[PATCH 0/2] tools: A few small fixes for virt-qemu-sev-validate

See patches for details.

Jim Fehlig (2):
  docs: Fix examples in virt-qemu-sev-validate man page
  tools: Fix detection of remote libvirt access in virt-qemu-sev-validate

 docs/manpages/virt-qemu-sev-validate.rst | 24 ++++++++++++------------
 tools/virt-qemu-sev-validate             |  2 +-
 2 files changed, 13 insertions(+), 13 deletions(-)

-- 
2.38.1

Some of the examples refer to virt-dom-sev-validate. Replace them with the proper name. Signed-off-by: Jim Fehlig <jfehlig@suse.com> --- docs/manpages/virt-qemu-sev-validate.rst | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/docs/manpages/virt-qemu-sev-validate.rst b/docs/manpages/virt-qemu-sev-validate.rst index fcbe84b0ee..9eff387aea 100644 --- a/docs/manpages/virt-qemu-sev-validate.rst +++ b/docs/manpages/virt-qemu-sev-validate.rst @@ -257,7 +257,7 @@ Validate the measurement of a SEV guest with direct kernel boot: :: - # virt-dom-sev-validate \ + # virt-qemu-sev-validate \ --firmware OVMF.sev.fd \ --kernel vmlinuz-5.11.12 \ --initrd initramfs-5.11.12 \ @@ -273,7 +273,7 @@ Validate the measurement of a SEV-ES SMP guest booting from disk: :: - # virt-dom-sev-validate \ + # virt-qemu-sev-validate \ --firmware OVMF.sev.fd \ --num-cpus 2 \ --vmsa-cpu0 vmsa0.bin \ @@ -290,7 +290,7 @@ automatically constructed VMSA: :: - # virt-dom-sev-validate \ + # virt-qemu-sev-validate \ --firmware OVMF.sev.fd \ --num-cpus 2 \ --cpu-family 23 \ @@ -308,7 +308,7 @@ inject a disk password on success: :: - # virt-dom-sev-validate \ + # virt-qemu-sev-validate \ --loader OVMF.sev.fd \ --tk this-guest-tk.bin \ --measurement Zs2pf19ubFSafpZ2WKkwquXvACx9Wt/BV+eJwQ/taO8jhyIj/F8swFrybR1fZ2ID \ @@ -347,7 +347,7 @@ Validate the measurement of a SEV guest with direct kernel boot: :: - # virt-dom-sev-validate \ + # virt-qemu-sev-validate \ --connect qemu+ssh://root@some.remote.host/system \ --firmware OVMF.sev.fd \ --kernel vmlinuz-5.11.12 \ @@ -360,7 +360,7 @@ Validate the measurement of a SEV-ES SMP guest booting from disk: :: - # virt-dom-sev-validate \ + # virt-qemu-sev-validate \ --connect qemu+ssh://root@some.remote.host/system \ --firmware OVMF.sev.fd \ --num-cpus 2 \ 
@@ -374,7 +374,7 @@ automatically constructed VMSA: :: - # virt-dom-sev-validate \ + # virt-qemu-sev-validate \ --connect qemu+ssh://root@some.remote.host/system \ --firmware OVMF.sev.fd \ --cpu-family 23 \ @@ -388,7 +388,7 @@ inject a disk password on success: :: - # virt-dom-sev-validate \ + # virt-qemu-sev-validate \ --connect qemu+ssh://root@some.remote.host/system \ --loader OVMF.sev.fd \ --tk this-guest-tk.bin \ @@ -419,7 +419,7 @@ Validate the measurement of a SEV guest with direct kernel boot: :: - # virt-dom-sev-validate \ + # virt-qemu-sev-validate \ --insecure \ --tk this-guest-tk.bin \ --domain fedora34x86_64 @@ -428,7 +428,7 @@ Validate the measurement of a SEV-ES SMP guest booting from disk: :: - # virt-dom-sev-validate \ + # virt-qemu-sev-validate \ --insecure \ --vmsa-cpu0 vmsa0.bin \ --vmsa-cpu1 vmsa1.bin \ @@ -440,7 +440,7 @@ automatically constructed VMSA: :: - # virt-dom-sev-validate \ + # virt-qemu-sev-validate \ --insecure \ --tk this-guest-tk.bin \ --domain fedora34x86_64 @@ -450,7 +450,7 @@ inject a disk password on success: :: - # virt-dom-sev-validate \ + # virt-qemu-sev-validate \ --insecure \ --tk this-guest-tk.bin \ --domain fedora34x86_64 \ -- 2.38.1
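Review bot: The examples touched at @@ -308 and @@ -388 pass the firmware image as `--loader OVMF.sev.fd`, while every other example in this file uses `--firmware OVMF.sev.fd` for the same file. Since this patch already corrects the command name in each of these blocks, it is worth checking which option spelling the tool accepts and making the examples consistent in the same pass, otherwise two of the corrected examples may still fail when copied.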

The VM's firmware path is not extracted from the XML when invoking virt-qemu-sev-validate in insecure mode and connecting to the local libvirt virt-qemu-sev-validate --insecure --tk tek-tik.bin --domain test-sev-es ERROR: Cannot access firmware path remotely The test for remote access compares the return value from socket.gethostname() to the return value from conn.getHostname(). The former doesn't always return the fqdn, whereas the latter does. Use socket.getfqdn() instead. Signed-off-by: Jim Fehlig <jfehlig@suse.com> --- Optionally only compare hostnames and not fqdn? tools/virt-qemu-sev-validate | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/virt-qemu-sev-validate b/tools/virt-qemu-sev-validate index 3d8b292fef..7a8c3205e7 100755 --- a/tools/virt-qemu-sev-validate +++ b/tools/virt-qemu-sev-validate @@ -942,7 +942,7 @@ class LibvirtConfidentialVM(ConfidentialVM): def load_domain(self, uri, id_name_uuid, secure, ignore_config): self.conn = libvirt.open(uri) - remote = socket.gethostname() != self.conn.getHostname() + remote = socket.getfqdn() != self.conn.getHostname() if not remote and secure: raise InsecureUsageException( "running locally on the hypervisor host is not secure") -- 2.38.1
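Review bot: In load_domain() the value of `remote` is still decided by an exact string comparison, now `socket.getfqdn() != self.conn.getHostname()`, and `remote` is what gates the InsecureUsageException on the following line. socket.getfqdn() depends on the local resolver and hosts configuration and falls back to the short hostname when no qualified name is found, so a local connection can still compare unequal. In that case a secure-mode run on the hypervisor host is treated as remote and the "running locally on the hypervisor host is not secure" check does not fire, while --insecure users keep hitting "Cannot access firmware path remotely". Consider normalizing both sides before comparing (case folding, or the hostname-only comparison raised after the `---`), and add a comment stating which name form each call is expected to return.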

On Thu, Feb 02, 2023 at 11:24:58AM -0700, Jim Fehlig wrote:
> See patches for details.
>
> Jim Fehlig (2):
>   docs: Fix examples in virt-qemu-sev-validate man page
>   tools: Fix detection of remote libvirt access in virt-qemu-sev-validate
>
>  docs/manpages/virt-qemu-sev-validate.rst | 24 ++++++++++++------------
>  tools/virt-qemu-sev-validate             |  2 +-
>  2 files changed, 13 insertions(+), 13 deletions(-)

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|