cedc850e4e
Add a new sev_enabled() function to the libvirt utils to detect that
SEV is required and return True if and only if the following are both
true:
a) the supports_amd_sev instance variable in the host is
true, *and*
b) the instance extra specs and/or image properties request
memory encryption to be enabled.
In this case we know that SEV functionality is required, so tweak the
guest config accordingly in various ways:
- Ensure that the machine type is some q35 variant. If the image had
an hw_machine_type property requesting some other type, an
InvalidMachineType exception will be raised.
- Set the "iommu" attribute to "on" for all relevant devices including
disk / network devices, but excluding input/graphics/video/serial
devices. This is achieved via a new set_driver_iommu_for_sev()
method added to nova.virt.libvirt.designer. In order to test this
thoroughly, beef up the fake KVM guest fixture with extra devices
of each type.
- Add the <launchSecurity> element to enable use of SEV. Two related
configuration values are extracted from domain capabilities and set
on the element.
- Enable memory locking. All the memory pages allocated by QEMU must
be pinned for SEV, which is achieved via <memoryBacking> and <locked />
elements.
blueprint: amd-sev-libvirt-support
Change-Id: Ie54fca066f3333d1d5d18a2c0e8f6c7d5042490b
|
||
|---|---|---|
| .. | ||
| storage | ||
| volume | ||
| __init__.py | ||
| blockinfo.py | ||
| config.py | ||
| designer.py | ||
| driver.py | ||
| firewall.py | ||
| guest.py | ||
| host.py | ||
| imagebackend.py | ||
| imagecache.py | ||
| instancejobtracker.py | ||
| migration.py | ||
| utils.py | ||
| vif.py | ||