Add a new sev_enabled() function to the libvirt utils to detect that SEV is required and return True if and only if the following are both true:

  a) the supports_amd_sev instance variable in the host is true, *and*
  b) the instance extra specs and/or image properties request memory encryption to be enabled.

In this case we know that SEV functionality is required, so tweak the guest config accordingly in various ways:

- Ensure that the machine type is some q35 variant. If the image had an hw_machine_type property requesting some other type, an InvalidMachineType exception will be raised.

- Set the "iommu" attribute to "on" for all relevant devices including disk / network devices, but excluding input/graphics/video/serial devices. This is achieved via a new set_driver_iommu_for_sev() method added to nova.virt.libvirt.designer. In order to test this thoroughly, beef up the fake KVM guest fixture with extra devices of each type.

- Add the <launchSecurity> element to enable use of SEV. Two related configuration values are extracted from domain capabilities and set on the element.

- Enable memory locking. All the memory pages allocated by QEMU must be pinned for SEV, which is achieved via <memoryBacking> and <locked /> elements.

blueprint: amd-sev-libvirt-support
Change-Id: Ie54fca066f3333d1d5d18a2c0e8f6c7d5042490b
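The following is an added illustration of the five steps the commit message describes, written here for the reader and not taken from Nova or libvirt. It assumes the flavor extra spec is named `hw:mem_encryption` and the image property `hw_mem_encryption` (names the page does not state), that the "two related configuration values" are libvirt's `cbitpos` and `reducedPhysBits` from the `<sev>` block of domain capabilities, and that `iommu='on'` goes on each device's `<driver>` child. Both XML documents are constructed samples, not real host output.

```python
"""Added example (not Nova's own code): SEV predicate plus guest-XML tweaks.

Assumptions (not stated on the page): property names FLAVOR_KEY/IMAGE_KEY,
and that libvirt's domcapabilities <sev> carries cbitpos/reducedPhysBits.
"""
import xml.etree.ElementTree as ET

FLAVOR_KEY = "hw:mem_encryption"      # assumed flavor extra-spec name
IMAGE_KEY = "hw_mem_encryption"       # assumed image property name

IOMMU_DEVICES = ("disk", "interface")                       # get iommu='on'
EXCLUDED_DEVICES = ("input", "graphics", "video", "serial")  # left untouched


class InvalidMachineType(Exception):
    """Raised when a non-q35 machine type is requested together with SEV."""


def _truthy(value):
    return str(value).strip().lower() in ("1", "true", "yes", "on")


def sev_enabled(host_supports_amd_sev, extra_specs=None, image_props=None):
    """True iff the host supports SEV AND flavor or image asks for encryption."""
    if not host_supports_amd_sev:
        return False
    return (_truthy((extra_specs or {}).get(FLAVOR_KEY, "")) or
            _truthy((image_props or {}).get(IMAGE_KEY, "")))


def ensure_q35(machine_type):
    """SEV needs a q35 variant; no explicit request defaults to plain 'q35'."""
    if machine_type is None:
        return "q35"
    if "q35" not in machine_type:
        raise InvalidMachineType(
            "SEV requires a q35 machine type, got %r" % machine_type)
    return machine_type


def sev_params(domcaps_xml):
    """Pull cbitpos/reducedPhysBits out of a domain-capabilities document."""
    sev = ET.fromstring(domcaps_xml).find("./features/sev")
    if sev is None or sev.get("supported") != "yes":
        return None
    return {"cbitpos": sev.findtext("cbitpos"),
            "reducedPhysBits": sev.findtext("reducedPhysBits")}


def configure_sev(domain_xml, domcaps_xml):
    """Apply the SEV guest-config changes and return the modified XML."""
    params = sev_params(domcaps_xml)
    if params is None:
        raise ValueError("host domain capabilities do not advertise SEV")
    root = ET.fromstring(domain_xml)

    os_type = root.find("./os/type")              # machine type must be q35
    os_type.set("machine", ensure_q35(os_type.get("machine")))

    for dev in root.findall("./devices/*"):       # iommu=on on disk/net only
        if dev.tag in IOMMU_DEVICES:
            driver = dev.find("driver")
            if driver is None:
                driver = ET.SubElement(dev, "driver")
            driver.set("iommu", "on")

    ls = ET.SubElement(root, "launchSecurity", type="sev")
    ls.set("cbitpos", params["cbitpos"])
    ls.set("reducedPhysBits", params["reducedPhysBits"])

    mb = root.find("memoryBacking")               # pin all guest memory
    if mb is None:
        mb = ET.SubElement(root, "memoryBacking")
    if mb.find("locked") is None:
        ET.SubElement(mb, "locked")
    return ET.tostring(root, encoding="unicode")


def sev_summary(domain_xml):
    """Summarise the SEV-relevant parts of a domain XML for inspection."""
    root = ET.fromstring(domain_xml)
    ls = root.find("launchSecurity")
    iommu = {}
    for dev in root.findall("./devices/*"):
        drv = dev.find("driver")
        iommu[dev.tag] = drv.get("iommu") if drv is not None else None
    return {"machine": root.find("./os/type").get("machine"),
            "launch_security": dict(ls.attrib) if ls is not None else None,
            "locked": root.find("./memoryBacking/locked") is not None,
            "iommu": iommu}


# Constructed sample documents (not captured from a real host).
DOMCAPS_XML = """<domainCapabilities><features>
  <sev supported='yes'><cbitpos>47</cbitpos><reducedPhysBits>1</reducedPhysBits></sev>
</features></domainCapabilities>"""

GUEST_XML = """<domain type='kvm'>
  <os><type arch='x86_64' machine='pc-q35-3.1'>hvm</type></os>
  <devices>
    <disk type='file' device='disk'><driver name='qemu' type='qcow2'/></disk>
    <interface type='bridge'><model type='virtio'/></interface>
    <video><model type='virtio'/></video>
    <serial type='pty'/>
  </devices>
</domain>"""


def demo():
    return configure_sev(GUEST_XML, DOMCAPS_XML)


if __name__ == "__main__":
    print(demo())
```

Running the module prints the rewritten domain XML: the disk and interface drivers carry `iommu="on"`, the video and serial devices are untouched, and `<launchSecurity>` plus `<memoryBacking><locked/>` are appended. Requesting SEV with a `pc-i440fx-*` machine type raises `InvalidMachineType` before any XML is emitted, mirroring the check the commit describes.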
Directory listing:

- storage
- volume
- __init__.py
- blockinfo.py
- config.py
- designer.py
- driver.py
- firewall.py
- guest.py
- host.py
- imagebackend.py
- imagecache.py
- instancejobtracker.py
- migration.py
- utils.py
- vif.py