virt-host-validate: Detect SEV-ES and SEV-SNP

With a simple cpuid (Section "E.4.17 Function
8000_001Fh—Encrypted Memory Capabilities" in "AMD64 Architecture
Programmer’s Manual Vol. 3") we can detect whether CPU is capable
of running SEV-ES and/or SEV-SNP guests. Report these in
virt-host-validate tool.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

diff --git a/tools/virt-host-validate-common.c b/tools/virt-host-validate-common.c
index 3e6a1c78ae01c828dd54bfe3411ee806b9210940..a29a5b6d5f5a473ffe55156d87db54a6a5dcab73 100644 (file)
--- a/tools/virt-host-validate-common.c
+++ b/tools/virt-host-validate-common.c
@@ -34,6 +34,7 @@
 #include "virstring.h"
 #include "virarch.h"
 #include "virutil.h"
+#include "virhostcpu.h"
 
 #define VIR_FROM_THIS VIR_FROM_NONE
 
@@ -380,9 +381,11 @@ bool virHostKernelModuleIsLoaded(const char *module)
 
 
 static int
-virHostValidateAMDSev(virValidateLevel level)
+virHostValidateAMDSev(const char *hvname,
+                      virValidateLevel level)
 {
     g_autofree char *mod_value = NULL;
+    uint32_t eax, ebx;
 
     if (virFileReadValueString(&mod_value, "/sys/module/kvm_amd/parameters/sev") < 0) {
         virValidateFail(level, "AMD Secure Encrypted Virtualization not "
@@ -405,6 +408,32 @@ virHostValidateAMDSev(virValidateLevel level)
         return VIR_VALIDATE_FAILURE(level);
     }
 
+    virValidatePass();
+
+    virValidateCheck(hvname, "%s",
+                     _("Checking for AMD Secure Encrypted Virtualization-Encrypted State (SEV-ES)"));
+
+    virHostCPUX86GetCPUID(0x8000001F, 0, &eax, &ebx, NULL, NULL);
+
+    if (eax & (1U << 3)) {
+        virValidatePass();
+    } else {
+        virValidateFail(level,
+                        "AMD SEV-ES is not supported");
+        return VIR_VALIDATE_FAILURE(level);
+    }
+
+    virValidateCheck(hvname, "%s",
+                     _("Checking for AMD Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP)"));
+
+    if (eax & (1U << 4)) {
+        virValidatePass();
+    } else {
+        virValidateFail(level,
+                        "AMD SEV-SNP is not supported");
+        return VIR_VALIDATE_FAILURE(level);
+    }
+
     return 1;
 }
 
@@ -459,7 +488,7 @@ int virHostValidateSecureGuests(const char *hvname,
             return VIR_VALIDATE_FAILURE(level);
         }
     } else if (hasAMDSev) {
-        int rc = virHostValidateAMDSev(level);
+        int rc = virHostValidateAMDSev(hvname, level);
 
         if (rc > 0)
             virValidatePass();