From: Paul Meyer Date: Sat, 23 May 2026 15:37:40 +0000 (+0200) Subject: man: document SEV-SNP credential delivery via initrd cpio X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F42272%2Fhead;p=thirdparty%2Fsystemd.git man: document SEV-SNP credential delivery via initrd cpio Under --coco=sev-snp, credentials no longer flow through SMBIOS/fw_cfg (which the guest PID1 discards as unmeasured in confidential VMs) but through a cpio archive appended to the initrd, landing in the @system bucket via the new /.extra/system_credentials/ initrd path. Update systemd-vmspawn(1) to describe this and the guest systemd version requirement. Signed-off-by: Paul Meyer --- diff --git a/man/systemd-vmspawn.xml b/man/systemd-vmspawn.xml index 3a84196b627..fd73e007707 100644 --- a/man/systemd-vmspawn.xml +++ b/man/systemd-vmspawn.xml 
@@ -352,13 +352,20 @@ SNP-capable hardware and firmware. must point to a raw SNP-built OVMF .fd image; the standard pflash + NVRAM split is not supported under SNP, so the firmware is loaded via QEMU's and Secure Boot is - unavailable. SMBIOS credentials passed via or - are rejected because they are outside the SNP launch - measurement. Direct kernel boot via is required so that the - kernel, initrd and command line are hashed into the launch measurement - (kernel-hashes=on); booting the kernel off the disk image via the - firmware would leave it outside the measurement. A vTPM, if attached via - , must be treated as untrusted by the guest. + unavailable. Direct kernel boot via is required so that the kernel, + initrd and command line are hashed into the launch measurement + (kernel-hashes=on); booting the kernel off the disk image via the firmware + would leave it outside the measurement. Credentials passed via + or are bundled into a cpio archive appended to the initrd + (mirroring what systemd-stub does for ESP credentials), so they enter the + launch measurement via kernel-hashes=on; the SMBIOS and fw_cfg channels + normally used to deliver credentials are not used because they are unmeasured and would be + discarded by PID1 in confidential guests. This channel is measured but not confidential with + respect to the host or VMM: the initrd (and thus the credentials it carries) is supplied to QEMU + as plaintext and only its hash enters the launch measurement, which guarantees integrity but does + not keep the credentials secret from the host. This requires the guest to run a sufficiently + recent version of systemd (supporting /.extra/system_credentials/). A vTPM, + if attached via , must be treated as untrusted by the guest. 
@@ -864,6 +871,19 @@ systemd.set_credential_binary= which is not a confidential channel. Do not use this for passing secrets to the VM in that case. + Under , SMBIOS and fw_cfg are not covered by the SNP launch + measurement and are discarded by PID1 in confidential guests. Credentials are therefore packaged + into a cpio archive containing + .extra/system_credentials/ID.cred entries and + appended to the initrd that QEMU loads, so they enter the launch measurement via + kernel-hashes=on. PID1 imports them from the initramfs at boot. As with the + kernel command line, this is a measured but not a confidential channel: QEMU receives the initrd + (and thus the embedded credentials) as plaintext from the host and only its hash is covered by the + launch measurement, so a modified initrd produces a different launch measurement that a relying + party can detect via remote attestation, but the credentials are not hidden from the host or VMM. + This requires the guest to run a sufficiently recent version of systemd (supporting + /.extra/system_credentials/). +
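Review bot: In the first hunk (@@ -352,13 +352,20 @@), the sentence ending "which guarantees integrity but does not keep the credentials secret from the host" overstates what the measurement provides. The hash only makes a changed initrd detectable to a relying party that actually verifies the attestation report, which is how the second hunk words it ("a relying party can detect via remote attestation"). Suggest using that wording here as well. The same hunk asks for "a sufficiently recent version of systemd" without naming one. Please state the first release that supports /.extra/system_credentials/ and say what an older guest does with the appended archive, so users can diagnose credentials that do not show up in the guest.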
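Review bot: In the second hunk (@@ -864,6 +871,19 @@), the new paragraph calls this "a measured but not a confidential channel" but never tells the reader what follows from that, unlike the kernel command line text just above it ("Do not use this for passing secrets to the VM in that case."). Suggest adding the same explicit instruction for credentials delivered this way. It would also help to state that, because the credentials are part of the hashed initrd, the launch measurement changes whenever a credential value changes, so a verifier has to compute its reference value over the initrd with the cpio archive appended. Last, the non-confidentiality explanation and the version requirement repeat the first hunk almost word for word. Consider keeping the full text in one place and referring to it from the other.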