On 10.02.2021 at 19:01, Connor Kuehl wrote:
> Hello,
> 
> Does QEMU have an internal API which would allow VM construction to wait at
> a *very specific point* until specific data/QMP message(s) are supplied via
> the QMP socket?
> 
> For some additional context: QEMU supports launching AMD SEV-protected
> guests; in short: encrypted virtual machines. Guest owners may participate
> in attestation to cryptographically verify their assumptions about the
> guest's initial state, the host's platform, and the host platform owner's
> identity. If the guest owner is satisfied with the attestation process, a
> secret can be safely injected into the guest's address space over a secure
> channel.
> 
> Attestation is an unavoidably interactive process.
> 
> It appears that QEMU already exposes most of the API required to perform
> this attestation remotely with a guest owner over QMP, with only one
> exception: starting the attestation session. It looks like the session
> components (policy, session-file, and dh-cert-file) are supplied via command
> line arguments to QEMU and don't have a message type in the QMP spec:
> 
>     -object sev-guest,id=sev0,cbitpos=47,reduced-phys-bits=1,policy=0x1,session-file=blah.session,dh-cert-file=guest_owner.cert
> 
> I would like to add a message type to QMP which allows guest owners to
> supply this data over a socket and _not_ require these components a priori
> via command line arguments.

I don't think you need a new QMP command for this. If you would use
-object on the command line, you can use QMP object-add at runtime.

Kevin
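As an added example that is not part of this thread, the following Python builds the QMP object-add command equivalent to the -object line quoted above, which is the runtime route Kevin points at. It assumes the flattened object-add argument form (properties placed beside qom-type and id) and the sev-guest property types declared in QEMU's QAPI schema; the escaped-comma handling and the integer/boolean property tables are my assumptions, not something stated in the thread.

```python
"""Translate a QEMU '-object sev-guest,...' command-line argument into the
equivalent QMP object-add command (constructed example, not QEMU code)."""
import json

# sev-guest properties the QAPI schema declares as integers or booleans.
# QMP is typed: "policy=0x1" on the command line must become the JSON number 1,
# otherwise object-add rejects the string value. (Assumed table.)
INT_PROPS = {"cbitpos", "reduced-phys-bits", "policy", "handle"}
BOOL_PROPS = {"kernel-hashes"}


def split_object_arg(arg):
    """Split a -object argument on commas, treating ',,' as an escaped comma."""
    parts, buf, i = [], "", 0
    while i < len(arg):
        if arg.startswith(",,", i):
            buf += ","
            i += 2
        elif arg[i] == ",":
            parts.append(buf)
            buf = ""
            i += 1
        else:
            buf += arg[i]
            i += 1
    parts.append(buf)
    return parts


def object_arg_to_qmp(arg):
    """Build the object-add command dict from 'TYPE,id=ID,key=value,...'."""
    parts = split_object_arg(arg)
    qom_type, props = parts[0], parts[1:]
    args = {"qom-type": qom_type}
    for prop in props:
        key, sep, value = prop.partition("=")
        if not sep:
            raise ValueError(f"property without value: {prop!r}")
        if key in INT_PROPS:
            value = int(value, 0)  # base 0 accepts both "47" and "0x1"
        elif key in BOOL_PROPS:
            value = value.lower() in ("on", "true", "yes")
        args[key] = value
    if "id" not in args:
        raise ValueError("object-add requires an id")
    return {"execute": "object-add", "arguments": args}


# The -object line from the thread, minus the "-object" switch itself.
CMDLINE_OBJECT = ("sev-guest,id=sev0,cbitpos=47,reduced-phys-bits=1,policy=0x1,"
                  "session-file=blah.session,dh-cert-file=guest_owner.cert")

if __name__ == "__main__":
    print(json.dumps(object_arg_to_qmp(CMDLINE_OBJECT), indent=2))
```

The resulting JSON is what a guest owner's tooling would send over the QMP socket after the capabilities negotiation, instead of baking the session material into the command line.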

