From nobody Mon Feb  9 17:56:05 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of redhat.com designates
 170.10.133.124 as permitted sender) client-ip=170.10.133.124;
 envelope-from=libvir-list-bounces@redhat.com;
 helo=us-smtp-delivery-124.mimecast.com;
Authentication-Results: mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as
 permitted sender)  smtp.mailfrom=libvir-list-bounces@redhat.com;
	dmarc=pass(p=none dis=none)  header.from=redhat.com
ARC-Seal: i=1; a=rsa-sha256; t=1665143037; cv=none;
	d=zohomail.com; s=zohoarc;
	b=kdNuInD9gVH9grzeJpGWYNSfI6Dlc4X4EPOGmxP9CwnatWDkGXLJG/F4HmNZVGF3Jl8mlP0vZR6nfjJxUAjj4Neb7i6ZOuXK3B0pFkC2g7MsyoQXsbbvr2VlkK7Vs2OI//w3WXq9Lvf/vK12WHt1I41nwHuUKdSTWuAvOCj7gp0=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1665143037;
 h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To;
	bh=0Q0hqWvc7+TCY8qssc+V2wjGO5ytIWHhaj4wJ+WLHCg=;
	b=IHWhJUv3McnkyIs39MIKdrd7ou71YGwFjcYiSUZfuLAxnwNgoQEi6y46x/I3rzOwuZpPJ2B0QT8lAWJmo6S0hQRBt/1VTv3Ttka58wamuBDVW3rYQ+H4TRX9rryQ9WRe7S7Ja3neccw/VYu4HpXsDVZsWktzodDNiQGAmoXY7eo=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as
 permitted sender)  smtp.mailfrom=libvir-list-bounces@redhat.com;
	dmarc=pass header.from=<berrange@redhat.com> (p=none dis=none)
Return-Path: <libvir-list-bounces@redhat.com>
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by mx.zohomail.com
	with SMTPS id 1665143037506630.195199972623;
 Fri, 7 Oct 2022 04:43:57 -0700 (PDT)
Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com
 [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 us-mta-606-MTnslLjtMLC0184EluPjyA-1; Fri, 07 Oct 2022 07:43:45 -0400
Received: from smtp.corp.redhat.com (int-mx10.intmail.prod.int.rdu2.redhat.com
 [10.11.54.10])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 746B4833941;
	Fri,  7 Oct 2022 11:43:43 +0000 (UTC)
Received: from mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com
 (unknown [10.30.29.100])
	by smtp.corp.redhat.com (Postfix) with ESMTP id 62C09535943;
	Fri,  7 Oct 2022 11:43:43 +0000 (UTC)
Received: from mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com
 (localhost [IPv6:::1])
	by mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (Postfix) with
 ESMTP id D2C101947B80;
	Fri,  7 Oct 2022 11:43:15 +0000 (UTC)
Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.rdu2.redhat.com
 [10.11.54.8])
 by mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (Postfix) with
 ESMTP id 73D301946A49 for <libvir-list@listman.corp.redhat.com>;
 Fri,  7 Oct 2022 11:43:12 +0000 (UTC)
Received: by smtp.corp.redhat.com (Postfix)
 id 6E1EBC16932; Fri,  7 Oct 2022 11:43:12 +0000 (UTC)
Received: from localhost.localdomain.com (unknown [10.33.36.42])
 by smtp.corp.redhat.com (Postfix) with ESMTP id 07836C15BA4;
 Fri,  7 Oct 2022 11:43:11 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1665143036;
	h=from:from:sender:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:mime-version:mime-version:
	 content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references:list-id:list-help:
	 list-unsubscribe:list-subscribe:list-post;
	bh=0Q0hqWvc7+TCY8qssc+V2wjGO5ytIWHhaj4wJ+WLHCg=;
	b=d9d/+3htHFTbXHBW4dC/3vJ0dYY9exArbptt3NfpyU+KvgxNtyEONgkTQC58R5rF+JKoT7
	X7FQwRGCSL6NqLdRvWzr8DAoHmaGKjvp58wMFUa+3Frnh/S0NbWO5gvYhPCiQTWHi42gqs
	yjn0ZiUN/JbGw+uGCWbV7wqYlIwtBZg=
X-MC-Unique: MTnslLjtMLC0184EluPjyA-1
X-Original-To: libvir-list@listman.corp.redhat.com
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
To: libvir-list@redhat.com
Subject: [libvirt PATCH 05/12] tools: load direct kernel config from libvirt
Date: Fri,  7 Oct 2022 12:43:00 +0100
Message-Id: <20221007114307.1461861-6-berrange@redhat.com>
In-Reply-To: <20221007114307.1461861-1-berrange@redhat.com>
References: <20221007114307.1461861-1-berrange@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 3.1 on 10.11.54.8
X-BeenThere: libvir-list@redhat.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Development discussions about the libvirt library & tools
 <libvir-list.redhat.com>
List-Unsubscribe: <https://listman.redhat.com/mailman/options/libvir-list>,
 <mailto:libvir-list-request@redhat.com?subject=unsubscribe>
List-Archive: <http://listman.redhat.com/archives/libvir-list/>
List-Post: <mailto:libvir-list@redhat.com>
List-Help: <mailto:libvir-list-request@redhat.com?subject=help>
List-Subscribe: <https://listman.redhat.com/mailman/listinfo/libvir-list>,
 <mailto:libvir-list-request@redhat.com?subject=subscribe>
Errors-To: libvir-list-bounces@redhat.com
Sender: "libvir-list" <libvir-list-bounces@redhat.com>
X-Scanned-By: MIMEDefang 3.1 on 10.11.54.10
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-ZohoMail-DKIM: pass (identity @redhat.com)
X-ZM-MESSAGEID: 1665143038073100002

When connected to libvirt we can validate that the guest configuration
has the kernel hashes property enabled, otherwise including the kernel
GUID table in our expected measurements is not likely to match the
actual measurement.

