libvirt driver launching AMD SEV-encrypted instances

Registered by Adam Spiers on 2018-10-11

Booting an instance with a flavor containing an SEV-specific required trait extra spec should cause that instance to be defined and booted on a compute host which provides that trait. Additionally, the instance must be created with additional XML in the libvirt domain definition which causes QEMU to boot the instance with SEV enabled.
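The two halves of that description (a flavor trait gating scheduling, and extra libvirt domain XML enabling SEV) can be shown end to end with a small added example. This is not Nova's code or anything from the reviews listed below; it assumes the trait is spelled HW_CPU_AMD_SEV as written on this page (the real os-traits constant may differ), uses libvirt's documented <launchSecurity type='sev'> element with cbitpos/reducedPhysBits taken from assumed host capability values, and treats the iommu driver flag and memtune hard limit (both mentioned in review titles below) as companion settings, with a constructed domain XML and constructed flavor extra specs as input.

```python
"""Added example (not Nova's code): decide from flavor extra specs whether
SEV is required, then inject the libvirt <launchSecurity> element and the
supporting settings into a domain definition."""
import xml.etree.ElementTree as ET

# Trait name as it appears on this page ("Add HW_CPU_AMD_SEV trait"); the
# real os-traits constant may be spelled differently, so treat it as assumed.
SEV_TRAIT = "HW_CPU_AMD_SEV"

# Assumed overhead (KiB) added to the hard memory limit. SEV guest memory is
# pinned, so libvirt needs a hard_limit that covers guest RAM plus overhead.
HARD_LIMIT_OVERHEAD_KIB = 512 * 1024

# Constructed sample flavor extra specs (not real flavors).
FLAVOR_SEV = {"trait:" + SEV_TRAIT: "required"}
FLAVOR_PLAIN = {"hw:cpu_policy": "dedicated"}

# Constructed minimal domain XML as a driver might emit it before SEV handling.
BASE_DOMAIN_XML = """<domain type='kvm'>
  <name>guest0</name>
  <memory unit='KiB'>2097152</memory>
  <os>
    <type arch='x86_64' machine='q35'>hvm</type>
  </os>
  <devices>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <interface type='bridge'>
      <model type='virtio'/>
    </interface>
  </devices>
</domain>
"""


def sev_required(extra_specs):
    """True when the flavor demands a host that advertises the SEV trait."""
    return extra_specs.get("trait:" + SEV_TRAIT) == "required"


def _is_virtio(dev):
    """Heuristic: disks carry <target bus='virtio'/>, NICs <model type='virtio'/>."""
    target = dev.find("target")
    if target is not None and target.get("bus") == "virtio":
        return True
    model = dev.find("model")
    return model is not None and model.get("type") == "virtio"


def add_sev_to_domain(domain_xml, extra_specs, cbitpos, reduced_phys_bits,
                      policy=0x0003):
    """Return domain XML with SEV enabled when the flavor requires it.

    cbitpos and reduced_phys_bits are assumed to come from the host's SEV
    capabilities; policy 0x0003 (no debugging, no key sharing) is an assumed
    default for this example.
    """
    root = ET.fromstring(domain_xml)
    if not sev_required(extra_specs):
        return ET.tostring(root, encoding="unicode")

    # <launchSecurity type='sev'> is the element libvirt documents for SEV.
    ls = ET.SubElement(root, "launchSecurity", type="sev")
    ET.SubElement(ls, "cbitpos").text = str(cbitpos)
    ET.SubElement(ls, "reducedPhysBits").text = str(reduced_phys_bits)
    ET.SubElement(ls, "policy").text = "0x%04x" % policy

    # Encrypted guest memory cannot be used directly for device DMA, so each
    # virtio device gets iommu='on' and the guest bounces buffers through
    # shared memory.
    for dev in root.find("devices"):
        if _is_virtio(dev):
            driver = dev.find("driver")
            if driver is None:
                driver = ET.SubElement(dev, "driver")
            driver.set("iommu", "on")

    # memtune hard_limit = guest RAM + overhead, in KiB (base XML uses KiB).
    memory_kib = int(root.findtext("memory"))
    memtune = root.find("memtune")
    if memtune is None:
        memtune = ET.SubElement(root, "memtune")
    hard = memtune.find("hard_limit")
    if hard is None:
        hard = ET.SubElement(memtune, "hard_limit", unit="KiB")
    hard.text = str(memory_kib + HARD_LIMIT_OVERHEAD_KIB)
    return ET.tostring(root, encoding="unicode")


def describe_launch_security(domain_xml):
    """Summarise the SEV-related settings of a domain, or None if absent.

    The same check can be run over `virsh dumpxml` output to confirm that a
    guest actually booted with SEV enabled rather than silently without it.
    """
    root = ET.fromstring(domain_xml)
    ls = root.find("launchSecurity")
    if ls is None:
        return None
    iommu = [d for d in root.find("devices")
             if d.find("driver") is not None
             and d.find("driver").get("iommu") == "on"]
    return {
        "type": ls.get("type"),
        "cbitpos": int(ls.findtext("cbitpos")),
        "reduced_phys_bits": int(ls.findtext("reducedPhysBits")),
        "policy": ls.findtext("policy"),
        "iommu_devices": len(iommu),
        "hard_limit_kib": int(root.findtext("memtune/hard_limit")),
    }


if __name__ == "__main__":
    print(add_sev_to_domain(BASE_DOMAIN_XML, FLAVOR_SEV,
                            cbitpos=47, reduced_phys_bits=1))
```

The flavor check mirrors what the scheduler enforces through the required trait; the XML step is what the compute driver must add on top, and describe_launch_security is the post-boot verification an operator would want, since a guest that lands on an SEV-capable host but lacks the launchSecurity element runs with plain, unencrypted memory.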

Blueprint information

Status:
Started
Approver:
Matt Riedemann
Priority:
Low
Drafter:
Adam Spiers
Direction:
Approved
Assignee:
Adam Spiers
Definition:
Approved
Series goal:
Accepted for train
Implementation:
Needs Code Review
Milestone target:
None
Started by
Matt Riedemann on 2019-02-01

Related branches

Sprints

Whiteboard

Addressed by: https://review.openstack.org/609779
    Add spec for libvirt driver launching AMD SEV-encrypted instances

Gerrit topic: https://review.opendev.org/#/q/topic:bp/amd-sev-libvirt-support

Approved for Stein. -- mriedem 20190103

Addressed by: https://review.openstack.org/628252
    AMD SEV: address final feedback received prior to merge

Addressed by: https://review.openstack.org/633855
    Add detection of SEV support from QEMU/AMD-SP/libvirt on AMD hosts

Addressed by: https://review.openstack.org/635608
    Add HW_CPU_AMD_SEV trait

Addressed by: https://review.openstack.org/636334
    Extract SEV-specific bits on host detection

Addressed by: https://review.openstack.org/636318
    Add configs for AMD SEV

Addressed by: https://review.openstack.org/638680
    Add new "supports_amd_sev" capability to libvirt driver

Addressed by: https://review.openstack.org/640483
    Parse <emulator> elements from virConnectGetCapabilities()

Gerrit topic: https://review.openstack.org/#q,topic:bp/s,n,z

Gerrit topic: https://review.openstack.org/#q,topic:bp/amd-sev-libvirt-support,n,z

Addressed by: https://review.openstack.org/641994
    Re-approve AMD SEV support for Train

This did not complete in the Stein release so I am deferring to the Train release. Remember to re-propose the spec for Train as necessary: https://specs.openstack.org/openstack/nova-specs/readme.html#previously-approved-specifications -- mriedem 20190311

Addressed by: https://review.openstack.org/644554
    Move libvirt calculation of machine type to utils.py

Addressed by: https://review.openstack.org/636301
    Fix memtune parameters according to libvirt docs

Addressed by: https://review.openstack.org/644564
    Add iommu driver to devices

Addressed by: https://review.openstack.org/644565
    [wip] Driver changes for sev

Addressed by: https://review.opendev.org/641994
    Re-approve AMD SEV support for Train

Gerrit topic: https://review.opendev.org/#/q/topic:bp/gracefully-handle-qemu-machine-types

Addressed by: https://review.opendev.org/655268
    Add infrastructure for invoking libvirt's getDomainCapabilities API

Addressed by: https://review.opendev.org/633855
    Add detection of SEV support from QEMU/AMD-SP/libvirt on AMD hosts

Re-approved for Train. -- mriedem 20190424

Addressed by: https://review.opendev.org/655717
    Update SEV work item to new approach based on MEM_ENCRYPTION_CONTEXT

Addressed by: https://review.opendev.org/638680
    Add new "supports_amd_sev" capability to libvirt driver

Addressed by: https://review.opendev.org/636334
    Extract SEV-specific bits on host detection

Addressed by: https://review.opendev.org/636318
    Add <launchSecurity> element to libvirt guest XML for AMD SEV


Work Items
