Re: [PATCH 4/5] i386/sev: Add launch measurement emulation and TIK property

Fri, 20 Mar 2026 07:31:35 -0700 


Il 19/03/26 13:33, Markus Armbruster ha scritto:
> Tommaso Califano <[email protected]> writes:
> 
>> The next step for completing the SEV launch emulation is to implement the
>> "query-sev-launch-measure" feature, responsible for returning the
>> measurement. In this case the measurement will be computed in QEMU.
>>
>> Implement sev_emulated_launch_get_measure() to emulate the LAUNCH_MEASURE
>> command per AMD SEV API spec section 6.5.1. It generates a random 16-byte
>> mnonce, computes the launch digest as SHA-256 over ld_data, then derives
>> the measurement via HMAC-SHA256
>> (TIK;0x04|| API version || build ID || policy || launch digest || mnonce).
>> The base64-encoded result (32-byte HMAC + 16-byte mnonce) populates
>> "query-sev-launch-measure" data, advancing state to LAUNCH_SECRET for
>> secret injection.
>>
>> The TIK is supplied via 16-byte binary file specified in new
>> SevEmulatedProperty "tik" path; absent this, keys default to zeroed.
>> Example QEMU arguments with the key passed:
>>
>>      -cpu "EPYC-Milan" \
>>      -accel tcg \
>>      -object sev-emulated,id=sev0,cbitpos=47,reduced-phys-bits=1,\
>>                                      tik=/path/to/tik.bin \
>>      -machine memory-encryption=sev0
>>
>> Signed-off-by: Tommaso Califano <[email protected]>
>> ---
>>  qapi/qom.json     |   3 +-
>>  target/i386/sev.c | 155 ++++++++++++++++++++++++++++++++++++++++++++++
>>  2 files changed, 157 insertions(+), 1 deletion(-)
>>
>> diff --git a/qapi/qom.json b/qapi/qom.json
>> index 35cda819ec..affb5024b5 100644
>> --- a/qapi/qom.json
>> +++ b/qapi/qom.json
>> @@ -1064,11 +1064,12 @@
>>  # This object functionally emulates AMD SEV hardware via TCG, so
>>  # it does not require real hardware to run.
>>  #
>> +# @tik: binary file of the SEV TIK (default: all 0).
> 
> Is this a file name?
> 

Yes, I'll specify it better writing "Path to the binary file..."

> Blank line here, please.
> 

I'll add it.

>>  # Since: 10.1.0
>>  ##
>>  { 'struct': 'SevEmulatedProperties',
>>    'base': 'SevGuestProperties',
>> -  'data': {}}
>> +  'data': {'*tik': 'str'}}
>>  
>>  ##
>>  # @SevSnpGuestProperties:
> 
> [...]
> 

Best regards,
Tommaso Califano
























					Reply via email to