Re: [RFC] Allowing SEV attestation

2021-10-27 Thread Daniel P. Berrangé
On Tue, Oct 26, 2021 at 05:29:00PM -0600, Jim Fehlig wrote: > On 5/6/21 04:22, Michal Prívozník wrote: > > Dear list, > > Hi Michal, > > This thread has been quiet for a long time, but I wanted to check if any > work has been done to provide an sev-inject-launch-secret equivalent for > libvirt.

Re: [RFC] Allowing SEV attestation

2021-10-27 Thread Michal Prívozník
On 10/27/21 1:29 AM, Jim Fehlig wrote: > On 5/6/21 04:22, Michal Prívozník wrote: >> Dear list, > > Hi Michal, > > This thread has been quiet for a long time, but I wanted to check if any > work has been done to provide an sev-inject-launch-secret equivalent for > libvirt. AFAICT, there was

Re: [RFC] Allowing SEV attestation

2021-10-26 Thread Jim Fehlig
On 5/6/21 04:22, Michal Prívozník wrote: Dear list, Hi Michal, This thread has been quiet for a long time, but I wanted to check if any work has been done to provide an sev-inject-launch-secret equivalent for libvirt. AFAICT, there was agreement this missing piece is needed to solve the

Re: [RFC] Allowing SEV attestation

2021-05-06 Thread Daniel P. Berrangé
On Thu, May 06, 2021 at 07:57:43AM -0500, Connor Kuehl wrote: > On 5/6/21 6:35 AM, Kashyap Chamarthy wrote: > >> It looks like QEMU will expose commands needed for attestation via QMP [3]. > >> But question then is, how to expose those at Libvirt level? Should we allow > >> users to bypass Libvirt

Re: [RFC] Allowing SEV attestation

2021-05-06 Thread Connor Kuehl
On 5/6/21 8:51 AM, Daniel P. Berrangé wrote: >> I see. So it sounds like the way forward for libvirt is that it will >> need to essentially duplicate the SEV-related QMP message types into its >> own protocol since expecting the client to understand QMP discloses the >> fact that the underlying

Re: [RFC] Allowing SEV attestation

2021-05-06 Thread Daniel P. Berrangé
On Thu, May 06, 2021 at 08:43:53AM -0500, Connor Kuehl wrote: > On 5/6/21 8:32 AM, Daniel P. Berrangé wrote: > > On Thu, May 06, 2021 at 08:04:44AM -0500, Connor Kuehl wrote: > >> On 5/6/21 6:51 AM, Daniel P. Berrangé wrote: > It looks like QEMU will expose commands needed for attestation via

Re: [RFC] Allowing SEV attestation

2021-05-06 Thread Connor Kuehl
On 5/6/21 8:32 AM, Daniel P. Berrangé wrote: > On Thu, May 06, 2021 at 08:04:44AM -0500, Connor Kuehl wrote: >> On 5/6/21 6:51 AM, Daniel P. Berrangé wrote: It looks like QEMU will expose commands needed for attestation via QMP [3]. >>> >>> As mentioned in my reply to that thread, I believe

Re: [RFC] Allowing SEV attestation

2021-05-06 Thread Daniel P. Berrangé
On Thu, May 06, 2021 at 08:04:44AM -0500, Connor Kuehl wrote: > On 5/6/21 6:51 AM, Daniel P. Berrangé wrote: > >> It looks like QEMU will expose commands needed for attestation via QMP [3]. > > > > As mentioned in my reply to that thread, I believe we can already do > > pretty much all of that

Re: [RFC] Allowing SEV attestation

2021-05-06 Thread Connor Kuehl
On 5/6/21 6:51 AM, Daniel P. Berrangé wrote: >> It looks like QEMU will expose commands needed for attestation via QMP [3]. > > As mentioned in my reply to that thread, I believe we can already do > pretty much all of that via a combination of libvirt APIs & guest XML. This is not a good user

Re: [RFC] Allowing SEV attestation

2021-05-06 Thread Connor Kuehl
On 5/6/21 6:35 AM, Kashyap Chamarthy wrote: >> It looks like QEMU will expose commands needed for attestation via QMP [3]. >> But question then is, how to expose those at Libvirt level? Should we allow >> users to bypass Libvirt and communicate to QEMU directly or wrap those QMPs >> in >> public

Re: [RFC] Allowing SEV attestation

2021-05-06 Thread Daniel P. Berrangé
On Thu, May 06, 2021 at 12:22:26PM +0200, Michal Prívozník wrote: > Dear list, > > in the light of recent development of secure virtualization (for instance AMD > SEV-SNP [1]) I'd like us to be prepared for when QEMU adopts these new > technologies and thus would like to discuss our options. So

Re: [RFC] Allowing SEV attestation

2021-05-06 Thread Kashyap Chamarthy
On Thu, May 06, 2021 at 12:22:26PM +0200, Michal Prívozník wrote: Hi, (Just chiming in as a curious libvirt API user :-)) [...] > This is where attestation comes to help - it enables the guest owner (which in > this example is different to the one running it) verify - with cryptographic >

[RFC] Allowing SEV attestation

2021-05-06 Thread Michal Prívozník
Dear list, in the light of recent development of secure virtualization (for instance AMD SEV-SNP [1]) I'd like us to be prepared for when QEMU adopts these new technologies and thus would like to discuss our options. So far, I've come across AMD SEV-SNP [2]. While it's true that we do support