From: Markus Armbruster
Subject: Re: [PATCH v3 36/49] i386/sev: Add KVM_EXIT_VMGEXIT handling for Extended Guest Requests
Date: Mon, 22 Apr 2024 17:02:35 +0200
User-agent: Gnus/5.13 (Gnus v5.13)
Michael Roth <michael.roth@amd.com> writes:
> The GHCB specification[1] defines a VMGEXIT-based Guest Request
> hypercall to allow an SNP guest to issue encrypted requests directly to
> SNP firmware to do things like query the attestation report for the
> guest. These are generally handled purely in the kernel.
>
> In some cases, it's useful for the host to be able to additionally
> supply the certificate chain for the signing key that SNP firmware uses
> to sign these attestation reports. To allow for this, the GHCB specification
> defines an Extended Guest Request where this certificate data can be
> provided in a special format described in the GHCB spec. This
> certificate data may be global or guest-specific depending on how the
> guest was configured. Rather than providing interfaces to manage these
> within the kernel, KVM handles this by forwarding the Extended Guest
> Requests on to userspace so the certificate data can be provided in the
> expected format.
>
> Add a certs-path parameter to the sev-snp-guest object so that it can
> be used to inject any certificate data into these Extended Guest
> Requests.
>
> Signed-off-by: Michael Roth <michael.roth@amd.com>
> ---
> qapi/qom.json | 7 +++-
> target/i386/sev.c | 85 +++++++++++++++++++++++++++++++++++++++++++++++
> 2 files changed, 91 insertions(+), 1 deletion(-)
>
> diff --git a/qapi/qom.json b/qapi/qom.json
> index b25a3043da..7ba778af91 100644
> --- a/qapi/qom.json
> +++ b/qapi/qom.json
> @@ -957,6 +957,10 @@
> # SNP_LAUNCH_FINISH command in the SEV-SNP firmware ABI
> # (default: all-zero)
> #
> +# @certs-path: path to certificate data that can be passed to guests via
> +# SNP Extended Guest Requests. File should be in the format
> +# described in the GHCB specification. (default: none)
Is this a filename, or is it a search path of sorts?
> +#
> # Since: 7.2
> ##
> { 'struct': 'SevSnpGuestProperties',
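Review bot: the @certs-path doc comment in this hunk leaves the value's nature unclear; "path to certificate data" reads like a directory or search path, while the next sentence ("File should be in the format described in the GHCB specification") implies a single file. Suggest saying so directly, e.g. "@certs-path: filename of a file holding certificate data, in the format described in the GHCB specification, to be passed to guests via SNP Extended Guest Requests", and state what the guest receives when the member is absent instead of the bare "(default: none)". A pointer to the relevant GHCB section would also help anyone producing such a file.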
> @@ -967,7 +971,8 @@
> '*id-block': 'str',
> '*id-auth': 'str',
> '*auth-key-enabled': 'bool',
> - '*host-data': 'str' } }
> + '*host-data': 'str',
> + '*certs-path': 'str' } }
>
> ##
> # @ThreadContextProperties:
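Review bot: the new member is correctly marked optional ('*certs-path'), matching the doc hunk's "(default: none)". The struct's doc block says "Since: 7.2"; if this member lands in a release after the one that introduced SevSnpGuestProperties, its doc line needs its own "(since X.Y)" tag, as QAPI requires for members added to an existing struct.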
[...]
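The commit message above says the certificate data must be in the GHCB specification's format but does not spell that format out, and the target/i386/sev.c hunk that would read the file is snipped from this reply. As an added example (my own code, not QEMU's and not part of the patch), here is a bounds-checking validator for that format, following the layout I know from the GHCB spec: a table of {16-byte GUID, u32 offset, u32 length} entries terminated by an all-zero GUID, with offsets measured from the start of the table and the certificate blobs following it. The GUIDs and certificate bytes are constructed placeholders and the function names are mine. Whatever consumes certs-path on the host should run checks of this kind before copying the bytes into a guest-supplied buffer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One on-the-wire entry of the SNP certificate table (layout per GHCB spec). */
typedef struct {
    uint8_t  guid[16];
    uint32_t offset;   /* from the start of the table */
    uint32_t length;
} cert_table_entry;

_Static_assert(sizeof(cert_table_entry) == 24, "entry must be 24 bytes");

static bool guid_is_zero(const uint8_t guid[16])
{
    static const uint8_t zero[16] = {0};
    return memcmp(guid, zero, 16) == 0;
}

/*
 * Validate a certificate table held in buf[0..len).  Returns the number of
 * certificates, or -1 if the table is malformed: no terminator, zero-length
 * entry, a blob that overlaps the table, or a blob running past the buffer.
 */
int snp_certs_validate(const uint8_t *buf, size_t len)
{
    size_t table_end = 0, n = 0;
    cert_table_entry e;

    /* Pass 1: walk to the all-zero terminator to learn where the table ends. */
    for (;;) {
        if (len - table_end < sizeof e) {
            return -1;                          /* ran off the end */
        }
        memcpy(&e, buf + table_end, sizeof e);
        table_end += sizeof e;
        if (guid_is_zero(e.guid)) {
            break;
        }
        n++;
    }
    /* Pass 2: every blob must lie after the table and inside the buffer. */
    for (size_t i = 0; i < n; i++) {
        memcpy(&e, buf + i * sizeof e, sizeof e);
        if (e.length == 0 || e.offset < table_end ||
            (uint64_t)e.offset + e.length > len) {
            return -1;
        }
    }
    return (int)n;
}

/* Build a table from n blobs into out[0..cap); returns bytes written, 0 if too small. */
size_t snp_certs_build(uint8_t *out, size_t cap, const uint8_t (*guids)[16],
                       const uint8_t *const *blobs, const size_t *lens, size_t n)
{
    size_t table_size = (n + 1) * sizeof(cert_table_entry), off = table_size;
    cert_table_entry e;

    for (size_t i = 0; i < n; i++) {
        off += lens[i];
    }
    if (off > cap || off > UINT32_MAX) {
        return 0;
    }
    memset(out, 0, table_size);                 /* also writes the terminator */
    off = table_size;
    for (size_t i = 0; i < n; i++) {
        memcpy(e.guid, guids[i], 16);
        e.offset = (uint32_t)off;
        e.length = (uint32_t)lens[i];
        memcpy(out + i * sizeof e, &e, sizeof e);
        memcpy(out + off, blobs[i], lens[i]);
        off += lens[i];
    }
    return off;
}

/* Constructed sample data: placeholder GUIDs and stand-in certificate bytes. */
static const uint8_t sample_guids[2][16] = {
    {0xa1,0xa1,0xa1,0xa1,0xa1,0xa1,0xa1,0xa1,0xa1,0xa1,0xa1,0xa1,0xa1,0xa1,0xa1,0xa1},
    {0xb2,0xb2,0xb2,0xb2,0xb2,0xb2,0xb2,0xb2,0xb2,0xb2,0xb2,0xb2,0xb2,0xb2,0xb2,0xb2},
};
static const uint8_t cert_a[] = "CERT-A-PLACEHOLDER";         /* 19 bytes */
static const uint8_t cert_b[] = "CERT-B-PLACEHOLDER-LONGER";  /* 26 bytes */

static size_t build_sample(uint8_t *buf, size_t cap)
{
    const uint8_t *blobs[2] = { cert_a, cert_b };
    const size_t lens[2] = { sizeof cert_a, sizeof cert_b };
    return snp_certs_build(buf, cap, sample_guids, blobs, lens, 2);
}

int demo_valid(void)                 /* well-formed table: 2 certificates */
{
    uint8_t buf[256];
    return snp_certs_validate(buf, build_sample(buf, sizeof buf));
}

int demo_offset_inside_table(void)   /* entry 0 points back into the table: -1 */
{
    uint8_t buf[256];
    size_t n = build_sample(buf, sizeof buf);
    uint32_t bad = 0;
    memcpy(buf + offsetof(cert_table_entry, offset), &bad, sizeof bad);
    return snp_certs_validate(buf, n);
}

int demo_length_past_end(void)       /* entry 1 claims a length beyond the buffer: -1 */
{
    uint8_t buf[256];
    size_t n = build_sample(buf, sizeof buf);
    uint32_t bad = UINT32_MAX;
    memcpy(buf + sizeof(cert_table_entry) + offsetof(cert_table_entry, length),
           &bad, sizeof bad);
    return snp_certs_validate(buf, n);
}

int demo_truncated(void)             /* buffer cut before the terminator: -1 */
{
    uint8_t buf[256];
    build_sample(buf, sizeof buf);
    return snp_certs_validate(buf, sizeof(cert_table_entry));
}

int main(void)
{
    printf("valid=%d inside=%d past=%d trunc=%d\n", demo_valid(),
           demo_offset_inside_table(), demo_length_past_end(), demo_truncated());
    return 0;
}
```

The two-pass structure matters: the table's own size is not known until the terminator is found, and only then can an entry's offset be checked against it, which is what catches a blob that aliases the table itself.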