Add a new optional top-level array called "digests" to the firmware JSON metadata schema. This can be used to attach different kinds of digests/hash values associated with the firmware image to the metadata file. The entries in the array are of a fixed type of JSON object, which describes the kind of digest, the hash algorithm used, as well as the value itself.
The only kind of supported digest type for now is the expected launch digest for confidential VMs running on AMD SEV-SNP. The list of allowed types can be extended in the future as needed to support other use-cases.

Signed-off-by: Oliver Steffen <[email protected]>
---
 docs/interop/firmware.json | 86 +++++++++++++++++++++++++++++++++++++-
 1 file changed, 85 insertions(+), 1 deletion(-)

diff --git a/docs/interop/firmware.json b/docs/interop/firmware.json
index dabfa692fd..46d6b431c0 100644
--- a/docs/interop/firmware.json
+++ b/docs/interop/firmware.json
@@ -426,6 +426,53 @@
 'memory' : 'FirmwareMappingMemory',
 'igvm' : 'FirmwareMappingIgvm' } }

+##
+# @FirmwareDigestType:
+#
+# Type of digest.
+#
+# @amd-sev-snp-launch: AMD SEV-SNP launch digest.
+##
+{ 'enum': 'FirmwareDigestType',
+ 'data': [ 'amd-sev-snp-launch' ] }
+
+##
+# @AmdSevSnpLaunchHashAlg:
+#
+# Hash algorithms used for AMD SEV-SNP launch digests.
+#
+# @sha384: SHA-384
+##
+{ 'enum': 'AmdSevSnpLaunchHashAlg',
+ 'data': [ 'sha384' ] }
+
+##
+# @AmdSevSnpLaunchDigest:
+#
+# Description of a launch digest as used by AMD SEV-SNP
+#
+# @hash-alg: Hashing algorithm
+#
+# @value: Digest value as hex string
+##
+{ 'struct' : 'AmdSevSnpLaunchDigest',
+ 'data' : { 'hash-alg' : 'AmdSevSnpLaunchHashAlg',
+ 'value' : 'str' } }
+
+##
+# @FirmwareDigest:
+#
+# Digests associated with the firmware image
+#
+# For example launch digests for attestation of confidential VMs.
+#
+# @type: Kind of digest.
+##
+{ 'union' : 'FirmwareDigest',
+ 'base' : { 'type' : 'FirmwareDigestType' },
+ 'discriminator' : 'type',
+ 'data' : { 'amd-sev-snp-launch' : 'AmdSevSnpLaunchDigest' } }
+
 ##
 # @Firmware:
 #
@@ -512,6 +559,10 @@
 # debugging purposes only, and management software shall
 # explicitly ignore it.
 #
+# @digests: (optional) Digest information associated with the
+# firmware image, for example launch digests for confidential
+# virtualization.
+#
 # Since: 3.0
 #
 # .. qmp-example::
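Review bot: The `@value` documentation in `AmdSevSnpLaunchDigest` leaves the encoding open: `'value' : 'str'` accepts any string, and "Digest value as hex string" does not say how long the string must be, whether upper-case digits are allowed, or whether a `0x` prefix is. A consumer that compares this field against the measurement in an attestation report needs one canonical form, otherwise two tools can disagree on whether the same digest matches, and a malformed entry is only noticed at comparison time. I would tighten the comment to `# @value: Digest value as a lower-case hex string without prefix; for sha384 exactly 96 hexadecimal digits`. The four new doc blocks also carry no `Since:` line, unlike `@Firmware` in the next hunk.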
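Review bot: The `@digests` description does not say what a consumer may rely on. Nothing in this patch authenticates the metadata file, and it is presumably installed on the same host as the firmware image, so a verifier that takes its reference measurement from the host it is attesting learns nothing from the comparison. I would add a sentence such as `# The values are informational; a relying party must obtain or confirm reference measurements through a channel it trusts.` If the launch digest depends on launch parameters beyond the image itself, the configuration it was computed for should be stated here as well, since the schema has no field for it.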
@@ -713,6 +764,38 @@
 # "-D DEBUG_PRINT_ERROR_LEVEL=0x80000000"
 # ]
 # }
+#
+# {
+# "description": "Coconut SVSM for QEMU under AMD SEV-SNP",
+# "interface-types": [
+# "uefi",
+# "svsm"
+# ],
+# "mapping": {
+# "device": "igvm",
+# "filename": "/usr/share/coconut-svsm/coconut-qemu.igvm"
+# },
+# "targets": [
+# {
+# "architecture": "x86_64",
+# "machines": [
+# "pc-q35-*"
+# ]
+# }
+# ],
+# "features": [
+# "amd-sev-snp",
+# "vtpm"
+# ],
+# "tags": [],
+# "digests": [
+# {
+# "type": "amd-sev-snp-launch",
+# "hash-alg": "sha384",
+# "value": "ec664e889ed6c1b2763cacf7899d95b7f347373eb982e523419feea3aa362d891b3bf025f292267a5854049091789c3e"
+# }
+# ]
+# }
 ##
 { 'struct' : 'Firmware',
 'data' : { 'description' : 'str',
@@ -720,4 +803,5 @@
 'mapping' : 'FirmwareMapping',
 'targets' : [ 'FirmwareTarget' ],
 'features' : [ 'FirmwareFeature' ],
- 'tags' : [ 'str' ] } }
+ 'tags' : [ 'str' ],
+ '*digests' : [ 'FirmwareDigest' ] } }
--
2.52.0
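Review bot: `'*digests' : [ 'FirmwareDigest' ]` puts no constraint on the array contents, so one descriptor may list several `amd-sev-snp-launch` entries with different values, and neither this member nor its documentation says which one a consumer should use. Tools that pick the first entry, the last entry, or any matching entry would reach different conclusions from the same file. I would document the rule next to `@digests`, for example `# At most one entry per type and hash-alg pair; consumers shall reject a file that lists conflicting values.` The `Firmware` struct begins outside this hunk.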
