[libvirt PATCH 10/12] docs/kbase: describe attestation for SEV guests

Kashyap Chamarthy kchamart at redhat.com
Thu Oct 13 10:27:18 UTC 2022


On Fri, Oct 07, 2022 at 12:43:05PM +0100, Daniel P. Berrangé wrote:

The doc reads well; and is a strict improvement.  I only have a couple
of small nits inline.

[...]

>  Memory
>  ------
>  
> @@ -373,6 +387,94 @@ running:
>     # dmesg | grep -i sev
>     AMD Secure Encrypted Virtualization (SEV) active
>  
> +Guest attestation for SEV/SEV-ES from a trusted host
> +====================================================
> +
> +Before a confidential guest is used, it may be desirable to attest to boot

nit: "attest to" --> "attest the"

> +measurement. To be trustworthy the attestation process needs to be performed
> +from a machine that is already trusted. This would typically be a physical
> +machine that the guest owner controls, or could be a previously launched
> +confidential guest that has already itself been attested. Most notably, it is
> +**not** possible to securely attest a guest from the hypervisor host itself,
> +as the goal of the attestation process is to detect whether the hypervisor is
> +malicious.
> +
> +Performing an attestation requires that the ``<launchSecurity>`` element is
> +configured with a guest owner DH certificate, and a session data blob. These

nit: "DH certificate" --> "Diffie-Hellman (DH) certificate"?

> +must be unique for every guest launch attempt. Any reuse will open avenues of
> +attack for the hypervisor to fake the measurement. Unique data can be generated
> +using the ``sevctl`` tool.

Might want to mention that the ``sevtool`` needs to be installed
separately (or link to its GitHub repo?).  I see it packaged at least in
Fedora.

> +
> +First of all the PDH for the hypervisor host needs to be obtained. 

Might want to expand the "PDH" on first use: PDH (Platform
Diffie-Hellman key).  It would also be nice to define what this key
actually is (there are at least 11 keys, looking at AMD's SEV API doc).
Consider rephrasing the above to something like:

    "First of all the Platform Diffie-Hellman key (PDH) for the
    hypervisor host needs to be obtained.  The PDH is used to negotiate
    a master secret between the SEV firmware and external entities."

> The admin
> +of the hypervisor can extract this using::
> +
> +  $ sevctl export --full ${hostname}.pdh
> +
> +Upon receiving the PDH associated with the hypervisor, the guest owner should
> +validate its integrity::

[...]

> +With it launched, it is possible to query the launch measurement::
> +
> +  $ virsh domlaunchsecinfo ${myvmname}
> +  sev-measurement: LMnv8i8N2QejezMPkscShF0cyPYCslgUoCxGWRqQuyt0Q0aUjVkH/T6NcmkwZkWp
> +  sev-api-major  : 0
> +  sev-api-minor  : 24
> +  sev-build-id   : 15
> +  sev-policy     : 3
> +
> +The techiques required to validate the measurement reported are beyond the
> +scope of this document. Fortunately, libvirt provides a tool that can be used
> +to perform this validation::
> +
> +  $ virt-qemu-sev-validate \
> +      --measurement LMnv8i8N2QejezMPkscShF0cyPYCslgUoCxGWRqQuyt0Q0aUjVkH/T6NcmkwZkWp
> +      --api-major 0
> +      --api-minor 24
> +      --build-id 15
> +      --policy 3
> +      --tik ${myvmname}_tik.bin
> +      --tek ${myvmname}_tek.bin
> +  OK: Looks good to me

Nice!

I'm going to give this a try on an SEV-ES box.  Regardless, the rest of
the doc reads well.  Thank you for documenting!

Feel free to choose what nits to address from the above.  With or without
the nits addressed:

Reviewed-by: Kashyap Chamarthy <kchamart at redhat.com>    

> +The `man page <../manpages/virt-qemu-sev-validate.html>`__ for
> +``virt-qemu-sev-validate`` outlines a great many other ways to invoke this
> +tool.
> +
>  Limitations
>  ===========
>  
> -- 
> 2.37.3
> 

-- 
/kashyap


More information about the libvir-list mailing list