Allow to query launch measurement of a SEV guest

Introduce sev/querylaunchmeasurement API endpoint for VMI. Apart from
the measurement itself it returns the data needed to calculate the
expected value as specified in AMD SEV specification:

  HMAC(0x04 || API_MAJOR || API_MINOR || BUILD ||
       GCTX.POLICY || GCTX.LD || MNONCE; GCTX.TIK)

Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de>

api/openapi-spec/swagger.json

@@ -9228,6 +9228,47 @@
      }
     ]
    },
+   "/apis/subresources.kubevirt.io/v1/namespaces/{namespace:[a-z0-9][a-z0-9\\-]*}/virtualmachineinstances/{name:[a-z0-9][a-z0-9\\-]*}/sev/querylaunchmeasurement": {
+    "get": {
+     "description": "Query SEV launch measurement from a running Virtual Machine",
+     "consumes": [
+      "application/json"
+     ],
+     "produces": [
+      "application/json"
+     ],
+     "operationId": "v1SEVQueryLaunchMeasurement",
+     "responses": {
+      "200": {
+       "description": "OK",
+       "schema": {
+        "$ref": "#/definitions/v1.SEVMeasurementInfo"
+       }
+      },
+      "401": {
+       "description": "Unauthorized"
+      }
+     }
+    },
+    "parameters": [
+     {
+      "uniqueItems": true,
+      "type": "string",
+      "description": "Name of the resource",
+      "name": "name",
+      "in": "path",
+      "required": true
+     },
+     {
+      "uniqueItems": true,
+      "type": "string",
+      "description": "Object name and auth scope, such as for teams and projects",
+      "name": "namespace",
+      "in": "path",
+      "required": true
+     }
+    ]
+   },
    "/apis/subresources.kubevirt.io/v1/namespaces/{namespace:[a-z0-9][a-z0-9\\-]*}/virtualmachineinstances/{name:[a-z0-9][a-z0-9\\-]*}/softreboot": {
     "put": {
      "description": "Soft reboot a VirtualMachineInstance object.",
@@ -10445,6 +10486,47 @@
      }
     ]
    },
+   "/apis/subresources.kubevirt.io/v1alpha3/namespaces/{namespace:[a-z0-9][a-z0-9\\-]*}/virtualmachineinstances/{name:[a-z0-9][a-z0-9\\-]*}/sev/querylaunchmeasurement": {
+    "get": {
+     "description": "Query SEV launch measurement from a running Virtual Machine",
+     "consumes": [
+      "application/json"
+     ],
+     "produces": [
+      "application/json"
+     ],
+     "operationId": "v1alpha3SEVQueryLaunchMeasurement",
+     "responses": {
+      "200": {
+       "description": "OK",
+       "schema": {
+        "$ref": "#/definitions/v1.SEVMeasurementInfo"
+       }
+      },
+      "401": {
+       "description": "Unauthorized"
+      }
+     }
+    },
+    "parameters": [
+     {
+      "uniqueItems": true,
+      "type": "string",
+      "description": "Name of the resource",
+      "name": "name",
+      "in": "path",
+      "required": true
+     },
+     {
+      "uniqueItems": true,
+      "type": "string",
+      "description": "Object name and auth scope, such as for teams and projects",
+      "name": "namespace",
+      "in": "path",
+      "required": true
+     }
+    ]
+   },
    "/apis/subresources.kubevirt.io/v1alpha3/namespaces/{namespace:[a-z0-9][a-z0-9\\-]*}/virtualmachineinstances/{name:[a-z0-9][a-z0-9\\-]*}/softreboot": {
     "put": {
      "description": "Soft reboot a VirtualMachineInstance object.",
@@ -14837,6 +14919,44 @@
      }
     }
    },
+   "v1.SEVMeasurementInfo": {
+    "description": "SEVMeasurementInfo contains information about the guest launch measurement.",
+    "type": "object",
+    "properties": {
+     "apiMajor": {
+      "description": "API major version of the SEV host.",
+      "type": "integer",
+      "format": "int32"
+     },
+     "apiMinor": {
+      "description": "API minor version of the SEV host.",
+      "type": "integer",
+      "format": "int32"
+     },
+     "apiVersion": {
+      "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+      "type": "string"
+     },
+     "buildID": {
+      "description": "Build ID of the SEV host.",
+      "type": "integer",
+      "format": "int32"
+     },
+     "kind": {
+      "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+      "type": "string"
+     },
+     "measurement": {
+      "description": "Base64 encoded launch measurement of the SEV guest.",
+      "type": "string"
+     },
+     "policy": {
+      "description": "Policy of the SEV guest.",
+      "type": "integer",
+      "format": "int32"
+     }
+    }
+   },
    "v1.SEVPlatformInfo": {
     "description": "SEVPlatformInfo contains information about the AMD SEV features for the node.",
     "type": "object",

