NVIDIA: SAUCE: virtinst: add shared-mec support for CCA guests

Add support for the shared-mec attribute in CCA launch security
configuration. This allows users to control whether CCA Realms use
shared or private Memory Encryption Contexts (MECs).

Usage:
  --launchSecurity type=cca,sharedMec=on   # Use shared MEC
  --launchSecurity type=cca,sharedMec=off  # Use private MEC
  --launchSecurity type=cca                # QEMU default (shared)

The sharedMec attribute maps to the libvirt XML shared-mec attribute
and the QEMU rme-guest shared-mec property.

Signed-off-by: Ian May <ianm@nvidia.com>

Author: ianm-nv

tests/data/cli/compare/virt-install-aarch64-launch-security-cca-shared-mec.xml

@@ -0,0 +1,57 @@
+<domain type="qemu">
+  <name>test-aarch64-launch-security-cca-shared-mec</name>
+  <uuid>915218db-98d8-43b2-81f3-c054a6ff8961</uuid>
+  <memory>2097152</memory>
+  <currentMemory>2097152</currentMemory>
+  <vcpu>1</vcpu>
+  <os firmware="efi">
+    <type arch="aarch64" machine="virt">hvm</type>
+    <boot dev="hd"/>
+  </os>
+  <features>
+    <acpi/>
+  </features>
+  <cpu mode="maximum"/>
+  <clock offset="utc"/>
+  <devices>
+    <emulator>/usr/bin/qemu-system-aarch64</emulator>
+    <controller type="usb" model="qemu-xhci" ports="15"/>
+    <controller type="pci" model="pcie-root"/>
+    <controller type="pci" model="pcie-root-port"/>
+    <controller type="pci" model="pcie-root-port"/>
+    <controller type="pci" model="pcie-root-port"/>
+    <controller type="pci" model="pcie-root-port"/>
+    <controller type="pci" model="pcie-root-port"/>
+    <controller type="pci" model="pcie-root-port"/>
+    <controller type="pci" model="pcie-root-port"/>
+    <controller type="pci" model="pcie-root-port"/>
+    <controller type="pci" model="pcie-root-port"/>
+    <controller type="pci" model="pcie-root-port"/>
+    <controller type="pci" model="pcie-root-port"/>
+    <controller type="pci" model="pcie-root-port"/>
+    <controller type="pci" model="pcie-root-port"/>
+    <controller type="pci" model="pcie-root-port"/>
+    <interface type="network">
+      <source network="default"/>
+      <mac address="52:54:00:73:8c:4a"/>
+    </interface>
+    <console type="pty"/>
+    <channel type="spicevmc">
+      <target type="virtio" name="com.redhat.spice.0"/>
+    </channel>
+    <input type="tablet" bus="usb"/>
+    <input type="keyboard" bus="usb"/>
+    <tpm>
+      <backend type="emulator"/>
+    </tpm>
+    <graphics type="spice" port="-1" tlsPort="-1" autoport="yes">
+      <image compression="off"/>
+    </graphics>
+    <sound model="ich9"/>
+    <video>
+      <model type="ramfb"/>
+    </video>
+  </devices>
+  <launchSecurity type="cca" shared-mec="yes"/>
+</domain>
+

tests/test_cli.py

@@ -1908,6 +1908,11 @@ def add_compare(self, cat, args, compbase, **kwargs):
     "aarch64-launch-security-cca",
     prerun_check="11.9.0",
 )
+c.add_compare(
+    "--boot uefi --machine virt --launchSecurity type=cca,sharedMec=on",
+    "aarch64-launch-security-cca-shared-mec",
+    prerun_check="11.9.0",
+)
 
 
 ######################

virtinst/cli.py

@@ -5333,6 +5333,7 @@ def _virtcli_class_init(cls):
         cls.add_arg("measurementAlgo", "measurementAlgo")
         cls.add_arg("personalizationValue", "personalizationValue")
         cls.add_arg("measurementLog", "measurementLog", is_onoff=True)
+        cls.add_arg("sharedMec", "sharedMec", is_onoff=True)
 
 
 ###########################

virtinst/domain/launch_security.py

@@ -30,6 +30,7 @@ class DomainLaunchSecurity(XMLBuilder):
     measurementAlgo = XMLProperty("./measurement-algo")
     personalizationValue = XMLProperty("./personalization-value")
     measurementLog = XMLProperty("./@measurement-log", is_yesno=True)
+    sharedMec = XMLProperty("./@shared-mec", is_yesno=True)
 
     def _set_defaults_sev(self, guest):
         if not guest.os.is_q35() or not guest.is_uefi():