Introduce API endpoints for SEV attestation #7197
Introduce sev/querylaunchmeasurement API endpoint for VMI. Apart from the measurement itself it returns the data needed to calculate the expected value as specified in AMD SEV specification: HMAC(0x04 || API_MAJOR || API_MINOR || BUILD || GCTX.POLICY || GCTX.LD || MNONCE; GCTX.TIK)
Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de>

Introduce sev/setupsession API endpoint for VMI. It can be used to provide the session launch blob and the Diffie-Hellman key for a guest that has been scheduled to run on a particular node.
Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de>

Introduce sev/injectlaunchsecret API endpoint for VMI to inject an encrypted secret into a paused guest.
Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de>

Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de>

This reverts fetching of the certs from the node labeller. If fetched directly in virt-launcher context that will automatically handle certificates rotation since the API call will return the most recent state.
Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de>

Ensure the request fails if VMI is not running.
Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de>

Do not hardcode the expected parameters since they are bound to a specific hardware instance. Instead try to detect those in runtime using virsh cli.
Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de>

Use sevctl tool to prepare the parameters in runtime.
Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de>

Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de>
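The querylaunchmeasurement commit message above gives the formula the guest owner has to recompute before trusting the guest: HMAC(0x04 || API_MAJOR || API_MINOR || BUILD || GCTX.POLICY || GCTX.LD || MNONCE; GCTX.TIK). The following Go program is an added example, not KubeVirt's own code, of the owner-side check that would run on the values such an endpoint returns. The byte layout (one byte each for API_MAJOR, API_MINOR and BUILD, a 4-byte little-endian POLICY, a 32-byte LD, a 16-byte MNONCE) and the use of HMAC-SHA256 follow the AMD SEV API specification and are assumptions here, as are the struct and function names; the sample values, including the TIK and the firmware-side measurement, are constructed so the program runs offline.

```go
// Added example (not KubeVirt code): recompute the SEV launch measurement and
// decide whether a secret may be injected. Layout and HMAC-SHA256 are taken from
// the AMD SEV API specification (assumption, not stated on the PR page).
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// launchMeasurementInfo holds what the owner gets back from a
// querylaunchmeasurement-style call. Field names are assumptions.
type launchMeasurementInfo struct {
	apiMajor, apiMinor, buildID uint8
	policy                      uint32
	launchDigest                [32]byte // GCTX.LD: digest of the launched firmware
	nonce                       [16]byte // MNONCE, chosen by the firmware
	measurement                 [32]byte // HMAC produced by the firmware
}

// measurementInput serialises the HMAC message in the order of the formula:
// 0x04 || API_MAJOR || API_MINOR || BUILD || POLICY (LE) || LD || MNONCE.
func measurementInput(info *launchMeasurementInfo) []byte {
	buf := make([]byte, 0, 1+3+4+32+16)
	buf = append(buf, 0x04, info.apiMajor, info.apiMinor, info.buildID)
	var policy [4]byte
	binary.LittleEndian.PutUint32(policy[:], info.policy)
	buf = append(buf, policy[:]...)
	buf = append(buf, info.launchDigest[:]...)
	buf = append(buf, info.nonce[:]...)
	return buf
}

// expectedMeasurement is HMAC-SHA256 over the message keyed with the
// transport integrity key (TIK) the owner derived during session setup.
func expectedMeasurement(info *launchMeasurementInfo, tik []byte) []byte {
	mac := hmac.New(sha256.New, tik)
	mac.Write(measurementInput(info))
	return mac.Sum(nil)
}

// verifyLaunchMeasurement is the owner's go/no-go decision before injecting a
// secret. The HMAC only proves the firmware reported these values; the owner
// must also check that POLICY and LD are the ones it intended to launch.
func verifyLaunchMeasurement(info *launchMeasurementInfo, tik []byte, wantPolicy uint32, wantDigest [32]byte) error {
	if info.policy != wantPolicy {
		return fmt.Errorf("guest policy 0x%08x does not match expected 0x%08x", info.policy, wantPolicy)
	}
	if info.launchDigest != wantDigest {
		return errors.New("launch digest does not match the expected firmware image")
	}
	if !hmac.Equal(expectedMeasurement(info, tik), info.measurement[:]) {
		return errors.New("launch measurement HMAC mismatch")
	}
	return nil
}

// sampleInfo builds a constructed endpoint response. The measurement is filled
// in the way the firmware would for the given TIK so the example is self-contained.
func sampleInfo(tik []byte, policy uint32, digest [32]byte) *launchMeasurementInfo {
	info := &launchMeasurementInfo{apiMajor: 0, apiMinor: 24, buildID: 15, policy: policy, launchDigest: digest}
	copy(info.nonce[:], []byte("const-nonce-0001")) // constructed 16-byte nonce
	copy(info.measurement[:], expectedMeasurement(info, tik))
	return info
}

func main() {
	tik := []byte("constructed-16-byte-tik!")                          // constructed key
	digest := sha256.Sum256([]byte("constructed OVMF image bytes"))    // constructed LD
	const policy = 0x00000001                                           // NODBG bit set
	info := sampleInfo(tik, policy, digest)
	fmt.Println("measurement:", hex.EncodeToString(info.measurement[:]))
	fmt.Println("verify:", verifyLaunchMeasurement(info, tik, policy, digest))
	// A guest launched with a policy other than the one the owner expects is refused
	// even though its HMAC is genuine.
	fmt.Println("wrong policy:", verifyLaunchMeasurement(info, tik, 0x00000003, digest))
}
```

The point of the two extra comparisons is that a valid HMAC alone is not attestation: the firmware will happily sign a debug-enabled policy or a different image, so the owner compares the returned POLICY and LD against its own expectation and only then sends the secret through injectlaunchsecret.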
/test pull-kubevirt-e2e-k8s-1.26-sev
/test pull-kubevirt-e2e-k8s-1.26-sig-storage
@alicefr, @iholder101, a gentle ping :) Would appreciate it if you could re-lgtm or approve the PR. Thanks!

manager, _ := NewLibvirtDomainManager(mockConn, testVirtShareDir, testEphemeralDiskDir, nil, ovmfDir, ephemeralDiskCreatorMock, metadataCache)
sevMeasurementInfo, err := manager.GetLaunchMeasurement(vmi)
if runtime.GOARCH == "amd64" {
Shouldn't we skip all the SEV suite if this isn't amd64?
I am not sure about skipping, since it may hide potential issues. If the code is expected to error out on non-amd64, IMHO, better to have a test in place to ensure it. In this particular case, manager.GetLaunchMeasurement fails due to missing OVMF code binary with SEV support.
Ok, fine to me!
@@ -197,6 +187,31 @@ var _ = Describe("[sig-compute]AMD Secure Encrypted Virtualization (SEV)", decor
}
}

parseVirshInfo := func(info string, expectedKeys []string) map[string]string {
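Review bot: parseVirshInfo takes an expectedKeys slice but its signature returns only map[string]string, so a key missing from the virsh output can only surface later as an empty string at the call site. Consider failing inside the helper (for example Expect(entries).To(HaveKey(key)) for each entry of expectedKeys, in line with the Ginkgo/Gomega style of the surrounding Describe block) or returning an error, so that truncated or unexpected virsh output is reported at the parse step rather than as a confusing mismatch further down the SEV flow.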
This might be a good function to move to a shared file for utils. It can be done in a following PR.
Agree, this is a good candidate for common utils. Though, on the other hand, I think it makes sense to move it when there are several users of that function. Otherwise, the utils tend to grow.
return entries
}

toUint := func(s string) uint {
Same as above, we could move it to a common shared file.
/approve
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: alicefr
Thanks a lot @alicefr for the review and valuable input!
Sorry for the delay @vasiliy-ul! Thanks very much for this PR! Appreciate your contributions a lot, I know it wasn't easy :) /lgtm
/retest-required
@vasiliy-ul: The following tests failed, say
Thank you for the review, @iholder101! /test pull-kubevirt-unit-test
Looks like this PR broke https://github.com/openshift/openshift-restclient-python/blob/master/openshift/dynamic/discovery.py#L133, which expects VMInstancesSEVFetchCertChain/VMInstancesSEVQueryLaunchMeasurement/VMInstancesSEVSetupSession/VMInstancesSEVInjectLaunchSecret to be of the format 'a/b' not cc: @myakove |
What this PR does / why we need it:

The PR introduces new API endpoints for SEV attestation. It is based on the initial design proposal. It allows performing the necessary pre-launch attestation steps:

- `sev/fetchcertchain`: ~~the API call is routed to the node where the VM is scheduled and it is processed by `virt-handler`. The certificates are fetched from `libvirt` by `node-labeller` in the `init-container` context (thus ATM the support of certificates rotation is limited);~~ UPD: the call is routed to the `virt-launcher` pod where the corresponding `libvirt` API is invoked;
- `sev/setupsession`: the call is routed to the `virt-launcher` pod where the corresponding `libvirt` API is invoked;
- `sev/querylaunchmeasurement`: the call is routed to the `virt-launcher` pod where the corresponding `libvirt` API is invoked. The measurement is returned to the caller;
- `sev/injectsecret`: the call is routed to the `virt-launcher` pod where the corresponding `libvirt` API is invoked.

The attestation process can be run either manually by calling the corresponding endpoints (e.g. using `virtctl`) or in an automated way by leveraging an attestation server and a controller that will monitor the VMI state and perform the required actions. The E2E functional test in `tests/launchsecurity/sev.go` demonstrates the general flow.

Attestation can be requested via VMI spec yaml:

Which issue(s) this PR fixes (optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged):
Fixes #

Special notes for your reviewer:

`virtctl` commands mapped to the SEV endpoints are not in the scope of this PR and will be added later in a follow-up (same applies to the attestation controller: not in the scope ATM). UPD: Extend virtctl to Support Interactive SEV Attestation #7595

`libvirt >= 8.0.0`: rpm: Update virtualization packages #7277

Release note: