libvirt driver launching AMD SEV-encrypted instances
Booting an instance with a flavor whose extra specs require an SEV-specific trait should cause that instance to be scheduled to, defined on and booted on a compute host that exposes that trait. Additionally, the instance's libvirt domain definition must carry the extra XML that causes QEMU to boot the guest with SEV enabled, so that guest memory is encrypted with a key the hypervisor does not hold.
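The domain XML pieces this blueprint's work items add (a `<launchSecurity type='sev'>` element, the q35 machine type, `iommu='on'` on virtio device drivers, and memory locking via `memtune`) are easy to get half right, and a guest that is missing one of them either fails to boot or boots without the protection the flavor asked for. The following check is an added example, not code from Nova or libvirt: given a domain XML as libvirt would accept it, it reports what is missing. The two sample domains are constructed for the example; the element and attribute names follow libvirt's documented schema, and the policy bit meanings (0x1 NODBG, 0x2 NOKS) follow AMD's SEV API.

```python
"""Checks for a libvirt domain XML that is meant to boot an AMD SEV guest.
Added example, not code from Nova or libvirt; the sample XML is constructed."""
import xml.etree.ElementTree as ET

_UNITS = {"b": 1, "KiB": 1024, "MiB": 1024 ** 2, "GiB": 1024 ** 3}


def _to_bytes(el):
    """libvirt memory elements carry a unit attribute; the default is KiB."""
    return int(el.text) * _UNITS[el.get("unit", "KiB")]


def _uses_virtio(dev):
    """True for device types whose virtio variants need <driver iommu='on'/>."""
    if dev.tag == "disk":
        t = dev.find("target")
        return t is not None and t.get("bus") == "virtio"
    if dev.tag in ("interface", "video"):
        m = dev.find("model")
        return m is not None and (m.get("type") or "").startswith("virtio")
    if dev.tag in ("controller", "rng", "memballoon"):
        return (dev.get("model") or "").startswith("virtio")
    return False


def sev_findings(domain_xml):
    """Return a list of problems; an empty list means the XML looks SEV-ready."""
    root = ET.fromstring(domain_xml)
    findings = []

    # <launchSecurity type='sev'> is what makes QEMU start the guest encrypted.
    ls = root.find("launchSecurity")
    if ls is None or ls.get("type") != "sev":
        findings.append("no <launchSecurity type='sev'> element")
    else:
        # SEV policy bits: 0x1 NODBG (no host debugging), 0x2 NOKS (no key sharing).
        policy = int(ls.findtext("policy", "0"), 16)
        if not policy & 0x1:
            findings.append("policy lets the hypervisor debug guest memory (NODBG clear)")
        if not policy & 0x2:
            findings.append("policy allows key sharing with other guests (NOKS clear)")

    # SEV guests must use the q35 machine type.
    machine = root.find("os/type").get("machine", "")
    if "q35" not in machine:
        findings.append("machine type %r is not q35" % machine)

    # Guest RAM is pinned for SEV, so the memtune hard_limit must cover it.
    mem = _to_bytes(root.find("memory"))
    hard = root.find("memtune/hard_limit")
    if hard is None or _to_bytes(hard) < mem:
        findings.append("memtune/hard_limit missing or below guest memory")

    # Every virtio device needs iommu='on' so the guest bounces DMA through
    # shared (unencrypted) buffers instead of handing encrypted pages to QEMU.
    for dev in root.find("devices"):
        if _uses_virtio(dev):
            drv = dev.find("driver")
            if drv is None or drv.get("iommu") != "on":
                findings.append("virtio <%s> lacks <driver iommu='on'/>" % dev.tag)
    return findings


# Constructed sample: a correctly built SEV domain.
GOOD_XML = """<domain type='kvm'>
  <name>sev-guest</name>
  <memory unit='KiB'>2097152</memory>
  <memtune><hard_limit unit='KiB'>2359296</hard_limit></memtune>
  <os><type arch='x86_64' machine='pc-q35-4.0'>hvm</type></os>
  <devices>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2' iommu='on'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <interface type='bridge'><model type='virtio'/><driver iommu='on'/></interface>
    <controller type='scsi' model='virtio-scsi'><driver iommu='on'/></controller>
    <memballoon model='virtio'><driver iommu='on'/></memballoon>
  </devices>
  <launchSecurity type='sev'>
    <cbitpos>47</cbitpos>
    <reducedPhysBits>1</reducedPhysBits>
    <policy>0x0003</policy>
  </launchSecurity>
</domain>"""

# Constructed sample: a plain KVM domain with launchSecurity bolted on.
BAD_XML = """<domain type='kvm'>
  <name>not-really-sev</name>
  <memory unit='MiB'>2048</memory>
  <os><type arch='x86_64' machine='pc-i440fx-4.0'>hvm</type></os>
  <devices>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <target dev='vda' bus='virtio'/>
    </disk>
  </devices>
  <launchSecurity type='sev'><policy>0x0000</policy></launchSecurity>
</domain>"""

if __name__ == "__main__":
    for name, xml in (("good", GOOD_XML), ("bad", BAD_XML)):
        print(name, sev_findings(xml) or "OK")
```

Run against a live guest with `virsh dumpxml <domain>`; the second sample shows the failure mode the later work items fix, where `launchSecurity` is present but a virtio disk without `iommu='on'` and an i440fx machine type mean the guest will not come up as an SEV guest, and a policy of 0x0000 would let the host debug the memory SEV is supposed to hide.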
Blueprint information
- Status:
- Complete
- Approver:
- Matt Riedemann
- Priority:
- Low
- Drafter:
- Adam Spiers
- Direction:
- Approved
- Assignee:
- Adam Spiers
- Definition:
- Approved
- Series goal:
- Accepted for train
- Implementation:
- Implemented
- Milestone target:
- None
- Started by:
- Matt Riedemann
- Completed by:
- Eric Fried
Whiteboard
Addressed by: https:/
Add spec for libvirt driver launching AMD SEV-encrypted instances
Gerrit topic: https:/
Approved for Stein. -- mriedem 20190103
Addressed by: https:/
AMD SEV: address final feedback received prior to merge
Addressed by: https:/
Add detection of SEV support from QEMU/AMD-SP/libvirt on AMD hosts
Addressed by: https:/
Add HW_CPU_AMD_SEV trait
Addressed by: https:/
Extract SEV-specific bits on host detection
Addressed by: https:/
Add <launchSecurity> element to libvirt guest XML for AMD SEV
Addressed by: https:/
Add new "supports_amd_sev" capability to libvirt driver
Addressed by: https:/
Parse <emulator> elements from virConnectGetCa
Addressed by: https:/
Re-approve AMD SEV support for Train
This did not complete in the Stein release so I am deferring to the Train release. Remember to re-propose the spec for Train as necessary: https:/
Addressed by: https:/
Move libvirt calculation of machine type to utils.py
Addressed by: https:/
Fix memtune parameters according to libvirt docs
Addressed by: https:/
Add iommu driver to devices
Gerrit topic: https:/
Addressed by: https:/
Add infrastructure for invoking libvirt's getDomainCapabi
Re-approved for Train. -- mriedem 20190424
Addressed by: https:/
Update SEV work item to new approach based on MEM_ENCRYPTION_
Addressed by: https:/
Track inventory for new MEM_ENCRYPTION_
Addressed by: https:/
Detect that SEV is required and enable iommu for devices
Addressed by: https:/
Use fake flavor instead of empty dict in test
Addressed by: https:/
Pass extra_specs to flavor in vif tests
Addressed by: https:/
Use launchSecurity element when SEV was required
Addressed by: https:/
Enable memory locking if SEV is requested
Addressed by: https:/
Change new image property to hw_mem_encryption
Addressed by: https:/
Add extra spec parameter and image property for memory encryption
Addressed by: https:/
Track inventory for new MEM_ENCRYPTION_
Addressed by: https:/
WIP: Document AMD SEV support for encrypted VMs in libvirt
Addressed by: https:/
libvirt: harden get_domain_
Addressed by: https:/
Enhance parsing of domain capabilities and track canonical machine types
Addressed by: https:/
Enhance parsing of domain capabilities and track canonical machine types
Addressed by: https:/
Allow assertXmlEqual() to pass options to matchers.XMLMatches
Addressed by: https:/
Fix libvirt driver tests to use LibvirtConfigCa
Addressed by: https:/
Extract new base class for provider usage functional tests
Addressed by: https:/
Split fake host capabilities into reusable variables
Addressed by: https:/
Indent fake libvirt host capabilities fixtures more nicely
Addressed by: https:/
libvirt/
Addressed by: https:/
Make _get_cpu_
Addressed by: https:/
Ensure q35 machine type is used when booting with SEV
Addressed by: https:/
Reject live migration and suspend on SEV guests
Addressed by: https:/
Extract fake KVM guest fixture for reuse
Addressed by: https:/
Move get_machine_type() test to test_utils.py
Addressed by: https:/
Improve SEV documentation and other minor tweaks
[efried 20190911] Marking complete. The only remaining artifacts are docs & tempest tests.
Addressed by: https:/
Set iommu driver for virtio controllers too
Addressed by: https:/
Also enable iommu for virtio controllers in libvirt
Addressed by: https:/
docs: Highlight the current broken state of SEV
Addressed by: https:/
Create a controller for qga when SEV is used
Addressed by: https:/
Switch to uses_virtio to enable iommu driver for AMD SEV
Addressed by: https:/
Switch to uses_virtio to enable iommu driver for AMD SEV
Addressed by: https:/
Create a controller for qga when SEV is used
Addressed by: https:/
Revert "docs: Highlight the current broken state of SEV" (partially)