From: Connor Kuehl
Subject: Re: Interactive launch over QMP socket?
Date: Wed, 10 Feb 2021 12:46:46 -0600
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.7.0
On 2/10/21 12:14 PM, James Bottomley wrote:
>> I would like to add a message type to QMP which allows guest owners to supply this data over a socket and _not_ require these components a priori via command line arguments. In doing so, this would allow for a 100% remote attestation process over the socket. However, I'm not sure how to express this interactive "waiting" for this data to become available with internal APIs (assuming it's not supplied as a command line argument).
>
> Well, I never understood why qemu can't deduce the value of cbitpos ... it even errors out if you get it wrong. However, other things like the policy and the session file have to be present at start of day. They're not things that can be passed in after qemu starts building the machine image because they need to be present to begin building it.
Right, I didn't mean to include cbitpos in consideration for this. I'm only interested in supplying the session, policy, and certificate info over the socket.
Shouldn't the session, policy, and certificate information only be required in time for the KVM_SEV_LAUNCH_START ioctl call? This is the place I'm interested in waiting for the relevant data.
> The patch for remote attestation (which was only recently added to the PSP protocol) is here: https://lore.kernel.org/kvm/20210105163943.30510-1-brijesh.singh@amd.com/
Thank you! I didn't see this, I'll read up on it.

Connor