The API can be used by application to get the SEV capability (which includes platform certificate chain and other releated information)
Signed-off-by: Brijesh Singh <<brijesh.si...@amd.com>> --- include/libvirt/libvirt-host.h | 42 +++++++++++++++++ src/driver-hypervisor.h | 6 +++ src/libvirt-host.c | 48 +++++++++++++++++++ src/libvirt_public.syms | 5 ++ src/qemu/qemu_capabilities.c | 7 +++ src/qemu/qemu_capabilities.h | 4 ++ src/qemu/qemu_driver.c | 91 +++++++++++++++++++++++++++++++++++++ src/remote/remote_daemon_dispatch.c | 44 ++++++++++++++++++ src/remote/remote_driver.c | 41 +++++++++++++++++ src/remote/remote_protocol.x | 22 ++++++++- src/remote_protocol-structs | 13 ++++++ 11 files changed, 322 insertions(+), 1 deletion(-) diff --git a/include/libvirt/libvirt-host.h b/include/libvirt/libvirt-host.h index 84f4858..d020597 100644 --- a/include/libvirt/libvirt-host.h +++ b/include/libvirt/libvirt-host.h @@ -432,6 +432,48 @@ typedef virNodeCPUStats *virNodeCPUStatsPtr; typedef virNodeMemoryStats *virNodeMemoryStatsPtr; + +/** + * + * SEV Parameters + */ + +/** + * VIR_NODE_SEV_PDH: + * + * Marco represents the Platform Diffie-Hellman key, as VIR_TYPED_PARAMS_STRING. + */ +# define VIR_NODE_SEV_PDH "pdh" + +/** + * VIR_NODE_SEV_CERT_CHAIN: + * + * Marco represents the Platform certificate chain that includes the + * endorsement key (PEK), owner certificate authority (OCD) and chip + * endorsement key (CEK), as VIR_TYPED_PARAMS_STRING. + */ +# define VIR_NODE_SEV_CERT_CHAIN "cert-chain" + +/** + * VIR_NODE_SEV_CBITPOS: + * + * Marco represents the CBit Position used by hypervisor when SEV is enabled. + */ +# define VIR_NODE_SEV_CBITPOS "cbitpos" + +/** + * VIR_NODE_SEV_REDUCED_PHYS_BITS: + * + * Marco represents the number of bits we lose in physical address space + * when SEV is enabled in the guest. + */ +# define VIR_NODE_SEV_REDUCED_PHYS_BITS "reduced-phys-bits" + +int virNodeGetSEVCapability (virConnectPtr conn, + virTypedParameterPtr *params, + int *nparams, + unsigned int flags); + /** * virConnectFlags * diff --git a/src/driver-hypervisor.h b/src/driver-hypervisor.h index aa99cbb..cb2ab9c 100644 --- a/src/driver-hypervisor.h +++ b/src/driver-hypervisor.h @@ -1309,6 +1309,11 @@ typedef int unsigned int action, unsigned int flags); +typedef int +(*virDrvNodeGetSEVCapability)(virConnectPtr conn, + virTypedParameterPtr *params, + int *nparams, + unsigned int flags); typedef struct _virHypervisorDriver virHypervisorDriver; typedef virHypervisorDriver *virHypervisorDriverPtr; @@ -1558,6 +1563,7 @@ struct _virHypervisorDriver { virDrvDomainSetLifecycleAction domainSetLifecycleAction; virDrvConnectCompareHypervisorCPU connectCompareHypervisorCPU; virDrvConnectBaselineHypervisorCPU connectBaselineHypervisorCPU; + virDrvNodeGetSEVCapability nodeGetSEVCapability; }; diff --git a/src/libvirt-host.c b/src/libvirt-host.c index 3aaf558..6c47b69 100644 --- a/src/libvirt-host.c +++ b/src/libvirt-host.c @@ -1639,3 +1639,51 @@ virNodeAllocPages(virConnectPtr conn, virDispatchError(conn); return -1; } + +/* + * virNodeGetSEVCapability: + * @conn: pointer to the hypervisor connection + * @params: where to store SEV capabilities; output + * @nparams: pointer to number of SEV parameters; output + * @flags: extra flags; not used yet, so callers should always pass 0 + * + * Get the SEV host capabilities, If hypervisor supports SEV then @params + * will contains PDH and certificate chain. + * + * Returns 