[libvirt PATCH v3 08/12] tools: load CPU count and CPU SKU from libvirt

Wednesday, 2 November 2022

When validating a SEV-ES guest, we need to know the CPU count and VMSA
state. We can get the CPU count directly from libvirt's guest info. The
VMSA state can be constructed automatically if we query the CPU SKU from
host capabilities XML. Neither of these is secure, however, so this
behaviour is restricted.

Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com&gt;
---
 docs/manpages/virt-qemu-sev-validate.rst |  4 ----
 tools/virt-qemu-sev-validate             | 26 ++++++++++++++++++++++++
 2 files changed, 26 insertions(+), 4 deletions(-)

diff --git a/docs/manpages/virt-qemu-sev-validate.rst
b/docs/manpages/virt-qemu-sev-validate.rst
index 4aebbb3c9b..e1e290f125 100644
--- a/docs/manpages/virt-qemu-sev-validate.rst
+++ b/docs/manpages/virt-qemu-sev-validate.rst
@@ -358,7 +358,6 @@ Validate the measurement of a SEV-ES SMP guest booting from disk:
 
    # virt-dom-sev-validate \
        --insecure \
-       --num-cpus 2 \
        --vmsa-cpu0 vmsa0.bin \
        --vmsa-cpu1 vmsa1.bin \
        --tk this-guest-tk.bin \
@@ -371,9 +370,6 @@ automatically constructed VMSA:
 
    # virt-dom-sev-validate \
        --insecure \
-       --cpu-family 23 \
-       --cpu-model 49 \
-       --cpu-stepping 0 \
        --tk this-guest-tk.bin \
        --domain fedora34x86_64
 
diff --git a/tools/virt-qemu-sev-validate b/tools/virt-qemu-sev-validate
index cdf6a24d46..9eb9d54258 100755
--- a/tools/virt-qemu-sev-validate
+++ b/tools/virt-qemu-sev-validate
@@ -868,6 +868,14 @@ class LibvirtConfidentialVM(ConfidentialVM):
         if self.policy is None:
             self.policy = sevinfo["sev-policy"]
 
+        if self.is_sev_es() and self.num_cpus is None:
+            if secure:
+                raise InsecureUsageException(
+                    "Using CPU count from guest is not secure")
+
+            info = self.dom.info()
+            self.num_cpus = info[3]
+
         if self.firmware is None:
             if remote:
                 raise UnsupportedUsageException(
@@ -913,6 +921,24 @@ class LibvirtConfidentialVM(ConfidentialVM):
                         "Using cmdline string from XML is not secure")
                 self.kernel_table.load_cmdline(cmdlinenodes[0].text)
 
+        capsxml = self.conn.getCapabilities()
+        capsdoc = etree.fromstring(capsxml)
+
+        if self.is_sev_es() and self.vmsa_cpu0 is None:
+            if secure:
+                raise InsecureUsageException(
+                    "Using CPU SKU from capabilities is not secure")
+
+            sig = capsdoc.xpath("/capabilities/host/cpu/signature")
+            if len(sig) != 1:
+                raise UnsupportedUsageException(
+                    "Libvirt is too old to report host CPU signature")
+
+            cpu_family = int(sig[0].get("family"))
+            cpu_model = int(sig[0].get("model"))
+            cpu_stepping = int(sig[0].get("stepping"))
+            self.build_vmsas(cpu_family, cpu_model, cpu_stepping)
+
 
 def parse_command_line():
     parser = argparse.ArgumentParser(
-- 
2.37.3


    

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

[libvirt PATCH v3 08/12] tools: load CPU count and CPU SKU from libvirt