Re: [libvirt PATCH v2 09/12] tools: support generating SEV secret injection tables

On 19/10/2022 13:17, berrange at redhat.com (Daniel P. Berrangé) wrote: > It is possible to build OVMF for SEV with an embedded Grub that can > fetch LUKS disk secrets. This adds support for injecting secrets in > the required format. > > Signed-off-by: Daniel P. Berrang? <berrange at redhat.com> > --- > docs/manpages/virt-qemu-sev-validate.rst | 66 ++++++++++ > tools/virt-qemu-sev-validate | 156 +++++++++++++++++++++-- > 2 files changed, 213 insertions(+), 9 deletions(-) > > diff --git a/docs/manpages/virt-qemu-sev-validate.rst b/docs/manpages/virt-qemu-sev-validate.rst > index fcc13d68c8..7542bea9aa 100644 > --- a/docs/manpages/virt-qemu-sev-validate.rst > +++ b/docs/manpages/virt-qemu-sev-validate.rst > @@ -187,6 +187,29 @@ understand any configuration mistakes that have been made. If the > will be skipped. The result is that the validation will likely be reported as > failed. > > +Secret injection options > +------------------------ > + > +These options provide a way to inject a secret if validation of the > +launch measurement passes. > + > +``--disk-password PATH`` > + > +Path to a file containing the password to use to unlock the LUKS container > +for the guest disk. Maybe add an option to add custom secret entries: --add-secret-entry GUID:PATH ?