qemu-devel

SEV guest attestation


From: Tyler Fanelli
Subject: SEV guest attestation
Date: Wed, 24 Nov 2021 11:34:16 -0500
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.2.0

Hi,

We recently discussed a way for remote SEV guest attestation through QEMU. My initial approach was to get data needed for attestation through different QMP commands (all of which are already available, so no changes required there), deriving hashes and certificate data, and collecting all of this into a new QMP struct (SevLaunchStart, which would include the VM's policy, secret, and GPA) which would need to be upstreamed into QEMU. Once this is provided, QEMU would then need to have support for attestation before a VM is started. Upon speaking to Dave about this proposal, he mentioned that this may not be the best approach, as some situations would render the attestation unavailable, such as the instance where a VM is running in a cloud, and a guest owner would like to perform attestation via QMP (a likely scenario), yet a cloud provider cannot simply let anyone pass arbitrary QMP commands, as this could be an issue.

So I ask, does anyone involved in QEMU's SEV implementation have any input on a quality way to perform guest attestation? If so, I'd be interested. Thanks.


Tyler.

--
Tyler Fanelli (tfanelli)



