
On 19/10/2022 13:17, berrange at redhat.com (Daniel P. Berrangé) wrote:
It is possible to build OVMF for SEV with an embedded Grub that can fetch LUKS disk secrets. This adds support for injecting secrets in the required format.
Signed-off-by: Daniel P. Berrang? <berrange at redhat.com> --- docs/manpages/virt-qemu-sev-validate.rst | 66 ++++++++++ tools/virt-qemu-sev-validate | 156 +++++++++++++++++++++-- 2 files changed, 213 insertions(+), 9 deletions(-)
diff --git a/docs/manpages/virt-qemu-sev-validate.rst b/docs/manpages/virt-qemu-sev-validate.rst index fcc13d68c8..7542bea9aa 100644 --- a/docs/manpages/virt-qemu-sev-validate.rst +++ b/docs/manpages/virt-qemu-sev-validate.rst @@ -187,6 +187,29 @@ understand any configuration mistakes that have been made. If the will be skipped. The result is that the validation will likely be reported as failed.
+Secret injection options +------------------------ + +These options provide a way to inject a secret if validation of the +launch measurement passes. + +``--disk-password PATH`` + +Path to a file containing the password to use to unlock the LUKS container +for the guest disk.
Maybe add an option to add custom secret entries: --add-secret-entry GUID:PATH ? -Dov
+ +``--secret-header PATH`` + +Path to a file in which the injected secret header will be written in base64 +format and later injected into the domain. This is required if there is no +connection to libvirt, otherwise the secret will be directly injected. + +``--secret-payload PATH`` + +Path to a file in which the injected secret payload will be written in base64 +format and later injected into the domain. This is required if there is no +connection to libvirt, otherwise the secret will be directly injected. +