| author | Daniel P. Berrangé <berrange@redhat.com> | 2022-01-07 16:15:23 +0000 |
|---|---|---|
| committer | Daniel P. Berrangé <berrange@redhat.com> | 2022-11-15 11:09:30 +0000 |
| commit | 0b9e70b1419023c9d5445667940a346a2cafc7f5 (patch) | |
| tree | f6b6ed62843817664ec6020da750cbf59db8610c /docs/manpages | |
| parent | 0e911045ae6b406ad7005b94aeeb0f67f879f2eb (diff) | |
| download | libvirt-0b9e70b1419023c9d5445667940a346a2cafc7f5.tar.gz | |
tools: support validating SEV direct kernel boot measurements

When doing direct kernel boot we need to include the kernel, initrd and
cmdline in the measurement.

Reviewed-by: Cole Robinson <crobinso@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Diffstat (limited to 'docs/manpages')
| -rw-r--r-- | docs/manpages/virt-qemu-sev-validate.rst | 43 |
1 files changed, 43 insertions, 0 deletions
diff --git a/docs/manpages/virt-qemu-sev-validate.rst b/docs/manpages/virt-qemu-sev-validate.rst index e2c4672a05..e8a868f5a8 100644 --- a/docs/manpages/virt-qemu-sev-validate.rst +++ b/docs/manpages/virt-qemu-sev-validate.rst @@ -102,6 +102,20 @@ initialize AMD SEV. For the validation to be trustworthy it important that the firmware build used has no support for loading non-volatile variables from NVRAM, even if NVRAM is expose to the guest. +``-k PATH``, ``--kernel=PATH`` + +Path to the kernel binary if doing direct kernel boot. + +``-r PATH``, ``--initrd=PATH`` + +Path to the initrd binary if doing direct kernel boot. Defaults to zero length +content if omitted. + +``-e STRING``, ``--cmdline=STRING`` + +String containing any kernel command line parameters used during boot of the +domain. Defaults to the empty string if omitted. + ``--tik PATH`` TIK file for domain. This file must be exactly 16 bytes in size and contains the @@ -182,6 +196,22 @@ Validate the measurement of a SEV guest booting from disk: --build-id 13 \ --policy 3 +Validate the measurement of a SEV guest with direct kernel boot: + +:: + + # virt-dom-sev-validate \ + --firmware OVMF.sev.fd \ + --kernel vmlinuz-5.11.12 \ + --initrd initramfs-5.11.12 \ + --cmdline "root=/dev/vda1" \ + --tk this-guest-tk.bin \ + --measurement Zs2pf19ubFSafpZ2WKkwquXvACx9Wt/BV+eJwQ/taO8jhyIj/F8swFrybR1fZ2ID \ + --api-major 0 \ + --api-minor 24 \ + --build-id 13 \ + --policy 3 + Fetch from remote libvirt ------------------------- 
@@ -202,6 +232,19 @@ Validate the measurement of a SEV guest booting from disk: --tk this-guest-tk.bin \ --domain fedora34x86_64 +Validate the measurement of a SEV guest with direct kernel boot: + +:: + + # virt-dom-sev-validate \ + --connect qemu+ssh://root@some.remote.host/system \ + --firmware OVMF.sev.fd \ + --kernel vmlinuz-5.11.12 \ + --initrd initramfs-5.11.12 \ + --cmdline "root=/dev/vda1" \ + --tk this-guest-tk.bin \ + --domain fedora34x86_64 + Fetch from local libvirt ------------------------ |
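Review bot: in the options hunk (@@ -102,6 +102,20), the ``-k PATH``, ``--kernel=PATH`` entry does not say what happens when the option is omitted, while ``--initrd`` and ``--cmdline`` both document a default. Suggest adding a sentence on the behaviour without ``--kernel``, and on whether ``--initrd`` or ``--cmdline`` given without ``--kernel`` is rejected or silently ignored; a silently ignored argument would leave the user believing those inputs were part of the validated measurement.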
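Review bot: the example added in the @@ -182,6 +196,22 hunk invokes `# virt-dom-sev-validate`, but the man page being patched is docs/manpages/virt-qemu-sev-validate.rst. Suggest using the tool's actual name in the command line so the example can be copied as written. It would also help to add one sentence before the `::` noting that the `--cmdline` string has to be the one the domain actually boots with, since the option text describes it as the parameters "used during boot of the domain".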
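Review bot: the remote example added in the @@ -202,6 +232,19 hunk passes `--kernel`, `--initrd` and `--cmdline` together with `--connect` and `--domain`, with no explanation of why they are still needed when other values are fetched from the domain. Suggest a sentence before the `::` stating whether these must be supplied as local copies by the person validating, or can be taken from the remote host, because that determines what the validation actually proves about the remote guest. The `virt-dom-sev-validate` command name in this example also does not match the virt-qemu-sev-validate.rst file it is documented in.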
