4757f653ca
- Bugfix: Enhance the capability to trace the shutdown status of large VMS - conf: qemu: support provide inject secret for Hygon CSV - conf: qemu: add libvirt support reuse id for hygon CSV - Automatically unbind all devices' driver under same root port and bind to vfio-pci in the context of CVM. - Consistent coding style with opensource. - build: Make daemons depend on generated *_protocol.[ch] - Add the get tmm memory info API into libvirt-host. Also should add the RPC calls into libvirtd for API calling. - Add cvm parameter into the type of LaunchSecurity which is a optional filed for libvirt xml Signed-off-by: Jiabo Feng <fengjiabo1@huawei.com> (cherry picked from commit d6a30a53977380d182cdf5f873c4ceb1ec29a85a)
130 lines
4.8 KiB
Diff
130 lines
4.8 KiB
Diff
From 66ab1f1ce7ae35f757580062ef6653ae64c01522 Mon Sep 17 00:00:00 2001
|
|
From: hanliyang <hanliyang@hygon.cn>
|
|
Date: Wed, 13 Nov 2024 16:12:57 +0800
|
|
Subject: [PATCH] conf: qemu: support provide inject secret for Hygon CSV
|
|
|
|
csv xml format:
|
|
<launchSecurity type='sev'>
|
|
<policy>0x0001</policy>
|
|
<cbitpos>47</cbitpos>
|
|
<reducePhysBits>5</reducedPhysBits>
|
|
<dhCert>U2FsdGVkX1+rW6B/JbYqNA==</dhCert>
|
|
<session>5aeG4mH2E/OqN1a3uT8hfg==</session>
|
|
<secretHeader>gW3E30rG/I3L1nD/YfG+DA==</secretHeader>
|
|
<secret>zP1oY9W7ZcPFtL0QeN11vQ==</secret>
|
|
</launchSecurity>
|
|
|
|
Signed-off-by: hanliyang <hanliyang@hygon.cn>
|
|
---
|
|
src/conf/domain_conf.c | 8 ++++++++
|
|
src/conf/domain_conf.h | 2 ++
|
|
src/qemu/qemu_command.c | 10 ++++++++++
|
|
src/qemu/qemu_process.c | 10 ++++++++++
|
|
4 files changed, 30 insertions(+)
|
|
|
|
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
|
|
index 2be4706b03..b3475757c3 100644
|
|
--- a/src/conf/domain_conf.c
|
|
+++ b/src/conf/domain_conf.c
|
|
@@ -3829,6 +3829,8 @@ virDomainSecDefFree(virDomainSecDef *def)
|
|
g_free(def->data.sev.dh_cert);
|
|
g_free(def->data.sev.session);
|
|
g_free(def->data.sev.user_id);
|
|
+ g_free(def->data.sev.secret_header);
|
|
+ g_free(def->data.sev.secret);
|
|
break;
|
|
case VIR_DOMAIN_LAUNCH_SECURITY_PV:
|
|
case VIR_DOMAIN_LAUNCH_SECURITY_CVM:
|
|
@@ -13549,6 +13551,8 @@ virDomainSEVDefParseXML(virDomainSEVDef *def,
|
|
def->dh_cert = virXPathString("string(./dhCert)", ctxt);
|
|
def->session = virXPathString("string(./session)", ctxt);
|
|
def->user_id = virXPathString("string(./userid)", ctxt);
|
|
+ def->secret_header = virXPathString("string(./secretHeader)", ctxt);
|
|
+ def->secret = virXPathString("string(./secret)", ctxt);
|
|
|
|
return 0;
|
|
}
|
|
@@ -26617,6 +26621,10 @@ virDomainSecDefFormat(virBuffer *buf, virDomainSecDef *sec)
|
|
|
|
if (sev->user_id)
|
|
virBufferEscapeString(&childBuf, "<userid>%s</userid>\n", sev->user_id);
|
|
+ if (sev->secret_header)
|
|
+ virBufferEscapeString(&childBuf, "<secretHeader>%s</secretHeader>\n", sev->secret_header);
|
|
+ if (sev->secret)
|
|
+ virBufferEscapeString(&childBuf, "<secret>%s</secret>\n", sev->secret);
|
|
|
|
break;
|
|
}
|
|
diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
|
|
index c06ac9552c..f0e5535013 100644
|
|
--- a/src/conf/domain_conf.h
|
|
+++ b/src/conf/domain_conf.h
|
|
@@ -2874,6 +2874,8 @@ struct _virDomainSEVDef {
|
|
unsigned int reduced_phys_bits;
|
|
virTristateBool kernel_hashes;
|
|
char *user_id;
|
|
+ char *secret_header;
|
|
+ char *secret;
|
|
};
|
|
|
|
struct _virDomainSecDef {
|
|
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
|
|
index d4a0d73aae..0c47f019f2 100644
|
|
--- a/src/qemu/qemu_command.c
|
|
+++ b/src/qemu/qemu_command.c
|
|
@@ -9714,6 +9714,8 @@ qemuBuildSEVCommandLine(virDomainObj *vm, virCommand *cmd,
|
|
qemuDomainObjPrivate *priv = vm->privateData;
|
|
g_autofree char *dhpath = NULL;
|
|
g_autofree char *sessionpath = NULL;
|
|
+ g_autofree char *secretheaderpath = NULL;
|
|
+ g_autofree char *secretpath = NULL;
|
|
|
|
VIR_DEBUG("policy=0x%x cbitpos=%d reduced_phys_bits=%d",
|
|
sev->policy, sev->cbitpos, sev->reduced_phys_bits);
|
|
@@ -9727,6 +9729,12 @@ qemuBuildSEVCommandLine(virDomainObj *vm, virCommand *cmd,
|
|
if (sev->session)
|
|
sessionpath = g_strdup_printf("%s/session.base64", priv->libDir);
|
|
|
|
+ if (sev->secret_header)
|
|
+ secretheaderpath = g_strdup_printf("%s/secret_header.base64", priv->libDir);
|
|
+
|
|
+ if (sev->secret)
|
|
+ secretpath = g_strdup_printf("%s/secret.base64", priv->libDir);
|
|
+
|
|
if (qemuMonitorCreateObjectProps(&props, "sev-guest", "lsec0",
|
|
"u:cbitpos", sev->cbitpos,
|
|
"u:reduced-phys-bits", sev->reduced_phys_bits,
|
|
@@ -9735,6 +9743,8 @@ qemuBuildSEVCommandLine(virDomainObj *vm, virCommand *cmd,
|
|
"S:dh-cert-file", dhpath,
|
|
"S:session-file", sessionpath,
|
|
"T:kernel-hashes", sev->kernel_hashes,
|
|
+ "S:secret-header-file", secretheaderpath,
|
|
+ "S:secret-file", secretpath,
|
|
NULL) < 0)
|
|
return -1;
|
|
|
|
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
|
|
index 892676c020..63ce075812 100644
|
|
--- a/src/qemu/qemu_process.c
|
|
+++ b/src/qemu/qemu_process.c
|
|
@@ -7029,6 +7029,16 @@ qemuProcessPrepareSEVGuestInput(virDomainObj *vm)
|
|
return -1;
|
|
}
|
|
|
|
+ if (sev->secret_header) {
|
|
+ if (qemuProcessSEVCreateFile(vm, "secret_header", sev->secret_header) < 0)
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
+ if (sev->secret) {
|
|
+ if (qemuProcessSEVCreateFile(vm, "secret", sev->secret) < 0)
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
return 0;
|
|
}
|
|
|
|
--
|
|
2.41.0.windows.1
|
|
|