From 67b5084e991a3d2b8fd348ab42a15727d8fe9f42 Mon Sep 17 00:00:00 2001 From: hanliyang Date: Wed, 1 Jan 2025 05:44:37 +0000 Subject: [PATCH] [Feature]Hygon: Support reuse ASID and secret injection for Hygon CSV VMs to #bug13124 Supports ASID reuse for confidential VMs, supports automatic injection of secrets into Hygon confidential VMs. project: TC2024080203 Signed-off-by: hanliyang --- ...bvirt-support-reuse-id-for-hygon-CSV.patch | 89 ++++++++++++ ...t-provide-inject-secret-for-Hygon-CS.patch | 129 ++++++++++++++++++ libvirt.spec | 8 +- 3 files changed, 225 insertions(+), 1 deletion(-) create mode 100644 1009-conf-qemu-add-libvirt-support-reuse-id-for-hygon-CSV.patch create mode 100644 1010-conf-qemu-support-provide-inject-secret-for-Hygon-CS.patch diff --git a/1009-conf-qemu-add-libvirt-support-reuse-id-for-hygon-CSV.patch b/1009-conf-qemu-add-libvirt-support-reuse-id-for-hygon-CSV.patch new file mode 100644 index 0000000..b9b178a --- /dev/null +++ b/1009-conf-qemu-add-libvirt-support-reuse-id-for-hygon-CSV.patch 
@@ -0,0 +1,89 @@ +From f5f6b60a6f8d58bbece7db96730cd506cd5703ee Mon Sep 17 00:00:00 2001 +From: panpingsheng +Date: Fri, 8 Sep 2023 15:04:44 +0800 +Subject: [PATCH 1/2] conf: qemu: add libvirt support reuse id for hygon CSV + +csv xml format: + + 0x0081 + 47 + 5 + usertest + + +Signed-off-by: panpingsheng +Signed-off-by: Xin Jiang +Signed-off-by: hanliyang +--- + src/conf/domain_conf.c | 5 +++++ + src/conf/domain_conf.h | 1 + + src/qemu/qemu_command.c | 4 ++++ + 3 files changed, 10 insertions(+) + +diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c +index 427e7d1..85a5d9c 100644 +--- a/src/conf/domain_conf.c ++++ b/src/conf/domain_conf.c +@@ -3560,6 +3560,7 @@ virDomainSecDefFree(virDomainSecDef *def) + case VIR_DOMAIN_LAUNCH_SECURITY_SEV: + g_free(def->data.sev.dh_cert); + g_free(def->data.sev.session); ++ g_free(def->data.sev.user_id); + break; + case VIR_DOMAIN_LAUNCH_SECURITY_PV: + case VIR_DOMAIN_LAUNCH_SECURITY_NONE: +@@ -14850,6 +14851,7 @@ virDomainSEVDefParseXML(virDomainSEVDef *def, + def->policy = policy; + def->dh_cert = virXPathString("string(./dhCert)", ctxt); + def->session = virXPathString("string(./session)", ctxt); ++ def->user_id = virXPathString("string(./userid)", ctxt); + + return 0; + } +@@ -27179,6 +27181,9 @@ virDomainSecDefFormat(virBuffer *buf, virDomainSecDef *sec) + if (sev->session) + virBufferEscapeString(&childBuf, "%s\n", sev->session); + ++ if (sev->user_id) ++ virBufferEscapeString(&childBuf, "%s\n", sev->user_id); ++ + break; + } + +diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h +index 930af36..768ba5f 100644 +--- a/src/conf/domain_conf.h ++++ b/src/conf/domain_conf.h +@@ -2717,6 +2717,7 @@ struct _virDomainSEVDef { + bool haveReducedPhysBits; + unsigned int reduced_phys_bits; + virTristateBool kernel_hashes; ++ char *user_id; + }; + + struct _virDomainSecDef { +diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c +index 978ce89..d742ac4 100644 +--- a/src/qemu/qemu_command.c ++++ 
b/src/qemu/qemu_command.c +@@ -9930,6 +9930,9 @@ qemuBuildSEVCommandLine(virDomainObj *vm, virCommand *cmd, + VIR_DEBUG("policy=0x%x cbitpos=%d reduced_phys_bits=%d", + sev->policy, sev->cbitpos, sev->reduced_phys_bits); + ++ if (sev->user_id) ++ VIR_DEBUG("user_id=%s", sev->user_id); ++ + if (sev->dh_cert) + dhpath = g_strdup_printf("%s/dh_cert.base64", priv->libDir); + +@@ -9940,6 +9943,7 @@ qemuBuildSEVCommandLine(virDomainObj *vm, virCommand *cmd, + "u:cbitpos", sev->cbitpos, + "u:reduced-phys-bits", sev->reduced_phys_bits, + "u:policy", sev->policy, ++ "S:user-id", sev->user_id, + "S:dh-cert-file", dhpath, + "S:session-file", sessionpath, + "T:kernel-hashes", sev->kernel_hashes, +-- +2.43.5 + diff --git a/1010-conf-qemu-support-provide-inject-secret-for-Hygon-CS.patch b/1010-conf-qemu-support-provide-inject-secret-for-Hygon-CS.patch new file mode 100644 index 0000000..788eecc --- /dev/null +++ b/1010-conf-qemu-support-provide-inject-secret-for-Hygon-CS.patch 
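Review bot: `<userid>` is read by virDomainSEVDefParseXML and forwarded unchanged as `S:user-id` on the `sev-guest` object with no validation of the value (not even rejecting an empty string) and no capability gate, and the diffstat shows that the domain RNG schema, documentation and test XML are not extended, so a definition using the element fails schema validation and a malformed or unsupported id is only diagnosed when QEMU rejects the object at startup. A parse-time check such as `if (def->user_id && !*def->user_id) { virReportError(VIR_ERR_XML_ERROR, "%s", _("userid must not be empty")); return -1; }` would make the error attributable to the XML rather than to QEMU. The new field `char *user_id;` in domain_conf.h is also undocumented; a comment like `/* Hygon CSV: identifier under which an ASID may be reused across guests; forwarded to QEMU as sev-guest user-id, never interpreted by libvirt */` would record its contract (the ASID-reuse meaning is taken from the commit subject, so confirm it before adding). The enclosing functions in all three hunks start and end outside the hunks.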
@@ -0,0 +1,129 @@ +From ad62b677c476440b1a831d4fb8f5f7ef3c7a9975 Mon Sep 17 00:00:00 2001 +From: hanliyang +Date: Wed, 13 Nov 2024 16:12:57 +0800 +Subject: [PATCH 2/2] conf: qemu: support provide inject secret for Hygon CSV + +csv xml format: + + 0x0001 + 47 + 5 + U2FsdGVkX1+rW6B/JbYqNA== + 5aeG4mH2E/OqN1a3uT8hfg== + gW3E30rG/I3L1nD/YfG+DA== + zP1oY9W7ZcPFtL0QeN11vQ== + + +Signed-off-by: hanliyang +--- + src/conf/domain_conf.c | 8 ++++++++ + src/conf/domain_conf.h | 2 ++ + src/qemu/qemu_command.c | 10 ++++++++++ + src/qemu/qemu_process.c | 10 ++++++++++ + 4 files changed, 30 insertions(+) + +diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c +index 85a5d9c..fa108b1 100644 +--- a/src/conf/domain_conf.c ++++ b/src/conf/domain_conf.c +@@ -3561,6 +3561,8 @@ virDomainSecDefFree(virDomainSecDef *def) + g_free(def->data.sev.dh_cert); + g_free(def->data.sev.session); + g_free(def->data.sev.user_id); ++ g_free(def->data.sev.secret_header); ++ g_free(def->data.sev.secret); + break; + case VIR_DOMAIN_LAUNCH_SECURITY_PV: + case VIR_DOMAIN_LAUNCH_SECURITY_NONE: +@@ -14852,6 +14854,8 @@ virDomainSEVDefParseXML(virDomainSEVDef *def, + def->dh_cert = virXPathString("string(./dhCert)", ctxt); + def->session = virXPathString("string(./session)", ctxt); + def->user_id = virXPathString("string(./userid)", ctxt); ++ def->secret_header = virXPathString("string(./secretHeader)", ctxt); ++ def->secret = virXPathString("string(./secret)", ctxt); + + return 0; + } +@@ -27183,6 +27187,10 @@ virDomainSecDefFormat(virBuffer *buf, virDomainSecDef *sec) + + if (sev->user_id) + virBufferEscapeString(&childBuf, "%s\n", sev->user_id); ++ if (sev->secret_header) ++ virBufferEscapeString(&childBuf, "%s\n", sev->secret_header); ++ if (sev->secret) ++ virBufferEscapeString(&childBuf, "%s\n", sev->secret); + + break; + } +diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h +index 768ba5f..2bc4358 100644 +--- a/src/conf/domain_conf.h ++++ b/src/conf/domain_conf.h +@@ -2718,6 +2718,8 @@ 
struct _virDomainSEVDef { + unsigned int reduced_phys_bits; + virTristateBool kernel_hashes; + char *user_id; ++ char *secret_header; ++ char *secret; + }; + + struct _virDomainSecDef { +diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c +index d742ac4..2b6b5fb 100644 +--- a/src/qemu/qemu_command.c ++++ b/src/qemu/qemu_command.c +@@ -9926,6 +9926,8 @@ qemuBuildSEVCommandLine(virDomainObj *vm, virCommand *cmd, + qemuDomainObjPrivate *priv = vm->privateData; + g_autofree char *dhpath = NULL; + g_autofree char *sessionpath = NULL; ++ g_autofree char *secretheaderpath = NULL; ++ g_autofree char *secretpath = NULL; + + VIR_DEBUG("policy=0x%x cbitpos=%d reduced_phys_bits=%d", + sev->policy, sev->cbitpos, sev->reduced_phys_bits); +@@ -9939,6 +9941,12 @@ qemuBuildSEVCommandLine(virDomainObj *vm, virCommand *cmd, + if (sev->session) + sessionpath = g_strdup_printf("%s/session.base64", priv->libDir); + ++ if (sev->secret_header) ++ secretheaderpath = g_strdup_printf("%s/secret_header.base64", priv->libDir); ++ ++ if (sev->secret) ++ secretpath = g_strdup_printf("%s/secret.base64", priv->libDir); ++ + if (qemuMonitorCreateObjectProps(&props, "sev-guest", "lsec0", + "u:cbitpos", sev->cbitpos, + "u:reduced-phys-bits", sev->reduced_phys_bits, +@@ -9947,6 +9955,8 @@ qemuBuildSEVCommandLine(virDomainObj *vm, virCommand *cmd, + "S:dh-cert-file", dhpath, + "S:session-file", sessionpath, + "T:kernel-hashes", sev->kernel_hashes, ++ "S:secret-header-file", secretheaderpath, ++ "S:secret-file", secretpath, + NULL) < 0) + return -1; + +diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c +index 73d54f0..dac44ce 100644 +--- a/src/qemu/qemu_process.c ++++ b/src/qemu/qemu_process.c +@@ -6650,6 +6650,16 @@ qemuProcessPrepareSEVGuestInput(virDomainObj *vm) + return -1; + } + ++ if (sev->secret_header) { ++ if (qemuProcessSEVCreateFile(vm, "secret_header", sev->secret_header) < 0) ++ return -1; ++ } ++ ++ if (sev->secret) { ++ if (qemuProcessSEVCreateFile(vm, "secret", 
sev->secret) < 0) ++ return -1; ++ } ++ + return 0; + } + +-- +2.43.5 + diff --git a/libvirt.spec b/libvirt.spec index 0cbd0ae..5c8d054 100644 --- a/libvirt.spec +++ b/libvirt.spec @@ -3,7 +3,7 @@ # This spec file assumes you are building on a Fedora or RHEL version # that's still supported by the vendor. It may work on other distros # or versions, but no effort will be made to ensure that going forward. -%define anolis_release .0.1 +%define anolis_release .0.2 %define min_rhel 8 %define min_fedora 33 @@ -330,6 +330,8 @@ Patch1005: qemu-command-Use-correct-tpm-device-for-all-non-x86.patch Patch1006: libvirt-cpu-Add-new-Dharma-CPU-model.patch Patch1007: libvirt-cpu-map-add-S5000C-cpu-model.patch Patch1008: libvirt-Add-sw64-architecture-support-for-libvirt.patch +Patch1009: 1009-conf-qemu-add-libvirt-support-reuse-id-for-hygon-CSV.patch +Patch1010: 1010-conf-qemu-support-provide-inject-secret-for-Hygon-CS.patch Requires: libvirt-daemon = %{version}-%{release} Requires: libvirt-daemon-config-network = %{version}-%{release} @@ -2209,6 +2211,10 @@ exit 0 %changelog +* Wed Jan 01 2025 hanliyang - 8.0.0-23.3.0.2 +- conf: qemu: add libvirt support reuse id for hygon CSV +- conf: qemu: support provide inject secret for Hygon CSV + * Fri Dec 20 2024 zhaotianrui - 8.0.0-23.3.0.1 - Add loongarch support - Fix loongarch xml validate -- Gitee
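Review bot: `<secretHeader>` and `<secret>` are parsed independently in virDomainSEVDefParseXML and each is turned into its own file under `priv->libDir` and its own `sev-guest` property, so a definition that carries one without the other, or carries them without the `<session>` that a launch secret presumably depends on, is not rejected by libvirt and only fails opaquely inside QEMU; a pairing check at parse time, `if (!!def->secret_header != !!def->secret) { virReportError(VIR_ERR_XML_ERROR, "%s", _("secretHeader and secret must be given together")); return -1; }`, would surface that early. The blobs are also written back into the XML unconditionally by virDomainSecDefFormat, which takes no format flags here, so they appear in every dumpxml and in the persisted config; that is acceptable only if they are the guest owner's wrapped header and ciphertext that libvirt never needs to protect, which the base64 samples in the commit message suggest but nothing in the code states. Document the contract on the new fields in domain_conf.h, e.g. `/* CSV launch secret exactly as supplied by the guest owner (wrapped header + ciphertext); libvirt only forwards them to QEMU as files and never decrypts or validates them */`, so that nobody later places plaintext here. The enclosing functions in all four hunks start and end outside the hunks.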