On Fri, Oct 14, 2022 at 11:11:08AM +0800, 贺培轩 wrote:
> Hello,
> I'm new to libvirt. I have tried to launch a sev vm with secret
> injection recently, and I found the command domsetlaunchsecstate is what I
> need. But I had some problems making it work. Here is what I did to use
> this command.
> 1. run command: virsh create sev-guest.xml
> 2. create secret header file and secret file.
> 3. run command: virsh domsetlaunchsecstate sev-guest-1 --secrethdr <hdr-filename> --secret <secret-filename> .
> But it will report this error: SEV: not in correct state.
> I think it is because the vm is not in a paused state. So how can I launch
> a sev vm which is in a paused state? How should I revise my xml file?
Just pass the --paused flag, e.g.
$ virsh create --paused sev-guest.xml
Note that before injecting secrets into the guest, you would want to
perform an attestation to validate that the boot measurement is what is
expected.
https://listman.redhat.com/archives/libvir-list/2022-October/234729.html
The next release of libvirt is likely to include a script which
handles the attestation and can inject a secret when it succeeds:
https://gitlab.com/berrange/libvirt/-/blob/lgtm-vm/tools/virt-qemu-sev-va...
See docs showing usage here:
https://gitlab.com/berrange/libvirt/-/blob/lgtm-vm/docs/manpages/virt-qem...
This script is hardcoded to inject a LUKS disk secret, as defined
by the OVMF amdsev build flavour. I'm curious what kind of secret
you are wanting to inject, and whether our tool needs extending
to cope with other secrets besides the disk.
> The sev-guest.xml I use is as follows:
> <domain type="kvm">
>   <name>sev-guest-1</name>
>   <uuid>d50a4205-40e0-4482-b0dc-f26bb4a1a9ff</uuid>
>   <metadata>
>     <libosinfo:libosinfo xmlns:libosinfo="http://libosinfo.org/xmlns/libvirt/domain/1.0">
>       <libosinfo:os id="http://ubuntu.com/ubuntu/16.04"/>
>     </libosinfo:libosinfo>
>   </metadata>
>   <memory>4194304</memory>
>   <currentMemory>4194304</currentMemory>
>   <memtune>
>     <hard_limit>4563402</hard_limit>
>   </memtune>
>   <vcpu>32</vcpu>
>   <cpu mode='custom' match='exact' check='partial'>
>     <model fallback='forbid'>EPYC</model>
>   </cpu>
>   <os>
>     <type arch="x86_64" machine="q35">hvm</type>
>     <loader readonly="yes" type="pflash">/data01/OVMF.fd</loader>
>     <nvram template="/data01/OVMF.fd">/var/lib/libvirt/qemu/nvram/sev-guest-1_VARS.fd</nvram>
For use with SEV, if you want to perform attestation prior
to injecting a disk secret, then use of a stateless
firmware (i.e. no NVRAM) is strongly recommended, otherwise
the NVRAM can be used to undermine the integrity of the
guest from a malicious host.
With regards,
Daniel
--
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
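As an added example (not code from this thread or from the linked libvirt script), the measurement check Daniel recommends before injecting a secret: recompute the SEV launch measurement from the firmware image, the policy, the platform's API/build numbers, the nonce and the guest owner's TIK, and compare it with what `virsh domlaunchsecinfo` reports. The HMAC layout follows the LAUNCH_MEASURE definition in the AMD SEV API spec and the 48-byte MAC-plus-nonce encoding and field names are those QEMU and virsh use; the platform report, firmware bytes and TIK here are constructed stand-ins.

```python
import base64
import hashlib
import hmac
import os

def parse_launchsecinfo(text):
    """Parse `virsh domlaunchsecinfo` output: one 'key : value' line per field."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            info[key.strip()] = value.strip()
    return info

def expected_measurement(api_major, api_minor, build, policy, firmware, nonce, tik):
    """LAUNCH_MEASURE from the AMD SEV API spec (plain SEV, no SEV-ES VMSA): HMAC-SHA256 over
    0x04 || API_MAJOR || API_MINOR || BUILD || POLICY (LE32) || SHA-256(firmware) || MNONCE, keyed with TIK."""
    msg = (bytes([0x04, api_major, api_minor, build]) + policy.to_bytes(4, "little")
           + hashlib.sha256(firmware).digest() + nonce)
    return hmac.new(tik, msg, hashlib.sha256).digest()

def measurement_matches(info, firmware, tik):
    """True only if the platform MAC equals the guest owner's recomputation.
    QEMU reports 48 bytes: the 32-byte MAC followed by the 16-byte platform nonce."""
    blob = base64.b64decode(info["sev-measurement"])
    if len(blob) != 48:
        return False
    mac, nonce = blob[:32], blob[32:]
    expected = expected_measurement(
        int(info["sev-api-major"]), int(info["sev-api-minor"]), int(info["sev-build-id"]),
        int(info["sev-policy"]), firmware, nonce, tik)
    return hmac.compare_digest(mac, expected)

def fake_platform_report(firmware, tik):
    """Constructed stand-in for the SEV firmware: emits domlaunchsecinfo-style text."""
    nonce = os.urandom(16)
    mac = expected_measurement(1, 51, 3, 3, firmware, nonce, tik)
    return ("sev-measurement     : %s\n" % base64.b64encode(mac + nonce).decode()
            + "sev-api-major       : 1\nsev-api-minor       : 51\nsev-build-id        : 3\nsev-policy          : 3\n")

def demo():
    firmware = b"constructed stand-in for the stateless OVMF.fd bytes"
    tik = os.urandom(16)  # guest owner's transport integrity key (constructed)
    info = parse_launchsecinfo(fake_platform_report(firmware, tik))
    genuine = measurement_matches(info, firmware, tik)
    # A host that booted modified firmware cannot match the owner's recomputation.
    swapped = measurement_matches(info, firmware + b"\x00", tik)
    return genuine, swapped
```

Only when this check passes against the real report should `virsh domsetlaunchsecstate` inject the secret and `virsh resume` release the paused guest.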