xml  |  3 +
.../qemu_8.0.0-virt.riscv64.xml               |  3 +
tests/domaincapsdata/qemu_8.0.0.x86_64.xml    |  3 +
.../domaincapsdata/qemu_8.1.0-q35.x86_64.xml  |  3 +
.../domaincapsdata/qemu_8.1.0-tcg.x86_64.xml  |  3 +
tests/domaincapsdata/qemu_8.1.0.s390x.xml     |  5 ++
tests/domaincapsdata/qemu_8.1.0.x86_64.xml    |  3 +
.../domaincapsdata/qemu_8.2.0-q35.x86_64.xml  |  3 +
.../qemu_8.2.0-tcg-virt.loongarch64.xml       |  3 +
.../domaincapsdata/qemu_8.2.0-tcg.x86_64.xml  |  3 +
.../qemu_8.2.0-virt.aarch64.xml               |  3 +
.../qemu_8.2.0-virt.loongarch64.xml           |  3 +
tests/domaincapsdata/qemu_8.2.0.aarch64.xml   |  3 +
tests/domaincapsdata/qemu_8.2.0.armv7l.xml    |  3 +
tests/domaincapsdata/qemu_8.2.0.s390x.xml     |  5 ++
tests/domaincapsdata/qemu_8.2.0.x86_64.xml    |  3 +
.../domaincapsdata/qemu_9.0.0-q35.x86_64.xml  |  3 +
.../domaincapsdata/qemu_9.0.0-tcg.x86_64.xml  |  3 +
tests/domaincapsdata/qemu_9.0.0.x86_64.xml    |  3 +
.../domaincapsdata/qemu_9.1.0-q35.x86_64.xml  |  3 +
.../domaincapsdata/qemu_9.1.0-tcg.x86_64.xml  |  3 +
tests/domaincapsdata/qemu_9.1.0.x86_64.xml    |  3 +
.../caps_9.1.0_x86_64.xml                     |  1 -
tests/qemuxmlconftest.c                       |  6 +-
tools/virt-host-validate-common.c             | 83 ++++++++++++++-----
95 files changed, 413 insertions(+), 42 deletions(-)
[PATCH 0/8] Expose SEV-SNP in domcaps and virt-host-validate
Posted by Michal Privoznik 3 months, 3 weeks ago
This is a promised follow up to:

https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/7QQXVQXZATOIDYAJFOT45RPXRKX4GEWP/

Michal Prívozník (8):
  libvirt_private.syms: Export virDomainLaunchSecurity enum handlers
  qemuxmlconftest; Explicitly enable QEMU_CAPS_SEV_SNP_GUEST for
    "launch-security-sev-snp"
  qemu_capabilities: Probe SEV capabilities even for
    QEMU_CAPS_SEV_SNP_GUEST
  domcaps: Report launchSecurity
  qemu: Fill launchSecurity in domaincaps
  qemu_validate: Use domaincaps to validate supported launchSecurity
    type
  virt-host-validate: Move AMD SEV into a separate func
  virt-host-validate: Detect SEV-ES and SEV-SNP

-- 
2.44.2
Re: [PATCH 0/8] Expose SEV-SNP in domcaps and virt-host-validate
Posted by Jiri Denemark 3 months, 3 weeks ago
On Tue, Jun 25, 2024 at 11:48:45 +0200, Michal Privoznik wrote:
> This is a promised follow up to:
> 
> https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/7QQXVQXZATOIDYAJFOT45RPXRKX4GEWP/
> 
> Michal Prívozník (8):
>   libvirt_private.syms: Export virDomainLaunchSecurity enum handlers
>   qemuxmlconftest; Explicitly enable QEMU_CAPS_SEV_SNP_GUEST for
>     "launch-security-sev-snp"
>   qemu_capabilities: Probe SEV capabilities even for
>     QEMU_CAPS_SEV_SNP_GUEST
>   domcaps: Report launchSecurity
>   qemu: Fill launchSecurity in domaincaps
>   qemu_validate: Use domaincaps to validate supported launchSecurity
>     type
>   virt-host-validate: Move AMD SEV into a separate func
>   virt-host-validate: Detect SEV-ES and SEV-SNP

Overall it looks OK (see replies to 3/8 and 5/8 for a few nits) and it
makes sense to me. But you should probably wait for a second look from
someone familiar with SEV to check the design makes sense.

Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
Re: [PATCH 0/8] Expose SEV-SNP in domcaps and virt-host-validate
Posted by Daniel P. Berrangé 3 months, 3 weeks ago
On Tue, Jun 25, 2024 at 01:54:59PM +0200, Jiri Denemark wrote:
> On Tue, Jun 25, 2024 at 11:48:45 +0200, Michal Privoznik wrote:
> > This is a promised follow up to:
> > 
> > https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/7QQXVQXZATOIDYAJFOT45RPXRKX4GEWP/
> > 
> > Michal Prívozník (8):
> >   libvirt_private.syms: Export virDomainLaunchSecurity enum handlers
> >   qemuxmlconftest; Explicitly enable QEMU_CAPS_SEV_SNP_GUEST for
> >     "launch-security-sev-snp"
> >   qemu_capabilities: Probe SEV capabilities even for
> >     QEMU_CAPS_SEV_SNP_GUEST
> >   domcaps: Report launchSecurity
> >   qemu: Fill launchSecurity in domaincaps
> >   qemu_validate: Use domaincaps to validate supported launchSecurity
> >     type
> >   virt-host-validate: Move AMD SEV into a separate func
> >   virt-host-validate: Detect SEV-ES and SEV-SNP
> 
> Overall it looks OK (see replies to 3/8 and 5/8 for a few nits) and it
> makes sense to me. But you should probably wait for a second look from
> someone familiar with SEV to check the design makes sense.
> 
> Reviewed-by: Jiri Denemark <jdenemar@redhat.com>

Looks fine to me.

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>


With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|