On Thu, Dec 09, 2021 at 09:36:03AM +0100, Peter Krempa wrote:
On Wed, Dec 08, 2021 at 18:44:31 +0000, Daniel P. Berrangé wrote:
> We're only returning the set of fields needed to perform an
> attestation, per the SEV API docs.
>
> Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
> ---
> src/qemu/qemu_monitor.c | 13 +++++++++++
> src/qemu/qemu_monitor.h | 9 ++++++++
> src/qemu/qemu_monitor_json.c | 45 ++++++++++++++++++++++++++++++++++++
> src/qemu/qemu_monitor_json.h | 8 +++++++
> 4 files changed, 75 insertions(+)
> diff --git a/src/qemu/qemu_monitor_json.c b/src/qemu/qemu_monitor_json.c
> index e00d785c20..423bae49d2 100644
> --- a/src/qemu/qemu_monitor_json.c
> +++ b/src/qemu/qemu_monitor_json.c
> @@ -8216,6 +8216,51 @@ qemuMonitorJSONGetSEVMeasurement(qemuMonitor *mon)
> }
>
>
> +/**
> + * Retrive info about the SEV setup, returning those fields that
> + * are required to do a launch attestation, as per
> + *
> + * HMAC(0x04 || API_MAJOR || API_MINOR || BUILD || GCTX.POLICY || GCTX.LD ||
MNONCE; GCTX.TIK)
> + *
> + * specified in section 6.5.1 of AMD Secure Encrypted
> + * Virtualization API.
> + *
> + * { "execute": "query-sev" }
> + * { "return": { "enabled": true, "api-major" : 0,
"api-minor" : 0,
> + * "build-id" : 0, "policy" : 0,
"state" : "running",
> + * "handle" : 1 } }
> + */
> +int qemuMonitorJSONGetSEVInfo(qemuMonitor *mon,
> + unsigned int *apiMajor,
> + unsigned int *apiMinor,
> + unsigned int *buildID,
> + unsigned int *policy)
Please use consistent (with what you've added in the header file) and
modern header formatting.
> +{
> + g_autoptr(virJSONValue) cmd = NULL;
> + g_autoptr(virJSONValue) reply = NULL;
> + virJSONValue *data;
> +
> + if (!(cmd = qemuMonitorJSONMakeCommand("query-sev", NULL)))
> + return -1;
> +
> + if (qemuMonitorJSONCommand(mon, cmd, &reply) < 0)
> + return -1;
> +
> + if (qemuMonitorJSONCheckReply(cmd, reply, VIR_JSON_TYPE_OBJECT) < 0)
> + return -1;
> +
> + data = virJSONValueObjectGetObject(reply, "return");
> +
> + if (virJSONValueObjectGetNumberUint(data, "api-major", apiMajor) <
0 ||
> + virJSONValueObjectGetNumberUint(data, "api-minor", apiMinor) <
0 ||
> + virJSONValueObjectGetNumberUint(data, "build-id", buildID) < 0
||
> + virJSONValueObjectGetNumberUint(data, "policy", policy) < 0)
> + return -1;
> +
> + return 0;
> +}
> +
> +
> /*
> * Example return data
> *
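Review bot: the four virJSONValueObjectGetNumberUint() calls at the end of qemuMonitorJSONGetSEVInfo() return -1 without reporting an error, so a reply that lacks any of api-major, api-minor, build-id or policy hands the caller a bare -1 with no message; the function also never consults the "enabled" field that the documented reply carries, even though the other fields are only meaningful when SEV is enabled. Suggest checking "enabled" first and reporting the failed lookup, e.g. virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("query-sev reply was missing some data")), before returning -1. Minor: "Retrive" in the doc comment should read "Retrieve".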
> diff --git a/src/qemu/qemu_monitor_json.h b/src/qemu/qemu_monitor_json.h
> index 0984717675..163be25c32 100644
> --- a/src/qemu/qemu_monitor_json.h
> +++ b/src/qemu/qemu_monitor_json.h
> @@ -369,6 +369,14 @@ int qemuMonitorJSONSystemWakeup(qemuMonitor *mon);
>
> char *qemuMonitorJSONGetSEVMeasurement(qemuMonitor *mon);
>
> +int qemuMonitorJSONGetSEVInfo(qemuMonitor *mon,
> + unsigned int *apiMajor,
> + unsigned int *apiMinor,
> + unsigned int *buildID,
> + unsigned int *policy)
> + ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3)
> + ATTRIBUTE_NONNULL(4) ATTRIBUTE_NONNULL(5);
Preferably use modern header formatting.
Almost everything in this header uses the style matching
this patch. IMHO diverging in style is worse.
> int qemuMonitorJSONGetVersion(qemuMonitor *mon,
> int *major,
> int *minor,
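Review bot: the new declaration arrives without test coverage; the "qemumonitorjsontest?" question below applies here, so the qemumonitorjsontest suite should gain a case that feeds qemuMonitorJSONGetSEVInfo() the reply shown in the .c doc comment and checks the four output values, plus a reply with one field missing to exercise the -1 path. Since all five parameters are ATTRIBUTE_NONNULL, the test (and every caller) must pass a real pointer for each output even when only some values are wanted.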
qemumonitorjsontest?
Reviewed-by: Peter Krempa <pkrempa(a)redhat.com>
Regards,
Daniel
--
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|