libvirt driver launching AMD SEV-encrypted instances

Registered by Adam Spiers on 2018-10-11

Booting an instance with a flavor whose extra specs require an SEV-specific trait should cause that instance to be scheduled to, defined on, and booted on a compute host which exposes that trait. Additionally, the libvirt domain definition for the instance must carry the extra XML that makes QEMU start the guest with SEV enabled.
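The following is an added illustration of the decisions the libvirt driver has to make for such a guest; it is example code written for this page, not Nova's own implementation. It uses the hw:mem_encryption flavor extra spec, the hw_mem_encryption image property, the HW_CPU_AMD_SEV trait and the MEM_ENCRYPTION_CONTEXT resource class named in the whiteboard below, and emits the libvirt <launchSecurity>, <memoryBacking><locked/> and virtio <driver iommu='on'/> elements. The "one MEM_ENCRYPTION_CONTEXT per guest" accounting, the q35 check, the list of refused operations, and the cbitpos/reducedPhysBits/policy values are simplifying assumptions for the example (a real driver reads cbitpos and reducedPhysBits from the host's domain capabilities).

```python
"""Example (not Nova's code): turn a flavor/image request for AMD SEV into
a Placement request and the extra libvirt domain XML SEV needs."""
import xml.etree.ElementTree as ET

FLAVOR_KEY = "hw:mem_encryption"        # flavor extra spec
IMAGE_KEY = "hw_mem_encryption"         # image property
SEV_TRAIT = "HW_CPU_AMD_SEV"
SEV_RESOURCE_CLASS = "MEM_ENCRYPTION_CONTEXT"
# Assumption for this example: operations refused for SEV guests.
OPS_UNSUPPORTED_WITH_SEV = frozenset({"live_migration", "suspend"})


def _to_bool(value):
    """Parse a flavor/image boolean; None means 'not set'."""
    if value is None:
        return None
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ("1", "true", "yes", "on")


def mem_encryption_requested(extra_specs, image_props):
    """True if SEV was asked for. A flavor and an image that disagree is a
    user error and is rejected instead of silently picking one side."""
    from_flavor = _to_bool(extra_specs.get(FLAVOR_KEY))
    from_image = _to_bool(image_props.get(IMAGE_KEY))
    if (from_flavor is not None and from_image is not None
            and from_flavor != from_image):
        raise ValueError("%s=%s conflicts with %s=%s" % (
            FLAVOR_KEY, from_flavor, IMAGE_KEY, from_image))
    return bool(from_flavor or from_image)


def request_conflicts(extra_specs, image_props):
    """Convenience wrapper: does flavor vs. image disagree?"""
    try:
        mem_encryption_requested(extra_specs, image_props)
    except ValueError:
        return True
    return False


def placement_request(extra_specs, image_props):
    """What to ask Placement for so only SEV-capable hosts are candidates.
    Assumption: each SEV guest consumes one MEM_ENCRYPTION_CONTEXT."""
    if not mem_encryption_requested(extra_specs, image_props):
        return {"resources": {}, "required_traits": []}
    return {"resources": {SEV_RESOURCE_CLASS: 1},
            "required_traits": [SEV_TRAIT]}


def operation_allowed(sev_enabled, operation):
    """Live migration and suspend are not supported for SEV guests."""
    return not (sev_enabled and operation in OPS_UNSUPPORTED_WITH_SEV)


def sev_machine_type_ok(machine_type):
    """SEV needs the q35 machine type (assumed check: substring match)."""
    return "q35" in machine_type


def build_domain_xml(name, machine_type, virtio_devices, sev,
                     cbitpos=47, reduced_phys_bits=1, policy=0x0003):
    """Return libvirt domain XML, with the SEV-specific elements if sev."""
    if sev and not sev_machine_type_ok(machine_type):
        raise ValueError("SEV requires a q35 machine type, got %s"
                         % machine_type)
    domain = ET.Element("domain", type="kvm")
    ET.SubElement(domain, "name").text = name
    os_el = ET.SubElement(domain, "os")
    ET.SubElement(os_el, "type", arch="x86_64",
                  machine=machine_type).text = "hvm"
    if sev:
        # Encrypted guest RAM is pinned, so libvirt must lock memory.
        ET.SubElement(ET.SubElement(domain, "memoryBacking"), "locked")
    devices = ET.SubElement(domain, "devices")
    for tag, attrs in virtio_devices:
        dev = ET.SubElement(devices, tag, **attrs)
        if sev:
            # The host cannot read encrypted guest RAM, so virtio devices
            # must use the DMA API (iommu_platform) with unencrypted
            # bounce buffers; iommu='on' is how libvirt requests that.
            ET.SubElement(dev, "driver", iommu="on")
    if sev:
        ls = ET.SubElement(domain, "launchSecurity", type="sev")
        ET.SubElement(ls, "policy").text = "0x%04x" % policy
        ET.SubElement(ls, "cbitpos").text = str(cbitpos)
        ET.SubElement(ls, "reducedPhysBits").text = str(reduced_phys_bits)
    return ET.tostring(domain, encoding="unicode")


if __name__ == "__main__":
    # Constructed request: SEV flavor, image silent on the matter.
    specs, props = {FLAVOR_KEY: "True"}, {}
    print(placement_request(specs, props))
    print(build_domain_xml("sev-guest", "pc-q35-3.1",
                           [("interface", {"type": "bridge"}),
                            ("disk", {"type": "file", "device": "disk"})],
                           sev=mem_encryption_requested(specs, props)))
```

Running it prints the Placement request and a domain XML whose virtio devices each carry <driver iommu="on" /> and which ends with the <launchSecurity type="sev"> element; a flavor that says True beside an image that says False is rejected before any scheduling happens.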

Blueprint information

Status:
Complete
Approver:
Matt Riedemann
Priority:
Low
Drafter:
Adam Spiers
Direction:
Approved
Assignee:
Adam Spiers
Definition:
Approved
Series goal:
Accepted for train
Implementation:
Implemented
Milestone target:
None
Started by
Matt Riedemann on 2019-02-01
Completed by
Eric Fried on 2019-09-11

Whiteboard

Addressed by: https://review.opendev.org/609779
    Add spec for libvirt driver launching AMD SEV-encrypted instances

Gerrit topic: https://review.opendev.org/#/q/topic:bp/amd-sev-libvirt-support

Approved for Stein. -- mriedem 20190103

Addressed by: https://review.opendev.org/628252
    AMD SEV: address final feedback received prior to merge

Addressed by: https://review.opendev.org/633855
    Add detection of SEV support from QEMU/AMD-SP/libvirt on AMD hosts

Addressed by: https://review.opendev.org/635608
    Add HW_CPU_AMD_SEV trait

Addressed by: https://review.opendev.org/636334
    Extract SEV-specific bits on host detection

Addressed by: https://review.opendev.org/636318
    Add <launchSecurity> element to libvirt guest XML for AMD SEV

Addressed by: https://review.opendev.org/638680
    Add new "supports_amd_sev" capability to libvirt driver

Addressed by: https://review.opendev.org/640483
    Parse <emulator> elements from virConnectGetCapabilities()

Addressed by: https://review.opendev.org/641994
    Re-approve AMD SEV support for Train

This did not complete in the Stein release so I am deferring to the Train release. Remember to re-propose the spec for Train as necessary: https://specs.openstack.org/openstack/nova-specs/readme.html#previously-approved-specifications -- mriedem 20190311

Addressed by: https://review.opendev.org/644554
    Move libvirt calculation of machine type to utils.py

Addressed by: https://review.opendev.org/636301
    Fix memtune parameters according to libvirt docs

Addressed by: https://review.opendev.org/644564
    Add iommu driver to devices

Gerrit topic: https://review.opendev.org/#/q/topic:bp/gracefully-handle-qemu-machine-types

Addressed by: https://review.opendev.org/655268
    Add infrastructure for invoking libvirt's getDomainCapabilities API

Re-approved for Train. -- mriedem 20190424

Addressed by: https://review.opendev.org/655717
    Update SEV work item to new approach based on MEM_ENCRYPTION_CONTEXT

Addressed by: https://review.opendev.org/662105
    Track inventory for new MEM_ENCRYPTION_CONTEXT resource class

Addressed by: https://review.opendev.org/644565
    Detect that SEV is required and enable iommu for devices

Addressed by: https://review.opendev.org/662555
    Use fake flavor instead of empty dict in test

Addressed by: https://review.opendev.org/662556
    Pass extra_specs to flavor in vif tests

Addressed by: https://review.opendev.org/662557
    Use launchSecurity element when SEV was required

Addressed by: https://review.opendev.org/662558
    Enable memory locking if SEV is requested

Addressed by: https://review.opendev.org/664397
    Change new image property to hw_mem_encryption

Addressed by: https://review.opendev.org/664420
    Add extra spec parameter and image property for memory encryption

Addressed by: https://review.opendev.org/666616
    Track inventory for new MEM_ENCRYPTION_CONTEXT resource class

Addressed by: https://review.opendev.org/666617
    WIP: Document AMD SEV support for encrypted VMs in libvirt

Addressed by: https://review.opendev.org/670189
    libvirt: harden get_domain_capabilities

Addressed by: https://review.opendev.org/673151
    Enhance parsing of domain capabilities and track canonical machine types

Addressed by: https://review.opendev.org/673152
    Enhance parsing of domain capabilities and track canonical machine types

Addressed by: https://review.opendev.org/674628
    Allow assertXmlEqual() to pass options to matchers.XMLMatches

Addressed by: https://review.opendev.org/674629
    Fix libvirt driver tests to use LibvirtConfigCapsGuest instances

Addressed by: https://review.opendev.org/676964
    Extract new base class for provider usage functional tests

Addressed by: https://review.opendev.org/677710
    Split fake host capabilities into reusable variables

Addressed by: https://review.opendev.org/679339
    Indent fake libvirt host capabilities fixtures more nicely

Addressed by: https://review.opendev.org/679340
    libvirt/host.py: remove unnecessary temporary variable

Addressed by: https://review.opendev.org/679568
    Make _get_cpu_feature_traits() always return a dict

Addressed by: https://review.opendev.org/680065
    Ensure q35 machine type is used when booting with SEV

Addressed by: https://review.opendev.org/680158
    Reject live migration and suspend on SEV guests

Addressed by: https://review.opendev.org/680526
    Extract fake KVM guest fixture for reuse

Addressed by: https://review.opendev.org/680527
    Move get_machine_type() test to test_utils.py

Addressed by: https://review.opendev.org/681254
    Improve SEV documentation and other minor tweaks

[efried 20190911] Marking complete. The only remaining artifacts are docs & tempest tests.

Addressed by: https://review.opendev.org/684825
    Set iommu driver for virtio controllers too

Addressed by: https://review.opendev.org/685756
    Also enable iommu for virtio controllers in libvirt

Addressed by: https://review.opendev.org/686414
    docs: Highlight the current broken state of SEV

Addressed by: https://review.opendev.org/693072
    Create a controller for qga when SEV is used
