On 19/10/2022 13:17, berrange at redhat.com (Daniel P. Berrangé) wrote:
It is possible to build OVMF for SEV with an embedded Grub that can
fetch LUKS disk secrets. This adds support for injecting secrets in
the required format.
Signed-off-by: Daniel P. Berrangé <berrange at redhat.com>
---
docs/manpages/virt-qemu-sev-validate.rst | 66 ++++++++++
tools/virt-qemu-sev-validate | 156 +++++++++++++++++++++--
2 files changed, 213 insertions(+), 9 deletions(-)
diff --git a/docs/manpages/virt-qemu-sev-validate.rst
b/docs/manpages/virt-qemu-sev-validate.rst
index fcc13d68c8..7542bea9aa 100644
--- a/docs/manpages/virt-qemu-sev-validate.rst
+++ b/docs/manpages/virt-qemu-sev-validate.rst
@@ -187,6 +187,29 @@ understand any configuration mistakes that have been made. If the
will be skipped. The result is that the validation will likely be reported as
failed.
+Secret injection options
+------------------------
+
+These options provide a way to inject a secret if validation of the
+launch measurement passes.
+
+``--disk-password PATH``
+
+Path to a file containing the password to use to unlock the LUKS container
+for the guest disk.
Maybe add an option to add custom secret entries:
--add-secret-entry GUID:PATH
?
-Dov
+
+``--secret-header PATH``
+
+Path to a file in which the injected secret header will be written in base64
+format and later injected into the domain. This is required if there is no
+connection to libvirt, otherwise the secret will be directly injected.
+
+``--secret-payload PATH``
+
+Path to a file in which the injected secret payload will be written in base64
+format and later injected into the domain. This is required if there is no
+connection to libvirt, otherwise the secret will be directly injected.
+
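Review bot: the ``--secret-header`` and ``--secret-payload`` entries duplicate the sentence "This is required if there is no connection to libvirt, otherwise the secret will be directly injected", and neither says the two options must be given together; since the header and payload are halves of one injected secret, state once in the section intro that without a libvirt connection both ``--secret-header PATH`` and ``--secret-payload PATH`` are required, and say what the tool does when only one of them is supplied. It would also help to repeat in the ``--disk-password`` entry that the password is only ever written or injected after the launch measurement validation has passed, as the intro sentence promises.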