Implement vmsa build subcommand #18
Conversation
|
@crobinso While testing |
|
Thanks! But I will submit the IMO we should just concentrate on infrastructure and What's on your todo list before this is out of draft state? I'd like to see tests FWIW. test cases will help make sure we don't regress when we move the Vmsa definitions to sev crate |
Sure, that works too.
Ensuring that the VMSA buffer is packed correctly when writing to the file is top priority right now (currently, the buffer isn't correctly packed to 4KB when writing). I'm using the sevctl-test package to ensure the behavior is expected. I'll push my changes to sevctl-test with tests for the VMSA commands when I have everything correct. |
|
I think this build command needs to come with test coverage, since this is complex and subtle which si very easy to get wrong. Essentially we want to run the code and compare its output to known good output, for a variety of scenarios. I don't think we want to checking in a bunch of binary VMSA blobs though. Rather we should provide the 'show' command in this PR too, and store the output of 'show' for various known good VMSA blobs, and test against that. |
Yea, I'm testing with a fork of sevctl-test, and when everything is ready I will also push my changes to that repo as well. |
|
Testing with the 'build' command the output doesn't match the checksum of the VMSA generated by my original python script. The actual VMSA register values are all the same, but the padding to round it up to 4096 bytes contains random data. The padding needs to be all-zeroes. The 'show' command, or rather the code for loading VMSA blobs should validate that the padding is all zeros too, to prevent silent mistakes slipping past. |
@berrange: I wasn't aware of that. Will fix now.
Sure. Will add a check to make sure all padded bytes are zero. |
|
The 'vmsa build' command is segfaulting for me now i'm afraid. |
IIUC, the VM launch measurement will contain a cryptographic hash over the entire 4k page of data, even though the actual register content only spans a subset of that range. So that padding upto 4k has to contain predictable data, so you can reproduce the measurement later. |
|
Files are equal now: |
Signed-off-by: Tyler Fanelli <tfanelli@redhat.com>
|
TLDR: drop patch 3, squash This successfully recreates the two working vmsa0.bin and vmsa1.bin binaries I created with danpb's script. I think that's good enough to commit the Please drop the 'show' changes though, I will submit those separately. It was basically a hack to prove that it's working, with format similar to danpb's script so I could manually verify the results are correct. I don't think that list of You've mentioned sevctl-test but IMO this should (also?) be covered with unittests. It will be easier to verify all the combinations with some unittest infrastructure. I will add that with my |
tylerfanelli
changed the title
Signed-off-by: Tyler Fanelli <tfanelli@redhat.com>
3 subcommands to be added based off of danpb's virt-dom-sev-vmsa-tool.py
build: Build a VMSA buffer based off of given inputs
update: Update an already-existing VMSA buffer.
show: Pretty-print a VMSA buffer's contents for human-readable viewing.
Build subcommand still a WIP at the moment.