0 in case of success, and -1 in case of failure. + */ +int +virNodeGetSEVCapability(virConnectPtr conn, + virTypedParameterPtr *params, + int *nparams, + unsigned int flags) +{ + VIR_DEBUG("conn=%p, params=%p, nparams=%p (%d), flags=0x%x", + conn, params, nparams, *nparams, flags); + + virResetLastError(); + + virCheckConnectReturn(conn, -1); + virCheckNonNullArgGoto(nparams, error); + virCheckNonNegativeArgGoto(*nparams, error); + virCheckReadOnlyGoto(conn->flags, error); + + if (VIR_DRV_SUPPORTS_FEATURE(conn->driver, conn, + VIR_DRV_FEATURE_TYPED_PARAM_STRING)) + flags |= VIR_TYPED_PARAM_STRING_OKAY; + + if (conn->driver->nodeGetSEVCapability) { + int ret; + ret = conn->driver->nodeGetSEVCapability(conn, params, + nparams, flags); + if (ret < 0) + goto error; + return ret; + } + + virReportUnsupportedError(); + + error: + virDispatchError(conn); + return -1; +} diff --git a/src/libvirt_public.syms b/src/libvirt_public.syms index 958601b..438205f 100644 --- a/src/libvirt_public.syms +++ b/src/libvirt_public.syms @@ -792,4 +792,9 @@ LIBVIRT_4.4.0 { virConnectBaselineHypervisorCPU; } LIBVIRT_4.1.0; +LIBVIRT_4.5.0 { + global: + virNodeGetSEVCapability; +} LIBVIRT_4.4.0; + # .... define new API here using predicted next version number .... diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c index 5db444c..82aec96 100644 --- a/src/qemu/qemu_capabilities.c +++ b/src/qemu/qemu_capabilities.c @@ -2080,6 +2080,13 @@ virQEMUCapsSetSEVCapabilities(virQEMUCapsPtr qemuCaps, } +virSEVCapabilityPtr +virQEMUCapsGetSEVCapabilities(virQEMUCapsPtr qemuCaps) +{ + return qemuCaps->sevCapabilities; +} + + static int virQEMUCapsProbeQMPCommands(virQEMUCapsPtr qemuCaps, qemuMonitorPtr mon) diff --git a/src/qemu/qemu_capabilities.h b/src/qemu/qemu_capabilities.h index ad25e6c..630ce77 100644 --- a/src/qemu/qemu_capabilities.h +++ b/src/qemu/qemu_capabilities.h @@ -615,4 +615,8 @@ bool virQEMUCapsGuestIsNative(virArch host, bool virQEMUCapsCPUFilterFeatures(const char *name, void *opaque); + +virSEVCapabilityPtr +virQEMUCapsGetSEVCapabilities(virQEMUCapsPtr qemuCaps); + #endif /* __QEMU_CAPABILITIES_H__*/ diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index c200c5a..0fb1aba 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c @@ -21438,6 +21438,96 @@ qemuDomainSetLifecycleAction(virDomainPtr dom, } +static int +qemuGetSEVCapabilities(virQEMUCapsPtr qemuCaps, + virTypedParameterPtr *params, + int *nparams, + unsigned int flags) +{ + int maxpar = 0; + virSEVCapabilityPtr sev = virQEMUCapsGetSEVCapabilities(qemuCaps); + + virCheckFlags(VIR_TYPED_PARAM_STRING_OKAY, -1); + + if (virTypedParamsAddString(params, nparams, &maxpar, + VIR_NODE_SEV_PDH, sev->pdh) < 0) + return -1; + + if (virTypedParamsAddString(params, nparams, &maxpar, + VIR_NODE_SEV_CERT_CHAIN, sev->pdh) < 0) + goto cleanup; + + if (virTypedParamsAddUInt(params, nparams, &maxpar, + VIR_NODE_SEV_CBITPOS, sev->cbitpos) < 0) + goto cleanup; + + if (virTypedParamsAddUInt(params, nparams, &maxpar, + VIR_NODE_SEV_REDUCED_PHYS_BITS, + sev->reduced_phys_bits) < 0) + goto cleanup; + + return 0; + + cleanup: + return -1; +} + + +static int +qemuNodeGetSEVCapability(virConnectPtr conn, + virTypedParameterPtr *params, + int *nparams, + unsigned int flags) +{ + virQEMUDriverPtr driver = conn->privateData; + virCapsPtr caps = NULL; + virQEMUCapsPtr qemucaps = NULL; + virArch hostarch; + virCapsDomainDataPtr capsdata; + int ret = -1; + + if (virNodeGetSevCapabilityEnsureACL(conn) < 0) + return ret; + + if (!