[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Interactive launch over QMP socket?

From: Kevin Wolf
Subject: Re: Interactive launch over QMP socket?
Date: Mon, 22 Feb 2021 12:40:07 +0100

Am 10.02.2021 um 19:01 hat Connor Kuehl geschrieben:
> Hello,
> Does QEMU have an internal API which would allow VM construction to wait at
> a *very specific point* until specific data/QMP message(s) are supplied via
> the QMP socket?
> For some additional context: QEMU supports launching AMD SEV-protected
> guests; in short: encrypted virtual machines. Guest owners may participate
> in attestation to cryptographically verify their assumptions about the
> guest's initial state, the host's platform, and the host platform owner's
> identity. If the guest owner is satisfied with the attestation process, a
> secret can be safely injected into the guest's address space over a secure
> channel.
> Attestation is an unavoidably interactive process.
> It appears that QEMU already exposes most of the API required to perform
> this attestation remotely with a guest owner over QMP, with only one
> exception: starting the attestation session. It looks like the session
> components (policy, session-file, and dh-cert-file) are supplied via command
> line arguments to QEMU and don't have a message type in the QMP spec:
>       -object 
> sev-guest,id=sev0,cbitpos=47,reduced-phys-bits=1,policy=0x1,session-file=blah.session,dh-cert-file=guest_owner.cert
> I would like to add a message type to QMP which allows guest owners to
> supply this data over a socket and _not_ require these components a priori
> via command line arguments.

I don't think you need a new QMP command for this. If you would use
-object on the command line, you can use QMP object-add at runtime.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]