On Mon, Feb 22, 2021 at 12:40:07PM +0100, Kevin Wolf wrote:
> On 10.02.2021 at 19:01, Connor Kuehl wrote:
> > Hello,
> >
> > Does QEMU have an internal API which would allow VM construction to
> > wait at a *very specific point* until specific data/QMP message(s) are
> > supplied via the QMP socket?
> >
> > For some additional context: QEMU supports launching AMD SEV-protected
> > guests; in short: encrypted virtual machines. Guest owners may
> > participate in attestation to cryptographically verify their
> > assumptions about the guest's initial state, the host's platform, and
> > the host platform owner's identity. If the guest owner is satisfied
> > with the attestation process, a secret can be safely injected into the
> > guest's address space over a secure channel.
> >
> > Attestation is an unavoidably interactive process.
> >
> > It appears that QEMU already exposes most of the API required to
> > perform this attestation remotely with a guest owner over QMP, with
> > only one exception: starting the attestation session. It looks like
> > the session components (policy, session-file, and dh-cert-file) are
> > supplied via command line arguments to QEMU and don't have a message
> > type in the QMP spec:
> >
> >   -object sev-guest,id=sev0,cbitpos=47,reduced-phys-bits=1,policy=0x1,session-file=blah.session,dh-cert-file=guest_owner.cert
> >
> > I would like to add a message type to QMP which allows guest owners to
> > supply this data over a socket and _not_ require these components a
> > priori via command line arguments.
>
> I don't think you need a new QMP command for this. If you would use
> -object on the command line, you can use QMP object-add at runtime.
If the object were standalone that'd be true, but the 'sev-guest' object
you create needs to be given to the '-machine' arg's 'memory-encryption'
parameter. So there's a dependency that means 'sev-guest' can only be
used with -object in reality and not QMP object-add.

This will eventually be solved when we make it possible to fully
configure QEMU exclusively via QMP.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org  -o-    https://www.instagram.com/dberrange :|
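The dependency Daniel describes, as an added illustration that is not part of the thread and not QEMU's own code: the `-machine` option's `memory-encryption=` value has to name an `-object sev-guest,id=...` that is present on the same command line, which is why `object-add` over QMP cannot stand in for it. The script below assembles such a command line (the `q35` machine type, the `-S` pause and the QMP socket path are assumptions; `owner.session`, `owner.cert` and the ids are placeholders) and then checks that every `memory-encryption=<id>` is matched by a `sev-guest` object with that id, reporting the missing id when the object is dropped.

```shell
#!/bin/sh
# Added example, not from the thread or from QEMU: build an SEV guest command
# line and check the -machine memory-encryption= -> -object sev-guest,id=
# dependency. File names, ids and the machine type are placeholders.

# Emit one argument per line. -S starts the guest paused so the guest owner
# can drive attestation over the QMP socket before any guest code runs.
sev_qemu_args() {
    session_file=$1   # session blob produced by the guest owner (placeholder)
    dh_cert_file=$2   # guest owner's DH certificate (placeholder)
    qmp_socket=$3     # UNIX socket the guest owner's tooling connects to
    printf '%s\n' \
        -machine "q35,memory-encryption=sev0" \
        -object "sev-guest,id=sev0,cbitpos=47,reduced-phys-bits=1,policy=0x1,session-file=$session_file,dh-cert-file=$dh_cert_file" \
        -qmp "unix:$qmp_socket,server,nowait" \
        -S
}

# Read a newline-separated argument list on stdin. Print "ok: <id>" and
# return 0 when the memory-encryption id names a sev-guest object that is
# also on the command line; otherwise print what is missing and return 1.
sev_check_args() {
    enc_id=""
    obj_ids=""
    prev=""
    while IFS= read -r arg; do
        case "$prev" in
            -machine)
                case "$arg" in
                    *memory-encryption=*)
                        enc_id=${arg#*memory-encryption=}
                        enc_id=${enc_id%%,*} ;;
                esac ;;
            -object)
                case "$arg" in
                    sev-guest,*id=*)
                        id=${arg#*id=}
                        id=${id%%,*}
                        obj_ids="$obj_ids $id" ;;
                esac ;;
        esac
        prev=$arg
    done
    if [ -z "$enc_id" ]; then
        echo "no memory-encryption= set on -machine"
        return 1
    fi
    for id in $obj_ids; do
        if [ "$id" = "$enc_id" ]; then
            echo "ok: $enc_id"
            return 0
        fi
    done
    echo "memory-encryption=$enc_id has no matching sev-guest object"
    return 1
}

# Usage: sev_qemu_args owner.session owner.cert /tmp/qmp.sock | sev_check_args
```

Once the guest is started paused this way, the attestation steps Connor describes as already reachable over QMP use the existing commands (`query-sev-launch-measure` to fetch the launch measurement, `sev-inject-launch-secret` to deliver the secret, then `cont` to release the vCPUs); only the session material still has to be on the command line, as the check above makes visible.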