conf: add support for setting SEV kernel hashes
authorDaniel P. Berrangé <berrange@redhat.com>
Thu, 9 Dec 2021 10:21:04 +0000 (05:21 -0500)
committerDaniel P. Berrangé <berrange@redhat.com>
Thu, 16 Dec 2021 18:02:58 +0000 (18:02 +0000)
Normally the SEV measurement only covers the firmware
loader contents. When doing a direct kernel boot, however,
with new enough OVMF it is possible to ask for the
measurement to cover the kernel, ramdisk and command line.

It can't be done automatically as that would break existing
guests using direct kernel boot with old firmware, so there
is a new XML setting allowing this behaviour to be toggled.

Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
docs/formatdomain.rst
docs/schemas/domaincommon.rng
src/conf/domain_conf.c
src/conf/domain_conf.h

index 2e9c4506069d31a4e04235a09bd53750440f2608..51ca23aeceb9c61317a983f6101d807cbc182427 100644 (file)
@@ -8222,7 +8222,7 @@ spec <https://support.amd.com/TechDocs/55766_SEV-KM_API_Specification.pdf>`__
 
    <domain>
      ...
-     <launchSecurity type='sev'>
+     <launchSecurity type='sev' kernelHashes='yes'>
        <policy>0x0001</policy>
        <cbitpos>47</cbitpos>
        <reducedPhysBits>1</reducedPhysBits>
@@ -8232,6 +8232,11 @@ spec <https://support.amd.com/TechDocs/55766_SEV-KM_API_Specification.pdf>`__
      ...
    </domain>
 
+``kernelHashes``
+   The optional ``kernelHashes`` attribute indicates whether the
+   hashes of the kernel, ramdisk and command line should be included
+   in the measurement done by the firmware. This is only valid if
+   using direct kernel boot. :since:`Since 8.0.0`
 ``cbitpos``
    The required ``cbitpos`` element provides the C-bit (aka encryption bit)
    location in guest page table entry. The value of ``cbitpos`` is hypervisor
index ce5018f798f85871d86b6369371728f8d466f57c..7fa5c2b8b525f4f0b578e684dcd5875ce407a965 100644 (file)
     <attribute name="type">
       <value>sev</value>
     </attribute>
+    <optional>
+      <attribute name="kernelHashes">
+        <ref name="virYesNo"/>
+      </attribute>
+    </optional>
     <interleave>
       <optional>
         <element name="cbitpos">
index e0c92816f1ed26caa371859724963c0107f152a2..716c6d2240077ca5db6003f917a971058bd0d577 100644 (file)
@@ -14804,6 +14804,10 @@ virDomainSEVDefParseXML(virDomainSEVDef *def,
     unsigned long policy;
     int rc;
 
+    if (virXMLPropTristateBool(ctxt->node, "kernelHashes", VIR_XML_PROP_NONE,
+                               &def->kernel_hashes) < 0)
+        return -1;
+
     if (virXPathULongHex("string(./policy)", ctxt, &policy) < 0) {
         virReportError(VIR_ERR_XML_ERROR, "%s",
                        _("failed to get launch security policy"));
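Review bot: The new kernelHashes attribute is parsed and stored but nothing in this commit enforces the constraint the documentation states for it, that it "is only valid if using direct kernel boot"; a configuration with kernelHashes='yes' and no kernel will be accepted here and only fail (or be silently ignored) further down. This parser receives only the virDomainSEVDef, so the check cannot live in this hunk; it belongs in the domain-level validation pass (outside this diff), along the lines of `if (sev->kernel_hashes == VIR_TRISTATE_BOOL_YES && !def->os.kernel)` followed by a `virReportError(VIR_ERR_CONFIG_UNSUPPORTED, ...)` explaining that kernelHashes requires direct kernel boot. Rejecting the combination at define time gives the guest owner an error instead of a measurement that quietly does not cover what they expect. virDomainSEVDefParseXML starts before this hunk and continues past it.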
@@ -27134,6 +27138,10 @@ virDomainSecDefFormat(virBuffer *buf, virDomainSecDef *sec)
     case VIR_DOMAIN_LAUNCH_SECURITY_SEV: {
         virDomainSEVDef *sev = &sec->data.sev;
 
+        if (sev->kernel_hashes != VIR_TRISTATE_BOOL_ABSENT)
+            virBufferAsprintf(&attrBuf, " kernelHashes='%s'",
+                              virTristateBoolTypeToString(sev->kernel_hashes));
+
         if (sev->haveCbitpos)
             virBufferAsprintf(&childBuf, "<cbitpos>%d</cbitpos>\n", sev->cbitpos);
 
index afabcd1b4d3003d9dc5eca8960a8dd42147f40d0..144ba4dd1211f80e391464e9adf17deb087894e8 100644 (file)
@@ -2714,6 +2714,7 @@ struct _virDomainSEVDef {
     unsigned int cbitpos;
     bool haveReducedPhysBits;
     unsigned int reduced_phys_bits;
+    virTristateBool kernel_hashes;
 };
 
 struct _virDomainSecDef {
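Review bot: The new kernel_hashes member is undocumented, while the formatdomain.rst change in this same commit attaches a non-obvious restriction to it (only meaningful with direct kernel boot). A one-line comment on the field would keep that contract visible to code readers, for example `/* Include kernel, initrd and cmdline hashes in the SEV measurement; only meaningful with direct kernel boot */`. The struct _virDomainSEVDef definition starts before this hunk.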