[libvirt PATCH v2 09/12] tools: support generating SEV secret injection tables

Cole Robinson crobinso at redhat.com
Tue Oct 25 23:38:43 UTC 2022


On 10/19/22 6:17 AM, Daniel P. Berrangé wrote:
> It is possible to build OVMF for SEV with an embedded Grub that can
> fetch LUKS disk secrets. This adds support for injecting secrets in
> the required format.
> 
> Signed-off-by: Daniel P. Berrangé <berrange at redhat.com>
> ---

> diff --git a/tools/virt-qemu-sev-validate b/tools/virt-qemu-sev-validate
> index 5ce5763d5b..2d15edb933 100755
> --- a/tools/virt-qemu-sev-validate
> +++ b/tools/virt-qemu-sev-validate
> @@ -36,16 +36,19 @@
>  
>  import abc
>  import argparse
> -from base64 import b64decode
> +from base64 import b64decode, b64encode
>  from hashlib import sha256
>  import hmac
>  import logging
> +import os
>  import re
>  import socket
>  from struct import pack
>  import sys
>  import traceback
>  from uuid import UUID
> +from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
> +
>  
>  from lxml import etree
>  import libvirt
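Review bot: The new `from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes` line puts a third-party package inside the standard-library import group and leaves two blank lines after it, while the file keeps its other third-party imports (`from lxml import etree`, `import libvirt`) in their own group below; it should move down next to `from lxml import etree`. Placed at module level it also makes `cryptography` a hard dependency of the whole tool, so every invocation, not only the secret-injection path, will fail at import time on a host without it; if that is not intended, importing it inside the code that constructs the cipher, or guarding the import with a clear error message, would keep the validation-only uses working. I cannot see where `Cipher`, `algorithms`, `modes`, `os` and `b64encode` are used in this chunk, so the lazy-import suggestion is conditional on that code.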
> @@ -573,7 +576,26 @@ class KernelTable(GUIDTable):
>          return entries
>  
>  
> -class ConfidentialVM(object):
> +class SecretsTable(GUIDTable):
> +
> +    TABLE_GUID = UUID('{1e74f542-71dd-4d66-963e-ef4287ff173b}').bytes_le
> +    DISK_PW_GUID = UUID('{736869e5-84f0-4973-92ec-06879ce3da0b}').bytes_le
> +
> +    def __init__(self):
> +        super().__init__(guid=self.TABLE_GUID,
> +                         lenlen=4)
> +        self.disk_password = None
> +
> +    def load_disk_password(self, path):
> +        with open(path, 'rb') as fh:
> +            self.disk_password = fh.read()
> +
> +    def entries(self):
> +        return self.build_entry(self.DISK_PW_GUID,
> +                                self.disk_password + bytes([0]), 4)
> +

This bytes([0]) NUL byte ends up in the efi_secret /sys path. Dropping
it does not seem to affect injecting the secret at all.

FWIW, once that's dropped, getting automatic LUKS unlock is really simple
with /etc/crypttab and kernel 5.19:

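# Point every crypttab entry whose key-file field is "none" at the disk
# password exposed by the efi_secret module; the GUID is the same as
# DISK_PW_GUID in the patch above. Keep the sed script on ONE line: as
# quoted, the replacement was wrapped across three lines and would write
# newlines into /etc/crypttab. The spaces around the path keep the
# crypttab fields separated.
sed -i -e "s| none | /sys/kernel/security/secrets/coco/736869e5-84f0-4973-92ec-06879ce3da0b |g" /etc/crypttab
# Rebuild the initramfs with the efi_secret driver so the secret is
# reachable during early boot, then reboot into it.
dracut --force --add-drivers efi_secret
shutdown -r now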

Thanks,
Cole

