Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
home:dirkmueller:branches:openSUSE:Factory:Rings:1-MinimalX
virt-manager
virtman-add-sev-memory-support.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File virtman-add-sev-memory-support.patch of Package virt-manager
References: bsc#1196806, jsc#SLE-18834, jsc#PED-8910 bsc#1231400 - Virt-manager is missing support for AMD sev-snp Add AMD SEV support to virt-manager There are three types: sev, sev-es, sev-snp Index: virt-manager-4.1.0/virtinst/cli.py =================================================================== --- virt-manager-4.1.0.orig/virtinst/cli.py +++ virt-manager-4.1.0/virtinst/cli.py @@ -4814,7 +4814,13 @@ class ParserLaunchSecurity(VirtCLIParser cls.add_arg("policy", "policy") cls.add_arg("session", "session") cls.add_arg("dhCert", "dhCert") + cls.add_arg("guestVisibleWorkarounds", "guestVisibleWorkarounds") + cls.add_arg("idBlock", "idBlock") + cls.add_arg("idAuth", "idAuth") + cls.add_arg("hostData", "hostData") cls.add_arg("kernelHashes", "kernelHashes", is_onoff=True) + cls.add_arg("authorKey", "authorKey", is_onoff=True) + cls.add_arg("vcek", "vcek", is_onoff=True) ########################### Index: virt-manager-4.1.0/ui/details.ui =================================================================== --- virt-manager-4.1.0.orig/ui/details.ui +++ virt-manager-4.1.0/ui/details.ui @@ -1927,7 +1927,20 @@ </packing> </child> <child> - <placeholder/> + <object class="GtkCheckButton" id="launch-security"> + <property name="label" translatable="yes">Enable launch security</property> + <property name="visible">True</property> + <property name="can-focus">True</property> + <property name="receives-default">False</property> + <property name="halign">start</property> + <property name="use-underline">True</property> + <property name="draw-indicator">True</property> + <signal name="toggled" handler="on_mem_launch_security_toggled" swapped="no"/> + </object> + <packing> + <property name="left-attach">1</property> + <property name="top-attach">4</property> + </packing> </child> </object> <packing> Index: virt-manager-4.1.0/virtManager/details/details.py =================================================================== --- virt-manager-4.1.0.orig/virtManager/details/details.py +++ virt-manager-4.1.0/virtManager/details/details.py @@ -49,6 +49,7 @@ from ..delete import vmmDeleteStorage EDIT_MEM, EDIT_MEM_SHARED, + EDIT_MEM_SEV, EDIT_AUTOSTART, EDIT_BOOTORDER, @@ -86,7 +87,7 @@ from ..delete import vmmDeleteStorage EDIT_FS, - EDIT_HOSTDEV_ROMBAR) = range(1, 38) + EDIT_HOSTDEV_ROMBAR) = range(1, 39) # Columns in hw list model @@ -422,6 +423,7 @@ class vmmDetails(vmmGObjectUI): "on_mem_maxmem_changed": _e(EDIT_MEM), "on_mem_memory_changed": self._curmem_changed_cb, "on_mem_shared_access_toggled": _e(EDIT_MEM_SHARED), + "on_mem_launch_security_toggled": _e(EDIT_MEM_SEV), "on_boot_list_changed": self._boot_list_changed_cb, "on_boot_moveup_clicked": self._boot_moveup_clicked_cb, @@ -1498,6 +1500,9 @@ class vmmDetails(vmmGObjectUI): if self._edited(EDIT_MEM_SHARED): kwargs["mem_shared"] = self.widget("shared-memory").get_active() + if self._edited(EDIT_MEM_SEV): + kwargs["sevmem"] = self.widget("launch-security").get_active() + return self._change_config( self.vm.define_memory, kwargs, hotplug_args=hotplug_args) @@ -2004,6 +2009,14 @@ class vmmDetails(vmmGObjectUI): curmem.set_value(int(round(vm_cur_mem))) maxmem.set_value(int(round(vm_max_mem))) + domcaps = self.vm.get_domain_capabilities() + show_sev = domcaps.supports_sev_launch_security() + self.widget("launch-security").set_sensitive(show_sev and self.is_customize_dialog) + if