qemu-devel

Re: adding 'official' way to dump SEV VMSA


From: Dov Murik
Subject: Re: adding 'official' way to dump SEV VMSA
Date: Thu, 14 Apr 2022 11:19:35 +0300
User-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.8.0

Hi Cole,

On 13/04/2022 16:36, Cole Robinson wrote:
> Hi all,
> 
> SEV-ES and SEV-SNP attestation require a copy of the initial VMSA to
> validate the launch measurement. For developers dipping their toe into
> SEV-* work, the easiest way to get sample VMSA data for their machine is
> to grab it from a running VM.
> 
> There are two techniques I've seen for that: patch some printing into
> kernel __sev_launch_update_vmsa, or use systemtap like danpb's script
> here: https://gitlab.com/berrange/libvirt/-/blob/lgtm/scripts/sev-vmsa.stp
> 
> Seems like this could be friendlier though. I'd like to work on this if
> others agree.
> 
> Some ideas I've seen mentioned in passing:
> 
> - debugfs entry in /sys/kernel/debug/kvm/.../vcpuX/
> - new KVM ioctl
> - something with tracepoints
> - some kind of dump in dmesg that doesn't require a patch
> 
> Thoughts?


Brijesh suggested to me to construct the VMSA without getting any info from
the host (except number of vcpus), because the initial state of the vcpus
is standard and known if you use QEMU and OVMF (but that's open for discussion).

I took his approach (thanks Brijesh!) and now it's how we calculate expected
SNP measurements in sev-snp-measure [1].  The relevant part for VMSA construction
is in [2].

I plan to add SEV-ES and SEV measurements calculation to this library/program
as well.


[1] https://github.com/IBM/sev-snp-measure
[2] https://github.com/IBM/sev-snp-measure/blob/main/sevsnpmeasure/vmsa.py

-Dov
