This addresses a few issues in the AMD SEV support
- Neither host or domain level SEV metadata is
exposed in virsh commands
- The domain launch security parameters don't expose
enough info to validate the measurement
- Support verified direct kernel boot
- Report max SEV/SEV-ES guest counts
The second point was the initial purpose of my work. Per the
SEV API guide to calculate the measurement we need
measurement = HMAC(0x04 || API_MAJOR || API_MINOR || BUILD ||
GCTX.POLICY || GCTX.LD || MNONCE; GCTX.TIK)
The API_MINOR, API_MAJOR, BUILD values are things that are
available from 'query-sev' QMP command and libvirt does
not expose this info. This patch series adds them to
virDomainGetLaunchSecurityParams alongside the measurement
that we already report.
So now the client can fetch this info and calculate an expected
measurement to compare with the actual measurement they got.
They will thus know if the guest is safe to inject secrets into,
which is where Jim's recent patches come into play.
Daniel P. Berrangé (12):
include: add new launch security parameters
qemu: report error querying launch params for inactive guest
qemu: add monitor APIs for query-sev
qemu: report new launch security parameters
tools: add 'domlaunchsecinfo' virsh command
tools: add 'nodesevinfo' virsh command
conf: extend domain capabilities for max SEV guest count
include: define parameters for reporting SEV guest limits
qemu: report max number of SEV guests
conf: add support for setting SEV kernel hashes
qemu: probe for sev-guest.kernel-hashes property
qemu: format sev-guest.kernel-hashes property
docs/formatdomain.rst | 7 +-
docs/formatdomaincaps.html.in | 6 +
docs/manpages/virsh.rst | 31 +++++
docs/schemas/domaincaps.rng | 6 +
docs/schemas/domaincommon.rng | 5 +
include/libvirt/libvirt-domain.h | 32 +++++
include/libvirt/libvirt-host.h | 16 +++
src/conf/domain_capabilities.c | 4 +
src/conf/domain_capabilities.h | 2 +
src/conf/domain_conf.c | 8 ++
src/conf/domain_conf.h | 1 +
src/qemu/qemu_capabilities.c | 46 ++++++++
src/qemu/qemu_capabilities.h | 1 +
src/qemu/qemu_command.c | 7 ++
src/qemu/qemu_driver.c | 59 ++++++++--
src/qemu/qemu_monitor.c | 13 +++
src/qemu/qemu_monitor.h | 9 ++
src/qemu/qemu_monitor_json.c | 46 ++++++++
src/qemu/qemu_monitor_json.h | 9 ++
src/qemu/qemu_validate.c | 8 ++
.../domaincapsdata/qemu_2.12.0-q35.x86_64.xml | 2 +
.../domaincapsdata/qemu_2.12.0-tcg.x86_64.xml | 2 +
tests/domaincapsdata/qemu_2.12.0.x86_64.xml | 2 +
.../domaincapsdata/qemu_6.0.0-q35.x86_64.xml | 2 +
.../domaincapsdata/qemu_6.0.0-tcg.x86_64.xml | 2 +
tests/domaincapsdata/qemu_6.0.0.x86_64.xml | 2 +
.../domaincapsdata/qemu_6.2.0-q35.x86_64.xml | 7 +-
.../domaincapsdata/qemu_6.2.0-tcg.x86_64.xml | 7 +-
tests/domaincapsdata/qemu_6.2.0.x86_64.xml | 7 +-
.../caps_2.12.0.x86_64.replies | 97 ++++++++++++----
.../caps_3.0.0.x86_64.replies | 97 ++++++++++++----
.../caps_3.1.0.x86_64.replies | 97 ++++++++++++----
.../caps_4.0.0.x86_64.replies | 97 ++++++++++++----
.../caps_4.1.0.x86_64.replies | 89 ++++++++++----
.../caps_4.2.0.x86_64.replies | 89 ++++++++++----
.../caps_5.0.0.x86_64.replies | 89 ++++++++++----
.../caps_5.1.0.x86_64.replies | 89 ++++++++++----
.../caps_5.2.0.x86_64.replies | 89 ++++++++++----
.../caps_6.0.0.x86_64.replies | 89 ++++++++++----
.../caps_6.1.0.x86_64.replies | 89 ++++++++++----
.../caps_6.2.0.x86_64.replies | 109 ++++++++++++++----
.../caps_6.2.0.x86_64.xml | 8 ++
tests/qemumonitorjsontest.c | 43 +++++++
...unch-security-sev-direct.x86_64-6.2.0.args | 40 +++++++
.../launch-security-sev-direct.xml | 39 +++++++
tests/qemuxml2argvtest.c | 1 +
tools/virsh-domain.c | 53 +++++++++
tools/virsh-host.c | 45 ++++++++
48 files changed, 1427 insertions(+), 271 deletions(-)
create mode 100644 tests/qemuxml2argvdata/launch-security-sev-direct.x86_64-6.2.0.args
create mode 100644 tests/qemuxml2argvdata/launch-security-sev-direct.xml
--
2.33.1