From 2035afbb5ecd020fca728941fa7ce61153ba2aa5 Mon Sep 17 00:00:00 2001
From: Taketani Ryo
Date: Fri, 21 Nov 2025 09:56:08 +0000
Subject: [PATCH] mem-enc: create generic check for mem encryption support by host

Introduce the new Host.supports_mem_encryption which tells whether the host supports memory encryption. This allows us to centralize and generalize the check logic for additional mechanisms such as Arm CCA, planned to be added in the future.

Implements: blueprint generalize-sev-code
Change-Id: If020c71bd4962c6ca96e042592854e57d9a7dcce
Signed-off-by: Taketani Ryo
---
 nova/tests/unit/virt/libvirt/test_host.py | 5 +++++
 nova/virt/libvirt/driver.py | 7 +++----
 nova/virt/libvirt/host.py | 14 ++++++++++++++
 3 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/nova/tests/unit/virt/libvirt/test_host.py b/nova/tests/unit/virt/libvirt/test_host.py
index 417b250509..56ebbfe37c 100644
--- a/nova/tests/unit/virt/libvirt/test_host.py
+++ b/nova/tests/unit/virt/libvirt/test_host.py
@@ -2182,6 +2182,7 @@ class TestLibvirtSEVUnsupported(TestLibvirtSEV):
 @mock.patch('builtins.open', mock.mock_open(read_data="1\n"))
 def test_unsupported_without_feature(self, fake_exists):
 self.assertFalse(self.host.supports_amd_sev)
+ self.assertFalse(self.host.supports_mem_encryption)
 
 @mock.patch.object(os.path, 'exists', return_value=True)
 @mock.patch('builtins.open', mock.mock_open(read_data="1\n"))
@@ -2189,6 +2190,7 @@ class TestLibvirtSEVUnsupported(TestLibvirtSEV):
 new=vc._domain_capability_features_with_SEV_unsupported)
 def test_unsupported_with_feature(self, fake_exists):
 self.assertFalse(self.host.supports_amd_sev)
+ self.assertFalse(self.host.supports_mem_encryption)
 
 def test_non_x86_architecture(self):
 fake_caps_xml = '''
@@ -2203,6 +2205,7 @@ class TestLibvirtSEVUnsupported(TestLibvirtSEV):
 with mock.patch.object(fakelibvirt.virConnect, 'getCapabilities',
 return_value=fake_caps_xml):
 self.assertFalse(self.host.supports_amd_sev)
+ self.assertFalse(self.host.supports_mem_encryption)
 
 
 class TestLibvirtSEVSupported(TestLibvirtSEV):
@@ -2214,6 +2217,7 @@ class TestLibvirtSEVSupported(TestLibvirtSEV):
 new=vc._domain_capability_features_with_SEV)
 def test_supported_with_feature(self, fake_exists):
 self.assertTrue(self.host.supports_amd_sev)
+ self.assertTrue(self.host.supports_mem_encryption)
 
 
 @ddt.ddt
@@ -2294,6 +2298,7 @@ class TestLibvirtSEVESSupported(TestLibvirtSEV):
 new=vc._domain_capability_features_with_SEV)
 def test_supported_with_feature(self, fake_exists, get_version):
 self.assertTrue(self.host.supports_amd_sev_es)
+ self.assertTrue(self.host.supports_mem_encryption)
 
 
 class LibvirtTpoolProxyTestCase(test.NoDBTestCase):
diff --git a/nova/virt/libvirt/driver.py b/nova/virt/libvirt/driver.py
index b5adcd3c89..640ec002e4 100644
--- a/nova/virt/libvirt/driver.py
+++ b/nova/virt/libvirt/driver.py
@@ -7662,10 +7662,9 @@ class LibvirtDriver(driver.ComputeDriver):
 guest.add_device(vpmem_config)
 
 def _get_mem_encryption_config(self, flavor, image_meta):
- """To enable AMD SEV, the following should be true:
+ """To enable memory encryption the following should be true:
 
- a) the supports_amd_sev instance variable in the host is
- true,
+ a) the host supports a memory encryption architecture,
 b) the instance extra specs and/or image properties request
 memory encryption to be enabled, and
 c) there are no conflicts between extra specs, image properties
@@ -7682,7 +7681,7 @@ class LibvirtDriver(driver.ComputeDriver):
 pass it to be checked alongside the other sanity checks which are
 run while determining whether SEV is selected.
 """
- if not self._host.supports_amd_sev:
+ if not self._host.supports_mem_encryption:
 return None
 
 mach_type = libvirt_utils.get_machine_type(image_meta)
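Review bot: The guard `if not self._host.supports_mem_encryption:` in the second driver.py hunk is now technology-agnostic, but the docstring context two lines above it still reads `run while determining whether SEV is selected.` and the remainder of `_get_mem_encryption_config`, which continues outside the hunk, appears to stay SEV-specific. Once a second mechanism such as Arm CCA makes the generic property return True, a host without SEV would pass this gate and, as far as the visible lines show, still proceed to the SEV-oriented machine-type and launch-security handling. Either keep a technology-specific check at the point where the SEV configuration is assembled, or record the current limitation at the guard, e.g. `# Generic gate; the config assembled below is still AMD SEV-specific.` The first driver.py hunk generalises condition (a) of the same docstring and should also update the sentence left mentioning SEV so the documentation is consistent.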
diff --git a/nova/virt/libvirt/host.py b/nova/virt/libvirt/host.py
index c29f883fce..52d8761cd4 100644
--- a/nova/virt/libvirt/host.py
+++ b/nova/virt/libvirt/host.py
@@ -2048,6 +2048,20 @@ class Host(object):
 return None
 return self._max_sev_es_guests
 
+ @property
+ def supports_mem_encryption(self) -> bool:
+ """Determine if the host supports memory encryption for guests.
+
+ This checks whether any memory encryption technology
+ (e.g., AMD SEV, Arm CCA) is supported by the host.
+ This is conditional on support in the hardware,
+ kernel, qemu, and libvirt for the specific encryption technology.
+ Returns a boolean indicating whether any memory encryption
+ is supported.
+ """
+
+ return self.supports_amd_sev
+
 @property
 def supports_remote_managed_ports(self) -> bool:
 """Determine if the host supports remote managed ports.
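Review bot: The docstring of `supports_mem_encryption` names Arm CCA as a technology the property checks, yet the body only returns `self.supports_amd_sev`, so the documentation overstates what is actually consulted today. Rephrase the example to match the code, e.g. `Currently only AMD SEV is consulted; Arm CCA is planned.`, and put `# Extend with one "or" per technology as it is added.` above the return so the extension point is explicit. Because the property collapses "which mechanism" into "any mechanism", callers that emit technology-specific launch-security configuration should keep consulting the specific property (`supports_amd_sev`, `supports_amd_sev_es`) rather than this one, otherwise a future non-SEV host could be configured as if it were SEV-capable. The blank line between the docstring and the `return` is a minor style nit.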