
Introduce API endpoints for SEV attestation #7197

Merged (12 commits) on Jun 30, 2023

Commits on Jun 23, 2023

  1. Allow requesting SEV attestation in the VMI spec

    Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de>
    vasiliy-ul committed Jun 23, 2023
    Commit 825bf0f
  2. Add VMI admitter for SEV attestation

    SEV attestation requires that the VMI is started paused.
    
    Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de>
    vasiliy-ul committed Jun 23, 2023
    Commit 5c6ceee
  3. Allow fetching the SEV platform certificates

    Introduce the sev/fetchcertchain API endpoint for VMI. By calling the
    endpoint, a user can fetch the platform info needed for running the
    attestation process.
    
    Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de>
    vasiliy-ul committed Jun 23, 2023
    Commit 6d682a0
  4. Allow querying the launch measurement of a SEV guest

    Introduce the sev/querylaunchmeasurement API endpoint for VMI. Apart from
    the measurement itself, it returns the data needed to calculate the
    expected value as specified in the AMD SEV specification:
    
      HMAC(0x04 || API_MAJOR || API_MINOR || BUILD ||
           GCTX.POLICY || GCTX.LD || MNONCE; GCTX.TIK)
    
    Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de>
    vasiliy-ul committed Jun 23, 2023
    Commit a66769a
  5. Allow setting up a SEV session for a scheduled guest

    Introduce the sev/setupsession API endpoint for VMI. It can be used to
    provide the session launch blob and the Diffie-Hellman key for a guest
    that has been scheduled to run on a particular node.
    
    Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de>
    vasiliy-ul committed Jun 23, 2023
    Commit 3913f87
  6. Allow injecting a SEV launch secret into a guest

    Introduce the sev/injectlaunchsecret API endpoint for VMI to inject an
    encrypted secret into a paused guest.
    
    Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de>
    vasiliy-ul committed Jun 23, 2023
    Commit 23f24a9
  7. Add functional test for SEV attestation API

    Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de>
    vasiliy-ul committed Jun 23, 2023
    Commit 38424c8
  8. Fetch platform certificates by calling libvirt API

    This reverts fetching of the certs from the node labeller. If they are
    fetched directly in the virt-launcher context, certificate rotation is
    handled automatically, since the API call will return the most recent
    state.
    
    Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de>
    vasiliy-ul committed Jun 23, 2023
    Commit a32b3f0
  9. Extend vnc and console subresource unit tests

    Ensure the request fails if the VMI is not running.
    
    Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de>
    vasiliy-ul committed Jun 23, 2023
    Commit 41e3df4
  10. Query SEV attestation settings in the tests

    Do not hardcode the expected parameters, since they are bound to a
    specific hardware instance. Instead, try to detect them at runtime using
    the virsh CLI.
    
    Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de>
    vasiliy-ul committed Jun 23, 2023
    Commit 0d64f69
  11. Do not hardcode SEV session in the tests

    Use the sevctl tool to prepare the parameters at runtime.
    
    Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de>
    vasiliy-ul committed Jun 23, 2023
    Commit f981a39
  12. Expect SEV test to fail on non-amd64 architectures

    Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de>
    vasiliy-ul committed Jun 23, 2023
    Commit f8464bd
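Commit 4 above gives the formula the guest owner has to recompute to check the launch measurement returned by sev/querylaunchmeasurement: HMAC(0x04 || API_MAJOR || API_MINOR || BUILD || GCTX.POLICY || GCTX.LD || MNONCE; GCTX.TIK). The following Go program is an added example written for this page; it is not code from the PR or from the KubeVirt project. It assumes HMAC-SHA-256 with the 16-byte TIK as key, a 4-byte little-endian POLICY, a 32-byte launch digest (LD) and a 16-byte nonce, as in the AMD SEV firmware ABI; the `LaunchMeasurementInfo` type and all function names are this example's own, and the inputs in `SampleAttestation` are constructed, with the "firmware" measurement simulated by the same formula.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

const (
	launchDigestLen = sha256.Size // GCTX.LD: SHA-256 digest of the measured launch image
	nonceLen        = 16          // MNONCE returned alongside the measurement
	tikLen          = 16          // GCTX.TIK: 128-bit integrity key from the launch session (assumed)
)

// LaunchMeasurementInfo mirrors what a querylaunchmeasurement-style endpoint
// hands back: the measurement plus every value the firmware mixed into it.
// The type and its field names are this example's own, not KubeVirt's API.
type LaunchMeasurementInfo struct {
	APIMajor    uint8
	APIMinor    uint8
	BuildID     uint8
	Policy      uint32 // GCTX.POLICY
	LoaderSHA   []byte // GCTX.LD
	Nonce       []byte // MNONCE
	Measurement []byte // HMAC reported by the firmware
}

// ExpectedMeasurement computes
//   HMAC-SHA256(0x04 || API_MAJOR || API_MINOR || BUILD || POLICY || LD || MNONCE; TIK)
// exactly as the commit message spells it out, rejecting malformed inputs first.
func ExpectedMeasurement(info LaunchMeasurementInfo, tik []byte) ([]byte, error) {
	switch {
	case len(info.LoaderSHA) != launchDigestLen:
		return nil, fmt.Errorf("launch digest must be %d bytes, got %d", launchDigestLen, len(info.LoaderSHA))
	case len(info.Nonce) != nonceLen:
		return nil, fmt.Errorf("nonce must be %d bytes, got %d", nonceLen, len(info.Nonce))
	case len(tik) != tikLen:
		return nil, fmt.Errorf("TIK must be %d bytes, got %d", tikLen, len(tik))
	}
	var msg bytes.Buffer
	msg.WriteByte(0x04) // message type tag for LAUNCH_MEASURE
	msg.WriteByte(info.APIMajor)
	msg.WriteByte(info.APIMinor)
	msg.WriteByte(info.BuildID)
	// POLICY is a 32-bit little-endian field in the SEV firmware ABI (assumption).
	if err := binary.Write(&msg, binary.LittleEndian, info.Policy); err != nil {
		return nil, err
	}
	msg.Write(info.LoaderSHA)
	msg.Write(info.Nonce)
	mac := hmac.New(sha256.New, tik)
	mac.Write(msg.Bytes())
	return mac.Sum(nil), nil
}

// VerifyLaunchMeasurement recomputes the expected value and compares it in
// constant time against what the firmware reported. Only after this returns
// true should the owner release a launch secret to the paused guest.
func VerifyLaunchMeasurement(info LaunchMeasurementInfo, tik []byte) (bool, error) {
	expected, err := ExpectedMeasurement(info, tik)
	if err != nil {
		return false, err
	}
	if len(info.Measurement) != len(expected) {
		return false, errors.New("reported measurement has unexpected length")
	}
	return hmac.Equal(expected, info.Measurement), nil
}

// SampleAttestation returns constructed inputs (not captured from real hardware).
// The firmware-side measurement is simulated with the same formula so the
// verification path can be exercised offline.
func SampleAttestation() (LaunchMeasurementInfo, []byte) {
	tik := []byte("constructed-tik!") // 16 bytes, stands in for the session TIK
	ld := sha256.Sum256([]byte("constructed OVMF launch image"))
	info := LaunchMeasurementInfo{
		APIMajor: 1, APIMinor: 51, BuildID: 1,
		Policy:    0x3, // NODBG | NOKS as an illustrative policy
		LoaderSHA: ld[:],
		Nonce:     []byte("constructed-nonc"), // 16 bytes
	}
	m, err := ExpectedMeasurement(info, tik)
	if err != nil {
		panic(err)
	}
	info.Measurement = m
	return info, tik
}

func main() {
	info, tik := SampleAttestation()
	ok, err := VerifyLaunchMeasurement(info, tik)
	fmt.Printf("measurement %s\nverified: %v (err=%v)\n", hex.EncodeToString(info.Measurement), ok, err)

	// A guest launched with a weaker policy (NODBG cleared) yields a different
	// expected value, so the owner's check fails even if the measurement bytes
	// were replayed from a legitimate launch.
	tampered := info
	tampered.Policy &^= 0x1
	ok, _ = VerifyLaunchMeasurement(tampered, tik)
	fmt.Println("verified with NODBG cleared:", ok)
}
```

The TIK itself never leaves the guest owner: it is derived from the launch session that sev/setupsession hands to the node (sevctl produces it in the tests above), which is why a correct HMAC proves the PSP holding that session measured exactly the loader, policy and firmware version the owner expects.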