Re: [libvirt PATCH 02/12] tools: support validating SEV firmware boot measurements
On Sun, Oct 16, 2022 at 02:54:47PM -0400, Cole Robinson wrote:
On 10/7/22 7:42 AM, Daniel P. Berrangé wrote:
> The virt-qemu-sev-validate program will compare a reported SEV/SEV-ES
> domain launch measurement, to a computed launch measurement. This
> determines whether the domain has been tampered with during launch.
>
> This initial implementation requires all inputs to be provided
> explicitly, and as such can run completely offline, without any
> connection to libvirt.
>
> The tool is placed in the libvirt-client-qemu sub-RPM since it is
> specific to the QEMU driver.
>
> Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
> + try:
> + check_usage(args)
> +
> + attest(args)
> +
> + sys.exit(0)
> + except AttestationFailedException as e:
> + if not args.quiet:
> + print("ERROR: %s" % e, file=sys.stderr)
> + sys.exit(1)
> + except UnsupportedUsageException as e:
> + if not args.quiet:
> + print("ERROR: %s" % e, file=sys.stderr)
> + sys.exit(2)
> + except Exception as e:
> + if args.debug:
> + traceback.print_tb(e.__traceback__)
> + if not args.quiet:
> + print("ERROR: %s" % e, file=sys.stderr)
> + sys.exit(3)
This only tracebacks on --debug for an unexpected error. I think it's
more useful to have --debug always print backtrace. It helped me
debugging usage of the script
Ok, I can do that.
Do you recall what sort of problems required you to be looking at
the debug output ? Wondering if there's anything we can do to make
it more foolproof for less knowledgable users ?
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|