diff --git a/tests/data/cli/compare/virt-install-amd-sev.xml b/tests/data/cli/compare/virt-install-amd-sev.xml new file mode 100644 index 00000000..68b236dd --- /dev/null +++ b/tests/data/cli/compare/virt-install-amd-sev.xml @@ -0,0 +1,89 @@ + + linux2020 + 00000000-1111-2222-3333-444444444444 + + + + + + 65536 + 65536 + 2 + + hvm + /usr/share/OVMF/OVMF_CODE.fd + + + + + + + + + + + + + + + + + + + /usr/bin/qemu-system-x86_64 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + /dev/urandom + + + + 0x07 + + diff --git a/tests/test_cli.py b/tests/test_cli.py index 47b59055..7d7b5a9b 100644 --- a/tests/test_cli.py +++ b/tests/test_cli.py @@ -1108,6 +1108,7 @@ c.add_compare("--connect " + utils.URIs.kvm_x86_remote + " --import --disk %(EXI c.add_compare("--connect %(URI-KVM-X86)s --os-variant fedora26 --graphics spice --controller usb,model=none", "graphics-usb-disable") c.add_compare("--osinfo generic --boot uefi --disk size=1", "boot-uefi") c.add_compare("--osinfo generic --boot uefi --disk size=1 --tpm none --connect " + utils.URIs.kvm_x86_oldfirmware, "boot-uefi-oldcaps") +c.add_compare("--osinfo linux2020 --boot uefi --launchSecurity sev --connect " + utils.URIs.kvm_amd_sev, "amd-sev") c.add_invalid("--disk none --location nfs:example.com/fake --nonetworks", grep="NFS URL installs are no longer supported") c.add_invalid("--disk none --boot network --machine foobar", grep="domain type None with machine 'foobar'") diff --git a/virtinst/domain/launch_security.py b/virtinst/domain/launch_security.py index 7af71811..9d2998d9 100644 --- a/virtinst/domain/launch_security.py +++ b/virtinst/domain/launch_security.py @@ -22,13 +22,15 @@ class DomainLaunchSecurity(XMLBuilder): if not guest.os.is_q35() or not guest.is_uefi(): raise RuntimeError(_("SEV launch security requires a Q35 UEFI machine")) - # 'policy' is a mandatory 4-byte argument for the SEV firmware, - # if missing, let's use 0x03 which, according to the table at - # https://libvirt.org/formatdomain.html#launchSecurity: - # (bit 0) - disables the debugging mode - # (bit 1) - disables encryption key sharing across multiple guests + # The 'policy' is a mandatory 4-byte argument for the SEV firmware. + # If missing, we use 0x03 for the original SEV implementation and + # 0x07 for SEV-ES. + # Reference: https://libvirt.org/formatdomain.html#launchSecurity if self.policy is None: + domcaps = guest.lookup_domcaps() self.policy = "0x03" + if domcaps.supports_sev_launch_security(check_es=True): + self.policy = "0x07" def set_defaults(self, guest): if self.type == "sev": diff --git a/virtinst/domcapabilities.py b/virtinst/domcapabilities.py index 6ba3e71c..d22ce6a2 100644 --- a/virtinst/domcapabilities.py +++ b/virtinst/domcapabilities.py @@ -93,6 +93,7 @@ def _make_capsblock(xml_root_name): class _SEV(XMLBuilder): XML_NAME = "sev" supported = XMLProperty("./@supported", is_yesno=True) + maxESGuests = XMLProperty("./maxESGuests") ############################# @@ -392,12 +393,15 @@ class DomainCapabilities(XMLBuilder): # Misc support methods # ######################## - def supports_sev_launch_security(self): + def supports_sev_launch_security(self, check_es=False): """ Returns False if either libvirt doesn't advertise support for SEV at all (< libvirt-4.5.0) or if it explicitly advertises it as unsupported on the platform """ + if check_es: + return bool(self.features.sev.supported and + self.features.sev.maxESGuests) return bool(self.features.sev.supported) def supports_video_bochs(self):