[PATCH 3/3] docs/interop: Add firmware digests to schema

Oliver Steffen posted 3 patches 2 days, 1 hour ago
Maintainers: "Philippe Mathieu-Daudé" <philmd@linaro.org>, "Daniel P. Berrangé" <berrange@redhat.com>, Kashyap Chamarthy <kchamart@redhat.com>
Posted by Oliver Steffen 2 days, 1 hour ago
Add a new optional top-level array called "digests" to the firmware JSON
metadata schema. This can be used to attach different kinds of
digests/hash values associated with the firmware image to the metadata
file. The entries in the array are of a fixed type of JSON object,
which describes the kind of digest, the hash algorithm used, as well as
the value itself.

The only kind of supported digest type for now is the expected launch
digest for confidential VMs running on AMD SEV-SNP. The list of allowed
types can be extended in the future as needed to support other
use-cases.

Signed-off-by: Oliver Steffen <osteffen@redhat.com>
---
 docs/interop/firmware.json | 86 +++++++++++++++++++++++++++++++++++++-
 1 file changed, 85 insertions(+), 1 deletion(-)

diff --git a/docs/interop/firmware.json b/docs/interop/firmware.json
index dabfa692fd..46d6b431c0 100644
--- a/docs/interop/firmware.json
+++ b/docs/interop/firmware.json
@@ -426,6 +426,53 @@
                       'memory' : 'FirmwareMappingMemory',
                       'igvm'   : 'FirmwareMappingIgvm' } }
 
+##
+# @FirmwareDigestType:
+#
+# Type of digest.
+#
+# @amd-sev-snp-launch: AMD SEV-SNP launch digest.
+##
+{ 'enum': 'FirmwareDigestType',
+  'data': [ 'amd-sev-snp-launch' ] }
+
+##
+# @AmdSevSnpLaunchHashAlg:
+#
+# Hash algorithms used for AMD SEV-SNP launch digests.
+#
+# @sha384: SHA-384
+##
+{ 'enum': 'AmdSevSnpLaunchHashAlg',
+  'data': [ 'sha384' ] }
+
+##
+# @AmdSevSnpLaunchDigest:
+#
+# Description of a launch digest as used by AMD SEV-SNP
+#
+# @hash-alg: Hashing algorithm
+#
+# @value: Digest value as hex string
+##
+{ 'struct' : 'AmdSevSnpLaunchDigest',
+  'data'   : { 'hash-alg' : 'AmdSevSnpLaunchHashAlg',
+               'value'    : 'str' } }
+
+##
+# @FirmwareDigest:
+#
+# Digests associated with the firmware image
+#
+# For example launch digests for attestation of confidential VMs.
+#
+# @type: Kind of digest.
+##
+{ 'union'         : 'FirmwareDigest',
+  'base'          : { 'type' : 'FirmwareDigestType' },
+  'discriminator' : 'type',
+  'data'          : { 'amd-sev-snp-launch' : 'AmdSevSnpLaunchDigest' } }
+
 ##
 # @Firmware:
 #
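Review bot: `@value` in AmdSevSnpLaunchDigest is typed as a plain 'str' and documented only as "Digest value as hex string", so the schema leaves open how long the string must be, whether upper-case digits are accepted, and whether a "0x" prefix is. With sha384 as the only algorithm, the doc comment could state the exact expected length and the case and prefix convention, so that every consumer comparing this value against a measured digest normalizes it the same way. The four new doc blocks also carry no "Since:" line, while the @Firmware block in the next hunk does.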
@@ -512,6 +559,10 @@
 #     debugging purposes only, and management software shall
 #     explicitly ignore it.
 #
+# @digests: (optional) Digest information associated with the
+#     firmware image, for example launch digests for confidential
+#     virtualization.
+#
 # Since: 3.0
 #
 # .. qmp-example::
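Review bot: the `@digests` description is inserted directly above the existing "Since: 3.0" line, so the member reads as if it had been part of the struct since 3.0. Add a per-member since annotation naming the release this lands in. The text could also say what management software should do with an entry whose `type` it does not recognize, as the preceding member's description does with "shall explicitly ignore it".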
@@ -713,6 +764,38 @@
 #             "-D DEBUG_PRINT_ERROR_LEVEL=0x80000000"
 #         ]
 #     }
+#
+#     {
+#        "description": "Coconut SVSM for QEMU under AMD SEV-SNP",
+#        "interface-types": [
+#            "uefi",
+#            "svsm"
+#         ],
+#        "mapping": {
+#           "device": "igvm",
+#           "filename": "/usr/share/coconut-svsm/coconut-qemu.igvm"
+#        },
+#        "targets": [
+#           {
+#              "architecture": "x86_64",
+#              "machines": [
+#                  "pc-q35-*"
+#              ]
+#           }
+#        ],
+#        "features": [
+#           "amd-sev-snp",
+#           "vtpm"
+#        ],
+#        "tags": [],
+#        "digests": [
+#           {
+#             "type": "amd-sev-snp-launch",
+#             "hash-alg": "sha384",
+#             "value": "ec664e889ed6c1b2763cacf7899d95b7f347373eb982e523419feea3aa362d891b3bf025f292267a5854049091789c3e"
+#           }
+#        ]
+#     }
 ##
 { 'struct' : 'Firmware',
   'data'   : { 'description'     : 'str',
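Review bot: the indentation of the added Coconut SVSM example is inconsistent, both internally and against the example just above it. Top-level keys sit three columns inside the opening brace, the `],` that closes "interface-types" is one column off its opener, nested levels step by three or four columns, and the members of the "digests" object step by two. Re-indent it with the four-column step the context lines use. The example also relies on "svsm" and "vtpm", which this patch does not define, so it is worth confirming the earlier patches in the series add them to the corresponding enums.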
@@ -720,4 +803,5 @@
                'mapping'         : 'FirmwareMapping',
                'targets'         : [ 'FirmwareTarget' ],
                'features'        : [ 'FirmwareFeature' ],
-               'tags'            : [ 'str' ] } }
+               'tags'            : [ 'str' ],
+               '*digests'        : [ 'FirmwareDigest' ] } }
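Review bot: `'*digests' : [ 'FirmwareDigest' ]` puts no constraint on the array, so an empty list and several entries with the same `type` (even with conflicting `value`s) are all schema-valid. The `@digests` documentation should say whether repeated types are allowed and, if they are, how a consumer is expected to choose between them; if they are not, state that each type may appear at most once.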
-- 
2.52.0
Re: [PATCH 3/3] docs/interop: Add firmware digests to schema
Posted by Gerd Hoffmann 1 day, 21 hours ago
  Hi,

> +##
> +# @AmdSevSnpLaunchHashAlg:
> +#
> +# Hash algorithms used for AMD SEV-SNP launch digests.
> +#
> +# @sha384: SHA-384
> +##
> +{ 'enum': 'AmdSevSnpLaunchHashAlg',
> +  'data': [ 'sha384' ] }

Hmm.  When it comes to extending this:  Do we want to be very strict, like
this, and have a per-type list of digests?

One possible extension which comes to mind is the 'platform-code' digest
measured into TPMs (pcr0).  The possible hash algorithms here are
everything supported by the TPM, i.e. sha1, sha256, sha384, sha512.
I think for something new introduced in 2026 we can ignore sha1,
leaving the other three on the table.

So one option would be to add a TPMHashAlg enum for this (sticking to
the theme).

The alternative approach would be to have a common 'FirmwareHashAlg' for
all types.  Would make the structs below a bit simpler, the
AmdSevSnpLaunchDigest is not needed then and FirmwareDigest can be a
simple struct instead of a union.  On the other hand it would allow some
invalid combinations such as sha256 for amd-snp launch digest.

Opinions?

take care,
  Gerd
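
The trade-off raised in the reply above, seen from the consumer side, as an added example that is not part of the patch or of QEMU: with one common hash-algorithm enum, management software itself has to reject mismatched pairs such as sha256 for an SNP launch digest, and in either design it has to check that the hex string has the length the algorithm implies. The `platform-code` type name, the function names and the sample values are assumptions made for illustration.

```python
import json
import string

# Digest size in bytes for each algorithm name a common enum might carry.
HASH_LEN = {"sha256": 32, "sha384": 48, "sha512": 64}

# Algorithms accepted per digest type. "amd-sev-snp-launch" with sha384 is from
# the patch; "platform-code" is a hypothetical name for the TPM PCR0 extension.
ALLOWED = {
    "amd-sev-snp-launch": {"sha384"},
    "platform-code": {"sha256", "sha384", "sha512"},
}


def check_digest(entry):
    """Return the list of problems found in one "digests" entry ([] if valid)."""
    if not isinstance(entry, dict):
        return ["entry is not a JSON object"]
    dtype, alg, value = entry.get("type"), entry.get("hash-alg"), entry.get("value")
    if not isinstance(dtype, str) or dtype not in ALLOWED:
        return [f"unknown digest type {dtype!r}"]
    if not isinstance(alg, str) or alg not in ALLOWED[dtype]:
        return [f"hash-alg {alg!r} is not valid for type {dtype!r}"]
    if not isinstance(value, str) or not value or set(value) - set(string.hexdigits):
        return ["value is not a hex string"]
    if len(value) != 2 * HASH_LEN[alg]:
        return [f"value has {len(value)} hex digits, {alg} needs {2 * HASH_LEN[alg]}"]
    return []


def check_descriptor(text):
    """Map index -> problems for every invalid entry of the optional array."""
    digests = json.loads(text).get("digests", [])
    return {i: p for i, e in enumerate(digests) if (p := check_digest(e))}


# Constructed sample descriptor fragment; the digest values are filler, not real.
SAMPLE = json.dumps({"digests": [
    {"type": "amd-sev-snp-launch", "hash-alg": "sha384", "value": "ab" * 48},
    {"type": "amd-sev-snp-launch", "hash-alg": "sha256", "value": "ab" * 32},
    {"type": "platform-code", "hash-alg": "sha384", "value": "ab" * 32},
]})

if __name__ == "__main__":
    for index, problems in check_descriptor(SAMPLE).items():
        print(index, problems)
```

With the strict per-type enums from the patch, the second entry would already be rejected by schema validation; the length check on the third is needed under both designs.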