When running locally we can also automatically detect the kernel/initrd
paths, along with the cmdline string from the XML.

Signed-off-by: Daniel P. Berrang=C3=A9 <berrange@redhat.com>
---
 docs/manpages/virt-qemu-sev-validate.rst |  9 ++++
 tools/virt-qemu-sev-validate.py          | 59 ++++++++++++++++++++++++
 2 files changed, 68 insertions(+)

diff --git a/docs/manpages/virt-qemu-sev-validate.rst b/docs/manpages/virt-=
qemu-sev-validate.rst
index da804ae6a0..beb40383be 100644
--- a/docs/manpages/virt-qemu-sev-validate.rst
+++ b/docs/manpages/virt-qemu-sev-validate.rst
@@ -263,6 +263,15 @@ Validate the measurement of a SEV guest booting from d=
isk:
        --tk this-guest-tk.bin \
        --domain fedora34x86_64
=20
+Validate the measurement of a SEV guest with direct kernel boot:
+
+::
+
+   # virt-dom-sev-validate \
+       --insecure \
+       --tk this-guest-tk.bin \
+       --domain fedora34x86_64
+
 EXIT STATUS
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
=20
diff --git a/tools/virt-qemu-sev-validate.py b/tools/virt-qemu-sev-validate=
.py
index 4bc3b925f7..f2eeabac0d 100755
--- a/tools/virt-qemu-sev-validate.py
+++ b/tools/virt-qemu-sev-validate.py
@@ -293,6 +293,35 @@ class LibvirtConfidentialVM(ConfidentialVM):
             raise IncorrectConfigException(
                 "Domain must have one firmware path")
=20
+        measure_kernel_nodes =3D doc.xpath(
+            "/domain/launchSecurity[@type=3D'sev']/@kernelHashes")
+        measure_kernel =3D False
+        if len(measure_kernel_nodes) =3D=3D 1:
+            if measure_kernel_nodes[0] =3D=3D "yes":
+                measure_kernel =3D True
+
+        xp_kernel =3D "/domain/os/kernel"
+        xp_initrd =3D "/domain/os/initrd"
+        xp_cmdline =3D "/domain/os/cmdline"
+        kern_nodes =3D (doc.xpath(xp_kernel) +
+                      doc.xpath(xp_initrd) +
+                      doc.xpath(xp_cmdline))
+        if not measure_kernel:
+            if len(self.kernel_table.entries()) !=3D 0:
+                raise UnsupportedUsageException(
+                    "kernel/initrd/cmdline provided but kernel "
+                    "measurement not enabled")
+
+            # Check for an insecure scenario
+            if len(kern_nodes) !=3D 0 and secure:
+                raise InsecureUsageException(
+                    "direct kernel boot present without measurement")
+        else:
+            if len(kern_nodes) =3D=3D 0:
+                raise IncorrectConfigException(
+                    "kernel/initrd/cmdline not provided but kernel "
+                    "measurement is enabled")
+
     def load_domain(self, uri, id_name_uuid, secure, ignore_config):
         self.conn =3D libvirt.open(uri)
=20
@@ -356,6 +385,36 @@ class LibvirtConfidentialVM(ConfidentialVM):
=20
             self.load_firmware(loadernodes[0].text)
=20
+        if self.kernel_table.kernel is None:
+            kernelnodes =3D doc.xpath("/domain/os/kernel")
+            if len(kernelnodes) !=3D 0:
+                if remote:
+                    raise UnsupportedUsageException(
+                        "Cannot access kernel path remotely")
+                if secure:
+                    raise InsecureUsageException(
+                        "Using kernel path from XML is not secure")
+                self.kernel_table.load_kernel(kernelnodes[0].text)
+
+        if self.kernel_table.initrd is None:
+            initrdnodes =3D doc.xpath("/domain/os/initrd")
+            if len(initrdnodes) !=3D 0:
+                if remote:
+                    raise UnsupportedUsageException(
+                        "Cannot access initrd path remotely")
+                if secure:
+                    raise InsecureUsageException(
+                        "Using initrd path from XML is not secure")
+                self.kernel_table.load_initrd(initrdnodes[0].text)
+
+        if self.kernel_table.cmdline is None:
+            cmdlinenodes =3D doc.xpath("/domain/os/cmdline")
+            if len(cmdlinenodes) !=3D 0:
+                if secure:
+                    raise InsecureUsageException(
+                        "Using cmdline string from XML is not secure")
+                self.kernel_table.load_cmdline(cmdlinenodes[0].text)
+
=20
 def parse_command_line():
     parser =3D argparse.ArgumentParser(
--=20
2.37.3