| Message ID | 20240320083945.991426-33-michael.roth@amd.com |
|---|---|
| State | New |
| Headers | show |
| Series | Add AMD Secure Nested Paging (SEV-SNP) support | expand |
On Wed, Mar 20, 2024 at 03:39:28AM -0500, Michael Roth wrote: > For SEV-SNP guests, launch measurement is queried from within the guest > during attestation, so don't attempt to return it as part of > query-sev-launch-measure. > > Signed-off-by: Michael Roth <michael.roth@amd.com> > --- > target/i386/sev.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/target/i386/sev.c b/target/i386/sev.c > index b03d70a3d1..0c8e4bdb4c 100644 > --- a/target/i386/sev.c > +++ b/target/i386/sev.c > @@ -803,7 +803,9 @@ sev_launch_get_measure(Notifier *notifier, void *unused) > > static char *sev_get_launch_measurement(void) > { > - SevGuestState *sev_guest = SEV_GUEST(MACHINE(qdev_get_machine())->cgs); > + ConfidentialGuestSupport *cgs = MACHINE(qdev_get_machine())->cgs; > + SevGuestState *sev_guest = > + (SevGuestState *)object_dynamic_cast(OBJECT(cgs), TYPE_SEV_GUEST); > > if (sev_guest && > SEV_COMMON(sev_guest)->state >= SEV_STATE_LAUNCH_SECRET) { The QAPI docs for query-sev-launch-measurement should be updated to reflect that this command is only valid to call for SEV/SEV-ES, not SNP. The error reoprting in qmp_query_sev_launch_measure leaves a little to be desired just giving a generic message "SEV launch measurement is not available" I think that this sev_get_launch_measurement method should report a more fine grained error, to distinguish * Unavailable because we're not a SEV/SEV-ES guest * Unavailable because the guest hasn't reached launch state With regards, Daniel
On Wed, Mar 20, 2024 at 12:15:00PM +0000, Daniel P. Berrangé wrote: > On Wed, Mar 20, 2024 at 03:39:28AM -0500, Michael Roth wrote: > > For SEV-SNP guests, launch measurement is queried from within the guest > > during attestation, so don't attempt to return it as part of > > query-sev-launch-measure. > > > > Signed-off-by: Michael Roth <michael.roth@amd.com> > > --- > > target/i386/sev.c | 4 +++- > > 1 file changed, 3 insertions(+), 1 deletion(-) > > > > diff --git a/target/i386/sev.c b/target/i386/sev.c > > index b03d70a3d1..0c8e4bdb4c 100644 > > --- a/target/i386/sev.c > > +++ b/target/i386/sev.c > > @@ -803,7 +803,9 @@ sev_launch_get_measure(Notifier *notifier, void *unused) > > > > static char *sev_get_launch_measurement(void) > > { > > - SevGuestState *sev_guest = SEV_GUEST(MACHINE(qdev_get_machine())->cgs); > > + ConfidentialGuestSupport *cgs = MACHINE(qdev_get_machine())->cgs; > > + SevGuestState *sev_guest = > > + (SevGuestState *)object_dynamic_cast(OBJECT(cgs), TYPE_SEV_GUEST); > > > > if (sev_guest && > > SEV_COMMON(sev_guest)->state >= SEV_STATE_LAUNCH_SECRET) { > > The QAPI docs for query-sev-launch-measurement should be updated > to reflect that this command is only valid to call for SEV/SEV-ES, > not SNP. Also, the same question about whether query-sev-attestation-report and sev-inject-launch-secret need updating to declare them SEV/SEV-ES only, or if they are expected work with SNP too ? With regards, Daniel
diff --git a/target/i386/sev.c b/target/i386/sev.c index b03d70a3d1..0c8e4bdb4c 100644 --- a/target/i386/sev.c +++ b/target/i386/sev.c @@ -803,7 +803,9 @@ sev_launch_get_measure(Notifier *notifier, void *unused) static char *sev_get_launch_measurement(void) { - SevGuestState *sev_guest = SEV_GUEST(MACHINE(qdev_get_machine())->cgs); + ConfidentialGuestSupport *cgs = MACHINE(qdev_get_machine())->cgs; + SevGuestState *sev_guest = + (SevGuestState *)object_dynamic_cast(OBJECT(cgs), TYPE_SEV_GUEST); if (sev_guest && SEV_COMMON(sev_guest)->state >= SEV_STATE_LAUNCH_SECRET) {
For SEV-SNP guests, launch measurement is queried from within the guest during attestation, so don't attempt to return it as part of query-sev-launch-measure. Signed-off-by: Michael Roth <michael.roth@amd.com> --- target/i386/sev.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)