Introduce API endpoints for SEV attestation #7197
Commits on Jun 23, 2023
Allow to request SEV attestation in VMI spec
Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de>
Commit 825bf0f
Add VMI admitter for SEV attestation
SEV attestation requires that the VMI is started paused. Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de>
Commit 5c6ceee
Allow to fetch the SEV platform certificates
Introduce sev/fetchcertchain API endpoint for VMI. By calling the endpoint a user can fetch the platform info needed for running the attestation process. Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de>
Commit 6d682a0
Allow to query launch measurement of a SEV guest
Introduce sev/querylaunchmeasurement API endpoint for VMI. Apart from the measurement itself it returns the data needed to calculate the expected value as specified in the AMD SEV specification: HMAC(0x04 || API_MAJOR || API_MINOR || BUILD || GCTX.POLICY || GCTX.LD || MNONCE; GCTX.TIK) Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de>
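A verifier-side recomputation of the expected launch measurement from the formula quoted in this commit message, as an added example that is not part of the PR or of KubeVirt: the type and function names are hypothetical, and the field widths (1-byte API_MAJOR/API_MINOR/BUILD, 4-byte little-endian POLICY, 32-byte launch digest, 16-byte MNONCE) are taken from the AMD SEV API specification rather than from this page.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// LaunchMeasureInput: values needed to recompute the launch measurement. Field widths
// follow LAUNCH_MEASURE in the AMD SEV API specification (assumption, not from the PR).
type LaunchMeasureInput struct {
	APIMajor, APIMinor, Build uint8
	Policy                    uint32   // GCTX.POLICY, serialised little-endian
	LaunchDigest              [32]byte // GCTX.LD, SHA-256 of the launched firmware
	MNonce                    [16]byte // MNONCE returned alongside the measurement
}

// measureMessage serialises 0x04 || API_MAJOR || API_MINOR || BUILD || POLICY || LD || MNONCE.
func measureMessage(in LaunchMeasureInput) []byte {
	var policy [4]byte
	binary.LittleEndian.PutUint32(policy[:], in.Policy)
	msg := append([]byte{0x04, in.APIMajor, in.APIMinor, in.Build}, policy[:]...)
	msg = append(msg, in.LaunchDigest[:]...)
	return append(msg, in.MNonce[:]...)
}

// ExpectedMeasurement returns HMAC-SHA256(message; TIK); TIK is the transport
// integrity key from the SEV session the verifier established.
func ExpectedMeasurement(in LaunchMeasureInput, tik []byte) []byte {
	mac := hmac.New(sha256.New, tik)
	mac.Write(measureMessage(in))
	return mac.Sum(nil)
}

// VerifyMeasurement compares in constant time; only a match justifies releasing the launch secret.
func VerifyMeasurement(reported []byte, in LaunchMeasureInput, tik []byte) bool {
	return hmac.Equal(reported, ExpectedMeasurement(in, tik))
}

func main() {
	// Constructed sample values; a real verifier takes them from the endpoint and its own session.
	in := LaunchMeasureInput{APIMajor: 0, APIMinor: 24, Build: 15, Policy: 0x03}
	in.LaunchDigest = sha256.Sum256([]byte("constructed firmware image"))
	copy(in.MNonce[:], "0123456789abcdef")
	tik := []byte("constructed-tik-32-bytes-of-data")
	reported := ExpectedMeasurement(in, tik)
	fmt.Printf("expected measurement %x, verifies: %v\n", reported, VerifyMeasurement(reported, in, tik))
}
```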
Commit a66769a
Allow to setup SEV session for a scheduled guest
Introduce sev/setupsession API endpoint for VMI. It can be used to provide the session launch blob and the Diffie-Hellman key for a guest that has been scheduled to run on a particular node. Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de>
Commit 3913f87
Allow to inject SEV launch secret into a guest
Introduce sev/injectlaunchsecret API endpoint for VMI to inject an encrypted secret into a paused guest. Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de>
Commit 23f24a9
Add functional test for SEV attestation API
Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de>
Commit 38424c8
Fetch platform certificates by calling libvirt API
This reverts fetching of the certs from the node labeller. If fetched directly in the virt-launcher context, that will automatically handle certificate rotation since the API call will return the most recent state. Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de>
Commit a32b3f0
Extend vnc and console subresource unit tests
Ensure the request fails if the VMI is not running. Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de>
Commit 41e3df4
Query SEV attestation settings in the tests
Do not hardcode the expected parameters since they are bound to a specific hardware instance. Instead, try to detect those at runtime using the virsh CLI. Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de>
Commit 0d64f69
Do not hardcode SEV session in the tests
Use the sevctl tool to prepare the parameters at runtime. Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de>
Commit f981a39
Expect SEV test to fail on non-amd64 architectures
Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de>
Commit f8464bd