7:52 a.m.
Daniel P. Berrangé (2):
tools: fix handling of CPU family/model/stepping in SEV validation
tools: fix VMSA construction with explicit CPU family/model/stepping
tools/virt-qemu-sev-validate | 21 ++++++++++++++-------
1 file changed, 14 insertions(+), 7 deletions(-)
--
2.41.0
7:52 a.m.
New subject: [libvirt PATCH 1/2] tools: fix handling of CPU family/model/stepping in SEV validation
The SEV-ES boot measurement includes the initial CPU register state
(VMSA) and one of the fields includes the CPU identification. When
building a VMSA blob we get the CPU family/model/stepping from the
host capabilities, however, the VMSA must reflect the guest CPU not
host CPU. Thus using host capabilities is only when whe the guest
has the 'host-passthrough' CPU mode active. With 'host-model' it is
cannot be assumed host and guest match, because QEMU may not (yet)
have a named CPU model for a given host CPU.
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
tools/virt-qemu-sev-validate | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/tools/virt-qemu-sev-validate b/tools/virt-qemu-sev-validate
index 209f19a4a8..c279741004 100755
--- a/tools/virt-qemu-sev-validate
+++ b/tools/virt-qemu-sev-validate
@@ -1054,6 +1054,11 @@ class LibvirtConfidentialVM(ConfidentialVM):
raise InsecureUsageException(
"Using CPU SKU from capabilities is not secure")
+ mode = doc.xpath("/domain/cpu/@mode")
+ if mode != "host-passthrough":
+ raise UnsupportedUsageException(
+ "Using CPU family/model/stepping from host not possible unless
'host-passthrough' is used")
+
sig = capsdoc.xpath("/capabilities/host/cpu/signature")
if len(sig) != 1:
raise UnsupportedUsageException(
--
2.41.0
3:55 a.m.
New subject: [libvirt PATCH 1/2] tools: fix handling of CPU family/model/stepping in SEV validation
On Fri, Aug 25, 2023 at 13:52:57 +0100, Daniel P. Berrangé wrote:
The SEV-ES boot measurement includes the initial CPU register state
(VMSA) and one of the fields includes the CPU identification. When
building a VMSA blob we get the CPU family/model/stepping from the
host capabilities, however, the VMSA must reflect the guest CPU not
host CPU. Thus using host capabilities is only when whe the guest
has the 'host-passthrough' CPU mode active. With 'host-model' it is
cannot be assumed host and guest match, because QEMU may not (yet)
have a named CPU model for a given host CPU.
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
tools/virt-qemu-sev-validate | 5 +++++
1 file changed, 5 insertions(+)
Reviewed-by: Peter Krempa <pkrempa(a)redhat.com>
4:05 a.m.
New subject: [libvirt PATCH 1/2] tools: fix handling of CPU family/model/stepping in SEV validation
On Fri, Aug 25, 2023 at 01:52:57PM +0100, Daniel P. Berrangé wrote:
The SEV-ES boot measurement includes the initial CPU register state
(VMSA) and one of the fields includes the CPU identification. When
building a VMSA blob we get the CPU family/model/stepping from the
host capabilities, however, the VMSA must reflect the guest CPU not
host CPU. Thus using host capabilities is only when whe the guest
has the 'host-passthrough' CPU mode active. With 'host-model' it is
cannot be assumed host and guest match, because QEMU may not (yet)
have a named CPU model for a given host CPU.
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
tools/virt-qemu-sev-validate | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/tools/virt-qemu-sev-validate b/tools/virt-qemu-sev-validate
index 209f19a4a8..c279741004 100755
--- a/tools/virt-qemu-sev-validate
+++ b/tools/virt-qemu-sev-validate
@@ -1054,6 +1054,11 @@ class LibvirtConfidentialVM(ConfidentialVM):
raise InsecureUsageException(
"Using CPU SKU from capabilities is not secure")
+ mode = doc.xpath("/domain/cpu/@mode")
+ if mode != "host-passthrough":
+ raise UnsupportedUsageException(
+ "Using CPU family/model/stepping from host not possible unless
'host-passthrough' is used")
+
sig = capsdoc.xpath("/capabilities/host/cpu/signature")
if len(sig) != 1:
raise UnsupportedUsageException(
--
2.41.0
Reviewed-by: Erik Skultety <eskultet(a)redhat.com>
7:52 a.m.
