From 424283ad1db9c4da519fac698486967e6b6557b0 Mon Sep 17 00:00:00 2001 From: Charles Arnold Date: Wed, 3 Aug 2022 08:47:02 -0400 Subject: [PATCH] launch_security: Use SEV-ES policy=0x07 if host supports it --- .../data/cli/compare/virt-install-amd-sev.xml | 89 +++++++++++++++++++ tests/test_cli.py | 1 + virtinst/domain/launch_security.py | 12 +-- virtinst/domcapabilities.py | 6 +- 4 files changed, 102 insertions(+), 6 deletions(-) create mode 100644 tests/data/cli/compare/virt-install-amd-sev.xml diff --git a/tests/data/cli/compare/virt-install-amd-sev.xml b/tests/data/cli/compare/virt-install-amd-sev.xml new file mode 100644 index 00000000..68b236dd --- /dev/null +++ b/tests/data/cli/compare/virt-install-amd-sev.xml @@ -0,0 +1,89 @@ + + linux2020 + 00000000-1111-2222-3333-444444444444 + + + + + + 65536 + 65536 + 2 + + hvm + /usr/share/OVMF/OVMF_CODE.fd + + + + + + + + + + + + + + + + + + + /usr/bin/qemu-system-x86_64 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + /dev/urandom + + + + 0x07 + + diff --git a/tests/test_cli.py b/tests/test_cli.py index 47b59055..7d7b5a9b 100644 --- a/tests/test_cli.py +++ b/tests/test_cli.py @@ -1108,6 +1108,7 @@ c.add_compare("--connect " + utils.URIs.kvm_x86_remote + " --import --disk %(EXI c.add_compare("--connect %(URI-KVM-X86)s --os-variant fedora26 --graphics spice --controller usb,model=none", "graphics-usb-disable") c.add_compare("--osinfo generic --boot uefi --disk size=1", "boot-uefi") c.add_compare("--osinfo generic --boot uefi --disk size=1 --tpm none --connect " + utils.URIs.kvm_x86_oldfirmware, "boot-uefi-oldcaps") +c.add_compare("--osinfo linux2020 --boot uefi --launchSecurity sev --connect " + utils.URIs.kvm_amd_sev, "amd-sev") c.add_invalid("--disk none --location nfs:example.com/fake --nonetworks", grep="NFS URL installs are no longer supported") c.add_invalid("--disk none --boot network --machine foobar", grep="domain type None with machine 'foobar'") 
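Review bot: The new `amd-sev` compare exercises only the SEV-ES branch of the default-policy logic; nothing covers a host that advertises SEV without a `maxESGuests` value, so the `0x03` fallback in launch_security.py is still untested by this patch. The added line also relies on `utils.URIs.kvm_amd_sev` and a matching domain-capabilities fixture, and the diffstat lists no change to the module that defines `utils.URIs`, so presumably both already exist in the tree; it is worth confirming that the fixture advertises a nonzero `maxESGuests`, since the `0x07` expected in the new XML depends on that. A second compare against an existing plain-SEV capabilities URI, expecting `0x03`, would pin both branches.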
diff --git a/virtinst/domain/launch_security.py b/virtinst/domain/launch_security.py
index 7af71811..9d2998d9 100644
--- a/virtinst/domain/launch_security.py
+++ b/virtinst/domain/launch_security.py
@@ -22,13 +22,15 @@ class DomainLaunchSecurity(XMLBuilder):
         if not guest.os.is_q35() or not guest.is_uefi():
             raise RuntimeError(_("SEV launch security requires a Q35 UEFI machine"))
 
-        # 'policy' is a mandatory 4-byte argument for the SEV firmware,
-        # if missing, let's use 0x03 which, according to the table at
-        # https://libvirt.org/formatdomain.html#launchSecurity:
-        # (bit 0) - disables the debugging mode
-        # (bit 1) - disables encryption key sharing across multiple guests
+        # The 'policy' is a mandatory 4-byte argument for the SEV firmware.
+        # If missing, we use 0x03 for the original SEV implementation and
+        # 0x07 for SEV-ES.
+        # Reference: https://libvirt.org/formatdomain.html#launchSecurity
         if self.policy is None:
+            domcaps = guest.lookup_domcaps()
             self.policy = "0x03"
+            if domcaps.supports_sev_launch_security(check_es=True):
+                self.policy = "0x07"
 
     def set_defaults(self, guest):
         if self.type == "sev":
diff --git a/virtinst/domcapabilities.py b/virtinst/domcapabilities.py
index 6ba3e71c..d22ce6a2 100644
--- a/virtinst/domcapabilities.py
+++ b/virtinst/domcapabilities.py
@@ -93,6 +93,7 @@ def _make_capsblock(xml_root_name):
 class _SEV(XMLBuilder):
     XML_NAME = "sev"
     supported = XMLProperty("./@supported", is_yesno=True)
+    maxESGuests = XMLProperty("./maxESGuests")
 
 
 #############################
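Review bot: The rewritten comment in launch_security.py drops the bit-level meaning the old comment gave, so a reader no longer sees why `0x07` is the SEV-ES value; since the removed lines already explained bits 0 and 1, keep that table and extend it, e.g. `# 0x03: (bit 0) debugging disabled, (bit 1) key sharing disabled` / `# 0x07: additionally (bit 2) SEV-ES required, per the libvirt table above`. Because bit 2 makes SEV-ES mandatory, a policy that was defaulted on an ES-capable host will not launch on a SEV-only host; that appears to be the intended behaviour here, but a sentence saying so in the comment stops someone later "relaxing" the default by mistake. The enclosing method starts before this hunk.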
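Review bot: `maxESGuests = XMLProperty("./maxESGuests")` declares the element without `is_int=True`, so unlike `supported` (parsed via `is_yesno=True`) it is read as a raw string, and if libvirt reports `<maxESGuests>0</maxESGuests>` the value is `"0"`, which is truthy. The `check_es` branch added in the `supports_sev_launch_security` hunk of this same file tests that value with `and`, so such a host — SEV capable but with no SEV-ES capacity — would be reported as ES capable and launch_security.py would default the policy to `0x07`, which the host cannot satisfy. Declare it as `maxESGuests = XMLProperty("./maxESGuests", is_int=True)` so that zero is falsy and the check in the later hunk reads as intended.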
@@ -392,12 +393,15 @@ class DomainCapabilities(XMLBuilder): # Misc support methods # ######################## - def supports_sev_launch_security(self): + def supports_sev_launch_security(self, check_es=False): """ Returns False if either libvirt doesn't advertise support for SEV at all (< libvirt-4.5.0) or if it explicitly advertises it as unsupported on the platform """ + if check_es: + return bool(self.features.sev.supported and + self.features.sev.maxESGuests) return bool(self.features.sev.supported) def supports_video_bochs(self):
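Review bot: The docstring of `supports_sev_launch_security` was not updated for the new `check_es` parameter and still describes only the plain-SEV result. Add a line such as `check_es: if True, additionally require that the host advertises a nonzero maxESGuests (SEV-ES capacity); when libvirt does not report that element the property is empty and this returns False, so callers fall back to plain SEV.` Stating that explicitly matters because the only caller visible in this patch uses the result to pick a policy value that the guest's firmware must then honour.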