[libvirt] [PATCH 0/2] AMD SEV: Relabel session data under /var/lib/libvirt

If a user tries to pass the optional "dhCert" or "session" data to the SEV firmware, these are in the form of base64-encoded strings which libvirt then takes and creates files with those strings as content under /var/lib/libvirt/qemu/<domain>. Libvirt then puts the paths to these files onto the QEMU cmdline. QEMU then uses these files within its communication with the SEV firmware, provided it has access to those files.

https://bugzilla.redhat.com/show_bug.cgi?id=1658112

Erik Skultety (2):
  qemu: process: SEV: Assume libDir to be the directory to create files in
  qemu: process: SEV: Relabel guest owner's SEV files created before start

 src/qemu/qemu_process.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

-- 
2.19.2

Since SEV operates on a per domain basis, it's very likely that all SEV launch-related data will be created under /var/lib/libvirt/qemu/<domain_name>. Therefore, when calling into qemuProcessSEVCreateFile we can assume @libDir as the directory prefix rather than passing it explicitly. Signed-off-by: Erik Skultety <eskultet@redhat.com> --- src/qemu/qemu_process.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c index 2f8e19d29d..db3c095f09 100644 --- a/src/qemu/qemu_process.c +++ b/src/qemu/qemu_process.c @@ -6040,14 +6040,15 @@ qemuProcessPrepareDomain(virQEMUDriverPtr driver, static int -qemuProcessSEVCreateFile(const char *configDir, +qemuProcessSEVCreateFile(virDomainObjPtr vm, const char *name, const char *data) { + qemuDomainObjPrivatePtr priv = vm->privateData; char *configFile; int ret = -1; - if (!(configFile = virFileBuildPath(configDir, name, ".base64"))) + if (!(configFile = virFileBuildPath(priv->libDir, name, ".base64"))) return -1; if (virFileRewriteStr(configFile, S_IRUSR | S_IWUSR, data) < 0) { @@ -6084,12 +6085,12 @@ qemuProcessPrepareSEVGuestInput(virDomainObjPtr vm) } if (sev->dh_cert) { - if (qemuProcessSEVCreateFile(priv->libDir, "dh_cert", sev->dh_cert) < 0) + if (qemuProcessSEVCreateFile(vm, "dh_cert", sev->dh_cert) < 0) return -1; } if (sev->session) { - if (qemuProcessSEVCreateFile(priv->libDir, "session", sev->session) < 0) + if (qemuProcessSEVCreateFile(vm, "session", sev->session) < 0) return -1; } -- 2.19.2
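Review bot: In the first hunk the function now derives its output directory from `vm->privateData`, yet nothing at the definition says so, and the local `configFile` is now a misleading name because the file is created under `priv->libDir`, not a config directory. Consider renaming it (e.g. `path`) and adding a one-line comment above `qemuProcessSEVCreateFile` stating that the `.base64` file is written into the domain's libDir with mode `S_IRUSR | S_IWUSR`, so the code and the commit message's /var/lib/libvirt/qemu/<domain_name> wording visibly agree.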

Before launching a SEV guest we take the base64-encoded guest owner's data specified in launchSecurity and create files with the same content under /var/lib/libvirt/qemu/<domain>. The reason for this is that we need to pass these files on to QEMU which then uses them to communicate with the SEV firmware, except when it doesn't have permissions to open those files since we don't relabel them. https://bugzilla.redhat.com/show_bug.cgi?id=1658112 Signed-off-by: Erik Skultety <eskultet@redhat.com> --- src/qemu/qemu_process.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c index db3c095f09..dd815f5b80 100644 --- a/src/qemu/qemu_process.c +++ b/src/qemu/qemu_process.c @@ -6045,6 +6045,7 @@ qemuProcessSEVCreateFile(virDomainObjPtr vm, const char *data) { qemuDomainObjPrivatePtr priv = vm->privateData; + virQEMUDriverPtr driver = priv->driver; char *configFile; int ret = -1; @@ -6057,6 +6058,9 @@ qemuProcessSEVCreateFile(virDomainObjPtr vm, goto cleanup; } + if (qemuSecurityDomainSetPathLabel(driver, vm, configFile, true) < 0) + goto cleanup; + ret = 0; cleanup: VIR_FREE(configFile); -- 2.19.2
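Review bot: In the second hunk, when `qemuSecurityDomainSetPathLabel` fails the code jumps to `cleanup`, which only does `VIR_FREE(configFile)`, so the `.base64` file that `virFileRewriteStr` wrote just above stays on disk without the intended label; either unlink `configFile` on that error path or state in the commit message that the domain's libDir teardown removes it. The bare `true` passed as the last argument also tells the reader nothing about what it enables; a short comment naming the parameter would help.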

On 12/11/18 3:43 PM, Erik Skultety wrote:
If a user tries to pass the optional "dhCert" or "session" data to the SEV firmware, these are in the form of base64-encoded strings which libvirt then takes and creates files with those strings as content under /var/lib/libvirt/qemu/<domain>. Libvirt then puts the paths to these files onto the QEMU cmdline. QEMU then uses these files within its communication with the SEV firmware, provided it has access to those files.
https://bugzilla.redhat.com/show_bug.cgi?id=1658112
Erik Skultety (2):
  qemu: process: SEV: Assume libDir to be the directory to create files in
  qemu: process: SEV: Relabel guest owner's SEV files created before start
src/qemu/qemu_process.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-)
ACK

Michal