New subject: [libvirt PATCH 2/2] tools: fix VMSA construction with explicit CPU family/model/stepping
If the CPU family/model/stepping are provided on the command line, but
the firmware is being automatically extracted from the libvirt guest,
we try to build the VMSA too early. This leads to an exception trying
to parse the firmware that has not been loaded yet. We must delay
building the VMSA in that scenario.
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
tools/virt-qemu-sev-validate | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/tools/virt-qemu-sev-validate b/tools/virt-qemu-sev-validate
index c279741004..67edbd085f 100755
--- a/tools/virt-qemu-sev-validate
+++ b/tools/virt-qemu-sev-validate
@@ -940,7 +940,7 @@ class LibvirtConfidentialVM(ConfidentialVM):
"kernel/initrd/cmdline not provided but kernel "
"measurement is enabled")
- def load_domain(self, uri, id_name_uuid, secure, ignore_config):
+ def load_domain(self, uri, id_name_uuid, build_vmsa, secure, ignore_config):
self.conn = libvirt.open(uri)
remote = socket.getfqdn() != self.conn.getHostname()
@@ -1049,7 +1049,7 @@ class LibvirtConfidentialVM(ConfidentialVM):
capsxml = self.conn.getCapabilities()
capsdoc = etree.fromstring(capsxml)
- if self.is_sev_es() and self.vmsa_cpu0 is None:
+ if self.is_sev_es() and build_vmsa:
if secure:
raise InsecureUsageException(
"Using CPU SKU from capabilities is not secure")
@@ -1263,17 +1263,19 @@ def attest(args):
if args.vmsa_cpu1 is not None:
cvm.load_vmsa_cpu1(args.vmsa_cpu1)
- if args.cpu_family is not None:
- cvm.build_vmsas(args.cpu_family,
- args.cpu_model,
- args.cpu_stepping)
-
if args.domain is not None:
+ build_vmsa = args.vmsa_cpu0 is None and args.cpu_family is None
cvm.load_domain(args.connect,
args.domain,
+ build_vmsa,
not args.insecure,
args.ignore_config)
+ if args.cpu_family is not None:
+ cvm.build_vmsas(args.cpu_family,
+ args.cpu_model,
+ args.cpu_stepping)
+
cvm.attest()
if not args.quiet:
print("OK: Looks good to me")
--
2.41.0
4:01 a.m.
New subject: [libvirt PATCH 2/2] tools: fix VMSA construction with explicit CPU family/model/stepping
On Fri, Aug 25, 2023 at 13:52:58 +0100, Daniel P. Berrangé wrote:
If the CPU family/model/stepping are provided on the command line,
but
the firmware is being automatically extracted from the libvirt guest,
we try to build the VMSA too early. This leads to an exception trying
to parse the firmware that has not been loaded yet. We must delay
building the VMSA in that scenario.
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
tools/virt-qemu-sev-validate | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
Reviewed-by: Peter Krempa <pkrempa(a)redhat.com>
4:06 a.m.
New subject: [libvirt PATCH 2/2] tools: fix VMSA construction with explicit CPU family/model/stepping
On Fri, Aug 25, 2023 at 01:52:58PM +0100, Daniel P. Berrangé wrote:
If the CPU family/model/stepping are provided on the command line,
but
the firmware is being automatically extracted from the libvirt guest,
we try to build the VMSA too early. This leads to an exception trying
to parse the firmware that has not been loaded yet. We must delay
building the VMSA in that scenario.
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
Reviewed-by: Erik Skultety <eskultet(a)redhat.com>
3:35 a.m.
ping, I'd like these bug fixes in the forthcoming release this
week.
On Fri, Aug 25, 2023 at 01:52:56PM +0100, Daniel P. Berrangé wrote:
Daniel P. Berrangé (2):
tools: fix handling of CPU family/model/stepping in SEV validation
tools: fix VMSA construction with explicit CPU family/model/stepping
tools/virt-qemu-sev-validate | 21 ++++++++++++++-------
1 file changed, 14 insertions(+), 7 deletions(-)
--
2.41.0
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
451
days inactive
455
days old
7 comments
3 participants
participants (3)
-
Daniel P. Berrangé -
Erik Skultety -
Peter Krempa