Re: [libvirt PATCH 12/12] docs/manpages: add checklist of problems for SEV attestation

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 10/7/22 7:43 AM, Daniel P. Berrangé wrote:
> Despite efforts to make the virt-qemu-sev-validate tool friendly, it is
> a certainty that almost everyone who tries it will hit false negative
> results, getting a failure despite the VM being trustworthy.
> 
> Diagnosing these problems is no easy matter, especially for those not
> familiar with SEV/SEV-ES in general. This extra docs text attempts to
> set out a checklist of items to look at to identify what went wrong.
> 
> Signed-off-by: Daniel P. Berrangé <berrange@xxxxxxxxxx>
> ---
>  docs/manpages/virt-qemu-sev-validate.rst | 112 +++++++++++++++++++++++
>  1 file changed, 112 insertions(+)
> 
> diff --git a/docs/manpages/virt-qemu-sev-validate.rst b/docs/manpages/virt-qemu-sev-validate.rst
> index 7542bea9aa..e0c18f2d20 100644
> --- a/docs/manpages/virt-qemu-sev-validate.rst
> +++ b/docs/manpages/virt-qemu-sev-validate.rst
> @@ -437,6 +437,118 @@ inject a disk password on success:
>         --domain fedora34x86_64 \
>         --disk-password passwd.txt
>  
> +COMMON MISTAKES CHECKLIST
> +=========================
> +
> +The complexity of configuring a guest and validating its boot measurement
> +means it is very likely to see the failure::
> +
> +   ERROR: Measurement does not match, VM is not trustworthy
> +
> +This error message assumes the worst, but in most cases will failure will be
> +a result of either mis-configuring the guest, or passing the wrong information
> +when trying to validate it. The following information is a guide for what
> +items to check in order to stand the best chance of diagnosing the problem
> +
> +* Check the VM configuration for the DH certificate and session
> +  blob in the libvirt guest XML.
> +
> +  The content for these fields should be in base64 format, which is
> +  what ``sevctl session`` generates. Other tools may generate the files
> +  in binary format, so ensure it has been correctly converted to base64.
> +
> +* Check the VM configuration policy value matches the session blob
> +
> +  The ``<policy>`` value in libvirt guest XML has to match the value
> +  passed to the ``sevctl session`` command.
> +

FWIW In this case, qemu will explicitly error. From 7.0.0-6.fc36:

-accel kvm: sev_launch_start: LAUNCH_START ret=1 fw_error=11 'Bad
measurement'

I think it's worth putting some subset of that qemu error string at the
top of this section too. If users hit it, going through the checklist
here may solve their issue.

For example, If you're flailing around with sevctl like I have, some of
the sub commands will invalidate all your previous generated
session/dhCert blobs, and subsequent VM boots will fail as above.
`sevctl reset` and/or `sevctl rotate`. That's probably obscure enough to
not need documenting, but if the first item here leads to re-running
sevctl session then you'll fix your problem :)

Thanks,
Cole




[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]

  Powered by Linux