From: Daniel P. Berrangé
To: libvir-list@redhat.com
Subject: [libvirt PATCH v3 06/12] tools: support validating SEV-ES initial vCPU state measurements
Date: Wed, 2 Nov 2022 11:58:55 +0000
Message-Id: <20221102115901.823636-7-berrange@redhat.com>
In-Reply-To: <20221102115901.823636-1-berrange@redhat.com>
References: <20221102115901.823636-1-berrange@redhat.com>

With the SEV-ES policy the VMSA state of each vCPU must be included in the measured data. The VMSA state can be generated using the 'sevctl' tool, by telling it a QEMU VMSA is required, and passing the hypervisor's CPU SKU (family, model, stepping).

Signed-off-by: Daniel P. Berrangé
Reviewed-by: Ján Tomko
--- docs/manpages/virt-qemu-sev-validate.rst | 58 ++++++++++++++++++++ tools/virt-qemu-sev-validate | 69 ++++++++++++++++++++++-- 2 files changed, 124 insertions(+), 3 deletions(-) diff --git a/docs/manpages/virt-qemu-sev-validate.rst b/docs/manpages/virt-= qemu-sev-validate.rst index 8fa1452c5c..9f86212cb9 100644 --- a/docs/manpages/virt-qemu-sev-validate.rst +++ b/docs/manpages/virt-qemu-sev-validate.rst 
@@ -116,6 +116,23 @@ content if omitted. String containing any kernel command line parameters used during boot of t= he domain. Defaults to the empty string if omitted. =20 +``-n COUNT``, ``--num-cpus=3DCOUNT`` + +The number of virtual CPUs for the domain. This is required when the +domain policy is set to require SEV-ES. + +``-0 PATH``, ``--vmsa-cpu0=3DPATH`` + +Path to the VMSA initial state for the boot CPU. This is required when +the domain policy is set to require SEV-ES. The file contents must be +exactly 4096 bytes in length. + +``-1 PATH``, ``--vmsa-cpu1=3DPATH`` + +Path to the VMSA initial state for the non-boot CPU. This is required when +the domain policy is set to require SEV-ES and the domain has more than one +CPU present. The file contents must be exactly 4096 bytes in length. + ``--tik PATH`` =20 TIK file for domain. This file must be exactly 16 bytes in size and contai= ns the @@ -212,6 +229,22 @@ Validate the measurement of a SEV guest with direct ke= rnel boot: --build-id 13 \ --policy 3 =20 +Validate the measurement of a SEV-ES SMP guest booting from disk: + +:: + + # virt-dom-sev-validate \ + --firmware OVMF.sev.fd \ + --num-cpus 2 \ + --vmsa-cpu0 vmsa0.bin \ + --vmsa-cpu1 vmsa1.bin \ + --tk this-guest-tk.bin \ + --measurement Zs2pf19ubFSafpZ2WKkwquXvACx9Wt/BV+eJwQ/taO8jhyIj/F8sw= FrybR1fZ2ID \ + --api-major 0 \ + --api-minor 24 \ + --build-id 13 \ + --policy 7 + Fetch from remote libvirt ------------------------- =20 @@ -245,6 +278,19 @@ Validate the measurement of a SEV guest with direct ke= rnel boot: --tk this-guest-tk.bin \ --domain fedora34x86_64 =20 +Validate the measurement of a SEV-ES SMP guest booting from disk: + +:: + + # virt-dom-sev-validate \ + --connect qemu+ssh://root@some.remote.host/system \ + --firmware OVMF.sev.fd \ + --num-cpus 2 \ + --vmsa-cpu0 vmsa0.bin \ + --vmsa-cpu1 vmsa1.bin \ + --tk this-guest-tk.bin \ + --domain fedora34x86_64 + Fetch from local libvirt ------------------------ =20 
@@ -274,6 +320,18 @@ Validate the measurement of a SEV guest with direct ke= rnel boot: --tk this-guest-tk.bin \ --domain fedora34x86_64 =20 +Validate the measurement of a SEV-ES SMP guest booting from disk: + +:: + + # virt-dom-sev-validate \ + --insecure \ + --num-cpus 2 \ + --vmsa-cpu0 vmsa0.bin \ + --vmsa-cpu1 vmsa1.bin \ + --tk this-guest-tk.bin \ + --domain fedora34x86_64 + EXIT STATUS =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =20 diff --git a/tools/virt-qemu-sev-validate b/tools/virt-qemu-sev-validate index 2c696ba04c..5abcedfb1f 100755 --- a/tools/virt-qemu-sev-validate +++ b/tools/virt-qemu-sev-validate @@ -153,13 +153,16 @@ class KernelTable(GUIDTable): =20 =20 class ConfidentialVM(object): + POLICY_BIT_SEV_ES =3D 2 + POLICY_VAL_SEV_ES =3D (1 << POLICY_BIT_SEV_ES) =20 def __init__(self, measurement=3DNone, api_major=3DNone, api_minor=3DNone, build_id=3DNone, - policy=3DNone): + policy=3DNone, + num_cpus=3DNone): self.measurement =3D measurement self.api_major =3D api_major self.api_minor =3D api_minor @@ -170,8 +173,15 @@ class ConfidentialVM(object): self.tik =3D None self.tek =3D None =20 + self.num_cpus =3D num_cpus + self.vmsa_cpu0 =3D None + self.vmsa_cpu1 =3D None + self.kernel_table =3D KernelTable() =20 + def is_sev_es(self): + return self.policy & self.POLICY_VAL_SEV_ES + def load_tik_tek(self, tik_path, tek_path): with open(tik_path, 'rb') as fh: self.tik =3D fh.read() 
@@ -207,6 +217,43 @@ class ConfidentialVM(object): self.firmware =3D fh.read() log.debug("Loader(sha256): %s", sha256(self.firmware).hexdigest()) =20 + @staticmethod + def _load_vmsa(path): + with open(path, 'rb') as fh: + vmsa =3D fh.read() + + if len(vmsa) !=3D 4096: + raise UnsupportedUsageException( + "VMSA must be 4096 bytes in length") + return vmsa + + def load_vmsa_cpu0(self, path): + self.vmsa_cpu0 =3D self._load_vmsa(path) + log.debug("VMSA CPU 0(sha256): %s", + sha256(self.vmsa_cpu0).hexdigest()) + + def load_vmsa_cpu1(self, path): + self.vmsa_cpu1 =3D self._load_vmsa(path) + log.debug("VMSA CPU 1(sha256): %s", + sha256(self.vmsa_cpu1).hexdigest()) + + def get_cpu_state(self): + if self.num_cpus is None: + raise UnsupportedUsageException( + "Number of virtual CPUs must be specified for SEV-ES domai= n") + + if self.vmsa_cpu0 is None: + raise UnsupportedUsageException( + "VMSA for boot CPU required for SEV-ES domain") + + if self.num_cpus > 1 and self.vmsa_cpu1 is None: + raise UnsupportedUsageException( + "VMSA for additional CPUs required for SEV-ES domain with = SMP") + + vmsa =3D self.vmsa_cpu0 + (self.vmsa_cpu1 * (self.num_cpus - 1)) + log.debug("VMSA(sha256): %s", sha256(vmsa).hexdigest()) + return vmsa + # Get the full set of measured launch data for the domain # # The measured data that the guest is initialized with is the concaten= ation @@ -217,6 +264,8 @@ class ConfidentialVM(object): def get_measured_data(self): measured_data =3D (self.firmware + self.kernel_table.build()) + if self.is_sev_es(): + measured_data +=3D self.get_cpu_state() log.debug("Measured-data(sha256): %s", sha256(measured_data).hexdigest()) return measured_data 
@@ -454,6 +503,12 @@ def parse_command_line(): help=3D'Path to the initrd binary') vmconfig.add_argument('--cmdline', '-e', help=3D'Cmdline string booted with') + vmconfig.add_argument('--num-cpus', '-n', type=3Dint, + help=3D'Number of virtual CPUs') + vmconfig.add_argument('--vmsa-cpu0', '-0', + help=3D'VMSA state for the boot CPU') + vmconfig.add_argument('--vmsa-cpu1', '-1', + help=3D'VMSA state for the additional CPUs') vmconfig.add_argument('--tik', help=3D'TIK file for domain') vmconfig.add_argument('--tek', @@ -524,13 +579,15 @@ def attest(args): api_major=3Dargs.api_major, api_minor=3Dargs.api_minor, build_id=3Dargs.build_id, - policy=3Dargs.policy) + policy=3Dargs.policy, + num_cpus=3Dargs.num_cpus) else: cvm =3D LibvirtConfidentialVM(measurement=3Dargs.measurement, api_major=3Dargs.api_major, api_minor=3Dargs.api_minor, build_id=3Dargs.build_id, - policy=3Dargs.policy) + policy=3Dargs.policy, + num_cpus=3Dargs.num_cpus) =20 if args.firmware is not None: cvm.load_firmware(args.firmware) @@ -549,6 +606,12 @@ def attest(args): if args.cmdline is not None: cvm.kernel_table.load_cmdline(args.cmdline) =20 + if args.vmsa_cpu0 is not None: + cvm.load_vmsa_cpu0(args.vmsa_cpu0) + + if args.vmsa_cpu1 is not None: + cvm.load_vmsa_cpu1(args.vmsa_cpu1) + if args.domain is not None: cvm.load_domain(args.connect, args.domain, --=20 2.37.3
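
Review bot: the three examples added to docs/manpages/virt-qemu-sev-validate.rst invoke `virt-dom-sev-validate`, while the man page and the script touched by this patch are both named virt-qemu-sev-validate, so a reader copying an example gets a command name that does not match the tool; use `virt-qemu-sev-validate` in each. In the `--vmsa-cpu1` option text it would also help to say that this one file is used for every non-boot CPU, since get_cpu_state() repeats it num_cpus - 1 times.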
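
Review bot: in the ConfidentialVM hunk, is_sev_es() evaluates `self.policy & self.POLICY_VAL_SEV_ES` while the constructor still defaults to `policy=None`, so get_measured_data() on an object whose policy is unset raises TypeError rather than a usage error. Check for None first and raise UnsupportedUsageException with a message naming the missing policy, and return a bool (for example by comparing the masked value with 0) so the method matches its name.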
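
Review bot: in get_cpu_state(), a single-vCPU SEV-ES guest passes all three checks with vmsa_cpu1 left as None, and the following `self.vmsa_cpu1 * (self.num_cpus - 1)` then evaluates None * 0, which raises TypeError. Start from self.vmsa_cpu0 and append the repeated secondary VMSA only when num_cpus > 1, so the uniprocessor case works without `--vmsa-cpu1`.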
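
Review bot: in parse_command_line(), `--num-cpus` is declared with `type=int` only, so 0 and negative counts are accepted. With `--vmsa-cpu1` supplied, get_cpu_state() then multiplies the bytes by a non-positive number, which yields an empty string, and the measured data silently contains only the boot CPU VMSA instead of failing. Reject values below 1, either in the argparse type or alongside the existing `num_cpus is None` check.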