Tommaso Califano <[email protected]> writes:
> The next step for completing the SEV launch emulation is to implement the
> "query-sev-launch-measure" feature, responsible for returning the
> measurement. In this case the measurement will be computed in QEMU.
>
> Implement sev_emulated_launch_get_measure() to emulate the LAUNCH_MEASURE
> command per AMD SEV API spec section 6.5.1. It generates a random 16-byte
> mnonce, computes the launch digest as SHA-256 over ld_data, then derives
> the measurement via HMAC-SHA256
> (TIK; 0x04 || API version || build ID || policy || launch digest || mnonce).
> The base64-encoded result (32-byte HMAC + 16-byte mnonce) populates
> "query-sev-launch-measure" data, advancing state to LAUNCH_SECRET for
> secret injection.
>
> The TIK is supplied via a 16-byte binary file specified in the new
> SevEmulatedProperty "tik" path; absent this, keys default to zeroed.
> Example QEMU arguments with the key passed:
>
> -cpu "EPYC-Milan" \
> -accel tcg \
> -object sev-emulated,id=sev0,cbitpos=47,reduced-phys-bits=1,\
> tik=/path/to/tik.bin \
> -machine memory-encryption=sev0
>
> Signed-off-by: Tommaso Califano <[email protected]>
> ---
> qapi/qom.json | 3 +-
> target/i386/sev.c | 155 ++++++++++++++++++++++++++++++++++++++++++++++
> 2 files changed, 157 insertions(+), 1 deletion(-)
>
> diff --git a/qapi/qom.json b/qapi/qom.json
> index 35cda819ec..affb5024b5 100644
> --- a/qapi/qom.json
> +++ b/qapi/qom.json
> @@ -1064,11 +1064,12 @@
> # This object functionally emulates AMD SEV hardware via TCG, so
> # it does not require real hardware to run.
> #
> +# @tik: binary file of the SEV TIK (default: all 0).
Is this a file name?
Blank line here, please.
> # Since: 10.1.0
> ##
> { 'struct': 'SevEmulatedProperties',
> 'base': 'SevGuestProperties',
> - 'data': {}}
> + 'data': {'*tik': 'str'}}
>
> ##
> # @SevSnpGuestProperties:
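Review bot: the @tik doc comment in this hunk does not say what the string is or how large the file must be, while the commit message describes a path to a 16-byte binary file with an all-zero key when it is omitted; wording along the lines of `# @tik: path to a 16-byte binary file holding the SEV TIK (default: all zero)` would match the optional `'*tik': 'str'` member added below. Because the zeroed default means any party can compute the emulated measurement without holding a secret, it is also worth stating in the comment that the default only makes sense for exercising the emulation, not for anything that relies on the measurement being unforgeable.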
[...]