| author | Daniel P. Berrangé <berrange@redhat.com> | 2022-01-07 17:25:23 +0000 |
|---|---|---|
| committer | Daniel P. Berrangé <berrange@redhat.com> | 2022-11-15 11:09:30 +0000 |
| commit | 3e7b7da9e02bbeaff051413cde79b930edb57cc9 (patch) | |
| tree | 0d86b4f547630816d8c010d46e86fe2c062dbe31 /docs/manpages | |
| parent | 7d55c815c63fc2a794bc6467f673afbdda932ea4 (diff) | |
| download | libvirt-3e7b7da9e02bbeaff051413cde79b930edb57cc9.tar.gz | |
tools: support validating SEV-ES initial vCPU state measurements
With the SEV-ES policy the VMSA state of each vCPU must be included in
the measured data. The VMSA state can be generated using the 'sevctl'
tool, by telling it a QEMU VMSA is required, and passing the hypervisor's
CPU SKU (family, model, stepping).
Reviewed-by: Cole Robinson <crobinso@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Diffstat (limited to 'docs/manpages')
| -rw-r--r-- | docs/manpages/virt-qemu-sev-validate.rst | 58 |
1 files changed, 58 insertions, 0 deletions
diff --git a/docs/manpages/virt-qemu-sev-validate.rst b/docs/manpages/virt-qemu-sev-validate.rst index e374fecec0..d51969d0b2 100644 --- a/docs/manpages/virt-qemu-sev-validate.rst +++ b/docs/manpages/virt-qemu-sev-validate.rst @@ -116,6 +116,23 @@ content if omitted. String containing any kernel command line parameters used during boot of the domain. Defaults to the empty string if omitted. +``-n COUNT``, ``--num-cpus=COUNT`` + +The number of virtual CPUs for the domain. This is required when the +domain policy is set to require SEV-ES. + +``-0 PATH``, ``--vmsa-cpu0=PATH`` + +Path to the VMSA initial state for the boot CPU. This is required when +the domain policy is set to require SEV-ES. The file contents must be +exactly 4096 bytes in length. + +``-1 PATH``, ``--vmsa-cpu1=PATH`` + +Path to the VMSA initial state for the non-boot CPU. This is required when +the domain policy is set to require SEV-ES and the domain has more than one +CPU present. The file contents must be exactly 4096 bytes in length. + ``--tik PATH`` TIK file for domain. This file must be exactly 16 bytes in size and contains the @@ -212,6 +229,22 @@ Validate the measurement of a SEV guest with direct kernel boot: --build-id 13 \ --policy 3 +Validate the measurement of a SEV-ES SMP guest booting from disk: + +:: + + # virt-dom-sev-validate \ + --firmware OVMF.sev.fd \ + --num-cpus 2 \ + --vmsa-cpu0 vmsa0.bin \ + --vmsa-cpu1 vmsa1.bin \ + --tk this-guest-tk.bin \ + --measurement Zs2pf19ubFSafpZ2WKkwquXvACx9Wt/BV+eJwQ/taO8jhyIj/F8swFrybR1fZ2ID \ + --api-major 0 \ + --api-minor 24 \ + --build-id 13 \ + --policy 7 + Fetch from remote libvirt ------------------------- 
@@ -245,6 +278,19 @@ Validate the measurement of a SEV guest with direct kernel boot: --tk this-guest-tk.bin \ --domain fedora34x86_64 +Validate the measurement of a SEV-ES SMP guest booting from disk: + +:: + + # virt-dom-sev-validate \ + --connect qemu+ssh://root@some.remote.host/system \ + --firmware OVMF.sev.fd \ + --num-cpus 2 \ + --vmsa-cpu0 vmsa0.bin \ + --vmsa-cpu1 vmsa1.bin \ + --tk this-guest-tk.bin \ + --domain fedora34x86_64 + Fetch from local libvirt ------------------------ @@ -274,6 +320,18 @@ Validate the measurement of a SEV guest with direct kernel boot: --tk this-guest-tk.bin \ --domain fedora34x86_64 +Validate the measurement of a SEV-ES SMP guest booting from disk: + +:: + + # virt-dom-sev-validate \ + --insecure \ + --num-cpus 2 \ + --vmsa-cpu0 vmsa0.bin \ + --vmsa-cpu1 vmsa1.bin \ + --tk this-guest-tk.bin \ + --domain fedora34x86_64 + EXIT STATUS =========== |
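Review bot: The ``--vmsa-cpu1`` description in the options hunk does not say what happens when ``--num-cpus`` is greater than 2; since only one non-boot option exists, state explicitly that the same file is used as the initial state of every non-boot vCPU (or that only two vCPUs are supported). It would also help to say how the tool decides that the policy "requires SEV-ES", given that the examples move from ``--policy 3`` to ``--policy 7``; naming the policy bit in the option text would let users check the value without reading the code.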
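Review bot: The new example in the first examples hunk invokes ``# virt-dom-sev-validate``, while the manpage being edited is ``docs/manpages/virt-qemu-sev-validate.rst``; the command name in the example should match the documented tool name, and the surrounding pre-existing examples should be checked for the same mismatch.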
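Review bot: In the remote and local examples (the ``--connect`` and ``--insecure`` hunks) ``--num-cpus 2`` is still passed even though ``--domain fedora34x86_64`` gives the tool access to the domain configuration; either the option text should state that the vCPU count is never taken from the domain, or, if it is, these examples should drop ``--num-cpus`` so readers do not supply a redundant and possibly conflicting value.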