self.vm.get_launch_security_type(): + self.widget("launch-security").set_active(True) + else: + self.widget("launch-security").set_active(False) + shared_mem, shared_mem_err = self.vm.has_shared_mem() self.widget("shared-memory").set_active(shared_mem) self.widget("shared-memory").set_sensitive(not bool(shared_mem_err)) Index: virt-manager-4.1.0/virtManager/object/domain.py =================================================================== --- virt-manager-4.1.0.orig/virtManager/object/domain.py +++ virt-manager-4.1.0/virtManager/object/domain.py @@ -707,15 +707,33 @@ class vmmDomain(vmmLibvirtObject): guest.memoryBacking.access_mode = access_mode def define_memory(self, memory=_SENTINEL, maxmem=_SENTINEL, - mem_shared=_SENTINEL): + mem_shared=_SENTINEL, sevmem=_SENTINEL): guest = self._make_xmlobj_to_define() + def _set_rombar(guest, value): + # Ideally turning rombar off would be done automatically + # by either libvirt or qemu when SEV is detected. + for nic in guest.devices.interface: + nic.set_rom_bar(value) + if memory != _SENTINEL: guest.currentMemory = int(memory) if maxmem != _SENTINEL: guest.memory = int(maxmem) if mem_shared != _SENTINEL: self._edit_shared_mem(guest, mem_shared) + if sevmem != _SENTINEL: + if sevmem is True: + domcaps = self.get_domain_capabilities() + guest.launchSecurity.type = "sev" + guest.launchSecurity.set_defaults(guest) + guest.memoryBacking.set_locked(True) + _set_rombar(guest, "off") + else: + guest.launchSecurity.type = None + guest.launchSecurity.policy = None + guest.memoryBacking.set_locked(False) + _set_rombar(guest, None) self._redefine_xmlobj(guest) @@ -1334,6 +1352,9 @@ class vmmDomain(vmmLibvirtObject): def get_description(self): return self.get_xmlobj().description + def get_launch_security_type(self): + return self.get_xmlobj().launchSecurity.type + def get_boot_order(self): legacy = not self.can_use_device_boot_order() return self.xmlobj.get_boot_order(legacy=legacy) Index: virt-manager-4.1.0/virtinst/domain/memorybacking.py =================================================================== --- virt-manager-4.1.0.orig/virtinst/domain/memorybacking.py +++ virt-manager-4.1.0/virtinst/domain/memorybacking.py @@ -27,6 +27,9 @@ class DomainMemoryBacking(XMLBuilder): XML_NAME = "memoryBacking" _XML_PROP_ORDER = ["hugepages", "nosharepages", "locked", "pages"] + def set_locked(self, value): + self.locked = value + hugepages = XMLProperty("./hugepages", is_bool=True) nosharepages = XMLProperty("./nosharepages", is_bool=True) locked = XMLProperty("./locked", is_bool=True) Index: virt-manager-4.1.0/virtinst/domcapabilities.py =================================================================== --- virt-manager-4.1.0.orig/virtinst/domcapabilities.py +++ virt-manager-4.1.0/virtinst/domcapabilities.py @@ -93,9 +93,20 @@ def _make_capsblock(xml_root_name): class _SEV(XMLBuilder): XML_NAME = "sev" supported = XMLProperty("./@supported", is_yesno=True) + cbitpos = XMLProperty("./cbitpos") + reducedPhysBits = XMLProperty("./reducedPhysBits") + maxGuests = XMLProperty("./maxGuests") maxESGuests = XMLProperty("./maxESGuests") +class _LAUNCHSECURITY(XMLBuilder): + XML_NAME = "launchSecurity" + supported = XMLProperty("./@supported", is_yesno=True) + sectype = XMLProperty("./@sectype") + sev = XMLProperty("./launchSecurity/sev/@state", is_onoff=True) + sev_snp = XMLProperty("./launchSecurity/sev-snp/@state", is_onoff=True) + + ############################# # Misc toplevel XML classes # ############################# @@ -121,6 +132,7 @@ class _Features(_CapsBlock): XML_NAME = "features" gic = XMLChildProperty(_make_capsblock("gic"), is_single=True) sev = XMLChildProperty(_SEV, is_single=True) + launchSecurity = XMLChildProperty(_LAUNCHSECURITY, is_single=True) class _MemoryBacking(_CapsBlock): @@ -406,6 +418,9 @@ class DomainCapabilities(XMLBuilder): self.features.sev.maxESGuests) return bool(self.features.sev.supported) + def supports_sev_es_launch_security(self): + return bool(self.features.sev.supported and self.features.sev.maxESGuests) + def supports_video_bochs(self): """ Returns False if either libvirt or qemu do not have support to bochs Index: virt-manager-4.1.0/virtinst/domain/launch_security.py =================================================================== --- virt-manager-4.1.0.orig/virtinst/domain/launch_security.py +++ virt-manager-4.1.0/virtinst/domain/launch_security.py @@ -16,11 +16,21 @@ class DomainLaunchSecurity(XMLBuilder): policy = XMLProperty("./policy") session = XMLProperty("./session") dhCert = XMLProperty("./dhCert") + guestVisibleWorkarounds = XMLProperty("./guestVisibleWorkarounds") + idBlock = XMLProperty("./idBlock") + idAuth = XMLProperty("./idAuth") + hostData = XMLProperty("./hostData") kernelHashes = XMLProperty("./@kernelHashes", is_yesno=True) + authorKey = XMLProperty("./@authorKey", is_yesno=True) + vcek = XMLProperty("./@vcek", is_yesno=True) def _set_defaults_sev(self, guest): - if not guest.os.is_q35() or not guest.is_uefi(): - raise RuntimeError(_("SEV launch security requires a Q35 UEFI machine")) + if not guest.os.is_q35(): + raise RuntimeError(_("SEV launch security requires a Q35 machine")) + # Libvirt will select the appropriate firmware file if not specified + # as long as we enable efi. + if not guest.is_uefi(): + guest.os.firmware = 'efi' # The 'policy' is a mandatory 4-byte argument for the SEV firmware. # If missing, we use 0x03 for the original SEV implementation and @@ -30,7 +40,11 @@ class DomainLaunchSecurity(XMLBuilder): domcaps = guest.lookup_domcaps() self.policy = "0x03" if domcaps.supports_sev_launch_security(check_es=True): - self.policy = "0x07" + if "sev-snp" in domcaps.features.launchSecurity.get_xml(): + self.type = "sev-snp" + self.policy = "0x00030000" + else: + self.policy = "0x07" def set_defaults(self, guest): if self.type == "sev": Index: virt-manager-4.1.0/virtinst/devices/interface.py =================================================================== --- virt-manager-4.1.0.orig/virtinst/devices/interface.py +++ virt-manager-4.1.0/virtinst/devices/interface.py @@ -287,6 +287,9 @@ class DeviceInterface(Device): self.type = nettype self.source = source + def set_rom_bar(self, value): + self.rom_bar = value + ################## # Default config # Index: virt-manager-4.1.0/virtManager/addhardware.py =================================================================== --- virt-manager-4.1.0.orig/virtManager/addhardware.py +++ virt-manager-4.1.0/virtManager/addhardware.py @@ -1444,6 +1444,9 @@ class vmmAddHardware(vmmGObjectUI): mac = self.widget("create-mac-address").get_text() dev = self._netlist.build_device(mac, model) + if self.vm.get_launch_security_type() == "sev": + dev.set_rom_bar("off") + return dev def _build_input(self): Index: virt-manager-4.1.0/virtinst/guest.py =================================================================== --- virt-manager-4.1.0.orig/virtinst/guest.py +++ virt-manager-4.1.0/virtinst/guest.py @@ -559,6 +559,9 @@ class Guest(XMLBuilder): self.os.loader_ro = True self.os.loader_type = "pflash" self.os.loader = path + domcaps = self.lookup_domcaps() + if domcaps.supports_sev_launch_security() == "sev-snp": + self.os.loader_type = "rom" # If the firmware name contains "secboot" it is probably build # with SMM feature required so we need to enable that feature,
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor