diff --git a/nova/tests/unit/virt/libvirt/test_host.py b/nova/tests/unit/virt/libvirt/test_host.py
index 417b250509..56ebbfe37c 100644
--- a/nova/tests/unit/virt/libvirt/test_host.py
+++ b/nova/tests/unit/virt/libvirt/test_host.py
@@ -2182,6 +2182,7 @@ class TestLibvirtSEVUnsupported(TestLibvirtSEV):
 @mock.patch('builtins.open', mock.mock_open(read_data="1\n"))
 def test_unsupported_without_feature(self, fake_exists):
 self.assertFalse(self.host.supports_amd_sev)
+ self.assertFalse(self.host.supports_mem_encryption)
 @mock.patch.object(os.path, 'exists', return_value=True)
 @mock.patch('builtins.open', mock.mock_open(read_data="1\n"))
@@ -2189,6 +2190,7 @@ class TestLibvirtSEVUnsupported(TestLibvirtSEV):
 new=vc._domain_capability_features_with_SEV_unsupported)
 def test_unsupported_with_feature(self, fake_exists):
 self.assertFalse(self.host.supports_amd_sev)
+ self.assertFalse(self.host.supports_mem_encryption)
 def test_non_x86_architecture(self):
 fake_caps_xml = '''
@@ -2203,6 +2205,7 @@ class TestLibvirtSEVUnsupported(TestLibvirtSEV):
 with mock.patch.object(fakelibvirt.virConnect, 'getCapabilities', return_value=fake_caps_xml):
 self.assertFalse(self.host.supports_amd_sev)
+ self.assertFalse(self.host.supports_mem_encryption)
 class TestLibvirtSEVSupported(TestLibvirtSEV):
@@ -2214,6 +2217,7 @@ class TestLibvirtSEVSupported(TestLibvirtSEV):
 new=vc._domain_capability_features_with_SEV)
 def test_supported_with_feature(self, fake_exists):
 self.assertTrue(self.host.supports_amd_sev)
+ self.assertTrue(self.host.supports_mem_encryption)
 @ddt.ddt
@@ -2294,6 +2298,7 @@ class TestLibvirtSEVESSupported(TestLibvirtSEV):
 new=vc._domain_capability_features_with_SEV)
 def test_supported_with_feature(self, fake_exists, get_version):
 self.assertTrue(self.host.supports_amd_sev_es)
+ self.assertTrue(self.host.supports_mem_encryption)
 class LibvirtTpoolProxyTestCase(test.NoDBTestCase):
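Review bot: In the last hunk, `TestLibvirtSEVESSupported.test_supported_with_feature` asserts `supports_mem_encryption` directly after `supports_amd_sev_es`, and nothing in the test says which capability makes it true. The property added in host.py by this commit returns `supports_amd_sev`, so the assertion presumably holds only because the fixture `vc._domain_capability_features_with_SEV` reports plain SEV as well. I would make that dependency visible with a comment such as `# supports_mem_encryption currently mirrors supports_amd_sev, which this fixture also enables`. The other four hunks pair the new assertion with the `supports_amd_sev` one, where the link is obvious; the decorators of several of these tests start outside the hunks.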
diff --git a/nova/virt/libvirt/driver.py b/nova/virt/libvirt/driver.py
index b5adcd3c89..640ec002e4 100644
--- a/nova/virt/libvirt/driver.py
+++ b/nova/virt/libvirt/driver.py
@@ -7662,10 +7662,9 @@ class LibvirtDriver(driver.ComputeDriver):
 guest.add_device(vpmem_config)
 def _get_mem_encryption_config(self, flavor, image_meta):
- """To enable AMD SEV, the following should be true:
+ """To enable memory encryption the following should be true:
- a) the supports_amd_sev instance variable in the host is
- true,
+ a) the host supports a memory encryption architecture,
 b) the instance extra specs and/or image properties request memory encryption to be enabled, and c) there are no conflicts between extra specs, image properties
@@ -7682,7 +7681,7 @@ class LibvirtDriver(driver.ComputeDriver):
 pass it to be checked alongside the other sanity checks which are run while determining whether SEV is selected. """
- if not self._host.supports_amd_sev:
+ if not self._host.supports_mem_encryption:
 return None
 mach_type = libvirt_utils.get_machine_type(image_meta)
diff --git a/nova/virt/libvirt/host.py b/nova/virt/libvirt/host.py
index c29f883fce..52d8761cd4 100644
--- a/nova/virt/libvirt/host.py
+++ b/nova/virt/libvirt/host.py
@@ -2048,6 +2048,20 @@ class Host(object):
 return None
 return self._max_sev_es_guests
+ @property
+ def supports_mem_encryption(self) -> bool:
+ """Determine if the host supports memory encryption for guests.
+
+ This checks whether any memory encryption technology
+ (e.g., AMD SEV, Arm CCA) is supported by the host.
+ This is conditional on support in the hardware,
+ kernel, qemu, and libvirt for the specific encryption technology.
+ Returns a boolean indicating whether any memory encryption
+ is supported.
+ """
+
+ return self.supports_amd_sev
+
 @property
 def supports_remote_managed_ports(self) -> bool:
 """Determine if the host supports remote managed ports.
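Review bot: The guard `if not self._host.supports_mem_encryption:` in driver.py is now technology-neutral, but the docstring context kept by the second hunk still ends with "determining whether SEV is selected", which suggests the rest of `_get_mem_encryption_config` (outside the hunk) still builds SEV-specific configuration. That is harmless while the property is an alias for `supports_amd_sev`, but once another technology is OR-ed into it this guard would let a non-SEV host fall through into the SEV path, and a guest that requested memory encryption could end up with a wrong or failing configuration. I would leave a marker directly under the guard, e.g. `# NOTE: everything below assumes AMD SEV; dispatch per technology before supports_mem_encryption covers anything else`, and bring the "SEV is selected" wording in line with the new first sentence of the docstring.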
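Review bot: The docstring of `supports_mem_encryption` in host.py says it checks "any memory encryption technology (e.g., AMD SEV, Arm CCA)", while the body is `return self.supports_amd_sev`, so the documentation promises more than the property checks. A caller reading it would expect True on an Arm CCA host, which this code cannot report. I would state the current behaviour in the docstring, for example `Currently this is equivalent to supports_amd_sev; no other technology is detected yet.`, and drop the Arm CCA example until detection exists. The empty line between the closing `"""` and the `return` can go as well.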