Set the kernel-hashes property on the sev-guest object if the config
asked for it explicitly. While QEMU machine types currently default to
having this setting off, it is not guaranteed to remain this way.
We can't assume that the QEMU capabilities were generated on an AMD host
with SEV, so we must force set the QEMU_CAPS_SEV_GUEST. This also means
that the 'sev' info in the qemuCaps struct might be NULL, but this is
harmless from POV of testing the CLI generator.
Signed-off-by: Daniel P. Berrangé
---
src/qemu/qemu_capabilities.c | 5 +++
src/qemu/qemu_command.c | 1 +
src/qemu/qemu_validate.c | 7
...nch-security-sev-direct.x86_64-latest.args | 40 +++
.../launch-security-sev-direct.xml| 39 ++
tests/qemuxml2argvtest.c | 5 +++
tests/testutilsqemu.c | 15 ---
7 files changed, 107 insertions(+), 5 deletions(-)
create mode 100644
tests/qemuxml2argvdata/launch-security-sev-direct.x86_64-latest.args
create mode 100644 tests/qemuxml2argvdata/launch-security-sev-direct.xml
diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
index c1b06998af..4f63322a9e 100644
--- a/src/qemu/qemu_capabilities.c
+++ b/src/qemu/qemu_capabilities.c
@@ -1892,6 +1892,11 @@ virQEMUCapsSEVInfoCopy(virSEVCapability **dst,
{
g_autoptr(virSEVCapability) tmp = NULL;
+if (!src) {
+*dst = NULL;
+return 0;
+}
+
tmp = g_new0(virSEVCapability, 1);
tmp->pdh = g_strdup(src->pdh);
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index 6d00105b24..4d5f7934cb 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -9928,6 +9928,7 @@ qemuBuildSEVCommandLine(virDomainObj *vm, virCommand *cmd,
"u:policy", sev->policy,
"S:dh-cert-file", dhpath,
"S:session-file", sessionpath,
+ "T:kernel-hashes", sev->kernel_hashes,
NULL) < 0)
return -1;
diff --git a/src/qemu/qemu_validate.c b/src/qemu/qemu_validate.c
index f9a195e991..c1924eb2ad 100644
--- a/src/qemu/qemu_validate.c
+++ b/src/qemu/qemu_validate.c
@@ -1217,6 +1217,13 @@ qemuValidateDomainDef(const virDomainDef *def,
"this QEMU binary"));
return -1;
}
+
+if (def->sec->data.sev.kernel_hashes != VIR_TRISTATE_BOOL_ABSENT &&
+!virQEMUCapsGet(qemuCaps, QEMU_CAPS_SEV_GUEST_KERNEL_HASHES)) {
+virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("SEV measured direct kernel boot is not
supported with this QEMU binary"));
+return -1;
+}
break;
case VIR_DOMAIN_LAUNCH_SECURITY_PV:
if (!virQEMUCapsGet(qemuCaps,
QEMU_CAPS_MACHINE_CONFIDENTAL_GUEST_SUPPORT) ||
diff --git
a/tests/qemuxml2argvdata/launch-security-sev-direct.x86_64-latest.args
b/tests/qemuxml2argvdata/launch-security-sev-direct.x86_64-latest.args
new file mode 100644
index 00..dac312e301
--- /dev/null
+++ b/tests/qemuxml2argvdata/launch-security-sev-direct.x86_64-latest.args
@@ -0,0 +1,40 @@
+LC_ALL=C \
+PATH=/bin \
+HOME=/tmp/lib/domain--1-QEMUGuest1 \
+USER=test \
+LOGNAME=test \
+XDG_DATA_HOME=/tmp/lib/domain--1-QEMUGuest1/.local/share \
+XDG_CACHE_HOME=/tmp/lib/domain--1-QEMUGuest1/.cache \
+XDG_CONFIG_HOME=/tmp/lib/domain--1-QEMUGuest1/.config \
+/usr/bin/qemu-system-x86_64 \
+-name guest=QEMUGuest1,debug-threads=on \
+-S \
+-object
'{"qom-type":"secret","id":"masterKey0","format":"raw","file":"/tmp/lib/domain--1-QEMUGuest1/master-key.aes"}'
\
+-machine
pc,usb=off,dump-guest-core=off,confidential-guest-support=lsec0,memory-backend=pc.ram
\
+-accel kvm \
+-cpu qemu64 \
+-m 214 \
+-object '{"qom-type":"memory-backend-ram","id":"pc.ram","size":224395264}' \
+-overcommit mem-lock=off \
+-smp 1,sockets=1,cores=1,threads=1 \
+-uuid c7a5fdbd-edaf-9455-926a-d65c16db1809 \
+-display none \
+-no-user-config \
+-nodefaults \
+-chardev socket,id=charmonitor,fd=1729,server=on,wait=off \
+-mon chardev=charmonitor,id=monitor,mode=control \
+-rtc base=utc \
+-no-shutdown \
+-no-acpi \
+-boot strict=on \
+-kernel /vmlinuz \
+-initrd /initrd \
+-append runme \
+-device
'{"driver":"piix3-usb-uhci","id":"usb","bus":"pci.0","addr":"0x1.0x2"}' \
+-blockdev
'{"driver":"host_device","filename":"/dev/HostVG/QEMUGuest1","node-name":"libvirt-1-storage","auto-read-only":true,"discard":"unmap"}'
\
+-blockdev
'{"node-name":"libvirt-1-format","read-only":false,"driver":"raw","file":"libvirt-1-storage"}'
\
+-device
'{"driver":"ide-hd","bus":"ide.0","unit":0,"drive":"libvirt-1-format","id":"ide0-0-0","bootindex":1}'
\
+-audiodev '{"id":"audio1","driver":"none"}' \
+-object