mem-enc: create generic check for mem encryption support by host

Introduce the new Host.supports_mem_encryption which tells whether
the host supports memory encryption. This allows us to centralize
and generalize the check logic for additional mechanisms such as
Arm CCA, planned to be added in the future.

Implements: blueprint generalize-sev-code
Change-Id: If020c71bd4962c6ca96e042592854e57d9a7dcce
Signed-off-by: Taketani Ryo <taketani.ryo@fujitsu.com>
Taketani Ryo
2025-11-21 09:56:08 +00:00
parent 11dff40b4f
commit 2035afbb5e
3 changed files with 22 additions and 4 deletions
@@ -2182,6 +2182,7 @@ class TestLibvirtSEVUnsupported(TestLibvirtSEV):
@mock.patch('builtins.open', mock.mock_open(read_data="1\n")) @mock.patch('builtins.open', mock.mock_open(read_data="1\n"))
def test_unsupported_without_feature(self, fake_exists): def test_unsupported_without_feature(self, fake_exists):
self.assertFalse(self.host.supports_amd_sev) self.assertFalse(self.host.supports_amd_sev)
self.assertFalse(self.host.supports_mem_encryption)
@mock.patch.object(os.path, 'exists', return_value=True) @mock.patch.object(os.path, 'exists', return_value=True)
@mock.patch('builtins.open', mock.mock_open(read_data="1\n")) @mock.patch('builtins.open', mock.mock_open(read_data="1\n"))
@@ -2189,6 +2190,7 @@ class TestLibvirtSEVUnsupported(TestLibvirtSEV):
new=vc._domain_capability_features_with_SEV_unsupported) new=vc._domain_capability_features_with_SEV_unsupported)
def test_unsupported_with_feature(self, fake_exists): def test_unsupported_with_feature(self, fake_exists):
self.assertFalse(self.host.supports_amd_sev) self.assertFalse(self.host.supports_amd_sev)
self.assertFalse(self.host.supports_mem_encryption)
def test_non_x86_architecture(self): def test_non_x86_architecture(self):
fake_caps_xml = ''' fake_caps_xml = '''
@@ -2203,6 +2205,7 @@ class TestLibvirtSEVUnsupported(TestLibvirtSEV):
with mock.patch.object(fakelibvirt.virConnect, 'getCapabilities', with mock.patch.object(fakelibvirt.virConnect, 'getCapabilities',
return_value=fake_caps_xml): return_value=fake_caps_xml):
self.assertFalse(self.host.supports_amd_sev) self.assertFalse(self.host.supports_amd_sev)
self.assertFalse(self.host.supports_mem_encryption)
class TestLibvirtSEVSupported(TestLibvirtSEV): class TestLibvirtSEVSupported(TestLibvirtSEV):
@@ -2214,6 +2217,7 @@ class TestLibvirtSEVSupported(TestLibvirtSEV):
new=vc._domain_capability_features_with_SEV) new=vc._domain_capability_features_with_SEV)
def test_supported_with_feature(self, fake_exists): def test_supported_with_feature(self, fake_exists):
self.assertTrue(self.host.supports_amd_sev) self.assertTrue(self.host.supports_amd_sev)
self.assertTrue(self.host.supports_mem_encryption)
@ddt.ddt @ddt.ddt
@@ -2294,6 +2298,7 @@ class TestLibvirtSEVESSupported(TestLibvirtSEV):
new=vc._domain_capability_features_with_SEV) new=vc._domain_capability_features_with_SEV)
def test_supported_with_feature(self, fake_exists, get_version): def test_supported_with_feature(self, fake_exists, get_version):
self.assertTrue(self.host.supports_amd_sev_es) self.assertTrue(self.host.supports_amd_sev_es)
self.assertTrue(self.host.supports_mem_encryption)
class LibvirtTpoolProxyTestCase(test.NoDBTestCase): class LibvirtTpoolProxyTestCase(test.NoDBTestCase):
+3 -4
@@ -7662,10 +7662,9 @@ class LibvirtDriver(driver.ComputeDriver):
guest.add_device(vpmem_config) guest.add_device(vpmem_config)
def _get_mem_encryption_config(self, flavor, image_meta): def _get_mem_encryption_config(self, flavor, image_meta):
"""To enable AMD SEV, the following should be true: """To enable memory encryption the following should be true:
a) the supports_amd_sev instance variable in the host is a) the host supports a memory encryption architecture,
true,
b) the instance extra specs and/or image properties request b) the instance extra specs and/or image properties request
memory encryption to be enabled, and memory encryption to be enabled, and
c) there are no conflicts between extra specs, image properties c) there are no conflicts between extra specs, image properties
@@ -7682,7 +7681,7 @@ class LibvirtDriver(driver.ComputeDriver):
pass it to be checked alongside the other sanity checks which pass it to be checked alongside the other sanity checks which
are run while determining whether SEV is selected. are run while determining whether SEV is selected.
""" """
if not self._host.supports_amd_sev: if not self._host.supports_mem_encryption:
return None return None
mach_type = libvirt_utils.get_machine_type(image_meta) mach_type = libvirt_utils.get_machine_type(image_meta)
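Review bot: The docstring sentence "are run while determining whether SEV is selected" in the second hunk still describes this method as SEV-specific, while item a) in the first hunk was reworded to the generic "the host supports a memory encryption architecture"; I would align it as `are run while determining whether memory encryption is selected.` The new gate `if not self._host.supports_mem_encryption:` is generic, but the rest of `_get_mem_encryption_config`, which presumably still builds AMD SEV configuration, lies outside the hunk; if that code remains AMD-specific, a True result from the generic check will need a per-mechanism branch once a second technology is wired in, and a short comment at the gate saying so would save the next contributor a surprise. `_get_mem_encryption_config` starts in the first hunk and continues past the end of the second.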
+14
@@ -2048,6 +2048,20 @@ class Host(object):
return None return None
return self._max_sev_es_guests return self._max_sev_es_guests
@property
def supports_mem_encryption(self) -> bool:
"""Determine if the host supports memory encryption for guests.
This checks whether any memory encryption technology
(e.g., AMD SEV, Arm CCA) is supported by the host.
This is conditional on support in the hardware,
kernel, qemu, and libvirt for the specific encryption technology.
Returns a boolean indicating whether any memory encryption
is supported.
"""
return self.supports_amd_sev
@property @property
def supports_remote_managed_ports(self) -> bool: def supports_remote_managed_ports(self) -> bool:
"""Determine if the host supports remote managed ports. """Determine if the host supports remote managed ports.
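Review bot: The docstring of `supports_mem_encryption` promises a check of "any memory encryption technology (e.g., AMD SEV, Arm CCA)", but the body only returns `self.supports_amd_sev`, so a reader could assume Arm CCA is already covered. I would state the current scope explicitly in the docstring, e.g. `Currently only AMD SEV is consulted; other mechanisms (e.g. Arm CCA) are to be added here as they are implemented.`, and drop the "Returns a boolean" sentence since the `-> bool` annotation already says so. Callers that gate on this property and then emit SEV-specific guest configuration should keep a per-mechanism check on that path, because once a second mechanism is added a True result here no longer implies SEV is available.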