Merge "mem-enc: create generic check for mem encryption support by host"

nova/tests/unit/virt/libvirt/test_host.py

@@ -2221,6 +2221,7 @@ class TestLibvirtSEVUnsupported(TestLibvirtSEV):
     @mock.patch('builtins.open', mock.mock_open(read_data="1\n"))
     def test_unsupported_without_feature(self, fake_exists):
         self.assertFalse(self.host.supports_amd_sev)
+        self.assertFalse(self.host.supports_mem_encryption)
 
     @mock.patch.object(os.path, 'exists', return_value=True)
     @mock.patch('builtins.open', mock.mock_open(read_data="1\n"))
@@ -2228,6 +2229,7 @@ class TestLibvirtSEVUnsupported(TestLibvirtSEV):
         new=vc._domain_capability_features_with_SEV_unsupported)
     def test_unsupported_with_feature(self, fake_exists):
         self.assertFalse(self.host.supports_amd_sev)
+        self.assertFalse(self.host.supports_mem_encryption)
 
     def test_non_x86_architecture(self):
         fake_caps_xml = '''
@@ -2242,6 +2244,7 @@ class TestLibvirtSEVUnsupported(TestLibvirtSEV):
         with mock.patch.object(fakelibvirt.virConnect, 'getCapabilities',
                                return_value=fake_caps_xml):
             self.assertFalse(self.host.supports_amd_sev)
+            self.assertFalse(self.host.supports_mem_encryption)
 
 
 class TestLibvirtSEVSupported(TestLibvirtSEV):
@@ -2253,6 +2256,7 @@ class TestLibvirtSEVSupported(TestLibvirtSEV):
                        new=vc._domain_capability_features_with_SEV)
     def test_supported_with_feature(self, fake_exists):
         self.assertTrue(self.host.supports_amd_sev)
+        self.assertTrue(self.host.supports_mem_encryption)
 
 
 @ddt.ddt
@@ -2333,6 +2337,7 @@ class TestLibvirtSEVESSupported(TestLibvirtSEV):
                        new=vc._domain_capability_features_with_SEV)
     def test_supported_with_feature(self, fake_exists, get_version):
         self.assertTrue(self.host.supports_amd_sev_es)
+        self.assertTrue(self.host.supports_mem_encryption)
 
 
 class LibvirtTpoolProxyTestCase(test.NoDBTestCase):

nova/virt/libvirt/driver.py

@@ -7673,10 +7673,9 @@ class LibvirtDriver(driver.ComputeDriver):
             guest.add_device(vpmem_config)
 
     def _get_mem_encryption_config(self, flavor, image_meta):
-        """To enable AMD SEV, the following should be true:
+        """To enable memory encryption the following should be true:
 
-        a) the supports_amd_sev instance variable in the host is
-           true,
+        a) the host supports a memory encryption architecture,
         b) the instance extra specs and/or image properties request
            memory encryption to be enabled, and
         c) there are no conflicts between extra specs, image properties
@@ -7693,7 +7692,7 @@ class LibvirtDriver(driver.ComputeDriver):
         pass it to be checked alongside the other sanity checks which
         are run while determining whether SEV is selected.
         """
-        if not self._host.supports_amd_sev:
+        if not self._host.supports_mem_encryption:
             return None
 
         mach_type = libvirt_utils.get_machine_type(image_meta)

nova/virt/libvirt/host.py

@@ -2042,6 +2042,20 @@ class Host(object):
             return None
         return self._max_sev_es_guests
 
+    @property
+    def supports_mem_encryption(self) -> bool:
+        """Determine if the host supports memory encryption for guests.
+
+        This checks whether any memory encryption technology
+        (e.g., AMD SEV, Arm CCA) is supported by the host.
+        This is conditional on support in the hardware,
+        kernel, qemu, and libvirt for the specific encryption technology.
+        Returns a boolean indicating whether any memory encryption
+        is supported.
+        """
+
+        return self.supports_amd_sev
+
     @property
     def supports_remote_managed_ports(self) -> bool:
         """Determine if the host supports remote managed ports.