After domlaunchsecinfo is used to attest a VM, domgetsevreport can be used to get a full SEV attestation report from the guest. Signed-off-by: Tyler Fanelli <tfanelli@xxxxxxxxxx> --- docs/manpages/virsh.rst | 18 +++++++++++ tools/virsh-domain.c | 68 +++++++++++++++++++++++++++++++++++++++++ 2 files changed, 86 insertions(+) diff --git a/docs/manpages/virsh.rst b/docs/manpages/virsh.rst index d2e6528533..ce62551f91 100644 --- a/docs/manpages/virsh.rst +++ b/docs/manpages/virsh.rst @@ -2119,6 +2119,24 @@ the guest's memory to set the secret. If not specified, the address will be determined by the hypervisor. +domgetsevreport +--------------- + +**Syntax:** + +:: + + domgetsevreport domain --mnonce mnonce-string + +Get an attestation report from a SEV-enabled guest. The guest must have a +launchSecurity type enabled in its configuration. On success, the attestation +report can be examined. On failure, guest may not be attested and should be +examined to confirm so. + +*--mnonce* specifies a random 16-byte value encoded in base64 to be included +in the attestation report + + dommemstat ---------- diff --git a/tools/virsh-domain.c b/tools/virsh-domain.c index d5fd8be7c3..bd8f426596 100644 --- a/tools/virsh-domain.c +++ b/tools/virsh-domain.c 
@@ -9715,6 +9715,68 @@ cmdDomSetLaunchSecState(vshControl * ctl, const vshCmd * cmd) return ret; } +/* + * "domgetsevreport" command + */ +static const vshCmdInfo info_domgetsevreport[] = { + {.name = "help", + .data = N_("Get domain SEV attestation report") + }, + {.name = "desc", + .data = N_("Get an attestation report from a SEV-enabled domain") + }, + {.name = NULL} +}; + +static const vshCmdOptDef opts_domgetsevreport[] = { + VIRSH_COMMON_OPT_DOMAIN_FULL(0), + {.name = "mnonce", + .type = VSH_OT_STRING, + .flags = VSH_OFLAG_REQ_OPT, + .help = N_("random 16 bytes value encoded in base64 to be included in report)"), + }, + {.name = NULL} +}; + +static bool +cmdDomGetSevAttestationReport(vshControl *ctl, const vshCmd *cmd) +{ + g_autoptr(virshDomain) dom = NULL; + const char *mnonce = NULL; + virTypedParameterPtr params = NULL; + int nparams = 0, maxparams = 0; + bool ret = false; + char *report_str; + + if (!(dom = virshCommandOptDomain(ctl, cmd, NULL))) + return false; + + if (vshCommandOptStringReq(ctl, cmd, "mnonce", &mnonce) < 0) + return false; + + if (mnonce == NULL) + return false; + + if (virTypedParamsAddString(¶ms, &nparams, &maxparams, + VIR_DOMAIN_SEV_ATTESTATION_REPORT_MNONCE, + mnonce) < 0) + return false; + + if (virDomainGetSevAttestationReport(dom, ¶ms, &nparams, 0) != 0) { + vshError(ctl, "%s", _("Unable to get SEV attestation report")); + goto cleanup; + } + + report_str = vshGetTypedParamValue(ctl, ¶ms[1]); + vshPrint(ctl, "base64-encoded attestation report: %s\n", report_str); + + ret = true; + +cleanup: + virTypedParamsFree(params, nparams); + return ret; +} + /* * "qemu-monitor-command" command */ @@ -13827,6 +13889,12 @@ const vshCmdDef domManagementCmds[] = { .info = info_domsetlaunchsecstate, .flags = 0 }, + {.name = "domgetsevreport", + .handler = cmdDomGetSevAttestationReport, + .opts = opts_domgetsevreport, + .info = info_domgetsevreport, + .flags = 0 + }, {.name = "domname", .handler = cmdDomname, .opts = opts_domname, -- 2.34.1
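Review bot: `report_str = vshGetTypedParamValue(ctl, &params[1]);` in cmdDomGetSevAttestationReport indexes the returned array at a fixed position without checking nparams, so a driver that hands back fewer parameters, or the same ones in a different order, reads past the array or prints the wrong value; guard it with `if (nparams < 2) { vshError(ctl, "%s", _("Unable to get SEV attestation report")); goto cleanup; }` or, more robustly, fetch the report by its parameter name with virTypedParamsGetString instead of by position. vshGetTypedParamValue appears to return a freshly allocated string (its other virsh callers free the result), so report_str is leaked on the success path and a NULL result would reach the `%s` unchecked; `g_autofree char *report_str = NULL;` plus a NULL check before vshPrint covers both. The `--mnonce` option carries only VSH_OFLAG_REQ_OPT, which as far as I can tell does not make the option mandatory, so an omitted nonce arrives at `if (mnonce == NULL) return false;` and the command fails with no message at all; report it with vshError there, or mark the option required if that flag combination is accepted, since the manpage syntax presents `--mnonce` as mandatory. The option help text also has a stray closing parenthesis: `.help = N_("random 16 bytes value encoded in base64 to be included in report"),`.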