[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: SEV guest attestation

From: Dr. David Alan Gilbert
Subject: Re: SEV guest attestation
Date: Wed, 24 Nov 2021 17:49:47 +0000
User-agent: Mutt/2.0.7 (2021-05-04)

* Tyler Fanelli (tfanelli@redhat.com) wrote:
> Hi,
> We recently discussed a way for remote SEV guest attestation through QEMU.
> My initial approach was to get data needed for attestation through different
> QMP commands (all of which are already available, so no changes required
> there), deriving hashes and certificate data; and collecting all of this
> into a new QMP struct (SevLaunchStart, which would include the VM's policy,
> secret, and GPA) which would need to be upstreamed into QEMU. Once this is
> provided, QEMU would then need to have support for attestation before a VM
> is started. Upon speaking to Dave about this proposal, he mentioned that
> this may not be the best approach, as some situations would render the
> attestation unavailable, such as the instance where a VM is running in a
> cloud, and a guest owner would like to perform attestation via QMP (a likely
> scenario), yet a cloud provider cannot simply let anyone pass arbitrary QMP
> commands, as this could be an issue.
> So I ask, does anyone involved in QEMU's SEV implementation have any input
> on a quality way to perform guest attestation? If so, I'd be interested.
> Thanks.

QMP is the right way to talk to QEMU; the question is whether something
sits between qemu and the attestation program - e.g. libvirt or possibly
subsequently something even higher level.

Can we start by you putting down what your interfaces look like at the


> Tyler.
> -- 
> Tyler Fanelli (tfanelli)
Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK

reply via email to

[Prev in Thread] Current Thread [Next in Thread]