[PATCH 5/5] tools: add domgetsevreport virsh command

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



After domlaunchsecinfo is used to attest a VM, domgetsevreport can be
used to get a full SEV attestation report from the guest.

Signed-off-by: Tyler Fanelli <tfanelli@xxxxxxxxxx>
---
 docs/manpages/virsh.rst | 18 +++++++++++
 tools/virsh-domain.c    | 68 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 86 insertions(+)

diff --git a/docs/manpages/virsh.rst b/docs/manpages/virsh.rst
index d2e6528533..ce62551f91 100644
--- a/docs/manpages/virsh.rst
+++ b/docs/manpages/virsh.rst
@@ -2119,6 +2119,24 @@ the guest's memory to set the secret. If not specified, the address will be
 determined by the hypervisor.
 
 
+domgetsevreport
+---------------
+
+**Syntax:**
+
+::
+
+    domgetsevreport domain --mnonce mnonce-string
+
+Get an attestation report from a SEV-enabled guest. The guest must have a
+launchSecurity type enabled in its configuration. On success, the attestation
+report can be examined. On failure, guest may not be attested and should be
+examined to confirm so.
+
+*--mnonce* specifies a random 16-byte value encoded in base64 to be included
+in the attestation report
+
+
 dommemstat
 ----------
 
diff --git a/tools/virsh-domain.c b/tools/virsh-domain.c
index d5fd8be7c3..bd8f426596 100644
--- a/tools/virsh-domain.c
+++ b/tools/virsh-domain.c
@@ -9715,6 +9715,68 @@ cmdDomSetLaunchSecState(vshControl * ctl, const vshCmd * cmd)
     return ret;
 }
 
+/*
+ * "domgetsevreport" command
+ */
+static const vshCmdInfo info_domgetsevreport[] = {
+    {.name = "help",
+     .data = N_("Get domain SEV attestation report")
+    },
+    {.name = "desc",
+     .data = N_("Get an attestation report from a SEV-enabled domain")
+    },
+    {.name = NULL}
+};
+
+static const vshCmdOptDef opts_domgetsevreport[] = {
+    VIRSH_COMMON_OPT_DOMAIN_FULL(0),
+    {.name = "mnonce",
+     .type = VSH_OT_STRING,
+     .flags = VSH_OFLAG_REQ_OPT,
+     .help = N_("random 16 bytes value encoded in base64 to be included in report)"),
+    },
+    {.name = NULL}
+};
+
+static bool
+cmdDomGetSevAttestationReport(vshControl *ctl, const vshCmd *cmd)
+{
+    g_autoptr(virshDomain) dom = NULL;
+    const char *mnonce = NULL;
+    virTypedParameterPtr params = NULL;
+    int nparams = 0, maxparams = 0;
+    bool ret = false;
+    char *report_str;
+
+    if (!(dom = virshCommandOptDomain(ctl, cmd, NULL)))
+        return false;
+
+    if (vshCommandOptStringReq(ctl, cmd, "mnonce", &mnonce) < 0)
+        return false;
+
+    if (mnonce == NULL)
+        return false;
+
+    if (virTypedParamsAddString(&params, &nparams, &maxparams,
+                                VIR_DOMAIN_SEV_ATTESTATION_REPORT_MNONCE,
+                                mnonce) < 0)
+        return false;
+
+    if (virDomainGetSevAttestationReport(dom, &params, &nparams, 0) != 0) {
+        vshError(ctl, "%s", _("Unable to get SEV attestation report"));
+        goto cleanup;
+    }
+
+    report_str = vshGetTypedParamValue(ctl, &params[1]);
+    vshPrint(ctl, "base64-encoded attestation report: %s\n", report_str);
+
+    ret = true;
+
+cleanup:
+    virTypedParamsFree(params, nparams);
+    return ret;
+}
+
 /*
  * "qemu-monitor-command" command
  */
@@ -13827,6 +13889,12 @@ const vshCmdDef domManagementCmds[] = {
      .info = info_domsetlaunchsecstate,
      .flags = 0
     },
+    {.name = "domgetsevreport",
+     .handler = cmdDomGetSevAttestationReport,
+     .opts = opts_domgetsevreport,
+     .info = info_domgetsevreport,
+     .flags = 0
+    },
     {.name = "domname",
      .handler = cmdDomname,
      .opts = opts_domname,
-- 
2.34.1




[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]

  Powered by Linux