cmd/virt-handler/virt-handler.go

@@ -498,6 +498,7 @@ func (app *virtHandlerApp) runServer(errCh chan error, consoleHandler *rest.Cons
 	ws.Route(ws.GET("/v1/namespaces/{namespace}/virtualmachineinstances/{name}/userlist").To(lifecycleHandler.GetUsers).Produces(restful.MIME_JSON).Consumes(restful.MIME_JSON).Returns(http.StatusOK, "OK", v1.VirtualMachineInstanceGuestOSUserList{}))
 	ws.Route(ws.GET("/v1/namespaces/{namespace}/virtualmachineinstances/{name}/filesystemlist").To(lifecycleHandler.GetFilesystems).Produces(restful.MIME_JSON).Consumes(restful.MIME_JSON).Returns(http.StatusOK, "OK", v1.VirtualMachineInstanceFileSystemList{}))
 	ws.Route(ws.GET("/v1/namespaces/{namespace}/virtualmachineinstances/{name}/sev/fetchcertchain").To(lifecycleHandler.SEVFetchCertChainHandler).Produces(restful.MIME_JSON).Consumes(restful.MIME_JSON).Returns(http.StatusOK, "OK", v1.SEVPlatformInfo{}))
+	ws.Route(ws.GET("/v1/namespaces/{namespace}/virtualmachineinstances/{name}/sev/querylaunchmeasurement").To(lifecycleHandler.SEVQueryLaunchMeasurementHandler).Produces(restful.MIME_JSON).Consumes(restful.MIME_JSON).Returns(http.StatusOK, "OK", v1.SEVMeasurementInfo{}))
 	restful.DefaultContainer.Add(ws)
 	server := &http.Server{
 		Addr:    fmt.Sprintf("%s:%d", app.ServiceListen.BindAddress, app.consoleServerPort),

manifests/generated/operator-csv.yaml.in

@@ -737,6 +737,7 @@ spec:
           - virtualmachineinstances/filesystemlist
           - virtualmachineinstances/userlist
           - virtualmachineinstances/sev/fetchcertchain
+          - virtualmachineinstances/sev/querylaunchmeasurement
           verbs:
           - get
         - apiGroups:
@@ -835,6 +836,7 @@ spec:
           - virtualmachineinstances/filesystemlist
           - virtualmachineinstances/userlist
           - virtualmachineinstances/sev/fetchcertchain
+          - virtualmachineinstances/sev/querylaunchmeasurement
           verbs:
           - get
         - apiGroups:
@@ -934,6 +936,7 @@ spec:
           - virtualmachineinstances/filesystemlist
           - virtualmachineinstances/userlist
           - virtualmachineinstances/sev/fetchcertchain
+          - virtualmachineinstances/sev/querylaunchmeasurement
           verbs:
           - get
         - apiGroups:

manifests/generated/rbac-operator.authorization.k8s.yaml.in

@@ -639,6 +639,7 @@ rules:
   - virtualmachineinstances/filesystemlist
   - virtualmachineinstances/userlist
   - virtualmachineinstances/sev/fetchcertchain
+  - virtualmachineinstances/sev/querylaunchmeasurement
   verbs:
   - get
 - apiGroups:
@@ -737,6 +738,7 @@ rules:
   - virtualmachineinstances/filesystemlist
   - virtualmachineinstances/userlist
   - virtualmachineinstances/sev/fetchcertchain
+  - virtualmachineinstances/sev/querylaunchmeasurement
   verbs:
   - get
 - apiGroups:
@@ -836,6 +838,7 @@ rules:
   - virtualmachineinstances/filesystemlist
   - virtualmachineinstances/userlist
   - virtualmachineinstances/sev/fetchcertchain
+  - virtualmachineinstances/sev/querylaunchmeasurement
   verbs:
   - get
 - apiGroups: