[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: SEV guest attestation

From: Tyler Fanelli
Subject: Re: SEV guest attestation
Date: Wed, 24 Nov 2021 13:29:36 -0500
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.2.0

On 11/24/21 12:49 PM, Dr. David Alan Gilbert wrote:
* Tyler Fanelli (tfanelli@redhat.com) wrote:

We recently discussed a way for remote SEV guest attestation through QEMU.
My initial approach was to get data needed for attestation through different
QMP commands (all of which are already available, so no changes required
there), deriving hashes and certificate data; and collecting all of this
into a new QMP struct (SevLaunchStart, which would include the VM's policy,
secret, and GPA) which would need to be upstreamed into QEMU. Once this is
provided, QEMU would then need to have support for attestation before a VM
is started. Upon speaking to Dave about this proposal, he mentioned that
this may not be the best approach, as some situations would render the
attestation unavailable, such as the instance where a VM is running in a
cloud, and a guest owner would like to perform attestation via QMP (a likely
scenario), yet a cloud provider cannot simply let anyone pass arbitrary QMP
commands, as this could be an issue.

So I ask, does anyone involved in QEMU's SEV implementation have any input
on a quality way to perform guest attestation? If so, I'd be interested.
QMP is the right way to talk to QEMU; the question is whether something
sits between qemu and the attestation program - e.g. libvirt or possibly
subsequently something even higher level.

Can we start by you putting down what your interfaces look like at the

Basically, I just establish a connection with a QMP socket at the beginning, serialize different QMP structs to get the data I need (query-sev, query-sev-capabilities, etc..), get the results and deserialize that data. In the original attempt, I would keep this protocol for issuing "sev-launch-start", "sev-inject-secret", and others. From a mgmt app perspective (in my case, I'm looking at it from a sevctl perspective), it's relatively straightforward. Any work required for getting certificates, sessions, measurements, and OVMF data is handled by sevctl.



Tyler Fanelli (tfanelli)

reply via email to

[Prev in Thread] Current Thread [Next in Thread]