2:36 p.m.
This API allows getting an attestation report from a SEV-enabled guest.
The API uses virTypedParameter for input. The details of an attestation
report buffer are described in the SEV API spec in section
"6.8.2 Parameters, Table 60".
https://www.amd.com/system/files/TechDocs/55766_SEV-KM_API_Specification.pdf
Signed-off-by: Tyler Fanelli <tfanelli(a)redhat.com>
---
include/libvirt/libvirt-domain.h | 14 +++++++
src/driver-hypervisor.h | 7 ++++
src/libvirt-domain.c | 63 ++++++++++++++++++++++++++++++++
src/libvirt_public.syms | 4 ++
4 files changed, 88 insertions(+)
diff --git a/include/libvirt/libvirt-domain.h b/include/libvirt/libvirt-domain.h
index 2d5718301e..af8991dbd3 100644
--- a/include/libvirt/libvirt-domain.h
+++ b/include/libvirt/libvirt-domain.h
@@ -5166,6 +5166,15 @@ int virDomainSetLifecycleAction(virDomainPtr domain,
*/
# define VIR_DOMAIN_LAUNCH_SECURITY_SEV_SECRET_SET_ADDRESS
"sev-secret-set-address"
+/**
+ * VIR_DOMAIN_SEV_ATTESTATION_REPORT_MNONCE:
+ *
+ * A macro used to represent a random 16 bytes value encoded in base64
+ * that will be included in a SEV attestation report, as
+ * VIR_TYPED_PARAM_STRING.
+ */
+# define VIR_DOMAIN_SEV_ATTESTATION_REPORT_MNONCE "mnonce"
+
int virDomainGetLaunchSecurityInfo(virDomainPtr domain,
virTypedParameterPtr *params,
int *nparams,
@@ -5176,6 +5185,11 @@ int virDomainSetLaunchSecurityState(virDomainPtr domain,
int nparams,
unsigned int flags);
+int virDomainGetSevAttestationReport(virDomainPtr domain,
+ virTypedParameterPtr *params_ptr,
+ int *nparams,
+ unsigned int flags);
+
typedef enum {
VIR_DOMAIN_GUEST_INFO_USERS = (1 << 0), /* return active users */
VIR_DOMAIN_GUEST_INFO_OS = (1 << 1), /* return OS information */
diff --git a/src/driver-hypervisor.h b/src/driver-hypervisor.h
index 4423eb0885..568d8c9a26 100644
--- a/src/driver-hypervisor.h
+++ b/src/driver-hypervisor.h
@@ -1348,6 +1348,12 @@ typedef int
int nparams,
unsigned int flags);
+typedef int
+(*virDrvDomainGetSevAttestationReport)(virDomainPtr domain,
+ virTypedParameterPtr params,
+ int nparams,
+ unsigned int flags);
+
typedef virDomainCheckpointPtr
(*virDrvDomainCheckpointCreateXML)(virDomainPtr domain,
const char *xmlDesc,
@@ -1678,6 +1684,7 @@ struct _virHypervisorDriver {
virDrvNodeGetSEVInfo nodeGetSEVInfo;
virDrvDomainGetLaunchSecurityInfo domainGetLaunchSecurityInfo;
virDrvDomainSetLaunchSecurityState domainSetLaunchSecurityState;
+ virDrvDomainGetSevAttestationReport domainGetSevAttestationReport;
virDrvDomainCheckpointCreateXML domainCheckpointCreateXML;
virDrvDomainCheckpointGetXMLDesc domainCheckpointGetXMLDesc;
virDrvDomainListAllCheckpoints domainListAllCheckpoints;
diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
index a197618673..ebcba4a8b7 100644
--- a/src/libvirt-domain.c
+++ b/src/libvirt-domain.c
@@ -12957,6 +12957,69 @@ int virDomainSetLaunchSecurityState(virDomainPtr domain,
return -1;
}
+/**
+ * virDomainGetSevAttestationReport:
+ * @domain: a domain object
+ * @params_ptr: pointer to launch security parameter objects
+ * @nparams: pointer to number of launch security parameters
+ * @flags: currently used, set to 0
+ *
+ * Get an attestation report from a SEV-enabled guest. On success, the guest
+ * attestation report can be obtained and the guest can be started.
+ *
+ * There is one parameter for receiving an attestation report, mnonce, which is
+ * a random 16-byte string to be included in the attestation report.
+ *
+ * Returns -1 in case of failure, 0 in case of success.
+ */
+int virDomainGetSevAttestationReport(virDomainPtr domain,
+ virTypedParameterPtr *params_ptr,
+ int *nparams,
+ unsigned int flags)
+{
+ virConnectPtr conn;
+ virTypedParameterPtr params;
+ int rc;
+
+ params = *params_ptr;
+ conn = domain->conn;
+
+ VIR_DOMAIN_DEBUG(domain, "params=%p, nparams=%d, flags=0x%x",
+ params, *nparams, flags);
+ VIR_TYPED_PARAMS_DEBUG(params, *nparams);
+
+ virResetLastError();
+
+ virCheckDomainReturn(domain, -1);
+ virCheckNonNullArgGoto(params, error);
+ virCheckPositiveArgGoto(*nparams, error);
+ virCheckReadOnlyGoto(domain->conn->flags, error);
+
+ rc = VIR_DRV_SUPPORTS_FEATURE(domain->conn->driver, domain->conn,
+ VIR_DRV_FEATURE_TYPED_PARAM_STRING);
+
+ if (rc < 0)
+ goto error;
+ if (rc)
+ flags |= VIR_TYPED_PARAM_STRING_OKAY;
+
+ if (virTypedParameterValidateSet(conn, params, *nparams) < 0)
+ goto error;
+
+ if (conn->driver->domainGetSevAttestationReport) {
+ int ret;
+ ret = conn->driver->domainGetSevAttestationReport(domain, params_ptr,
+ nparams, flags);
+ if (ret < 0)
+ goto error;
+
+ return ret;
+ }
+
+error:
+ virDispatchError(domain->conn);
+ return -1;
+}
/**
* virDomainAgentSetResponseTimeout:
diff --git a/src/libvirt_public.syms b/src/libvirt_public.syms
index f93692c427..f0cd5e7e55 100644
--- a/src/libvirt_public.syms
+++ b/src/libvirt_public.syms
@@ -916,4 +916,8 @@ LIBVIRT_8.0.0 {
virDomainSetLaunchSecurityState;
} LIBVIRT_7.8.0;
+LIBVIRT_8.2.0 {
+ global:
+ virDomainGetSevAttestationReport;
+} LIBVIRT_8.0.0;
# .... define new API here using predicted next version number ....
--
2.34.1