[libvirt PATCH 12/12] docs/manpages: add checklist of problems for SEV attestation
Daniel P. Berrangé
berrange at redhat.com
Tue Oct 18 09:20:53 UTC 2022
On Sun, Oct 16, 2022 at 03:27:39PM -0400, Cole Robinson wrote:
> On 10/7/22 7:43 AM, Daniel P. Berrangé wrote:
> > Despite efforts to make the virt-qemu-sev-validate tool friendly, it is
> > a certainty that almost everyone who tries it will hit false negative
> > results, getting a failure despite the VM being trustworthy.
> >
> > Diagnosing these problems is no easy matter, especially for those not
> > familiar with SEV/SEV-ES in general. This extra docs text attempts to
> > set out a checklist of items to look at to identify what went wrong.
> >
> > Signed-off-by: Daniel P. Berrangé <berrange at redhat.com>
> > ---
> > docs/manpages/virt-qemu-sev-validate.rst | 112 +++++++++++++++++++++++
> > 1 file changed, 112 insertions(+)
> >
> > diff --git a/docs/manpages/virt-qemu-sev-validate.rst b/docs/manpages/virt-qemu-sev-validate.rst
> > index 7542bea9aa..e0c18f2d20 100644
> > --- a/docs/manpages/virt-qemu-sev-validate.rst
> > +++ b/docs/manpages/virt-qemu-sev-validate.rst
> > @@ -437,6 +437,118 @@ inject a disk password on success:
> > --domain fedora34x86_64 \
> > --disk-password passwd.txt
> >
> > +COMMON MISTAKES CHECKLIST
> > +=========================
> > +
> > +The complexity of configuring a guest and validating its boot measurement
> > +means it is very likely to see the failure::
> > +
> > + ERROR: Measurement does not match, VM is not trustworthy
> > +
> > +This error message assumes the worst, but in most cases will failure will be
> > +a result of either mis-configuring the guest, or passing the wrong information
> > +when trying to validate it. The following information is a guide for what
> > +items to check in order to stand the best chance of diagnosing the problem
> > +
> > +* Check the VM configuration for the DH certificate and session
> > + blob in the libvirt guest XML.
> > +
> > + The content for these fields should be in base64 format, which is
> > + what ``sevctl session`` generates. Other tools may generate the files
> > + in binary format, so ensure it has been correctly converted to base64.
> > +
> > +* Check the VM configuration policy value matches the session blob
> > +
> > + The ``<policy>`` value in libvirt guest XML has to match the value
> > + passed to the ``sevctl session`` command.
> > +
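Review bot: The paragraph under COMMON MISTAKES CHECKLIST has a duplicated word and a missing full stop: "in most cases will failure will be a result of" should read "in most cases the failure will be a result of", and the sentence ending "to stand the best chance of diagnosing the problem" needs a terminating period before the list begins. A smaller consistency point: the second checklist item names the element it refers to (``<policy>``), while the first item only says "the DH certificate and session blob in the libvirt guest XML"; naming the corresponding elements the same way would let a reader find the fields directly when comparing against the ``sevctl session`` output.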
>
> FWIW In this case, qemu will explicitly error. From 7.0.0-6.fc36:
>
> -accel kvm: sev_launch_start: LAUNCH_START ret=1 fw_error=11 'Bad measurement'
Oh, I had forgotten that
>
> I think it's worth putting some subset of that qemu error string at the
> top of this section too. If users hit it, going through the checklist
> here may solve their issue.
>
> For example, If you're flailing around with sevctl like I have, some of
> the sub commands will invalidate all your previous generated
> session/dhCert blobs, and subsequent VM boots will fail as above.
> `sevctl reset` and/or `sevctl rotate`. That's probably obscure enough to
> not need documenting, but if the first item here leads to re-running
> sevctl session then you'll fix your problem :)
Hmm, yes, I'd stayed away from reset/rotate to avoid trouble :-)
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|