[libvirt PATCH v2 09/12] tools: support generating SEV secret injection tables

Daniel P. Berrangé berrange at redhat.com
Wed Oct 26 14:03:37 UTC 2022


On Wed, Oct 26, 2022 at 03:47:12PM +0300, Dov Murik wrote:
> 
> 
> On 19/10/2022 13:17, berrange at redhat.com (Daniel P. Berrangé) wrote:
> > It is possible to build OVMF for SEV with an embedded Grub that can
> > fetch LUKS disk secrets. This adds support for injecting secrets in
> > the required format.
> > 
> > Signed-off-by: Daniel P. Berrangé <berrange at redhat.com>
> > ---
> >  docs/manpages/virt-qemu-sev-validate.rst |  66 ++++++++++
> >  tools/virt-qemu-sev-validate             | 156 +++++++++++++++++++++--
> >  2 files changed, 213 insertions(+), 9 deletions(-)
> > 
> > diff --git a/docs/manpages/virt-qemu-sev-validate.rst b/docs/manpages/virt-qemu-sev-validate.rst
> > index fcc13d68c8..7542bea9aa 100644
> > --- a/docs/manpages/virt-qemu-sev-validate.rst
> > +++ b/docs/manpages/virt-qemu-sev-validate.rst
> > @@ -187,6 +187,29 @@ understand any configuration mistakes that have been made. If the
> >  will be skipped. The result is that the validation will likely be reported as
> >  failed.
> >  
> > +Secret injection options
> > +------------------------
> > +
> > +These options provide a way to inject a secret if validation of the
> > +launch measurement passes.
> > +
> > +``--disk-password PATH``
> > +
> > +Path to a file containing the password to use to unlock the LUKS container
> > +for the guest disk.
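Review bot: the new ``--disk-password PATH`` description says the file contains the password but not how the file's bytes are consumed; a trailing newline left by an editor would become part of the LUKS passphrase, so the text should state whether the file is read verbatim or with the final newline stripped, and which encoding is expected. Since the file holds the disk unlock secret in the clear, the same paragraph should also say it must be readable only by the user running the tool.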
> 
> Maybe add an option to add custom secret entries:
> 
>   --add-secret-entry GUID:PATH
> 
> ?

Yeah, I was just thinking the same. I'll respin with --disk-password
removed, and instead allow

   --inject GUID:PATH
   --inject NAME:PATH

where 'NAME' can refer to any well known GUIDs, so most of the time in
the common case people can do:

   --inject luks-key:/some/path

instead of

  --inject IMPOSSIBLE-TO-REMEMBER-UUID:/some/path

and of course allow --inject multiple times too.

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
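The `--inject GUID:PATH` / `--inject NAME:PATH` design discussed above, as an added example that is not part of this thread or of libvirt's virt-qemu-sev-validate: it resolves a well-known name or a literal GUID, rejects anything that is neither, and packs the resulting secrets into a GUID-tagged table. The alias name `luks-key`, the two GUID values and the table layout (header GUID plus u32 length, then GUID/length/data entries) are assumptions from the OVMF/grub convention and must be checked against the real tool's documentation before use.

```python
import struct
import uuid

# Assumed alias table for --inject NAME:PATH. The GUID is the OVMF/grub
# LUKS-passphrase convention as remembered by the author of this example;
# it is an assumption, not a value stated in the thread.
WELL_KNOWN_SECRET_GUIDS = {
    "luks-key": uuid.UUID("736869e5-84f0-4973-92ec-06879ce3da0b"),
}

# Assumed secret table header GUID (OVMF convention); verify before use.
SECRET_TABLE_HEADER_GUID = uuid.UUID("1e74f542-71dd-4d66-963e-ef4287ff173b")


def parse_inject_spec(spec):
    """Parse 'GUID:PATH' or 'NAME:PATH' into (uuid.UUID, path).

    Splits on the first ':' only, so a PATH containing ':' survives.
    A key that is neither a known name nor a syntactically valid GUID
    is rejected instead of silently producing an entry the guest ignores.
    """
    key, sep, path = spec.partition(":")
    if not sep or not key or not path:
        raise ValueError(f"expected GUID:PATH or NAME:PATH, got {spec!r}")
    if key in WELL_KNOWN_SECRET_GUIDS:
        return WELL_KNOWN_SECRET_GUIDS[key], path
    try:
        return uuid.UUID(key), path
    except ValueError:
        raise ValueError(f"{key!r} is not a known secret name or a GUID") from None


def build_secret_table(entries):
    """Pack [(uuid.UUID, bytes), ...] into a GUID-tagged secret table.

    Assumed layout (OVMF convention, not specified in the thread):
      header: 16-byte GUID (UEFI mixed-endian, bytes_le) + u32 LE total length
      entry:  16-byte GUID + u32 LE entry length (incl. its 20-byte header) + data
    Duplicate GUIDs are refused because the guest would see one of them at random.
    """
    body = b""
    seen = set()
    for guid, data in entries:
        if guid in seen:
            raise ValueError(f"duplicate secret entry for {guid}")
        seen.add(guid)
        body += guid.bytes_le + struct.pack("<I", 20 + len(data)) + data
    return SECRET_TABLE_HEADER_GUID.bytes_le + struct.pack("<I", 20 + len(body)) + body
```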