(caps = virQEMUDriverGetCapabilities(driver, true))) + return ret; + + hostarch = virArchFromHost(); + if (!(capsdata = virCapabilitiesDomainDataLookup(caps, + VIR_DOMAIN_OSTYPE_HVM, hostarch, VIR_DOMAIN_VIRT_QEMU, + NULL, NULL))) { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("Cannot find suitable emulator for %s"), + virArchToString(hostarch)); + goto UnrefCaps; + } + + qemucaps = virQEMUCapsCacheLookup(driver->qemuCapsCache, + capsdata->emulator); + VIR_FREE(capsdata); + if (!qemucaps) + goto UnrefCaps; + + if (!virQEMUCapsGet(qemucaps, QEMU_CAPS_SEV_GUEST)) { + virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s", + _("QEMU does not support SEV guest")); + goto UnrefQemuCaps; + } + + if (qemuGetSEVCapabilities(qemucaps, params, nparams, flags) < 0) + goto UnrefQemuCaps; + + ret = 0; + + UnrefQemuCaps: + virObjectUnref(qemucaps); + UnrefCaps: + virObjectUnref(caps); + + return ret; +} + + static virHypervisorDriver qemuHypervisorDriver = { .name = QEMU_DRIVER_NAME, .connectURIProbe = qemuConnectURIProbe, @@ -21661,6 +21751,7 @@ static virHypervisorDriver qemuHypervisorDriver = { .domainSetLifecycleAction = qemuDomainSetLifecycleAction, /* 3.9.0 */ .connectCompareHypervisorCPU = qemuConnectCompareHypervisorCPU, /* 4.4.0 */ .connectBaselineHypervisorCPU = qemuConnectBaselineHypervisorCPU, /* 4.4.0 */ + .nodeGetSEVCapability = qemuNodeGetSEVCapability, /* 4.5.0 */ }; diff --git a/src/remote/remote_daemon_dispatch.c b/src/remote/remote_daemon_dispatch.c index 81d0445..f974b71 100644 --- a/src/remote/remote_daemon_dispatch.c +++ b/src/remote/remote_daemon_dispatch.c @@ -5001,6 +5001,50 @@ remoteDispatchDomainGetDiskErrors(virNetServerPtr server ATTRIBUTE_UNUSED, static int +remoteDispatchNodeGetSevCapability(virNetServerPtr server ATTRIBUTE_UNUSED, + virNetServerClientPtr client ATTRIBUTE_UNUSED, + virNetMessagePtr msg ATTRIBUTE_UNUSED, + virNetMessageErrorPtr rerr, + remote_node_get_sev_capability_args *args, + remote_node_get_sev_capability_ret *ret) +{ + virTypedParameterPtr params = NULL; + int nparams = 0; + int rv = -1; + struct daemonClientPrivate *priv = + virNetServerClientGetPrivateData(client); + + if (!priv->conn) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("connection not open")); + goto cleanup; + } + + if (virNodeGetSEVCapability(priv->conn, ¶ms, &nparams, args->flags) < 0) + goto cleanup; + + if (nparams > REMOTE_NODE_SEV_CAPABILITY_MAX) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); + goto cleanup; + } + + + if (virTypedParamsSerialize(params, nparams, + (virTypedParameterRemotePtr *) &ret->params.params_val, + &ret->params.params_len, + args->flags) < 0) + goto cleanup; + + rv = 0; + + cleanup: + if (rv < 0) + virNetMessageSaveError(rerr); + virTypedParamsFree(params, nparams); + return rv; +} + + +static int remoteDispatchNodeGetMemoryParameters(virNetServerPtr server ATTRIBUTE_UNUSED, virNetServerClientPtr client ATTRIBUTE_UNUSED, virNetMessagePtr msg ATTRIBUTE_UNUSED, diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c index 3be30bd..cdc9a70 100644 --- a/src/remote/remote_driver.c +++ b/src/remote/remote_driver.c @@ -6776,6 +6776,46 @@ remoteNodeGetMemoryParameters(virConnectPtr conn, return rv; } + +static int +remoteNodeGetSEVCapability(virConnectPtr conn, + virTypedParameterPtr *params, + int *nparams, + unsigned int flags) +{ + int rv = -1; + remote_node_get_sev_capability_args