[libvirt PATCH v2 09/12] tools: support generating SEV secret injection tables

Dov Murik dovmurik at linux.ibm.com
Wed Oct 26 12:47:12 UTC 2022



On 19/10/2022 13:17, berrange at redhat.com (Daniel P. Berrangé) wrote:
> It is possible to build OVMF for SEV with an embedded Grub that can
> fetch LUKS disk secrets. This adds support for injecting secrets in
> the required format.
> 
> Signed-off-by: Daniel P. Berrangé <berrange at redhat.com>
> ---
>  docs/manpages/virt-qemu-sev-validate.rst |  66 ++++++++++
>  tools/virt-qemu-sev-validate             | 156 +++++++++++++++++++++--
>  2 files changed, 213 insertions(+), 9 deletions(-)
> 
> diff --git a/docs/manpages/virt-qemu-sev-validate.rst b/docs/manpages/virt-qemu-sev-validate.rst
> index fcc13d68c8..7542bea9aa 100644
> --- a/docs/manpages/virt-qemu-sev-validate.rst
> +++ b/docs/manpages/virt-qemu-sev-validate.rst
> @@ -187,6 +187,29 @@ understand any configuration mistakes that have been made. If the
>  will be skipped. The result is that the validation will likely be reported as
>  failed.
>  
> +Secret injection options
> +------------------------
> +
> +These options provide a way to inject a secret if validation of the
> +launch measurement passes.
> +
> +``--disk-password PATH``
> +
> +Path to a file containing the password to use to unlock the LUKS container
> +for the guest disk.

Maybe add an option to add custom secret entries:

  --add-secret-entry GUID:PATH

?


-Dov

> +
> +``--secret-header PATH``
> +
> +Path to a file in which the injected secret header will be written in base64
> +format and later injected into the domain. This is required if there is no
> +connection to libvirt, otherwise the secret will be directly injected.
> +
> +``--secret-payload PATH``
> +
> +Path to a file in which the injected secret payload will be written in base64
> +format and later injected into the domain. This is required if there is no
> +connection to libvirt, otherwise the secret will be directly injected.
> +
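Review bot: the ``--secret-header PATH`` and ``--secret-payload PATH`` entries at the end of this hunk are word-for-word duplicates and leave the operator without a next step: both say the file is "later injected into the domain", but neither names what performs that later injection, nor that the two files are only useful together (a header without its payload, or vice versa, cannot be injected). Suggest collapsing them into one description, or cross-referencing them, and naming the command or step that consumes the two files. For ``--disk-password PATH``, consider saying whether the file contents are used verbatim (so a trailing newline left by an editor would become part of the LUKS passphrase) and that the file holds the cleartext passphrase and should be readable only by the user running the tool.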

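To make the GUID:PATH suggestion above concrete, here is an added example (my own code, not from the thread, the patch, or the libvirt tool) that parses such option values and builds and re-parses a GUIDed secret table. The layout is my understanding of the format OVMF and the embedded Grub consume: a 16-byte table GUID in EFI byte order (Python's bytes_le), a little-endian u32 total length covering header plus entries, then entries of GUID + u32 length + payload, with the whole blob padded to a 16-byte boundary. Treat that layout as an assumption the page does not confirm. The two GUIDs used are deliberate placeholders, not the values OVMF or Grub actually look for, and the passphrase file is a constructed sample written to a temporary directory.

```python
import struct
import tempfile
import uuid
from pathlib import Path

HDR_LEN = 16 + 4   # GUID (16 bytes) + little-endian u32 length; assumed layout
ALIGN = 16         # pad the finished table to a 16-byte boundary; assumption


def parse_secret_spec(spec: str) -> tuple[uuid.UUID, Path]:
    """Parse a 'GUID:PATH' option value (the shape suggested in the thread).

    Split on the first ':' only: the GUID can never contain one, while the
    path might. A malformed GUID makes uuid.UUID raise ValueError itself."""
    guid, sep, path = spec.partition(":")
    if not sep or not path:
        raise ValueError(f"expected GUID:PATH, got {spec!r}")
    return uuid.UUID(guid), Path(path)


def build_secret_table(table_guid: uuid.UUID,
                       entries: list[tuple[uuid.UUID, bytes]]) -> bytes:
    """Serialise entries into one GUIDed table (assumed OVMF-style layout).

    Each entry length includes its own 20-byte header; the table length
    covers the table header plus all entries but not the trailing padding,
    so a parser stops at the last entry rather than reading zero bytes."""
    body = b"".join(
        guid.bytes_le + struct.pack("<I", HDR_LEN + len(payload)) + payload
        for guid, payload in entries
    )
    table = table_guid.bytes_le + struct.pack("<I", HDR_LEN + len(body)) + body
    return table + b"\0" * ((-len(table)) % ALIGN)


def parse_secret_table(blob: bytes, table_guid: uuid.UUID) -> dict[uuid.UUID, bytes]:
    """Walk a table defensively: every length is checked against the bounds
    of the enclosing structure before it is used, and duplicate GUIDs are
    rejected instead of silently letting the last one win."""
    if len(blob) < HDR_LEN:
        raise ValueError("blob shorter than a table header")
    found = uuid.UUID(bytes_le=bytes(blob[:16]))
    if found != table_guid:
        raise ValueError(f"unexpected table GUID {found}")
    (total,) = struct.unpack_from("<I", blob, 16)
    if total < HDR_LEN or total > len(blob):
        raise ValueError(f"table length {total} out of bounds for {len(blob)} bytes")
    secrets: dict[uuid.UUID, bytes] = {}
    off = HDR_LEN
    while off < total:
        if total - off < HDR_LEN:
            raise ValueError(f"truncated entry header at offset {off}")
        eguid = uuid.UUID(bytes_le=bytes(blob[off:off + 16]))
        (elen,) = struct.unpack_from("<I", blob, off + 16)
        if elen < HDR_LEN or off + elen > total:
            raise ValueError(f"entry {eguid} length {elen} out of bounds")
        if eguid in secrets:
            raise ValueError(f"duplicate entry {eguid}")
        secrets[eguid] = bytes(blob[off + HDR_LEN:off + elen])
        off += elen
    return secrets


def demo() -> dict:
    """Round trip on a constructed sample; GUIDs are placeholders only."""
    table_guid = uuid.UUID("00000000-0000-4000-8000-000000000001")  # placeholder
    pw_guid = uuid.UUID("00000000-0000-4000-8000-000000000002")     # placeholder
    with tempfile.TemporaryDirectory() as tmp:
        pwfile = Path(tmp) / "disk.pw"
        pwfile.write_bytes(b"correct horse battery staple")  # constructed sample
        guid, path = parse_secret_spec(f"{pw_guid}:{pwfile}")
        blob = build_secret_table(table_guid, [(guid, path.read_bytes())])
    (total_len,) = struct.unpack_from("<I", blob, 16)

    def rejects(data: bytes, expect_guid: uuid.UUID) -> bool:
        try:
            parse_secret_table(data, expect_guid)
        except ValueError:
            return True
        return False

    return {
        "blob": blob,
        "total_len": total_len,
        "recovered": parse_secret_table(blob, table_guid)[pw_guid],
        "truncated_rejected": rejects(blob[:40], table_guid),
        "wrong_table_guid_rejected": rejects(blob, pw_guid),
    }


if __name__ == "__main__":
    result = demo()
    print(f"{len(result['blob'])} bytes, header length {result['total_len']}")
    print(result["blob"].hex())
```

The padding is kept outside the header length on purpose: a consumer that trusts the length field stops cleanly at the last entry, and a consumer that trusts the blob size still cannot be walked past its end because every entry length is bounds-checked against the table length before use.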