From: Eduardo Habkost <ehabkost@redhat.com>
To: Brijesh Singh <brijesh.singh@amd.com>
Cc: qemu-devel@nongnu.org, armbru@redhat.com, dgilbert@redhat.com,
James Bottomley <jejb@linux.ibm.com>,
Tom Lendacky <Thomas.Lendacky@amd.com>,
Eric Blake <eblake@redhat.com>,
Paolo Bonzini <pbonzini@redhat.com>,
kvm@vger.kernel.org
Subject: Re: [PATCH v3] target/i386/sev: add support to query the attestation report
Date: Mon, 31 May 2021 16:01:16 -0400 [thread overview]
Message-ID: <20210531200116.phfr6vo3penynb4f@habkost.net> (raw)
In-Reply-To: <20210429170728.24322-1-brijesh.singh@amd.com>
On Thu, Apr 29, 2021 at 12:07:28PM -0500, Brijesh Singh wrote:
> The SEV FW >= 0.23 added a new command that can be used to query the
> attestation report containing the SHA-256 digest of the guest memory
> and VMSA encrypted with the LAUNCH_UPDATE and sign it with the PEK.
>
> Note, we already have a command (LAUNCH_MEASURE) that can be used to
> query the SHA-256 digest of the guest memory encrypted through the
> LAUNCH_UPDATE. The main difference between previous and this command
> is that the report is signed with the PEK and unlike the LAUNCH_MEASURE
> command the ATTESATION_REPORT command can be called while the guest
> is running.
>
> Add a QMP interface "query-sev-attestation-report" that can be used
> to get the report encoded in base64.
>
> Cc: James Bottomley <jejb@linux.ibm.com>
> Cc: Tom Lendacky <Thomas.Lendacky@amd.com>
> Cc: Eric Blake <eblake@redhat.com>
> Cc: Paolo Bonzini <pbonzini@redhat.com>
> Cc: kvm@vger.kernel.org
> Reviewed-by: James Bottomley <jejb@linux.ibm.com>
> Tested-by: James Bottomley <jejb@linux.ibm.com>
> Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
> ---
[...]
> + gsize len;
[...]
> + /* verify the input mnonce length */
> + if (len != sizeof(input.mnonce)) {
> + error_setg(errp, "SEV: mnonce must be %ld bytes (got %ld)",
> + sizeof(input.mnonce), len);
This breaks the build on i386. Failed CI job:
https://gitlab.com/ehabkost/qemu/-/jobs/1300032082
I'm applying the following fixup.
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
---
diff --git a/target/i386/sev.c b/target/i386/sev.c
index 12899a31736..0e135d56e53 100644
--- a/target/i386/sev.c
+++ b/target/i386/sev.c
@@ -517,7 +517,7 @@ sev_get_attestation_report(const char *mnonce, Error **errp)
/* verify the input mnonce length */
if (len != sizeof(input.mnonce)) {
- error_setg(errp, "SEV: mnonce must be %ld bytes (got %ld)",
+ error_setg(errp, "SEV: mnonce must be %ld bytes (got %" G_GSIZE_FORMAT ")",
sizeof(input.mnonce), len);
g_free(buf);
return NULL;
--
Eduardo
WARNING: multiple messages have this Message-ID (diff)
From: Eduardo Habkost <ehabkost@redhat.com>
To: Brijesh Singh <brijesh.singh@amd.com>
Cc: Tom Lendacky <Thomas.Lendacky@amd.com>,
kvm@vger.kernel.org, armbru@redhat.com,
James Bottomley <jejb@linux.ibm.com>,
qemu-devel@nongnu.org, dgilbert@redhat.com,
Paolo Bonzini <pbonzini@redhat.com>
Subject: Re: [PATCH v3] target/i386/sev: add support to query the attestation report
Date: Mon, 31 May 2021 16:01:16 -0400 [thread overview]
Message-ID: <20210531200116.phfr6vo3penynb4f@habkost.net> (raw)
In-Reply-To: <20210429170728.24322-1-brijesh.singh@amd.com>
On Thu, Apr 29, 2021 at 12:07:28PM -0500, Brijesh Singh wrote:
> The SEV FW >= 0.23 added a new command that can be used to query the
> attestation report containing the SHA-256 digest of the guest memory
> and VMSA encrypted with the LAUNCH_UPDATE and sign it with the PEK.
>
> Note, we already have a command (LAUNCH_MEASURE) that can be used to
> query the SHA-256 digest of the guest memory encrypted through the
> LAUNCH_UPDATE. The main difference between previous and this command
> is that the report is signed with the PEK and unlike the LAUNCH_MEASURE
> command the ATTESATION_REPORT command can be called while the guest
> is running.
>
> Add a QMP interface "query-sev-attestation-report" that can be used
> to get the report encoded in base64.
>
> Cc: James Bottomley <jejb@linux.ibm.com>
> Cc: Tom Lendacky <Thomas.Lendacky@amd.com>
> Cc: Eric Blake <eblake@redhat.com>
> Cc: Paolo Bonzini <pbonzini@redhat.com>
> Cc: kvm@vger.kernel.org
> Reviewed-by: James Bottomley <jejb@linux.ibm.com>
> Tested-by: James Bottomley <jejb@linux.ibm.com>
> Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
> ---
[...]
> + gsize len;
[...]
> + /* verify the input mnonce length */
> + if (len != sizeof(input.mnonce)) {
> + error_setg(errp, "SEV: mnonce must be %ld bytes (got %ld)",
> + sizeof(input.mnonce), len);
This breaks the build on i386. Failed CI job:
https://gitlab.com/ehabkost/qemu/-/jobs/1300032082
I'm applying the following fixup.
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
---
diff --git a/target/i386/sev.c b/target/i386/sev.c
index 12899a31736..0e135d56e53 100644
--- a/target/i386/sev.c
+++ b/target/i386/sev.c
@@ -517,7 +517,7 @@ sev_get_attestation_report(const char *mnonce, Error **errp)
/* verify the input mnonce length */
if (len != sizeof(input.mnonce)) {
- error_setg(errp, "SEV: mnonce must be %ld bytes (got %ld)",
+ error_setg(errp, "SEV: mnonce must be %ld bytes (got %" G_GSIZE_FORMAT ")",
sizeof(input.mnonce), len);
g_free(buf);
return NULL;
--
Eduardo
next prev parent reply other threads:[~2021-05-31 20:01 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-29 17:07 [PATCH v3] target/i386/sev: add support to query the attestation report Brijesh Singh
2021-04-29 17:07 ` Brijesh Singh
2021-05-07 22:00 ` Connor Kuehl
2021-05-07 22:00 ` Connor Kuehl
2021-05-21 22:15 ` Brijesh Singh
2021-05-21 22:15 ` Brijesh Singh
2021-05-27 20:55 ` Eduardo Habkost
2021-05-27 20:55 ` Eduardo Habkost
2021-05-31 20:01 ` Eduardo Habkost [this message]
2021-05-31 20:01 ` Eduardo Habkost
2021-06-01 13:34 ` Eduardo Habkost
2021-06-01 13:34 ` Eduardo Habkost
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210531200116.phfr6vo3penynb4f@habkost.net \
--to=ehabkost@redhat.com \
--cc=Thomas.Lendacky@amd.com \
--cc=armbru@redhat.com \
--cc=brijesh.singh@amd.com \
--cc=dgilbert@redhat.com \
--cc=eblake@redhat.com \
--cc=jejb@linux.ibm.com \
--cc=kvm@vger.kernel.org \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.