args; + remote_node_get_sev_capability_ret ret; + struct private_data *priv = conn->privateData; + + remoteDriverLock(priv); + + args.flags = flags; + + memset(&ret, 0, sizeof(ret)); + if (call(conn, priv, 0, REMOTE_PROC_NODE_GET_SEV_CAPABILITY, + (xdrproc_t) xdr_remote_node_get_sev_capability_args, (char *) &args, + (xdrproc_t) xdr_remote_node_get_sev_capability_ret, (char *) &ret) == -1) + goto done; + + if (virTypedParamsDeserialize((virTypedParameterRemotePtr) ret.params.params_val, + ret.params.params_len, + REMOTE_NODE_SEV_CAPABILITY_MAX, + params, + nparams) < 0) + goto cleanup; + + rv = 0; + + cleanup: + xdr_free((xdrproc_t) xdr_remote_node_get_sev_capability_ret, + (char *) &ret); + done: + remoteDriverUnlock(priv); + return rv; +} + + static int remoteNodeGetCPUMap(virConnectPtr conn, unsigned char **cpumap, @@ -8452,6 +8492,7 @@ static virHypervisorDriver hypervisor_driver = { .domainSetLifecycleAction = remoteDomainSetLifecycleAction, /* 3.9.0 */ .connectCompareHypervisorCPU = remoteConnectCompareHypervisorCPU, /* 4.4.0 */ .connectBaselineHypervisorCPU = remoteConnectBaselineHypervisorCPU, /* 4.4.0 */ + .nodeGetSEVCapability = remoteNodeGetSEVCapability, /* 4.5.0 */ }; static virNetworkDriver network_driver = { diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x index a0ab7e9..a4e1166 100644 --- a/src/remote/remote_protocol.x +++ b/src/remote/remote_protocol.x @@ -253,6 +253,9 @@ const REMOTE_DOMAIN_IP_ADDR_MAX = 2048; /* Upper limit on number of guest vcpu information entries */ const REMOTE_DOMAIN_GUEST_VCPU_PARAMS_MAX = 64; +/* Upper limit on number of SEV parameters */ +const REMOTE_NODE_SEV_CAPABILITY_MAX = 64; + /* UUID. VIR_UUID_BUFLEN definition comes from libvirt.h */ typedef opaque remote_uuid[VIR_UUID_BUFLEN]; @@ -3480,6 +3483,17 @@ struct remote_connect_baseline_hypervisor_cpu_ret { remote_nonnull_string cpu; }; +struct remote_node_get_sev_capability_args { + int nparams; + unsigned int flags; +}; + +struct remote_node_get_sev_capability_ret { + remote_typed_param params<REMOTE_NODE_SEV_CAPABILITY_MAX>; + int nparams; +}; + + /*----- Protocol. -----*/ /* Define the program number, protocol version and procedure numbers here. */ @@ -6187,5 +6201,11 @@ enum remote_procedure { * @generate: both * @acl: connect:write */ - REMOTE_PROC_CONNECT_BASELINE_HYPERVISOR_CPU = 394 + REMOTE_PROC_CONNECT_BASELINE_HYPERVISOR_CPU = 394, + + /** + * @generate: none + * @acl: connect:read + */ + REMOTE_PROC_NODE_GET_SEV_CAPABILITY = 395 }; diff --git a/src/remote_protocol-structs b/src/remote_protocol-structs index 0c4cfc6..7705821 100644 --- a/src/remote_protocol-structs +++ b/src/remote_protocol-structs @@ -2907,6 +2907,18 @@ struct remote_connect_baseline_hypervisor_cpu_args { struct remote_connect_baseline_hypervisor_cpu_ret { remote_nonnull_string cpu; }; +struct remote_node_get_sev_capability_args { + int nparams; + u_int flags; +}; +struct remote_node_get_sev_capability_ret { + struct { + u_int params_len; + remote_typed_param * params_val; + } params; + int nparams; +}; + enum remote_procedure { REMOTE_PROC_CONNECT_OPEN = 1, REMOTE_PROC_CONNECT_CLOSE = 2, @@ -3302,4 +3314,5 @@ enum remote_procedure { REMOTE_PROC_DOMAIN_DETACH_DEVICE_ALIAS = 392, REMOTE_PROC_CONNECT_COMPARE_HYPERVISOR_CPU = 393, REMOTE_PROC_CONNECT_BASELINE_HYPERVISOR_CPU = 394, + REMOTE_PROC_NODE_SEV_CAPABILITY = 395, }; -- 2.7.4 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list