From: Tyler Fanelli
To: libvir-list@redhat.com
Subject: [PATCH 1/5] libvirt: Introduce virDomainGetSevAttestationReport public API
Date: Wed, 23 Mar 2022 15:36:25 -0400
Message-Id: <20220323193627.1127171-2-tfanelli@redhat.com>
In-Reply-To: <20220323193627.1127171-1-tfanelli@redhat.com>
References: <20220323193627.1127171-1-tfanelli@redhat.com>
Cc: Tyler Fanelli, crobinso@redhat.com

This API allows getting an attestation report from a SEV-enabled guest. The API uses virTypedParameter for input. The details of an attestation report buffer are described in the SEV API spec in section "6.8.2 Parameters, Table 60".

https://www.amd.com/system/files/TechDocs/55766_SEV-KM_API_Specification.pdf
Signed-off-by: Tyler Fanelli --- include/libvirt/libvirt-domain.h | 14 +++++++ src/driver-hypervisor.h | 7 ++++ src/libvirt-domain.c | 63 ++++++++++++++++++++++++++++++++ src/libvirt_public.syms | 4 ++ 4 files changed, 88 insertions(+) diff --git a/include/libvirt/libvirt-domain.h b/include/libvirt/libvirt-dom= ain.h index 2d5718301e..af8991dbd3 100644 --- a/include/libvirt/libvirt-domain.h +++ b/include/libvirt/libvirt-domain.h @@ -5166,6 +5166,15 @@ int virDomainSetLifecycleAction(virDomainPtr domain, */ # define VIR_DOMAIN_LAUNCH_SECURITY_SEV_SECRET_SET_ADDRESS "sev-secret-set= -address" =20 +/** + * VIR_DOMAIN_SEV_ATTESTATION_REPORT_MNONCE: + * + * A macro used to represent a random 16 bytes value encoded in base64 + * that will be included in a SEV attestation report, as + * VIR_TYPED_PARAM_STRING. + */ +# define VIR_DOMAIN_SEV_ATTESTATION_REPORT_MNONCE "mnonce" + int virDomainGetLaunchSecurityInfo(virDomainPtr domain, virTypedParameterPtr *params, int *nparams, @@ -5176,6 +5185,11 @@ int virDomainSetLaunchSecurityState(virDomainPtr dom= ain, int nparams, unsigned int flags); =20 +int virDomainGetSevAttestationReport(virDomainPtr domain, + virTypedParameterPtr *params_ptr, + int *nparams, + unsigned int flags); + typedef enum { VIR_DOMAIN_GUEST_INFO_USERS =3D (1 << 0), /* return active users */ VIR_DOMAIN_GUEST_INFO_OS =3D (1 << 1), /* return OS information */ diff --git a/src/driver-hypervisor.h b/src/driver-hypervisor.h index 4423eb0885..568d8c9a26 100644 --- a/src/driver-hypervisor.h +++ b/src/driver-hypervisor.h @@ -1348,6 +1348,12 @@ typedef int int nparams, unsigned int flags); =20 +typedef int +(*virDrvDomainGetSevAttestationReport)(virDomainPtr domain, + virTypedParameterPtr params, + int nparams, + unsigned int flags); + typedef virDomainCheckpointPtr (*virDrvDomainCheckpointCreateXML)(virDomainPtr domain, const char *xmlDesc, 
@@ -1678,6 +1684,7 @@ struct _virHypervisorDriver { virDrvNodeGetSEVInfo nodeGetSEVInfo; virDrvDomainGetLaunchSecurityInfo domainGetLaunchSecurityInfo; virDrvDomainSetLaunchSecurityState domainSetLaunchSecurityState; + virDrvDomainGetSevAttestationReport domainGetSevAttestationReport; virDrvDomainCheckpointCreateXML domainCheckpointCreateXML; virDrvDomainCheckpointGetXMLDesc domainCheckpointGetXMLDesc; virDrvDomainListAllCheckpoints domainListAllCheckpoints; diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c index a197618673..ebcba4a8b7 100644 --- a/src/libvirt-domain.c +++ b/src/libvirt-domain.c 
@@ -12957,6 +12957,69 @@ int virDomainSetLaunchSecurityState(virDomainPtr d= omain, return -1; } =20 +/** + * virDomainGetSevAttestationReport: + * @domain: a domain object + * @params_ptr: pointer to launch security parameter objects + * @nparams: pointer to number of launch security parameters + * @flags: currently used, set to 0 + * + * Get an attestation report from a SEV-enabled guest. On success, the gue= st + * attestation report can be obtained and the guest can be started. + * + * There is one parameter for receiving an attestation report, mnonce, whi= ch is + * a random 16-byte string to be included in the attestation report. + * + * Returns -1 in case of failure, 0 in case of success. + */ +int virDomainGetSevAttestationReport(virDomainPtr domain, + virTypedParameterPtr *params_ptr, + int *nparams, + unsigned int flags) +{ + virConnectPtr conn; + virTypedParameterPtr params; + int rc; + + params =3D *params_ptr; + conn =3D domain->conn; + + VIR_DOMAIN_DEBUG(domain, "params=3D%p, nparams=3D%d, flags=3D0x%x", + params, *nparams, flags); + VIR_TYPED_PARAMS_DEBUG(params, *nparams); + + virResetLastError(); + + virCheckDomainReturn(domain, -1); + virCheckNonNullArgGoto(params, error); + virCheckPositiveArgGoto(*nparams, error); + virCheckReadOnlyGoto(domain->conn->flags, error); + + rc =3D VIR_DRV_SUPPORTS_FEATURE(domain->conn->driver, domain->conn, + VIR_DRV_FEATURE_TYPED_PARAM_STRING); + + if (rc < 0) + goto error; + if (rc) + flags |=3D VIR_TYPED_PARAM_STRING_OKAY; + + if (virTypedParameterValidateSet(conn, params, *nparams) < 0) + goto error; + + if (conn->driver->domainGetSevAttestationReport) { + int ret; + ret =3D conn->driver->domainGetSevAttestationReport(domain, params= _ptr, + nparams, flags); + if (ret < 0) + goto error; + + return ret; + } + +error: + virDispatchError(domain->conn); + return -1; +} =20 /** * virDomainAgentSetResponseTimeout: diff --git a/src/libvirt_public.syms b/src/libvirt_public.syms index f93692c427..f0cd5e7e55 100644 
--- a/src/libvirt_public.syms +++ b/src/libvirt_public.syms 
@@ -916,4 +916,8 @@ LIBVIRT_8.0.0 { virDomainSetLaunchSecurityState; } LIBVIRT_7.8.0; =20 +LIBVIRT_8.2.0 { + global: + virDomainGetSevAttestationReport; +} LIBVIRT_8.0.0; # .... define new API here using predicted next version number .... --=20 2.34.1
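Review bot: In the driver-hypervisor.h hunk the callback typedef takes `virTypedParameterPtr params, int nparams` by value, but the public prototype in libvirt-domain.h takes `virTypedParameterPtr *params_ptr, int *nparams`, and libvirt-domain.c calls `conn->driver->domainGetSevAttestationReport(domain, params_ptr, nparams, flags)` with those pointers. The typedef should be `(*virDrvDomainGetSevAttestationReport)(virDomainPtr domain, virTypedParameterPtr *params, int *nparams, unsigned int flags)` so a driver can hand the report array back to the caller and the assignment in the driver tables compiles without a type mismatch.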
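Review bot: In the libvirt-domain.c hunk, `params = *params_ptr;`, `conn = domain->conn;` and the `*nparams` in VIR_DOMAIN_DEBUG all dereference their arguments before `virCheckDomainReturn` and before any NULL check on `params_ptr` or `nparams`; add `virCheckNonNullArgGoto(params_ptr, error);` and `virCheckNonNullArgGoto(nparams, error);` after the domain check and only read through the pointers after that. The doc comment also needs attention: `@flags: currently used, set to 0` presumably means "currently unused"; "the guest can be started" is confusing for an operation performed on an already launched guest; and it should state who owns the array returned through `@params_ptr` on success and that the caller frees it with virTypedParamsFree, since the driver replaces the input array with the report.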
From: Tyler Fanelli
To: libvir-list@redhat.com
Subject: [PATCH 2/5] remote: add RPC support for the virDomainGetSevAttestationReport API
Date: Wed, 23 Mar 2022 15:36:26 -0400
Message-Id: <20220323193627.1127171-3-tfanelli@redhat.com>
In-Reply-To: <20220323193627.1127171-1-tfanelli@redhat.com>
References: <20220323193627.1127171-1-tfanelli@redhat.com>
Cc: Tyler Fanelli, crobinso@redhat.com
Signed-off-by: Tyler Fanelli --- src/remote/remote_daemon_dispatch.c | 44 +++++++++++++++++++++++ src/remote/remote_driver.c | 55 +++++++++++++++++++++++++++++ src/remote/remote_protocol.x | 21 ++++++++++- src/remote_protocol-structs | 12 +++++++ 4 files changed, 131 insertions(+), 1 deletion(-) diff --git a/src/remote/remote_daemon_dispatch.c b/src/remote/remote_daemon= _dispatch.c index 2463386e39..dcb734ab09 100644 --- a/src/remote/remote_daemon_dispatch.c +++ b/src/remote/remote_daemon_dispatch.c @@ -5305,6 +5305,50 @@ remoteDispatchNodeGetSevInfo(virNetServer *server G_= GNUC_UNUSED, return rv; } =20 +static int +remoteDispatchDomainGetSevAttestationReport(virNetServer *server G_GNUC_UN= USED, + virNetServerClient *client, + virNetMessage *msg G_GNUC_UNUS= ED, + struct virNetMessageError *rer= r, + remote_domain_get_sev_attestat= ion_report_args *args, + remote_domain_get_sev_attestat= ion_report_ret *ret) +{ + virTypedParameterPtr params =3D NULL; + int nparams =3D 0; + int rv =3D -1; + virConnectPtr conn =3D remoteGetHypervisorConn(client); + virDomainPtr dom =3D NULL; + + if (!conn) + goto cleanup; + + if (!(dom =3D get_nonnull_domain(conn, args->dom))) + goto cleanup; + + if (virTypedParamsDeserialize((struct _virTypedParameterRemote *) args= ->params.params_val, + args->params.params_len, + 0, ¶ms, &nparams) < 0) + goto cleanup; + + if (virDomainGetSevAttestationReport(dom, ¶ms, &nparams, args->fla= gs) < 0) + goto cleanup; + + if (virTypedParamsSerialize(params, nparams, + REMOTE_DOMAIN_GET_SEV_ATTESTATION_REPORT_P= ARAMS_MAX, + (struct _virTypedParameterRemote **) &ret-= >params.params_val, + &ret->params.params_len, + args->flags) < 0) + goto cleanup; + + rv =3D 0; + +cleanup: + if (rv < 0) + virNetMessageSaveError(rerr); + virTypedParamsFree(params, nparams); + + return rv; +} =20 static int remoteDispatchNodeGetMemoryParameters(virNetServer *server G_GNUC_UNUSED, 
diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c index 7e7a21fcab..bfc5d6c874 100644 --- a/src/remote/remote_driver.c +++ b/src/remote/remote_driver.c @@ -6775,6 +6775,60 @@ remoteNodeGetSEVInfo(virConnectPtr conn, return rv; } =20 +static int +remoteDomainGetSevAttestationReport(virDomainPtr dom, + virTypedParameterPtr *params, + int *nparams, + unsigned int flags) +{ + int rv =3D -1; + remote_domain_get_sev_attestation_report_args args; + remote_domain_get_sev_attestation_report_ret ret; + struct private_data *priv =3D dom->conn->privateData; + virTypedParameterPtr ret_params =3D NULL; + int ret_nparams =3D 0; + + remoteDriverLock(priv); + + + make_nonnull_domain(&args.dom, dom); + args.flags =3D flags; + + if (virTypedParamsSerialize(*params, *nparams, + REMOTE_DOMAIN_GET_SEV_ATTESTATION_REPORT_P= ARAMS_MAX, + (struct _virTypedParameterRemote **) &args= .params.params_val, + &args.params.params_len, + VIR_TYPED_PARAM_STRING_OKAY) < 0) { + goto cleanup; + } + + memset(&ret, 0, sizeof(ret)); + if (call(dom->conn, priv, 0, REMOTE_PROC_DOMAIN_GET_SEV_ATTESTATION_RE= PORT, + (xdrproc_t) xdr_remote_domain_get_sev_attestation_report_args,= (char *) &args, + (xdrproc_t) xdr_remote_domain_get_sev_attestation_report_ret, = (char *) &ret) =3D=3D -1) { + goto done; + } + + if (virTypedParamsDeserialize((struct _virTypedParameterRemote *) ret.= params.params_val, + ret.params.params_len, + REMOTE_DOMAIN_GET_SEV_ATTESTATION_REPORT= _PARAMS_MAX, + &ret_params, + &ret_nparams) < 0) + goto cleanup; + + virTypedParamsFree(*params, *nparams); + *params =3D g_steal_pointer(&ret_params); + *nparams =3D ret_nparams; + + rv =3D 0; + +cleanup: + virTypedParamsFree(ret_params, ret_nparams); + xdr_free((xdrproc_t) xdr_remote_domain_get_sev_attestation_report_ret,= (char *) &ret); +done: + remoteDriverUnlock(priv); + return rv; +} =20 static int remoteNodeGetCPUMap(virConnectPtr conn, 
@@ -8651,6 +8705,7 @@ static virHypervisorDriver hypervisor_driver =3D { .domainGetMessages =3D remoteDomainGetMessages, /* 7.1.0 */ .domainStartDirtyRateCalc =3D remoteDomainStartDirtyRateCalc, /* 7.2.0= */ .domainSetLaunchSecurityState =3D remoteDomainSetLaunchSecurityState, = /* 8.0.0 */ + .domainGetSevAttestationReport =3D remoteDomainGetSevAttestationReport= , /* 8.1.0 */ }; =20 static virNetworkDriver network_driver =3D { diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x index 4f13cef662..4e5ce42bd5 100644 --- a/src/remote/remote_protocol.x +++ b/src/remote/remote_protocol.x @@ -275,6 +275,9 @@ const REMOTE_DOMAIN_LAUNCH_SECURITY_INFO_PARAMS_MAX =3D= 64; /* Upper limit on number of launch security state entries */ const REMOTE_DOMAIN_LAUNCH_SECURITY_STATE_PARAMS_MAX =3D 64; =20 +/* Upper limit on number of SEV attestation report entries */ +const REMOTE_DOMAIN_GET_SEV_ATTESTATION_REPORT_PARAMS_MAX =3D 64; + /* Upper limit on number of parameters describing a guest */ const REMOTE_DOMAIN_GUEST_INFO_PARAMS_MAX =3D 2048; =20 @@ -3651,6 +3654,16 @@ struct remote_domain_set_launch_security_state_args { unsigned int flags; }; =20 +struct remote_domain_get_sev_attestation_report_args { + remote_nonnull_domain dom; + remote_typed_param params; + unsigned int flags; +}; + +struct remote_domain_get_sev_attestation_report_ret { + remote_typed_param params; +}; + /* nwfilter binding */ =20 struct remote_nwfilter_binding_lookup_by_port_dev_args { @@ -6920,5 +6933,11 @@ enum remote_procedure { * @generate: both * @acl: domain:write */ - REMOTE_PROC_DOMAIN_SET_LAUNCH_SECURITY_STATE =3D 439 + REMOTE_PROC_DOMAIN_SET_LAUNCH_SECURITY_STATE =3D 439, + + /** + * @generate: none + * @acl: domain:read + */ + REMOTE_PROC_DOMAIN_GET_SEV_ATTESTATION_REPORT =3D 440 }; diff --git a/src/remote_protocol-structs b/src/remote_protocol-structs index d88176781d..67333284cd 100644 --- a/src/remote_protocol-structs +++ b/src/remote_protocol-structs 
@@ -3013,6 +3013,17 @@ struct remote_domain_set_launch_security_state_args { } params; u_int flags; }; +struct remote_domain_get_sev_attestation_report_args { + remote_nonnull_domain dom; + u_int flags; +}; +struct remote_domain_get_sev_attestation_report_ret { + struct { + u_int params_len; + remote_typed_param * params_val; + } params; + int nparams; +}; struct remote_nwfilter_binding_lookup_by_port_dev_args { remote_nonnull_string name; }; 
@@ -3689,4 +3700,5 @@ enum remote_procedure { REMOTE_PROC_NETWORK_CREATE_XML_FLAGS =3D 437, REMOTE_PROC_DOMAIN_EVENT_MEMORY_DEVICE_SIZE_CHANGE =3D 438, REMOTE_PROC_DOMAIN_SET_LAUNCH_SECURITY_STATE =3D 439, + REMOTE_PROC_DOMAIN_GET_SEV_ATTESTATION_REPORT =3D 440, }; --=20 2.34.1
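Review bot: In the remote_daemon_dispatch.c hunk the domain obtained from `get_nonnull_domain()` is never released: the `cleanup:` label frees only `params`, so add `virObjectUnref(dom);` there as the other dispatchers do. The `virTypedParamsDeserialize()` call also passes `0` as the limit while the `virTypedParamsSerialize()` call a few lines below uses REMOTE_DOMAIN_GET_SEV_ATTESTATION_REPORT_PARAMS_MAX; pass the same constant on the way in so the daemon bounds what it accepts from a client rather than relying on the serializer alone.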
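Review bot: In the remote_driver.c hunk a failed `virTypedParamsSerialize()` jumps to `cleanup`, which runs `xdr_free(... &ret)` on a `ret` that is only zeroed by the `memset(&ret, 0, sizeof(ret))` placed after the serialize call; move the memset above the serialize call (or jump to `done` on that failure). The serialized `args.params.params_val` is also never released; add `virTypedParamsRemoteFree((struct _virTypedParameterRemote *) args.params.params_val, args.params.params_len);` under `cleanup:`. Minor: drop the doubled blank line after `remoteDriverLock(priv);`.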
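Review bot: In the hypervisor_driver hunk the new entry is annotated `/* 8.1.0 */`, but patch 1 exports the symbol under `LIBVIRT_8.2.0` in libvirt_public.syms; the version comment and the syms block must agree.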
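Review bot: In the remote_protocol.x hunk the procedure is declared with `@acl: domain:read`, yet the public entry point in patch 1 rejects read-only connections via `virCheckReadOnlyGoto`; decide whether requesting a report with a caller-chosen nonce is a read or a write operation and make the ACL and the read-only check consistent.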
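Review bot: The remote_protocol-structs hunk does not match the remote_protocol.x definitions in this same patch: `remote_domain_get_sev_attestation_report_args` lacks the `params` member, and `remote_domain_get_sev_attestation_report_ret` gains an `int nparams` that the .x struct does not have. This file is compared against the generated output by the protocol check, so regenerate it from remote_protocol.x instead of editing it by hand.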
From: Tyler Fanelli
To: libvir-list@redhat.com
Cc: Tyler Fanelli, crobinso@redhat.com
Subject: [PATCH 3/5] qemu_capabilities: Introduce QEMU_CAPS_SEV_GET_ATTESTATION_REPORT
Date: Wed, 23 Mar 2022 15:36:27 -0400
Message-Id: <20220323193627.1127171-4-tfanelli@redhat.com>
In-Reply-To: <20220323193627.1127171-1-tfanelli@redhat.com>
References: <20220323193627.1127171-1-tfanelli@redhat.com>

The 'query-sev-attestation-report' qmp command is only available with qemu >= 6.1.0. Introduce a capability for query-sev-attestation-report.
Signed-off-by: Tyler Fanelli --- src/qemu/qemu_capabilities.c | 2 ++ src/qemu/qemu_capabilities.h | 1 + tests/qemucapabilitiesdata/caps_6.1.0.x86_64.xml | 1 + tests/qemucapabilitiesdata/caps_6.2.0.x86_64.xml | 1 + tests/qemucapabilitiesdata/caps_7.0.0.x86_64.xml | 1 + 5 files changed, 6 insertions(+) diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c index 32980e7330..68ebbe6534 100644 --- a/src/qemu/qemu_capabilities.c +++ b/src/qemu/qemu_capabilities.c @@ -668,6 +668,7 @@ VIR_ENUM_IMPL(virQEMUCaps, =20 /* 425 */ "blockdev.nbd.tls-hostname", /* QEMU_CAPS_BLOCKDEV_NBD_TLS_H= OSTNAME */ + "query-sev-attestation-report", /* QEMU_CAPS_SEV_GET_ATTESTA= TION_REPORT */=20 ); =20 =20 @@ -1235,6 +1236,7 @@ struct virQEMUCapsStringFlags virQEMUCapsCommands[] = =3D { { "query-dirty-rate", QEMU_CAPS_QUERY_DIRTY_RATE }, { "sev-inject-launch-secret", QEMU_CAPS_SEV_INJECT_LAUNCH_SECRET }, { "calc-dirty-rate", QEMU_CAPS_CALC_DIRTY_RATE }, + { "query-sev-attestation-report", QEMU_CAPS_SEV_GET_ATTESTATION_REPORT= }, }; =20 struct virQEMUCapsStringFlags virQEMUCapsMigration[] =3D { diff --git a/src/qemu/qemu_capabilities.h b/src/qemu/qemu_capabilities.h index 0a215a11d5..6c0e8f40aa 100644 --- a/src/qemu/qemu_capabilities.h +++ b/src/qemu/qemu_capabilities.h @@ -643,6 +643,7 @@ typedef enum { /* virQEMUCapsFlags grouping marker for = syntax-check */ =20 /* 425 */ QEMU_CAPS_BLOCKDEV_NBD_TLS_HOSTNAME, /* tls hostname can be overriden = for NBD clients */ + QEMU_CAPS_SEV_GET_ATTESTATION_REPORT, /* 'query-sev-attestation-report= ' qmp command present */ =20 QEMU_CAPS_LAST /* this must always be the last item */ } virQEMUCapsFlags; diff --git a/tests/qemucapabilitiesdata/caps_6.1.0.x86_64.xml b/tests/qemuc= apabilitiesdata/caps_6.1.0.x86_64.xml index ba1aecc37e..63a46ed1e1 100644 --- a/tests/qemucapabilitiesdata/caps_6.1.0.x86_64.xml +++ b/tests/qemucapabilitiesdata/caps_6.1.0.x86_64.xml @@ -239,6 +239,7 @@ + 6001000 0 43100243 
diff --git a/tests/qemucapabilitiesdata/caps_6.2.0.x86_64.xml b/tests/qemuc= apabilitiesdata/caps_6.2.0.x86_64.xml index d77907af55..681dedb935 100644 --- a/tests/qemucapabilitiesdata/caps_6.2.0.x86_64.xml +++ b/tests/qemucapabilitiesdata/caps_6.2.0.x86_64.xml @@ -241,6 +241,7 @@ + 6002000 0 43100244 diff --git a/tests/qemucapabilitiesdata/caps_7.0.0.x86_64.xml b/tests/qemuc= apabilitiesdata/caps_7.0.0.x86_64.xml index 0f34a341af..93ac38d04d 100644 --- a/tests/qemucapabilitiesdata/caps_7.0.0.x86_64.xml +++ b/tests/qemucapabilitiesdata/caps_7.0.0.x86_64.xml 
@@ -244,6 +244,7 @@ + 6002050 0 43100243 --=20 2.34.1
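Review bot: in the qemu_capabilities.h hunk the new flag QEMU_CAPS_SEV_GET_ATTESTATION_REPORT does not mirror its command string the way the surrounding entries do; the neighbouring virQEMUCapsCommands[] entry { "sev-inject-launch-secret", QEMU_CAPS_SEV_INJECT_LAUNCH_SECRET } derives the enum name from the QMP command, so QEMU_CAPS_QUERY_SEV_ATTESTATION_REPORT would let the enum, the "query-sev-attestation-report" string in VIR_ENUM_IMPL and the QMP command name itself be grepped together. Whichever name is chosen, the commit subject and the caps XML flag should use the same spelling.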
From: Tyler Fanelli
To: libvir-list@redhat.com
Cc: Tyler Fanelli, crobinso@redhat.com
Subject: [PATCH 4/5] qemu: Implement the virDomainGetSevAttestationReport API
Date: Wed, 23 Mar 2022 15:36:28 -0400
Message-Id: <20220323193627.1127171-5-tfanelli@redhat.com>
In-Reply-To: <20220323193627.1127171-1-tfanelli@redhat.com>
References: <20220323193627.1127171-1-tfanelli@redhat.com>

Get a SEV attestation report using the query-sev-attestation-report QMP API.
Signed-off-by: Tyler Fanelli --- include/libvirt/libvirt-domain.h | 8 +++ src/driver-hypervisor.h | 4 +- src/qemu/qemu_driver.c | 86 ++++++++++++++++++++++++++++++++ src/qemu/qemu_monitor.c | 11 ++++ src/qemu/qemu_monitor.h | 5 ++ src/qemu/qemu_monitor_json.c | 40 +++++++++++++++ src/qemu/qemu_monitor_json.h | 5 ++ 7 files changed, 157 insertions(+), 2 deletions(-) diff --git a/include/libvirt/libvirt-domain.h b/include/libvirt/libvirt-dom= ain.h index af8991dbd3..3f56da99cc 100644 --- a/include/libvirt/libvirt-domain.h +++ b/include/libvirt/libvirt-domain.h @@ -5175,6 +5175,14 @@ int virDomainSetLifecycleAction(virDomainPtr domain, */ # define VIR_DOMAIN_SEV_ATTESTATION_REPORT_MNONCE "mnonce" =20 +/** + * VIR_DOMAIN_SEV_ATTESTATION_REPORT_DATA: + * + * A macro used to represent the returned SEV attestation report (encoded = in + * base64). + */ +# define VIR_DOMAIN_SEV_ATTESTATION_REPORT_DATA "sev-attestation-report" + int virDomainGetLaunchSecurityInfo(virDomainPtr domain, virTypedParameterPtr *params, int *nparams, diff --git a/src/driver-hypervisor.h b/src/driver-hypervisor.h index 568d8c9a26..8912e5d7ef 100644 --- a/src/driver-hypervisor.h +++ b/src/driver-hypervisor.h @@ -1350,8 +1350,8 @@ typedef int =20 typedef int (*virDrvDomainGetSevAttestationReport)(virDomainPtr domain, - virTypedParameterPtr params, - int nparams, + virTypedParameterPtr *params_ptr, + int *nparams, unsigned int flags); =20 typedef virDomainCheckpointPtr diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index b7e83c769a..a96a0b9f84 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c 
@@ -20123,6 +20123,91 @@ qemuDomainSetLaunchSecurityState(virDomainPtr doma= in, return ret; } =20 +static int +qemuDomainGetSevAttestationReport(virDomainPtr domain, + virTypedParameterPtr *params, + int *nparams, + unsigned int flags) +{ + virQEMUDriver *driver; + virDomainObj *vm; + int ret =3D -1; + size_t i; + g_autofree char *mnonce =3D NULL; + g_autofree char *report =3D NULL; + int maxpar =3D 2; + g_autoptr(virQEMUCaps) qemucaps =3D NULL; + + driver =3D domain->conn->privateData; + + virCheckFlags(VIR_TYPED_PARAM_STRING_OKAY, -1); + if (virTypedParamsValidate(*params, *nparams, + VIR_DOMAIN_SEV_ATTESTATION_REPORT_MNONCE, + VIR_TYPED_PARAM_STRING, + NULL) < 0) + return -1; + + if (!(vm =3D qemuDomainObjFromDomain(domain))) + goto cleanup; + + if (virDomainGetSevAttestationReportEnsureACL(domain->conn, vm->def) <= 0) + goto cleanup; + + /* SEV must be enabled to get an attestation report */ + if (!vm->def->sec || + vm->def->sec->sectype !=3D VIR_DOMAIN_LAUNCH_SECURITY_SEV) { + virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s", + _("attestation report is only supported in SEV-enabled domains= ")); + goto cleanup; + } + + if (!(qemucaps =3D virQEMUCapsCacheLookupDefault(driver->qemuCapsCache, + NULL, NULL, NULL, NULL, + NULL, NULL, NULL))) + goto cleanup; + + + if (!virQEMUCapsGet(qemucaps, QEMU_CAPS_SEV_GET_ATTESTATION_REPORT)) { + virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s", + _("QEMU does not support getting a SEV attestation report"= )); + goto cleanup; + } + + for (i =3D 0; i < *nparams; ++i) { + virTypedParameterPtr param =3D params[i]; + + if (STREQ(param->field, VIR_DOMAIN_SEV_ATTESTATION_REPORT_MNONCE)) + mnonce =3D g_strdup(param->value.s); + } + + if (qemuDomainObjBeginJob(driver, vm, QEMU_JOB_QUERY) < 0) + goto cleanup; + + if (virDomainObjCheckActive(vm) < 0) + goto endjob; + + qemuDomainObjEnterMonitor(driver, vm); + ret =3D qemuMonitorGetSevAttestationReport(QEMU_DOMAIN_PRIVATE(vm)->mo= n, + mnonce, + &report); + 
qemuDomainObjExitMonitor(vm); + if (ret < 0) + goto endjob; + + if (virTypedParamsAddString(params, nparams, &maxpar, + VIR_DOMAIN_SEV_ATTESTATION_REPORT_DATA, + report) < 0) + goto endjob; + + ret =3D 0; + +endjob: + qemuDomainObjEndJob(vm); + +cleanup: + virDomainObjEndAPI(&vm); + return ret; +} =20 static const unsigned int qemuDomainGetGuestInfoSupportedTypes =3D VIR_DOMAIN_GUEST_INFO_USERS | @@ -21028,6 +21113,7 @@ static virHypervisorDriver qemuHypervisorDriver =3D= { .domainGetMessages =3D qemuDomainGetMessages, /* 7.1.0 */ .domainStartDirtyRateCalc =3D qemuDomainStartDirtyRateCalc, /* 7.2.0 */ .domainSetLaunchSecurityState =3D qemuDomainSetLaunchSecurityState, /*= 8.0.0 */ + .domainGetSevAttestationReport =3D qemuDomainGetSevAttestationReport, = /* 8.1.0 */ }; =20 =20 diff --git a/src/qemu/qemu_monitor.c b/src/qemu/qemu_monitor.c index 316cff5b9b..284e4a0b01 100644 --- a/src/qemu/qemu_monitor.c +++ b/src/qemu/qemu_monitor.c @@ -4330,6 +4330,17 @@ qemuMonitorSetLaunchSecurityState(qemuMonitor *mon, } =20 =20 +int +qemuMonitorGetSevAttestationReport(qemuMonitor *mon, + const char *mnonce, + char **report) +{ + QEMU_CHECK_MONITOR(mon); + + return qemuMonitorJSONGetSevAttestationReport(mon, mnonce, report); +} + + int qemuMonitorGetPRManagerInfo(qemuMonitor *mon, GHashTable **retinfo) diff --git a/src/qemu/qemu_monitor.h b/src/qemu/qemu_monitor.h index 5c2a749282..2e6fb8bfe0 100644 --- a/src/qemu/qemu_monitor.h +++ b/src/qemu/qemu_monitor.h @@ -1447,6 +1447,11 @@ qemuMonitorSetLaunchSecurityState(qemuMonitor *mon, unsigned long long setaddr, bool hasSetaddr); =20 +int +qemuMonitorGetSevAttestationReport(qemuMonitor *mon, + const char *mnonce, + char **report); + typedef struct _qemuMonitorPRManagerInfo qemuMonitorPRManagerInfo; struct _qemuMonitorPRManagerInfo { bool connected; diff --git a/src/qemu/qemu_monitor_json.c b/src/qemu/qemu_monitor_json.c index d5622bd6d9..45adf7a740 100644 --- a/src/qemu/qemu_monitor_json.c +++ b/src/qemu/qemu_monitor_json.c 
@@ -8322,6 +8322,46 @@ qemuMonitorJSONSetLaunchSecurityState(qemuMonitor *m= on, return 0; } =20 +/** + * Get a SEV attestation report + * + * Example JSON: + * + * {"execute" : "query-sev-attestation-report", + * "data" : { "mnonce": "str" } } + * {"return" : "data" : "mnonceNlSPUDlXPJG5966/8%YZ" } } + */ +int +qemuMonitorJSONGetSevAttestationReport(qemuMonitor *mon, + const char *mnonce, + char **report) +{ + const char *tmp; + g_autoptr(virJSONValue) cmd =3D NULL; + g_autoptr(virJSONValue) reply =3D NULL; + virJSONValue *data; + + cmd =3D qemuMonitorJSONMakeCommand("query-sev-attestation-report", + "s:mnonce", mnonce, + NULL); + if (cmd =3D=3D NULL) + return -1; + + if (qemuMonitorJSONCommand(mon, cmd, &reply) < 0) + return -1; + + if (qemuMonitorJSONCheckReply(cmd, reply, VIR_JSON_TYPE_OBJECT) < 0) + return -1; + + data =3D virJSONValueObjectGetObject(reply, "return"); + + if (!(tmp =3D virJSONValueObjectGetString(data, "data"))) + return -1; + + *report =3D g_strdup(tmp); + + return 0; +} =20 /* * Example return data diff --git a/src/qemu/qemu_monitor_json.h b/src/qemu/qemu_monitor_json.h index 982fbad44e..9a8e4ffd28 100644 --- a/src/qemu/qemu_monitor_json.h +++ b/src/qemu/qemu_monitor_json.h 
@@ -484,6 +484,11 @@ int qemuMonitorJSONSetLaunchSecurityState(qemuMonitor = *mon, unsigned long long setaddr, bool hasSetaddr); =20 +int +qemuMonitorJSONGetSevAttestationReport(qemuMonitor *mon, + const char *mnonce, + char **report); + int qemuMonitorJSONGetMachines(qemuMonitor *mon, qemuMonitorMachineInfo ***machines) --=20 2.34.1
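Review bot: the driver-hypervisor.h hunk rewrites the virDrvDomainGetSevAttestationReport typedef from (virTypedParameterPtr params, int nparams) to (virTypedParameterPtr *params_ptr, int *nparams), so the signature added by the earlier patch in this series that introduced the typedef never matched this implementation; squash the change into that patch so every commit in the series compiles on its own. The parameter is also named params_ptr here but params in qemuDomainGetSevAttestationReport; use one name in both places.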
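Review bot: in the qemuDomainGetSevAttestationReport hunk the loop `virTypedParameterPtr param = params[i];` indexes the `virTypedParameterPtr *params` double pointer, so for i > 0 it reads past the single pointer the caller handed in instead of walking the parameter array; it needs to be `virTypedParameterPtr param = &(*params)[i];`. In the same hunk `int maxpar = 2;` is a fixed capacity that has nothing to do with what the caller actually allocated, and virTypedParamsAddString() only grows the array when *nparams + 1 exceeds *maxpar, so a caller that passed a one-element buffer (which is exactly what the virsh command in 5/5 builds) gets its buffer written past the end; initialise maxpar from *nparams so the add always reallocates. The capability test goes through virQEMUCapsCacheLookupDefault(), i.e. the default QEMU binary, rather than the cached qemuCaps of the emulator this domain is running on, and it runs before the job is taken and before virDomainObjCheckActive(); move it after the active check and test the domain's own capabilities. Finally, virTypedParamsValidate() only checks the type of mnonce, so an absent parameter leaves mnonce NULL and passes it straight to "s:mnonce"; reject a missing or empty mnonce with VIR_ERR_INVALID_ARG before entering the monitor.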
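Review bot: in the qemuHypervisorDriver hunk the new .domainGetSevAttestationReport entry is annotated /* 8.1.0 */; that comment records the first release that ships the API, so confirm it is the release this series will actually land in (the series is dated 23 Mar 2022 and the .domainSetLaunchSecurityState entry directly above it is already tagged 8.0.0), and keep it consistent with the version quoted in the public header documentation for virDomainGetSevAttestationReport.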
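Review bot: in the qemuMonitorJSONGetSevAttestationReport hunk the `return -1` taken when the "data" string is absent from the reply reports no error, so the caller surfaces a failure with no message; add a virReportError() such as "query-sev-attestation-report reply was missing 'data'". The JSON in the doc comment is also malformed: `{"return" : "data" : "mnonceNlSPUDlXPJG5966/8%YZ" } }` lacks the opening brace of the inner object, and the sample value reads like the request's mnonce rather than a base64 report; write it as `{"return": {"data": "<base64 report>"}}` so the comment matches what the code below it parses.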
From: Tyler Fanelli
To: libvir-list@redhat.com
Cc: Tyler Fanelli, crobinso@redhat.com
Subject: [PATCH 5/5] tools: add domgetsevreport virsh command
Date: Wed, 23 Mar 2022 15:36:29 -0400
Message-Id: <20220323193627.1127171-6-tfanelli@redhat.com>
In-Reply-To: <20220323193627.1127171-1-tfanelli@redhat.com>
References: <20220323193627.1127171-1-tfanelli@redhat.com>

After domlaunchsecinfo is used to attest a VM, domgetsevreport can be used to get a full SEV attestation report from the guest.
Signed-off-by: Tyler Fanelli --- docs/manpages/virsh.rst | 18 +++++++++++ tools/virsh-domain.c | 68 +++++++++++++++++++++++++++++++++++++++++ 2 files changed, 86 insertions(+) diff --git a/docs/manpages/virsh.rst b/docs/manpages/virsh.rst index d2e6528533..ce62551f91 100644 --- a/docs/manpages/virsh.rst +++ b/docs/manpages/virsh.rst @@ -2119,6 +2119,24 @@ the guest's memory to set the secret. If not specifi= ed, the address will be determined by the hypervisor. =20 =20 +domgetsevreport +--------------- + +**Syntax:** + +:: + + domgetsevreport domain --mnonce mnonce-string + +Get an attestation report from a SEV-enabled guest. The guest must have a +launchSecurity type enabled in its configuration. On success, the attestat= ion +report can be examined. On failure, guest may not be attested and should be +examined to confirm so. + +*--mnonce* specifies a random 16-byte value encoded in base64 to be includ= ed +in the attestation report + + dommemstat ---------- =20 diff --git a/tools/virsh-domain.c b/tools/virsh-domain.c index d5fd8be7c3..bd8f426596 100644 --- a/tools/virsh-domain.c +++ b/tools/virsh-domain.c 
@@ -9715,6 +9715,68 @@ cmdDomSetLaunchSecState(vshControl * ctl, const vshC= md * cmd) return ret; } =20 +/* + * "domgetsevreport" command + */ +static const vshCmdInfo info_domgetsevreport[] =3D { + {.name =3D "help", + .data =3D N_("Get domain SEV attestation report") + }, + {.name =3D "desc", + .data =3D N_("Get an attestation report from a SEV-enabled domain") + }, + {.name =3D NULL} +}; + +static const vshCmdOptDef opts_domgetsevreport[] =3D { + VIRSH_COMMON_OPT_DOMAIN_FULL(0), + {.name =3D "mnonce", + .type =3D VSH_OT_STRING, + .flags =3D VSH_OFLAG_REQ_OPT, + .help =3D N_("random 16 bytes value encoded in base64 to be included = in report)"), + }, + {.name =3D NULL} +}; + +static bool +cmdDomGetSevAttestationReport(vshControl *ctl, const vshCmd *cmd) +{ + g_autoptr(virshDomain) dom =3D NULL; + const char *mnonce =3D NULL; + virTypedParameterPtr params =3D NULL; + int nparams =3D 0, maxparams =3D 0; + bool ret =3D false; + char *report_str; + + if (!(dom =3D virshCommandOptDomain(ctl, cmd, NULL))) + return false; + + if (vshCommandOptStringReq(ctl, cmd, "mnonce", &mnonce) < 0) + return false; + + if (mnonce =3D=3D NULL) + return false; + + if (virTypedParamsAddString(¶ms, &nparams, &maxparams, + VIR_DOMAIN_SEV_ATTESTATION_REPORT_MNONCE, + mnonce) < 0) + return false; + + if (virDomainGetSevAttestationReport(dom, ¶ms, &nparams, 0) !=3D 0= ) { + vshError(ctl, "%s", _("Unable to get SEV attestation report")); + goto cleanup; + } + + report_str =3D vshGetTypedParamValue(ctl, ¶ms[1]); + vshPrint(ctl, "base64-encoded attestation report: %s\n", report_str); + + ret =3D true; + +cleanup: + virTypedParamsFree(params, nparams); + return ret; +} + /* * "qemu-monitor-command" command */ 
@@ -13827,6 +13889,12 @@ const vshCmdDef domManagementCmds[] =3D { .info =3D info_domsetlaunchsecstate, .flags =3D 0 }, + {.name =3D "domgetsevreport", + .handler =3D cmdDomGetSevAttestationReport, + .opts =3D opts_domgetsevreport, + .info =3D info_domgetsevreport, + .flags =3D 0 + }, {.name =3D "domname", .handler =3D cmdDomname, .opts =3D opts_domname, --=20 2.34.1
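Review bot: the virsh.rst hunk should state that --mnonce is mandatory (the option is declared with VSH_OFLAG_REQ_OPT in the virsh-domain.c hunk), and the sentence "On failure, guest may not be attested and should be examined to confirm so." does not tell the user what to check; say instead that on failure no report is returned and the guest's launch security state should be inspected with domlaunchsecinfo. The *--mnonce* paragraph is also missing its terminating full stop.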
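Review bot: in the cmdDomGetSevAttestationReport hunk `vshGetTypedParamValue(ctl, &params[1])` assumes the report is always the second parameter; look it up by field name (VIR_DOMAIN_SEV_ATTESTATION_REPORT_DATA) and check nparams first, otherwise a driver that returns a different order or count makes virsh print the wrong slot or read past the array. vshGetTypedParamValue() returns an allocated string that is never freed, so declare report_str as g_autofree char * and initialise it to NULL. The `if (mnonce == NULL) return false;` branch exits without any message; either report an error there or rely on the REQ_OPT handling in vshCommandOptStringReq(). The .help string "random 16 bytes value encoded in base64 to be included in report)" carries a stray closing parenthesis and should read "random 16-byte value ...", and the vshPrint() format string should be wrapped in _() like the other user-visible strings in this file.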