libvirt/SOURCES/libvirt-qemu-Check-if-AMD-secure-guest-support-is-enabled.patch

From 71e87f4da22992c5d9f858535a1acaa7201aa7d3 Mon Sep 17 00:00:00 2001
Message-Id: <71e87f4da22992c5d9f858535a1acaa7201aa7d3@dist-git>
From: Paulo de Rezende Pinatti <ppinatti@linux.ibm.com>
Date: Wed, 24 Jun 2020 13:16:19 +0200
Subject: [PATCH] qemu: Check if AMD secure guest support is enabled
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Implement secure guest check for AMD SEV (Secure Encrypted
Virtualization) in order to invalidate the qemu capabilities
cache in case the availability of the feature changed.

For AMD SEV the verification consists of:
 - checking if /sys/module/kvm_amd/parameters/sev contains the
   value '1': meaning SEV is enabled in the host kernel;
 - checking if /dev/sev exists

Signed-off-by: Paulo de Rezende Pinatti <ppinatti@linux.ibm.com>
Signed-off-by: Boris Fiuczynski <fiuczy@linux.ibm.com>
Reviewed-by: Bjoern Walk <bwalk@linux.ibm.com>
Reviewed-by: Erik Skultety <eskultet@redhat.com>
(cherry picked from commit 657365e74f489b70bfbf2eb014db63046c5e3888)

https://bugzilla.redhat.com/show_bug.cgi?id=1848997
https://bugzilla.redhat.com/show_bug.cgi?id=1850351

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
Message-Id: <1c3393cb71b731f5632d150d77f9920b591aa5ee.1592996194.git.jdenemar@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
---
 src/qemu/qemu_capabilities.c | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
index 8a4b43c269..278eaa0009 100644
--- a/src/qemu/qemu_capabilities.c
+++ b/src/qemu/qemu_capabilities.c
@@ -4543,6 +4543,27 @@ virQEMUCapsKVMSupportsSecureGuestS390(void)
 }
 
 
+/*
+ * Check whether AMD Secure Encrypted Virtualization (x86) is enabled
+ */
+static bool
+virQEMUCapsKVMSupportsSecureGuestAMD(void)
+{
+    g_autofree char *modValue = NULL;
+
+    if (virFileReadValueString(&modValue, "/sys/module/kvm_amd/parameters/sev") < 0)
+        return false;
+
+    if (modValue[0] != '1')
+        return false;
+
+    if (virFileExists(QEMU_DEV_SEV))
+        return true;
+
+    return false;
+}
+
+
 /*
  * Check whether the secure guest functionality is enabled.
  * See the specific architecture function for details on the verifications made.
@@ -4554,6 +4575,10 @@ virQEMUCapsKVMSupportsSecureGuest(void)
 
     if (ARCH_IS_S390(arch))
         return virQEMUCapsKVMSupportsSecureGuestS390();
+
+    if (ARCH_IS_X86(arch))
+        return virQEMUCapsKVMSupportsSecureGuestAMD();
+
     return false;
 }
 
-- 
2.27.0