openSUSE:Step:FrontRunner
File a404ac34-qemu-cgroup-sev.patch of Package libvirt.11701
commit a404ac34768e975bd420d1eeac3811563da67e3f Author: Erik Skultety <eskultet@redhat.com> Date: Mon Jan 21 14:50:11 2019 +0100 qemu: cgroup: Expose /dev/sev/ only to domains that require SEV SEV has a limit on number of concurrent guests. From security POV we should only expose resources (any resources for that matter) to domains that truly need them. Signed-off-by: Erik Skultety <eskultet@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Index: libvirt-4.0.0/src/qemu/qemu_cgroup.c =================================================================== --- libvirt-4.0.0.orig/src/qemu/qemu_cgroup.c +++ libvirt-4.0.0/src/qemu/qemu_cgroup.c @@ -627,6 +627,22 @@ qemuTeardownChardevCgroup(virDomainObjPt static int +qemuSetupSEVCgroup(virDomainObjPtr vm) +{ + qemuDomainObjPrivatePtr priv = vm->privateData; + int ret; + + if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES)) + return 0; + + ret = virCgroupAllowDevicePath(priv->cgroup, "/dev/sev", + VIR_CGROUP_DEVICE_RW, false); + virDomainAuditCgroupPath(vm, priv->cgroup, "allow", "/dev/sev", + "rw", ret); + return ret; +} + +static int qemuSetupDevicesCgroup(virDomainObjPtr vm) { qemuDomainObjPrivatePtr priv = vm->privateData; @@ -733,6 +749,9 @@ qemuSetupDevicesCgroup(virDomainObjPtr v goto cleanup; } + if (vm->def->sev && qemuSetupSEVCgroup(vm) < 0) + goto cleanup; + ret = 0; cleanup: virObjectUnref(cfg);
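Review bot: qemuSetupSEVCgroup (first hunk) carries no comment explaining why /dev/sev is granted per domain instead of being in a device list shared by all guests; the rationale in the commit message (SEV has a limit on concurrent guests, so the device should be visible only to domains that need it) belongs above the function so a later cleanup does not fold it back into a global allow. Two smaller points in the same hunk: the trailing `false` passed to virCgroupAllowDevicePath turns an EACCES while adding the rule into a hard failure rather than a silent skip, which is the right choice for a device the domain cannot start without, but deserves a one-line comment; and the early `return 0` when the devices controller is absent means a host without the cgroup devices controller silently gets no restriction at all, which matches the rest of the file's behaviour but should be stated in the function comment since this is a security-motivated change.

Review bot: the guard `if (vm->def->sev && qemuSetupSEVCgroup(vm) < 0) goto cleanup;` (second hunk) makes /dev/sev deny-by-default for every domain without SEV configured, which is the least-privilege outcome the commit message asks for, and a failure correctly goes to the existing cleanup label that unrefs cfg. What the hunk cannot show is whether /dev/sev is still listed in the default device ACL applied to all domains earlier in qemuSetupDevicesCgroup; if it is, this per-domain allow adds nothing and the global entry must be dropped in the same change for the commit's stated goal to hold. Please confirm that in the backport, and add a test or note covering a domain with `vm->def->sev` unset so a regression that re-exposes the device is caught.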