With a recent enough QEMU (yet unreleased) there's a 'legacy-vm-type' attribute of the 'sev-guest' object. It controls whether QEMU uses the newer or the older interface to init SEV guests. As a result, the measurements (e.g. those implemented in tools/virt-qemu-sev-validate) are affected. There's no clear benefit in switching to the new interface and thus we should set the attribute to keep the old style of measurements.
Signed-off-by: Michal Privoznik <mpriv...@redhat.com>
---
 src/qemu/qemu_command.c | 9 +++++++++
 .../launch-security-sev-direct.x86_64-latest.args | 2 +-
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index 6ec1e9cbef..0bc3c1b521 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -9729,6 +9729,7 @@ qemuBuildSEVCommandLine(virDomainObj *vm, virCommand *cmd,
 qemuDomainObjPrivate *priv = vm->privateData;
 g_autofree char *dhpath = NULL;
 g_autofree char *sessionpath = NULL;
+ bool legacyVMType = false;

 VIR_DEBUG("policy=0x%x cbitpos=%d reduced_phys_bits=%d",
 sev->policy, sev->common.cbitpos, sev->common.reduced_phys_bits);
@@ -9739,6 +9740,13 @@ qemuBuildSEVCommandLine(virDomainObj *vm, virCommand *cmd,
 if (sev->session)
 sessionpath = g_strdup_printf("%s/session.base64", priv->libDir);

+ /* Starting from QEMU 9.1.0 (v9.0.0-rc4-45-g023267334d specifically), QEMU
+ * uses new interface to create SEV guests. This changes what is measured.
+ * Toggle this knob to preserve old style of measurements. */
+ if (virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_SEV_GUEST_LEGACY_VM_TYPE)) {
+ legacyVMType = true;
+ }
+
 if (qemuMonitorCreateObjectProps(&props, "sev-guest", "lsec0",
 "u:cbitpos", sev->common.cbitpos,
 "u:reduced-phys-bits", sev->common.reduced_phys_bits,
@@ -9746,6 +9754,7 @@ qemuBuildSEVCommandLine(virDomainObj *vm, virCommand *cmd,
 "S:dh-cert-file", dhpath,
 "S:session-file", sessionpath,
 "T:kernel-hashes", sev->common.kernel_hashes,
+ "B:legacy-vm-type", legacyVMType,
 NULL) < 0)
 return -1;

diff --git a/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest.args b/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest.args
index 09df8a7cb6..93cc2f71b9 100644
--- a/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest.args
+++ b/tests/qemuxmlconfdata/launch-security-sev-direct.x86_64-latest.args
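Review bot: In the second and third hunks `legacyVMType` is only ever a copy of the capability bit, so the local with its `= false` initializer in the first hunk and the `if` block can go, with the property list in the third hunk reading `"B:legacy-vm-type", virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_SEV_GUEST_LEGACY_VM_TYPE),` and the explanatory comment moved next to it. Whichever shape stays, the comment should also record why the property is omitted rather than sent as `false` to a QEMU without the capability; as I read libvirt's JSON helpers, `B:` drops a false value, and that is what keeps older QEMU from being handed an unknown key, so a later switch to `b:` would silently break those hosts. Because this value feeds the launch measurement that tools/virt-qemu-sev-validate verifies, it is worth stating in the comment that changing the default changes the expected measurement of every existing SEV guest and will break remote attestation policies that pin the current value, e.g. `/* Changing this default changes the launch measurement; see tools/virt-qemu-sev-validate. */`. qemuBuildSEVCommandLine starts and ends outside the hunks.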
@@ -33,6 +33,6 @@ XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.config \
 -blockdev '{"driver":"host_device","filename":"/dev/HostVG/QEMUGuest1","node-name":"libvirt-1-storage","read-only":false}' \
 -device '{"driver":"ide-hd","bus":"ide.0","unit":0,"drive":"libvirt-1-storage","id":"ide0-0-0","bootindex":1}' \
 -audiodev '{"id":"audio1","driver":"none"}' \
--object '{"qom-type":"sev-guest","id":"lsec0","cbitpos":47,"reduced-phys-bits":1,"policy":1,"dh-cert-file":"/var/lib/libvirt/qemu/domain--1-QEMUGuest1/dh_cert.base64","session-file":"/var/lib/libvirt/qemu/domain--1-QEMUGuest1/session.base64","kernel-hashes":true}' \
+-object '{"qom-type":"sev-guest","id":"lsec0","cbitpos":47,"reduced-phys-bits":1,"policy":1,"dh-cert-file":"/var/lib/libvirt/qemu/domain--1-QEMUGuest1/dh_cert.base64","session-file":"/var/lib/libvirt/qemu/domain--1-QEMUGuest1/session.base64","kernel-hashes":true,"legacy-vm-type":true}' \
 -sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \
 -msg timestamp=on
-- 
2.44.2