Add sevctl measurement build
#68
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
crobinso
force-pushed
the
measurement-build
branch
5 times, most recently
from
d2ae085
to
6061d98
Compare
crobinso
force-pushed
the
measurement-build
branch
from
6061d98
to
8a97317
Compare
crobinso
force-pushed
the
measurement-build
branch
from
8a97317
to
919e57d
Compare
crobinso
changed the title
sevctl measurement buildsevctl measurement build
Assembles the measurement from the follow options --api-major INT --api-minor INT --policy INT --build-id INT --nonce BASE64 --tik FILENAME --launch-digest BASE64 And spits out a base 64 string Signed-off-by: Cole Robinson <crobinso@redhat.com>
Signed-off-by: Cole Robinson <crobinso@redhat.com>
Same with --nonce Signed-off-by: Cole Robinson <crobinso@redhat.com>
If specified, we dump binary content to the specified file, rather than base64 to stdout Signed-off-by: Cole Robinson <crobinso@redhat.com>
--firmware can be specified independently. --kernel --initrd --cmdline expect OVMF firmware and must be specified as a trio
Signed-off-by: Cole Robinson <crobinso@redhat.com>
Allow passing in base64 representation of the full output of the LAUNCH_MEASURE firmware command, like returned by qemu `query-sev-launch-measure` and/or `virsh domlaunchsecinfo` This saves users the pain of peeling the nonce out of that base64 value Signed-off-by: Cole Robinson <crobinso@redhat.com>
The LAUNCH_MEASURE firmware call returns measurement+nonce. Arguably this is two values, but qemu and libvirt treat this blob as opaque and return it straight to the user. Because of this, it's kind of ambiguous what `measurement` should refer to here: the entire blob, or the value with the nonce removed. `sevtool calc_measurement` returns the latter, but I expect most tools will want to use qemu and/or libvirt. Change the measurement output to return the measurement+nonce format. If this is the wrong choice, we can add an --output-format option later. Signed-off-by: Cole Robinson <crobinso@redhat.com>
Would need some changes on sev crate side to plug existing code in here Signed-off-by: Cole Robinson <crobinso@redhat.com>
crobinso
force-pushed
the
measurement-build
branch
from
919e57d
to
8fc125f
Compare
Signed-off-by: Cole Robinson <crobinso@redhat.com>
Return the Result object gives us better default error output.
Example:
$ sevctl vmsa build ... --firmware idontexist
Before:
Error: error loading firmware blob entries in OVMF
After:
Error: error loading firmware blob entries in OVMF
Caused by:
0: error reading from firmware path file
1: No such file or directory (os error 2)
Signed-off-by: Cole Robinson <crobinso@redhat.com>
These will be used in an upcoming patch Signed-off-by: Cole Robinson <crobinso@redhat.com>
Build header and payload binary files, for use with qemu's sev-inject-launch-secret / virsh domsetlaunchsecstate Secrets are injected with one or more --secret UUID:FILENAME options Signed-off-by: Cole Robinson <crobinso@redhat.com>
Signed-off-by: Cole Robinson <crobinso@redhat.com>
crobinso
force-pushed
the
measurement-build
branch
from
8fc125f
to
79eaf6d
Compare
|
@tylerfanelli I added |
tylerfanelli
previously approved these changes
Nov 28, 2022
crobinso
force-pushed
the
measurement-build
branch
from
446f2e1
to
79eaf6d
Compare
tylerfanelli
approved these changes
Dec 13, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This adds
sevctl measurement buildfor spitting out a measurement+nonce blob, like we get from qemu and libvirt for a running VM.Patches tell the story. One note is that this doesn't use
sevcrate existing Session bits to build the measurement. Thesevcrate will need some tweaks for us to use it here. And in the end it would only save maybe 7-8 lines of code.