|
From: | Janosch Frank |
Subject: | Re: [PATCH] target/s390x/kvm/pv: Provide some more useful information if decryption fails |
Date: | Tue, 9 Jan 2024 16:36:06 +0100 |
User-agent: | Mozilla Thunderbird |
On 1/9/24 15:52, Thomas Huth wrote:
On 09/01/2024 15.42, Daniel P. Berrangé wrote:On Tue, Jan 09, 2024 at 03:30:38PM +0100, Thomas Huth wrote:It's a common scenario to copy guest images from one host to another to run the guest on the other machine. This (of course) does not work with "secure exection" guests since they are encrypted with one certain host key. However, if you still (accidentally) do it, you only get a very user-unfriendly error message that looks like this:Not a comment on the patch, but my own interest how/where does the disk image encryption/decryption happen ? Is that in guest kernel context, and any info on what format the encryption uses ?There is an "ultravisor" (part of the host firmware) that takes care of the decryption. See e.g. Claudio's talk here: https://www.youtube.com/watch?v=J2YibrLfB4s
And here's the tool that creates the encrypted image: https://github.com/ibm-s390-linux/s390-tools/tree/master/genprotimg If I remember correctly the image should be aes-256-xts. The SE header (that contains the image key) should be aes-256-gcm.The header has keyslots so each machine the VM is allowed to run on can unwrap the header independently.
Adding Marc to keep me honest here since he wrote genprotimg.
[Prev in Thread] | Current Thread | [Next in Thread] |