From: Paolo Bonzini Date: Tue, 30 Jun 2020 15:38:18 +0000 (-0400) Subject: target/i386: sev: fail query-sev-capabilities if QEMU cannot use SEV X-Git-Tag: v5.1.0-rc0~17^2~14 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1b38750c40281dd0d068f8536b2ea95d7b9bd585;p=thirdparty%2Fqemu.git target/i386: sev: fail query-sev-capabilities if QEMU cannot use SEV In some cases, such as if the kvm-amd "sev" module parameter is set to 0, SEV will be unavailable but query-sev-capabilities will still return all the information. This tricks libvirt into erroneously reporting that SEV is available. Check the actual usability of the feature and return the appropriate error if QEMU cannot use KVM or KVM cannot use SEV. Reviewed-by: Eric Blake Signed-off-by: Paolo Bonzini --- diff --git a/target/i386/sev.c b/target/i386/sev.c index 7012b1d4b12..c3ecf867042 100644 --- a/target/i386/sev.c +++ b/target/i386/sev.c @@ -450,6 +450,15 @@ sev_get_capabilities(Error **errp) uint32_t ebx; int fd; + if (!kvm_enabled()) { + error_setg(errp, "KVM not enabled"); + return NULL; + } + if (kvm_vm_ioctl(kvm_state, KVM_MEMORY_ENCRYPT_OP, NULL) < 0) { + error_setg(errp, "SEV is not enabled in KVM"); + return NULL; + } + fd = open(DEFAULT_SEV_DEVICE, O_RDWR); if (fd < 0) { error_setg_errno(errp, errno, "Failed to open %s",
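Review bot: the `kvm_vm_ioctl(kvm_state, KVM_MEMORY_ENCRYPT_OP, NULL) < 0` check added to sev_get_capabilities() reports every failure with the fixed string "SEV is not enabled in KVM" and discards the return value, so a management layer reading the error cannot tell the kvm-amd sev=0 case named in the commit message from any other reason the ioctl failed. Consider storing the result in a local and including it in the message, the way the `open(DEFAULT_SEV_DEVICE, O_RDWR)` failure path just below does with error_setg_errno(). A short comment noting that the call is passed NULL because it serves only as an availability probe would also help, since that intent is not evident from the call itself.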